To deploy IBM Guardium Insights (v3.4.x or later) on-premises using VMware, you'll use Red Hat OpenShift Container Platform (OCP) on VMware vSphere. Below is a streamlined guide covering the essential technical points for a successful setup.
Overview of IBM Guardium Insights
Guardium Insights is a data security hub that provides in-depth data activity monitoring, risk scoring, and compliance reporting. It improves data protection efficiency and supports flexible IT environments.
Prerequisites and Requirements
- Load Balancing: Set up API and application ingress load balancers using HAProxy for API server, machine config, and ingress traffic across the HTTP/HTTPS ports.
To set up the load balancing infrastructure for IBM Guardium Insights with OpenShift on VMware, provision HAProxy as a load balancer for both API server and application ingress traffic. Here is a sample configuration file to guide you, which can be saved to /etc/haproxy/haproxy.cfg. Note that it is the generic sample shipped with the haproxy package: the OpenShift listeners (API server on 6443, machine config server on 22623, ingress on 80 and 443) still need to be added, and the machine config listener should not be exposed outside the cluster network.
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
    bind *:5000
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    use_backend static if url_static
    default_backend app
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
    balance roundrobin
    server static1 127.0.0.1:4331 check
    server static2 127.0.0.1:4332 check
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
    balance roundrobin
    server app1 127.0.0.1:5001 check
    server app2 127.0.0.1:5002 check
    server app3 127.0.0.1:5003 check
    server app4 127.0.0.1:5004 check
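As an added example (not part of the original guide or of the haproxy package sample above), the following shell script generates the OpenShift-shaped haproxy.cfg that the Load Balancing prerequisite calls for: TCP passthrough listeners for the API server (6443), the machine config server (22623) and application ingress (80/443). The node addresses are constructed placeholders supplied through the BOOTSTRAP, MASTERS and WORKERS variables.

```shell
#!/bin/sh
# Added example (not from the original guide): build an haproxy.cfg that fronts the
# OpenShift API (6443), machine config server (22623) and ingress routers (80/443)
# in TCP passthrough mode. Node addresses below are constructed placeholders.
BOOTSTRAP="${BOOTSTRAP:-10.0.0.10}"                  # drop once bootstrap is removed
MASTERS="${MASTERS:-10.0.0.11 10.0.0.12 10.0.0.13}"
WORKERS="${WORKERS:-10.0.0.21 10.0.0.22}"

# One "server" line per host: $1=name prefix, $2=port, $3..=hosts.
servers() {
  prefix=$1; port=$2; shift 2; i=0
  for h in "$@"; do
    i=$((i + 1))
    printf '    server %s%d %s:%s check\n' "$prefix" "$i" "$h" "$port"
  done
}

# TCP frontend plus backend header: $1=name, $2=port, $3=balance algorithm.
listener() {
  printf 'frontend %s\n    bind *:%s\n    default_backend %s-be\n' "$1" "$2" "$1"
  printf 'backend %s-be\n    balance %s\n' "$1" "$3"
}

gen_haproxy_cfg() {
  cat <<'EOF'
defaults
    mode tcp
    timeout connect 10s
    timeout client 1m
    timeout server 1m
EOF
  # API and machine config server: control plane, plus bootstrap until it is removed.
  # 22623 serves node ignition data and must stay inside the cluster network, so in
  # production replace its wildcard bind with the load balancer's internal address.
  for spec in "api 6443" "machine-config 22623"; do
    set -- $spec
    listener "$1" "$2" roundrobin
    servers bootstrap "$2" $BOOTSTRAP
    servers master "$2" $MASTERS
  done
  # Application ingress goes to the worker nodes, where the router pods run.
  for spec in "ingress-http 80" "ingress-https 443"; do
    set -- $spec
    listener "$1" "$2" source
    servers worker "$2" $WORKERS
  done
}
# Usage: sh gen-haproxy.sh --print > /etc/haproxy/haproxy.cfg && haproxy -c -f /etc/haproxy/haproxy.cfg
[ "${1:-}" = "--print" ] && gen_haproxy_cfg
```

After the bootstrap node is removed, regenerate with BOOTSTRAP set to an empty string so its server lines disappear.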
Adding vCenter Root CA Certificates
- Download the vCenter Root CA Certificates: Retrieve the root CA certificates directly from the vCenter homepage.
- Add Certificates to System Trust:
- Update the System Trust: Refresh the system trust settings with:
update-ca-trust extract
Deploying the Cluster
Prerequisites
- Download Requirements: Obtain the OpenShift installation program and the pull secret from the Red Hat OpenShift pull-secret page.
- Cloud Account Permissions: Ensure that the cloud provider account has the necessary permissions for the deployment.
Deployment Procedure
- Navigate to the Installation Directory: Go to the directory where the installation program is located.
- Start the Cluster Deployment:
Deployment on VMware vSphere
- VMware Setup:
  - Create a vCenter Account: Ensure it has global administrative privileges.
  - Persistent Storage: Enable access on port 443 for vCenter and ESXi hosts, and adjust firewall settings as needed.
- Red Hat OpenShift Installation:
Example install-config.yaml
The installer consumes this file when you create the cluster, so back it up first, and restrict its permissions (for example chmod 600) because it holds the vCenter username and password in plaintext.
additionalTrustBundlePolicy: Proxyonly
apiVersion: v1
baseDomain: soclab.com
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  platform: {}
  replicas: 5
controlPlane:
  architecture: amd64
  hyperthreading: Enabled
  name: master
  platform: {}
  replicas: 3
metadata:
  creationTimestamp: null
  name: oc
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 10.0.0.0/16
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16
platform:
  vsphere:
    vCenter: 10.221.192.2
    username: tamilselvam@gsilab.com
    password: Tamilselvam#2023
    cluster: NewCluster
    datacenter: Datacenter
    defaultDatastore: datastore1
    network: LAN
    folder: /Datacenter/vm/ocp-cluster
    resourcePool: /Datacenter/host/NewCluster/Resources/
    diskType: thin
fips: false
pullSecret: ''
sshKey:
Verification
Upon successful completion of the OpenShift installation:
- Access Instructions: Instructions for accessing the cluster will be displayed on the console.
- Credential Information: Login credentials are stored in <installation_directory>/.openshift_install.log.
Example Output
INFO Install complete!
INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/home/myuser/install_dir/auth/kubeconfig'
INFO Access the OpenShift web-console here: https://console-openshift-console.apps.mycluster.example.com
INFO Login to the console with user: "kubeadmin", and password: "password"
INFO Time elapsed: 36m22s
For more detailed installation instructions, refer to the official Red Hat OpenShift documentation.
Installing Guardium Insights Components
- Download the Guardium Insights CASE File (procedure below)
- Install IBM Cloud Pak Foundational Services (procedure below)
Deploying Storage Backend Using the ODF Operator
To deploy your storage backend with the OpenShift Data Foundation (ODF) operator, follow the guidelines outlined in the official documentation. Here is a summarized step-by-step approach to get you started, along with setting the default storage class to thin-csi.
- Prerequisites
Before you begin, ensure you have the following:
  - Access to an OpenShift cluster.
  - Sufficient permissions to create namespaces and manage operators.
- Install the ODF Operator
Install the ODF Operator from the OperatorHub:
  - Navigate to the OpenShift Web Console.
  - Go to Operators > OperatorHub.
  - Search for "OpenShift Data Foundation" and click on it.
  - Click Install and select the appropriate namespace (e.g., openshift-storage).
- Configure the Operator Settings
  - Choose the installation mode (e.g., All namespaces).
  - Set the approval strategy (Automatic or Manual) as per your needs.
- Set Default Storage Class to thin-csi
  - List available storage classes:
oc get sc
  - Set thin-csi as the default storage class by annotating it:
oc patch storageclass thin-csi -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class":"true"}}}'
  - Verify the change. Exactly one class should be shown as (default); if another class is also marked, set its storageclass.kubernetes.io/is-default-class annotation to "false" so that PVC binding is not ambiguous:
oc get sc
Refer to the official OpenShift ODF operator installation documentation for a detailed step-by-step process.
Guardium Insights v3.4.x Deployment
Before installing IBM Guardium Insights, ensure that you have the required hardware, software, and storage. Detailed system requirements are available in the IBM documentation.
Download the Guardium Insights CASE File
The Guardium Insights Container Application Software for Enterprises (CASE) installer can be downloaded as an archive (tar) file from GitHub. Ensure that you only install products your site is entitled to.
Procedure
- Export Environment Variables and Create Local Directories:
export CASE_NAME=ibm-guardium-insights
export CASE_VERSION=<CASE_VERSION>
export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
export CASE_ARCHIVE=$CASE_NAME-$CASE_VERSION.tgz
- Specify the CASE_VERSION that matches the version of Guardium Insights you are deploying. For example, Guardium Insights 3.4.0 requires CASE_VERSION 2.4.0.
- Save the CASE Bundle Locally:
oc ibm-pak get $CASE_NAME --version $CASE_VERSION --skip-verify
The --skip-verify flag disables signature verification of the downloaded CASE archive; omit it wherever verification can succeed, so that a tampered archive is rejected.
- Extract the CASE Bundle to Your Local Directory:
tar -xvf $LOCAL_CASE_DIR/$CASE_ARCHIVE --directory $LOCAL_CASE_DIR
This completes the setup of the Guardium Insights CASE file for deployment.
Installing IBM Cloud Pak Foundational Services
IBM Guardium Insights is deployed on IBM Cloud Pak foundational services with the OpenShift® Container Platform.
Note: If using the all-in-one script for installation, foundational services will be installed automatically if the SKIP_INSTALL_ICS parameter is set to false. If you already have Cloud Pak foundational services version 4.5.x installed, you can skip this task.
Procedure
- Log in to your OpenShift Cluster Instance:
oc login -u <KUBE_USER> -p <KUBE_PASS> [--insecure-skip-tls-verify=true]
The optional --insecure-skip-tls-verify=true disables verification of the API server certificate; prefer trusting the cluster CA instead, for example by using the kubeconfig produced by the installer.
- Create a Namespace for Cloud Pak Foundational Services:
export NAMESPACE=<GI_NAMESPACE>
oc create namespace ${NAMESPACE}
- Choose the CASE Version:
export CASE_ARCHIVE=ibm-guardium-insights-<GI_Case_version>.tgz
- Install the IBM Cert Manager and IBM Common Services:
  - Create a Namespace for IBM Cert Manager:
oc create namespace ibm-cert-manager
  - Set the Environment Variable for the --inventory Parameter:
export CERT_MANAGER_INVENTORY_SETUP=ibmCertManagerOperatorSetup
- Install the IBM Cert Manager Catalog:
oc ibm-pak launch $CASE_NAME \
--version $CASE_VERSION \
--action install-catalog \
--inventory $CERT_MANAGER_INVENTORY_SETUP \
--namespace openshift-marketplace \
--args "--inputDir ${LOCAL_CASE_DIR}"
- Check the Pod and Catalog Source Status:
oc get pods -n openshift-marketplace
oc get catalogsource -n openshift-marketplace
- Install the IBM Cert Manager Operators:
oc ibm-pak launch $CASE_NAME \
--version $CASE_VERSION \
--inventory $CERT_MANAGER_INVENTORY_SETUP \
--action install-operator \
--namespace ibm-cert-manager \
--args "--inputDir ${LOCAL_CASE_DIR}"
- Install the IBM Cloud Pak Foundational Services Catalog:
export ICS_INVENTORY_SETUP=ibmCommonServiceOperatorSetup
oc ibm-pak launch $CASE_NAME \
--version $CASE_VERSION \
--action install-catalog \
--inventory $ICS_INVENTORY_SETUP \
--namespace $NAMESPACE \
--args "--registry icr.io --recursive --inputDir ${LOCAL_CASE_DIR}"
- Check the Pod and Catalog Source Status:
oc get pods -n openshift-marketplace
oc get catalogsource -n openshift-marketplace
- Install the Cloud Pak Foundational Services Operators:
export ICS_SIZE=small
oc ibm-pak launch $CASE_NAME \
--version $CASE_VERSION \
--inventory $ICS_INVENTORY_SETUP \
--action install-operator \
--namespace $NAMESPACE \
--args "--size ${ICS_SIZE} --inputDir ${LOCAL_CASE_DIR}"
- Verify that the CSV is in Succeeded State:
oc get csv -n $NAMESPACE
- Verify that the Operand Request is Available:
oc get opreq -n $NAMESPACE
- Verify that All Cloud Pak Foundational Services Pods are Running or Completed:
oc get pods -n ${NAMESPACE}
- Retrieve Console Credentials:
oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' -n $NAMESPACE | base64 -d | awk '{print $1}'
oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' -n $NAMESPACE | base64 -d | awk '{print $1}'
- Retrieve the Cloud Pak Console Route:
oc get route cp-console -n $NAMESPACE
This completes the installation of IBM Cloud Pak foundational services.
Online Installation of Guardium Insights Using Automated Installation Script
Procedure
- Log in to Your OpenShift Cluster Instance:
oc login -u <KUBE_USER> -p <KUBE_PASS> [--insecure-skip-tls-verify=true]
- Edit the values.conf File:
  - Locate the configuration file at $LOCAL_CASE_DIR/ibm-guardium-insights/inventory/automateInstall/files/values.conf and provide the mandatory parameters for the installation.
- Define the Location of the Custom Resource (CR) File:
export LOCAL_INSTALL_DIR=<CR file location>
- Start the Installation Process of Guardium Insights:
oc ibm-pak launch $CASE_NAME \
--version $CASE_VERSION \
--namespace ${NAMESPACE} \
--inventory automateInstall \
--action autoInstall \
--tolerance 1 | tee -a ${LOCAL_INSTALL_DIR}/installation.log
- Check the Status of the Instance Creation:
oc get guardiuminsights
After completion, the output resembles the example in the original screenshot, which is not reproduced here.
To log in, find the correct route with oc get routes, then use the default cpadmin user. LDAP can also be configured for Guardium Insights logins. The login screen appeared as a second screenshot, also not reproduced here.
Troubleshooting Guardium Insights Deployment
If your Guardium Insights deployment fails, follow these steps to check and create the required PersistentVolumeClaim (PVC).
- Check the PVC Status:
- Create the PVC:
- Check the Deployment Again:
- List the deployments in the Guardium Insights namespace:
oc get deployments -n guardium-insights
If the deployment is still failing, check the logs for more details:
oc logs deployment/<guardium-insights-deployment-name> -n guardium-insights
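Added example, not from the original guide: a small triage script using only the oc CLI that checks the conditions behind the PVC and deployment failures described above, plus the single-default storage class assumed in the ODF section. The namespace guardium-insights is the one used on this page; the check output format is my own.

```shell
#!/bin/sh
# Added example (not from the original guide): triage a Guardium Insights namespace
# with the oc CLI. Flags three causes of a stuck deployment: an ambiguous default
# StorageClass, PVCs that never bind, and deployments below their desired replicas.

# Number of StorageClasses carrying the is-default-class=true annotation.
default_storageclass_count() {
  oc get sc -o jsonpath='{range .items[*]}{.metadata.name} {.metadata.annotations.storageclass\.kubernetes\.io/is-default-class}{"\n"}{end}' \
    | awk '$2 == "true"' | wc -l | tr -d ' '
}

# PVCs in namespace $1 whose phase is not Bound: "name phase storageclass".
unbound_pvcs() {
  oc get pvc -n "$1" -o jsonpath='{range .items[*]}{.metadata.name} {.status.phase} {.spec.storageClassName}{"\n"}{end}' \
    | awk '$2 != "Bound"'
}

# Deployments in namespace $1 with fewer available than desired replicas: "name avail/desired".
unavailable_deployments() {
  oc get deployments -n "$1" -o jsonpath='{range .items[*]}{.metadata.name} {.spec.replicas} {.status.availableReplicas}{"\n"}{end}' \
    | awk '{ a = ($3 == "") ? 0 : $3 + 0; if (a < $2 + 0) print $1, a "/" $2 }'
}

# Runs all checks against namespace $1; exit status 1 when anything needs attention.
triage() {
  rc=0
  n=$(default_storageclass_count)
  [ "$n" -eq 1 ] || { echo "WARN: $n default storage classes, expected exactly 1"; rc=1; }
  pv=$(unbound_pvcs "$1")
  [ -z "$pv" ] || { echo "WARN: PVCs not Bound (see 'oc describe pvc' events):"; echo "$pv"; rc=1; }
  dp=$(unavailable_deployments "$1")
  [ -z "$dp" ] || { echo "WARN: deployments below desired replicas:"; echo "$dp"; rc=1; }
  return $rc
}

# Usage: sh gi-triage.sh guardium-insights
[ $# -gt 0 ] && triage "$1"
```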
Following these technical steps will guide you through a successful Guardium Insights deployment on a VMware-based on-premises infrastructure. For further details, consult IBM’s official documentation.
Reach out to us if you need further guidance. Let’s elevate your security operations together!
Tamil Selvam R - tamilselvam.ramalingam@ibm.com
Anuj Shrivastava - ashrivastava@in.ibm.com