Introduction
IBM Spectrum Fusion (referred to as ISF hereafter) is a factory-integrated hyper-converged infrastructure appliance with a world-class storage solution provided by IBM. It is a simple turn-key, enterprise-grade solution for deploying Red Hat OpenShift and a hybrid cloud data platform. For information on IBM Spectrum Fusion, visit https://www.ibm.com/docs/en/spectrum-fusion/2.1
IBM Cloud Pak® for Security is an open security platform that connects to your existing data sources to generate deeper insights and enables you to act faster with automation. Learn more about IBM Cloud Pak for Security at https://www.ibm.com/docs/en/cloud-paks/cp-security
In this article we'll see how to integrate these two capabilities in a few minutes by demonstrating a Cloud Pak for Security deployment on IBM Spectrum Fusion. For detailed steps, see https://www.ibm.com/docs/en/cloud-paks/cp-security/1.8?topic=security-installing-cloud-pak-181
Prerequisites
Refer to page for details.
Access to the OpenShift console
You can navigate to the OpenShift console from the IBM Spectrum Fusion dashboard as shown in Figure 1.
Figure 1
OpenShift cluster administrator username and password
When you completed the OpenShift installation (referred to as stage 2 of the installation), you would have downloaded the kubeadmin password, unless an alternate identity provider has already been set up for the ISF cluster. It is recommended to set up an identity provider rather than use the kubeadmin user.
The Fully Qualified Domain (FQDN) chosen for the Cloud Pak for Security application
Optionally, choose an FQDN for the Cloud Pak for Security application. For example
cp4s-console.apps.isf-rackf.mydomain.com
where isf-rackf.mydomain.com is the cluster subdomain.
If not specified, it is derived from the OCP cluster subdomain by default.
Openssl tool
Install the openssl utility to create a CA for Cloud Pak for Security if a custom FQDN is specified or a custom certificate needs to be generated.
Certificate Authority (CA) certificate, if required for the Cloud Pak for Security application domain
This is an optional step.
- The command prompts for the Distinguished Name fields; for the Common Name, provide the Cloud Pak for Security FQDN you chose.
openssl req -newkey rsa:2048 -x509 -sha256 -days 3650 -nodes -out certificate.crt -keyout private.key
Generating a RSA private key
..+++++
.........................................+++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:ABC
Locality Name (eg, city) [Default City]:GGN
Organization Name (eg, company) [Default Company Ltd]:IBM
Organizational Unit Name (eg, section) []:Storage
Common Name (eg, your name or your server's hostname) []:cp4s-console.apps.isf-rackf.mydomain.com
Email Address []:xxxxxxx@in.ibm.com
- Copy the certificate to use as the CA bundle:
cp certificate.crt ca_bundle.crt
- Inspect the generated certificate:
openssl x509 -in certificate.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2a:1b:a8:66:cd:e1:fc:8d:41:57:2a:12:02:00:e6:89:db:bb:c2:db
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IN, ST = Haryana, L = GGN, O = IBM, OU = Storage, CN = cp4s-console.apps.isf-rackf.mydomain.com, emailAddress = anshugarg@in.ibm.com
Validity
Not Before: Nov 16 10:00:05 2021 GMT
Not After : Nov 14 10:00:05 2031 GMT
Subject: C = IN, ST = Haryana, L = GGN, O = IBM, OU = Storage, CN = cp4s-console.apps.isf-rackf.mydomain.com, emailAddress = anshugarg@in.ibm.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4B:C2:EA:BA:6C:CE:D4:0F:4D:CC:C6:0F:DA:6E:99:5B:25:FB:12:A8
X509v3 Authority Key Identifier:
keyid:4B:C2:EA:BA:6C:CE:D4:0F:4D:CC:C6:0F:DA:6E:99:5B:25:FB:12:A8
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
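The same CA certificate can be produced without the interactive prompts and checked before it is handed to the deployment. This is an added example, not code from the original article; it assumes openssl 1.1.1 or later (for -addext) is on PATH and reuses the article's sample DN values and FQDN.

```shell
#!/bin/sh
# Added example, not part of the original article: create the self-signed CA
# certificate for the Cloud Pak for Security FQDN without the interactive prompts,
# then verify it before handing it to the deployment. Assumes openssl (1.1.1 or
# later, for -addext) is on PATH; DN values are the article's sample values.

CP4S_FQDN="cp4s-console.apps.isf-rackf.mydomain.com"   # FQDN chosen for the console

# gen_cp4s_ca <outdir> <fqdn>: writes private.key, certificate.crt and ca_bundle.crt
gen_cp4s_ca() {
    outdir="$1"; fqdn="$2"
    mkdir -p "$outdir"
    # -subj replaces the DN prompts; -addext adds a SAN, since browsers match the
    # hostname against the SAN and ignore the CN. -nodes leaves the key unencrypted,
    # so restrict its permissions immediately.
    openssl req -newkey rsa:2048 -x509 -sha256 -days 3650 -nodes \
        -subj "/C=IN/ST=ABC/L=GGN/O=IBM/OU=Storage/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" \
        -out "$outdir/certificate.crt" -keyout "$outdir/private.key" 2>/dev/null
    chmod 600 "$outdir/private.key"
    cp "$outdir/certificate.crt" "$outdir/ca_bundle.crt"
}

# check_cp4s_ca <cert> <key> <fqdn>: returns 0 only if the certificate is a CA,
# its SAN covers the FQDN, it verifies against itself, and the key matches it.
check_cp4s_ca() {
    cert="$1"; key="$2"; fqdn="$3"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -qF 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -qF "DNS:$fqdn" || return 1
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
    # compare public keys so a mismatched key/cert pair is caught before deployment
    k1=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    k2=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k1" ] && [ "$k1" = "$k2" ]
}

# Usage: gen_cp4s_ca ./cp4s-ca "$CP4S_FQDN" && \
#        check_cp4s_ca ./cp4s-ca/certificate.crt ./cp4s-ca/private.key "$CP4S_FQDN"
```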
The persistent storage and storage class to be used.
Being an HCI solution, ISF comes with storage classes already set up and ready to use.
Figure 2
Use the ibm-spectrum-scale-sample storage class.
Obtain the IBM Entitled Registry key
You must have an entitlement key for the IBM Entitled Registry to install Cloud Pak for Security. Obtain it from the MyIBM Container Software Library.
Identity provider configured for OCP cluster
An identity provider must be configured on the OCP cluster before deploying Cloud Pak for Security. See the steps at https://docs.openshift.com/container-platform/4.7/authentication/identity_providers/configuring-ldap-identity-provider.html.
Optionally, complete this step as a post-installation task.
Select Cloud Pak for Security admin user
For example, cp4sadmin. The user must be present in the identity provider you have configured with the ISF OCP cluster.
Install IBM Cloud Pak for Security
Detailed steps are available at https://www.ibm.com/docs/en/cloud-paks/cp-security/1.8?topic=icps1-installing-cloud-pak-security-by-using-openshift-web-console
Create project
Figure 3
Create an ibm-entitlement-key secret
Create an ibm-entitlement-key secret for the IBM Entitled Registry in the namespace that you created above.
Figure 4
Create an ibm-isc-pull-secret secret
Create an ibm-isc-pull-secret secret for the IBM Entitled Registry in the namespace that you created above.
Figure 5
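Both pull secrets can also be created from the CLI. The following is an added example, not the article's own steps; it assumes the entitlement key is stored in a file, that the registry is cp.icr.io with user "cp" (IBM's published entitled-registry convention, to be verified against the IBM docs), and that the project namespace already exists. Reading the key from a file keeps it out of the process list and shell history.

```shell
#!/bin/sh
# Added example, not from the original article: create the ibm-entitlement-key and
# ibm-isc-pull-secret secrets via the CLI. Assumptions: registry cp.icr.io with user
# "cp" (IBM entitled-registry convention), key stored in a file, namespace exists.

REGISTRY="cp.icr.io"
REG_USER="cp"

# make_dockerconfig <keyfile>: prints a .dockerconfigjson document for the registry.
# The "auth" field is base64("user:key"), which is what the kubelet uses to pull.
# Entitlement keys are JWT-style tokens, so no JSON escaping is needed.
make_dockerconfig() {
    key=$(tr -d '\n' < "$1")
    auth=$(printf '%s:%s' "$REG_USER" "$key" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}\n' \
        "$REGISTRY" "$REG_USER" "$key" "$auth"
}

# create_pull_secrets <namespace> <keyfile>: writes the config to a 0600 temp file
# and creates both secrets from it, so the key never appears as a command argument.
create_pull_secrets() {
    ns="$1"; keyfile="$2"
    tmp=$(mktemp) && chmod 600 "$tmp"
    make_dockerconfig "$keyfile" > "$tmp"
    for name in ibm-entitlement-key ibm-isc-pull-secret; do
        oc create secret generic "$name" -n "$ns" \
            --type=kubernetes.io/dockerconfigjson \
            --from-file=.dockerconfigjson="$tmp"
    done
    rm -f "$tmp"
}

# Usage: create_pull_secrets <your-namespace> ./entitlement.key
```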
Install the IBM Operator Catalog Source
Out of the box, ISF comes with the IBM Operator catalog source enabled.
Figure 6
Install the Cloud Pak for Security Operator
Navigate to Operators->OperatorHub in OCP console and search for "Cloud Pak for Security"
Figure 7
Click the tile shown in Figure 7 and click Install at the top of the page that opens.
This brings you to the Operator Installation page, where you:
- select the latest Update Channel available
- select A specific namespace on the cluster for Installation mode
- use the operator-recommended namespace for Installed Namespace
- select Automatic for Update approval
It takes a couple of minutes to install the operator.
It also deploys prerequisite operators such as IBM Cloud Pak foundational services. Figure 8 shows the successfully installed operator.
Figure 8
Install Cloud Pak for Security Threat Management
- Go to and ensure that the Project is set to the namespace that you created.
- In the list of installed operators, click IBM Cloud Pak for Security.
- On the Details tab, click Create instance.
- Review the license agreement and accept the license.
- Expand the Basic Deployment Configuration section and set the Admin User.
The other parameters in the Basic Deployment Configuration section are optional.
- Expand the Optional Threat Management Capabilities section and select which capabilities you don't want to deploy.
- Expand the Extended Deployment Configuration section and set any of the optional parameters.
- Click Create to start installation.
Figure 9
Provide inputs as shown
Figure 10
Figure 11
Figure 12
Monitor Installed Operators -> IBM Cloud Pak for Security -> Threat Management -> threatmgmt instance Status as shown in Figure 13.
Figure 13
It takes approximately 90-100 minutes to install Cloud Pak for Security.
Post Installation tasks
Refer here for elaborate steps.
Configure LDAP
An identity provider must be configured to be able to log in to the Cloud Pak for Security console. For this article we are going to use OpenLDAP. See the steps to set up OpenLDAP here. The working steps are as follows:
# Copy the cpctl tool out of the serviceability pod and install it locally
POD=$(oc get pod --no-headers -lrun=cp-serviceability | cut -d' ' -f1)
oc cp $POD:/opt/bin/linux/cpctl ./cpctl && chmod +x ./cpctl
install -vm 0755 -o root ./cpctl /usr/local/bin/cpctl
cpctl load
# Deploy OpenLDAP; --token takes your own OpenShift session token (as printed by oc whoami -t), not a value copied from this article
cpctl tools deploy_openldap --token "$(oc whoami -t)" --operation install --ldap_usernames cp4sadmin --ldap_password cp4sadmin
Here, ensure ldap_usernames is the same user you specified at the time of the Cloud Pak for Security deployment.
Once the above steps are executed, you will see the user cp4sadmin (or the user you specified as the CP4S user) in OpenShift, as shown in Figure 14.
First time login
Now you are ready to access the Cloud Pak for Security console. You can find it from the OCP console as shown in Figure 15.
Figure 15
Open the highlighted URL in a browser to access the Cloud Pak for Security console and use "Enterprise LDAP" as the authentication type.
Figure 16
Log in using the cp4s user you added, with its password as set in your LDAP.
Figure 17
Now you can continue with the remaining post-installation tasks, starting with user access, roles and permissions.
For more information, refer to https://www.ibm.com/docs/en/cloud-paks/cp-security/1.8?topic=planning-storage-requirements