
Deploying Cloud Pak for Security 1.8 on IBM Spectrum Fusion 2.1

By ANSHU Garg posted Tue November 30, 2021 06:39 AM

  
Introduction

IBM Spectrum Fusion (referred to as ISF hereafter) is a factory-integrated hyperconverged infrastructure appliance with a world-class storage solution provided by IBM. It is a simple, turnkey, enterprise-grade solution for deploying Red Hat OpenShift and a hybrid cloud data platform.

For information on IBM Spectrum Fusion, visit https://www.ibm.com/docs/en/spectrum-fusion/2.1

IBM Cloud Pak® for Security is an open security platform that connects to your existing data sources to generate deeper insights and enables you to act faster with automation.

Learn more about IBM Cloud Pak for Security here: https://www.ibm.com/docs/en/cloud-paks/cp-security

In this article we will see how to integrate these two capabilities in a few minutes by demonstrating a Cloud Pak for Security deployment on IBM Spectrum Fusion. For detailed steps, see https://www.ibm.com/docs/en/cloud-paks/cp-security/1.8?topic=security-installing-cloud-pak-181

Prerequisites 

Refer to the documentation for details.

Access to OpenShift console


You can navigate to the OpenShift console from the IBM Spectrum Fusion dashboard, as shown in Figure 1.

[Figure 1: ISF dashboard]

OpenShift cluster administrator username and password

When you completed the OpenShift installation (referred to as stage 2 of installation), you would have downloaded the kubeadmin password, unless an alternate identity provider has been set up for the ISF cluster. It is recommended to set up an identity provider and not use the kubeadmin user.

The Fully Qualified Domain Name (FQDN) chosen for the Cloud Pak for Security application

Optionally, choose an FQDN for the Cloud Pak for Security application. For example:

cp4s-console.apps.isf-rackf.mydomain.com

where isf-rackf.mydomain.com is the cluster subdomain.

If not specified, the FQDN is derived by default from the OCP cluster subdomain.

OpenSSL tool

Install the openssl utility to create a CA for Cloud Pak for Security if a custom FQDN is specified or a custom certificate needs to be generated.

Certificate Authority (CA), if required for the Cloud Pak for Security application domain

This is an optional step.

- Generate a self-signed certificate and private key. The command asks for the Cloud Pak for Security FQDN; provide the FQDN you chose as the Common Name.

openssl req -newkey rsa:2048 -x509 -sha256 -days 3650 -nodes -out certificate.crt -keyout private.key
Generating a RSA private key
..+++++
.........................................+++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:ABC
Locality Name (eg, city) [Default City]:GGN
Organization Name (eg, company) [Default Company Ltd]:IBM
Organizational Unit Name (eg, section) []:Storage
Common Name (eg, your name or your server's hostname) []:cp4s-console.apps.isf-rackf.mydomain.com
Email Address []:xxxxxxx@in.ibm.com

- Copy the certificate to use it as the CA bundle:

cp certificate.crt ca_bundle.crt

- Verify the generated certificate:

openssl x509 -in certificate.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2a:1b:a8:66:cd:e1:fc:8d:41:57:2a:12:02:00:e6:89:db:bb:c2:db
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IN, ST = Haryana, L = GGN, O = IBM, OU = Storage, CN = cp4s-console.apps.isf-rackf.mydomain.com, emailAddress = anshugarg@in.ibm.com
Validity
Not Before: Nov 16 10:00:05 2021 GMT
Not After : Nov 14 10:00:05 2031 GMT
Subject: C = IN, ST = Haryana, L = GGN, O = IBM, OU = Storage, CN = cp4s-console.apps.isf-rackf.mydomain.com, emailAddress = anshugarg@in.ibm.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4B:C2:EA:BA:6C:CE:D4:0F:4D:CC:C6:0F:DA:6E:99:5B:25:FB:12:A8
X509v3 Authority Key Identifier:
keyid:4B:C2:EA:BA:6C:CE:D4:0F:4D:CC:C6:0F:DA:6E:99:5B:25:FB:12:A8

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
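The certificate step above, as an added example that is not code from the original article or from IBM: a shell script that generates the same kind of self-signed certificate non-interactively for the chosen FQDN (also placing the FQDN in a subjectAltName, which modern TLS clients require for hostname matching), copies it as ca_bundle.crt the way the article does, and then checks that the certificate verifies against that bundle, is valid for the FQDN, and is not about to expire. It assumes OpenSSL 1.1.1 or later for the -addext option; the function names and output directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article or from IBM.
# Non-interactive form of the openssl step above, plus checks that the
# certificate really carries the chosen Cloud Pak for Security FQDN.
# Assumes OpenSSL 1.1.1 or later (for -addext). Function names are my own.
set -eu

# gen_cp4s_cert FQDN OUTDIR
# Writes OUTDIR/private.key, OUTDIR/certificate.crt and OUTDIR/ca_bundle.crt.
# The FQDN goes into both the CN and a subjectAltName: browsers and most
# TLS clients match the hostname against the SAN, not the CN.
gen_cp4s_cert() {
  fqdn="$1"; out="$2"
  mkdir -p "$out"
  openssl req -newkey rsa:2048 -x509 -sha256 -days 3650 -nodes \
    -subj "/C=IN/O=IBM/OU=Storage/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" \
    -out "$out/certificate.crt" -keyout "$out/private.key" 2>/dev/null
  # Same as the article: the self-signed certificate doubles as the CA bundle.
  cp "$out/certificate.crt" "$out/ca_bundle.crt"
}

# check_cp4s_cert CERT CA_BUNDLE FQDN
# Prints "ok" when the files are consistent, otherwise the reason (exit 1).
check_cp4s_cert() {
  cert="$1"; bundle="$2"; fqdn="$3"
  # 1. The certificate must verify against the bundle handed to the installer.
  openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not verify against $bundle"; return 1; }
  # 2. It must be valid for the chosen FQDN (SAN first, CN as fallback).
  openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null \
    | grep -q 'does match' \
    || { echo "certificate is not valid for host $fqdn"; return 1; }
  # 3. It must not expire within the next 30 days (2592000 seconds).
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
    || { echo "certificate expires within 30 days"; return 1; }
  echo ok
}

# Stand-alone usage: sh cp4s_cert.sh cp4s-console.apps.isf-rackf.mydomain.com ./certs
if [ -n "${1:-}" ]; then
  gen_cp4s_cert "$1" "${2:-.}"
  check_cp4s_cert "${2:-.}/certificate.crt" "${2:-.}/ca_bundle.crt" "$1"
fi
```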


The persistent storage and storage class to be used.

Being an HCI solution, ISF comes with storage classes already set up and ready to be used.

[Figure 2: Storage class]

Use the ibm-spectrum-scale-sample storage class.

Obtain the IBM Entitled Registry key

You must have an entitlement key for the IBM Entitled Registry to install Cloud Pak for Security. Obtain it from the MyIBM Container Software Library.

Identity provider configured for OCP cluster

An identity provider must be configured for the OCP cluster before deploying Cloud Pak for Security. See the steps here: https://docs.openshift.com/container-platform/4.7/authentication/identity_providers/configuring-ldap-identity-provider.html.

Optionally, complete this step as a post-installation task.

Select Cloud Pak for Security admin user


For example, cp4sadmin. The user must be present in the identity provider you have configured with the ISF OCP cluster.

Install IBM Cloud Pak for Security

Detailed steps are available at https://www.ibm.com/docs/en/cloud-paks/cp-security/1.8?topic=icps1-installing-cloud-pak-security-by-using-openshift-web-console

Create project

[Figure 3: Project]

Create an ibm-entitlement-key secret

Create an ibm-entitlement-key secret for the IBM Entitled Registry in the namespace that you created above.

[Figure 4: Entitlement secret]

Create an ibm-isc-pull-secret secret

Create an ibm-isc-pull-secret secret for the IBM Entitled Registry in the namespace that you created above.

[Figure 5: isc secret]

Install the IBM Operator Catalog Source

Out of the box, ISF comes with the IBM Operator Catalog Source enabled.

[Figure 6: IBM operators]

Install the Cloud Pak for Security Operator

Navigate to Operators -> OperatorHub in the OCP console and search for "Cloud Pak for Security".

[Figure 7: Cloud Pak for Security operator]


Click the tile shown in Figure 7, then click Install at the top of the page that opens.

This brings you to the Operator Installation page, where you:

- select the latest Update Channel available
- select "A specific namespace on the cluster" for Installation mode
- use the operator-recommended namespace for Installed Namespace
- select Automatic for Update approval

It takes a couple of minutes to install the operator.

It also deploys prerequisite operators such as IBM Cloud Pak foundational services. Figure 8 shows the successfully installed operator.

[Figure 8: CP4S operator installed]

Install Cloud Pak for Security Threat Management

  1. Go to Operators > Installed Operators and ensure that the Project is set to the namespace that you created.
  2. In the list of installed operators, click IBM Cloud Pak for Security.
  3. On the Details tab, click Create instance.
  4. Review the license agreement and accept the license.
  5. Expand the Basic Deployment Configuration section and set the Admin User.
    The other parameters in the Basic Deployment Configuration section are optional.
  6. Expand the Optional Threat Management Capabilities section and select which capabilities you don't want to deploy.
  7. Expand the Extended Deployment Configuration section and set any of the optional parameters.
  8. Click Create to start installation.

[Figure 9: Threat Management install]

Provide inputs as shown in Figures 10 to 12.

[Figure 10: Basic]

[Figure 11: threat-ip-optional]

[Figure 12: Threat-ip-extended]


Monitor the Status of the threatmgmt instance under Installed Operators -> IBM Cloud Pak for Security -> Threat Management, as shown in Figure 13.

[Figure 13: Threat Management status]

It will take approximately 90-100 minutes to install Cloud Pak for Security.


Post Installation tasks

Refer to the documentation for detailed steps.

Configure LDAP

An identity provider must be configured to be able to log in to the Cloud Pak for Security console. For this article we are going to use OpenLDAP. See the steps to set up OpenLDAP here. The working steps are as follows:

# Locate the cp-serviceability pod and copy the cpctl tool out of it
POD=$(oc get pod --no-headers -lrun=cp-serviceability | cut -d' ' -f1)

oc cp $POD:/opt/bin/linux/cpctl ./cpctl && chmod +x ./cpctl

# Install cpctl system-wide (requires root)
install -vm 0755 -o root ./cpctl /usr/local/bin/cpctl

cpctl load

# --token is your OCP login token (shown by: oc whoami -t); the token pasted in the article is replaced with a placeholder here
cpctl tools deploy_openldap --token <OCP_LOGIN_TOKEN> --operation install --ldap_usernames cp4sadmin --ldap_password cp4sadmin


Ensure that ldap_usernames is the same user you specified at the time of Cloud Pak for Security deployment.

Once the above steps are executed, you will see the user cp4sadmin (or the user you specified as the CP4S admin user) in OpenShift, as shown in Figure 14.

[Figure 14: User in OCP]


First time login

Now you are ready to access the Cloud Pak for Security console. You can find it from the OCP console as shown in Figure 15.

[Figure 15: CP4S console]

Open the highlighted URL in a browser to access the Cloud Pak for Security console and use "Enterprise LDAP" as the authentication type.

[Figure 16: CP4S authentication type]

Log in using the cp4s user you added, with its password as set in your LDAP.

[Figure 17: CP4S login]

Now you can continue with the remaining post-installation tasks, starting with user access, roles and permissions.

For more information, see https://www.ibm.com/docs/en/cloud-paks/cp-security/1.8?topic=planning-storage-requirements