Installing IBM Security Guardium Key Lifecycle Manager on Red Hat OpenShift using NFS storage
Overview: This document provides step-by-step instructions for installing IBM Security Guardium Key Lifecycle Manager (SGKLM) on Red Hat OpenShift using IBM Db2U Community Edition as the database, with Helm and Tiller as the package management tools. This installation also leverages an NFS Server for storage.
Prerequisites
Red Hat OpenShift Cluster Setup
- Obtain and install Red Hat OpenShift Container Platform Version 4.2 or later.
- Ensure your OpenShift Cluster is running and fully functional. For documentation, refer to: OpenShift Container Platform.
- If using horizontal scaling, configure a load balancer to distribute incoming traffic to SGKLM containers.
OpenShift CLI (oc) Tool
- Download the oc command-line tool for your OpenShift version and operating system.
- Follow the installation instructions from the OpenShift CLI Documentation.
IBM Db2U Database Installation
Obtain Helm Charts
- Install Helm using the Helm Installation Guide.
- Ensure that your Helm version is compatible with OpenShift.
- Download the openshift-helm.zip file from the IBM Guardium Key Lifecycle Manager utilities page.
Obtain Container Installation Files and License
- Download the container installation files (eImages) for IBM Guardium Key Lifecycle Manager from IBM Passport Advantage. See: Installation Images for Containerized Platforms.
- Extract the files to a local directory and specify the path in the values.yaml configuration file.
NFS Server Setup
- Install and configure an NFS server on a suitable host.
- Create a shared directory on the NFS server for SGKLM data storage.
- Ensure that the OpenShift nodes have access to the NFS server and the shared directory.
Note: For details of the NFS installation steps, refer to https://developer.ibm.com/tutorials/awb-set-up-nfs-storage-qradar-suite-deployment/
Installation Steps
Obtain the log-in token:
a. Log in to the Red Hat OpenShift Container Platform by using the kubeadmin credentials
b. Click the Copy Login Command option
c. Copy the login command displayed in the Log in with this token section
d. Use the copied command to log in to the OCP server by using the command line tool (oc)
Example: Logging in to the OpenShift Container Platform cluster with the oc command-line tool
Step 1: Example steps to install Helm
i). Create Directories for Helm:
mkdir ~/sklm
mkdir ~/sklm/helm
cd ~/sklm/helm/
ii). Download and Extract Helm:
wget https://get.helm.sh/helm-v2.17.0-linux-386.tar.gz
tar -zxvf helm-v2.17.0-linux-386.tar.gz
mv linux-386/helm /usr/local/bin/helm
iii). Initialize Helm with Tiller Service Account:
helm init --stable-repo-url https://charts.helm.sh/stable --service-account tiller
Step 2: Example steps for Tiller installation and configuration
i). Create Tiller Namespace and Service Account:
oc adm new-project tiller
oc create serviceaccount tiller -n tiller
ii). Create Cluster Role Binding for Tiller (this grants the tiller service account cluster-admin rights across the whole cluster, so restrict who can reach the tiller namespace accordingly):
oc create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=tiller:tiller -n tiller
oc get serviceaccount tiller -n tiller
iii). Initialize Tiller in the tiller Namespace:
helm init --tiller-namespace tiller --service-account tiller
iv). Verify Tiller Pods:
oc get pods -n tiller -l app=helm
v). Set Tiller Namespace
export TILLER_NAMESPACE=tiller
echo $TILLER_NAMESPACE
Step 3: Example steps to install IBM Db2U Community Edition 11.5.4.0
Pre-install Cluster Configuration
i). Create Directories for Db2U Installation:
mkdir ~/sklm/sklmdb2
cd ~/sklm/sklmdb2/
ii). Clone IBM Charts Repository:
git clone https://github.com/IBM/charts.git
iii). Create OpenShift Namespace for Db2U:
oc new-project sklmdb2
cd ~/sklm/sklmdb2/charts/stable/ibm-db2/ibm_cloud_pak/pak_extensions
iv). Run Namespace Prerequisite Script:
./pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh sklmdb2
v). Set Environment Variables (the password below is the document's example value; set your own):
RELEASE_NAME="db2u-release-1"
PASSWORD="SKLM@db2121"
vi). Create a Secret for Db2U Password:
oc create secret generic ${RELEASE_NAME}-db2u-instance --from-literal=password="${PASSWORD}"
Install IBM Db2U
Navigate to the Installation Directory:
cd ~/sklm/sklmdb2/charts/stable/ibm-db2/ibm_cloud_pak/pak_extensions/common/
Install IBM Db2U Using Helm:
./db2u-install --namespace sklmdb2 --release-name db2u-release-1 --db-name klmdb421 --db-type db2oltp --storage-class csi-cephfs --accept-eula
Note: Replace csi-cephfs with the actual storage class used in your OpenShift environment.
Verify Db2U Installation:
Check the Pods in the sklmdb2 Namespace:
oc get pods -n sklmdb2
oc get svc -n sklmdb2
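A readiness check for the Tiller (Step 2) and Db2U (Step 3) pod listings above, as an added example that is not part of the IBM document. It parses `oc get pods --no-headers` output; the sample listing and pod names are constructed, and the live `oc` call only runs when a namespace is passed as the first argument.

```shell
# Added example, not from the IBM page: flag pods that are not Running with all containers
# ready, for the Tiller (Step 2) and Db2U (Step 3) checks. The listing below is constructed.
SAMPLE_PODS='db2u-release-1-db2u-0                      1/1   Running     0   5m
db2u-release-1-db2u-engn-update-job-x1y2z   0/1   Completed   0   5m
db2u-release-1-db2u-ldap-7f9d               0/1   Pending     0   5m
db2u-release-1-db2u-tools-5c1               1/2   Running     0   5m'

# Reads `oc get pods --no-headers` lines (NAME READY STATUS RESTARTS AGE) from stdin,
# prints one line per unhealthy pod and returns 0 only when every pod is healthy.
check_pods_ready() {
  rc=0; n=0
  while read -r name ready status _rest; do
    [ -n "$name" ] || continue
    n=$((n + 1))
    case "$status" in Completed|Succeeded) continue ;; esac   # finished jobs are fine
    have=${ready%/*}; want=${ready#*/}
    if [ "$status" != "Running" ] || [ "$have" != "$want" ]; then
      echo "NOT READY: $name ($ready $status)"
      rc=1
    fi
  done
  [ "$n" -gt 0 ] || { echo "no pods listed"; return 1; }
  return $rc
}

# Live check when a namespace is given, e.g.: sh this.sh sklmdb2
if [ -n "${1:-}" ]; then
  oc get pods -n "$1" --no-headers | check_pods_ready && echo "all pods in $1 are ready"
fi
```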
Step 4: Install IBM Guardium Key Lifecycle Manager (SGKLM) 4.1
Log in to OpenShift:
oc login --token=<TOKEN> --server=<SERVER_URL>
Extract the openshift-helm.zip and Navigate to the sklmapp Directory:
cd openshift-helm/sklmapp
Create the Security Context Constraint (SCC):
oc apply -f liberty_scc.yaml
Create WebSphere Service Account and Bind SCC:
oc create serviceaccount websphere -n sklmdb2
oc adm policy add-scc-to-user ibm-websphere-scc -z websphere -n sklmdb2
Modify the values.yaml File as Needed:
- Adjust parameters in values.yaml according to your deployment requirements.
- Crucially, update the following:
- Image: Specify the path to the downloaded SGKLM container image.
- Persistence:
- Configure the persistence section to use the NFS volume.
- Define the NFS server address and the shared directory path.
- Create a PersistentVolumeClaim (PVC) that references the NFS volume.
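One way to create the NFS-backed volume and the claim that the persistence section of values.yaml then references, as an added example that is not part of the IBM document or the sklmapp chart. The NFS server address (192.0.2.10), export path (/export/sklm), size and object names are constructed assumptions; the chart's own value keys are not reproduced.

```shell
# Added example, not from the IBM page or the sklmapp chart; server/path/size/names are constructed.
# Validate inputs: the export path must be absolute, the size must look like 10Gi or 500Mi.
nfs_args_ok() {
  server=$1; path=$2; size=$3
  [ -n "$server" ] || return 1
  case "$path" in /*) ;; *) return 1 ;; esac
  num=${size%[GM]i}
  [ "$num" != "$size" ] || return 1              # no Gi/Mi suffix
  case "$num" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric quantity
}
# Print a PV for the NFS export plus a PVC pinned to it. Retain keeps the key-store data on
# the export if the claim is deleted; storageClassName "" plus volumeName forces static binding.
render_nfs_storage() {
  ns=$1; name=$2; server=$3; path=$4; size=$5
  nfs_args_ok "$server" "$path" "$size" || { echo "invalid NFS arguments" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: PersistentVolume
metadata:
  name: ${name}-pv
spec:
  capacity:
    storage: ${size}
  accessModes: [ReadWriteMany]
  persistentVolumeReclaimPolicy: Retain
  storageClassName: ""
  nfs:
    server: ${server}
    path: ${path}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ${name}-pvc
  namespace: ${ns}
spec:
  accessModes: [ReadWriteMany]
  storageClassName: ""
  volumeName: ${name}-pv
  resources:
    requests:
      storage: ${size}
EOF
}
# Apply only when run as: sh this.sh apply   (the oc calls need a logged-in cluster)
if [ "${1:-}" = "apply" ]; then
  render_nfs_storage sklmdb2 sklm-nfs 192.0.2.10 /export/sklm 10Gi | oc apply -f -
  oc get pvc sklm-nfs-pvc -n sklmdb2
fi
```

After applying, the PVC should show STATUS Bound before you run the Helm install.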
Install SGKLM Using Helm:
helm install sklmapp
Verification
- Verify SGKLM Pods:
- Navigate to OpenShift and check the Workloads > Pods section to ensure that the SGKLM application pod is running.
- Create a Route for SGKLM Application:
- Go to Networking > Routes in OpenShift and click "Create Route".
- Configure the route with the following details:
- Name: sklmapp-route
- Service: sklmapp
- Target Port: 9443 -> 9443 (TCP)
- TLS Termination: Passthrough
- Insecure Traffic: Redirect
- Click "Create".
- Access the SGKLM Application:
- Copy the application URL displayed in the Location field.
- Open the URL in a browser and log in to the IBM Guardium Key Lifecycle Manager GUI using the administrator credentials (sklmadmin).
Once logged in, you see the GKLM welcome page.
To verify the GKLM installation, refer to the following link and follow the procedure described there:
Manage e-commerce encryption keys using Guardium Key Lifecycle Manager
- Verify the new key on the GKLM server side. In the GKLM interface, click the Clients tab and select KMI_DEMO. Click Modify and find the key with the rkp alias. Double-click the key to see its details.
You have now successfully used rekey to change your e-commerce application’s key.
Summary
This document provides step-by-step instructions for installing IBM Security Guardium Key Lifecycle Manager (SGKLM) on Red Hat OpenShift using IBM Db2U Community Edition as the database and NFS for storage. It covers prerequisites, Helm and Tiller setup, IBM Db2U installation, and SGKLM deployment using Helm charts. Finally, it includes verification steps to ensure proper installation and access to the SGKLM application.
Contributed by Tamilselvam R (tamilselvam.ramalingam@ibm.com)