Cloud Pak for Security

Deploying the Cloud Pak for Security on AWS

By Mark Parzygnat posted Fri December 11, 2020 11:44 AM

  

Created by : Barry Mosakowski and Mark Parzygnat

The deployment for the Cloud Pak for Security has a few parameters you need to change to properly install.

 

The entire installation process can be found here: https://www.ibm.com/support/knowledgecenter/en/SSTDPP and is the right place to start. First make sure you go thru the planning section this will assist in fully understanding what you are going to do during the install. Now choose you version. We of course recommend the latest version for the most current feature set.



Next return to https://www.ibm.com/support/knowledgecenter/en/SSTDPP. Again choose you version, then go into “install”, under “Getting Started”


then on the next page “Online installation”


Once you complete the “Procedure” which includes getting the .tgz, compressed .tar, file and completing the extraction you will need to complete a critical aspect. This is to properly build your values.conf file.  The file is located at:

<working-directory>/ibm-cp-security/inventory/installProduct/files

 

Note: working_directory is the output directory in which the Cloud Pak for Security resources are placed.   The parameters that can cost you time are:

 

Here is an example values.conf file we will use in this documentation. It should be located in this directory <working-directory>/ibm-cp-security/inventory/installProduct/files.

 

cloudtype

cp4sapplicationDomain

cp4sdomainCertificatePath

cp4sdomainCertificateKeyPath

storageClass

 

Now, let’s look at how to code each of these parameters with the correct value.  

 

cloudType

 

Note: Do not make the common mistake and code ‘ocp’ when on AWS, even though, you are using OpenShift.  When on AWS be sure to set this parm to “aws”.

#Cluster type e.g aws,ibmcloud, ocp (Required)

cloudType="aws" 

cp4sapplicationDomain, cp4sdomainCertificatePath, cp4sdomainCertificateKeyPath


For these, you can use your own public domain.  If you do this, then you need to register this outside of this task.  A quick and easy way is to leverage your existing AWS OpenShift cluster domain name and certificate/key.  

To get this, make sure you are logged into your cluster, and run the following command in your command line interface. 

 

Command:

oc get secrets -n openshift-ingress | grep router-certs

 

You will something similar to this:

router-certs-default           kubernetes.io/tls

 

The router-certs-default secret contains the cluster so now save the cert and private key and set our parameters.

 

Command:

oc get secret router-certs-default -n openshift-ingress -o go-template='{{index .data "tls.key" | base64decode}}'>cluster.key

 

oc get secret router-certs-default -n openshift-ingress -o go-template='{{index .data "tls.crt" | base64decode}}' >cluster.crt

 

Now save the output of the commands into two files, cluster.jey and cluster.crt which, these will be used later. Next, determine the FQDN and our subdomain for the Cloud Pak for Security.

 

openssl x509 -in cluster.crt -text -noout -certopt ca_default,no_sigdump | grep Subject:

        Subject: CN=*.apps.cp4sec-aws200.cloudpak-bringup.com              

 

The field you need is the CN value from the Subject. Notice the asterik at the beginning.  This serves as a wildcard.  We can now create our parms with a unique name.  In this example, I will prepend “cp4s” for my FQDN.

 

# CP4S FQDN domain(Required)

cp4sapplicationDomain="cp4s.apps.cp4sec-aws200.cloudpak-bringup.com"

 

Now point to the certificate and the extracted key.

 

# e.g ./path-to-cert/cert.crt (Required)

cp4sdomainCertificatePath="<Absolute Path>/cluster.crt"

 

## Path to domain certificate key ./path-to-key/cert.key (Required)

cp4sdomainCertificateKeyPath="="<Absolute Path>/cluster.key"

 

You can use a relative path, however, when creating config files it is recommended to use the absolute path to avoid any issues if the files are moved.

 

storageClass

 

The last parameter is the storageClass.  You can see what AWS provides out of the box.

 

Command:

oc get sc         

 

NAME            PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE

gp2 (default)   kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   true                   7d13h

 

The default of gp2 meets our requirements, so let’s add:

storageClass="gp2"

 

We now are ready to install the Cloud Pak for Security.  Please refer to the installation manuals for all of the configuration parameters and let’s summarize what we modified.

 

#Cluster type e.g aws,ibmcloud, ocp (Required)

cloudType="aws"

 

# CP4S FQDN domain(Required)

cp4sapplicationDomain="cp4s.apps.cp4sec-aws200.cloudpak-bringup.com"

 

# e.g ./path-to-cert/cert.crt (Required)

cp4sdomainCertificatePath="/Users/bmosus.ibm.com/cloudpak/cp4sec/ibm-cp-security/inventory/installProduct/files/cluster.crt"

 

## Path to domain certificate key ./path-to-key/cert.key (Required)

cp4sdomainCertificateKeyPath="/Users/bmosus.ibm.com/cloudpak/cp4sec/ibm-cp-security/inventory/installProduct/files/cluster.key"

 

# Block storage (Required)

storageClass="gp2"

 #Security

​​#CloudPak4Security

#MarkBarry

​​
0 comments
20 views

Permalink