By Umesh Torawane and Nilesh Amrutkar
This is a step-by-step quick start guide to setting up IBM Security Access Manager (ISAM) on Docker, orchestrated with Kubernetes.
ISAM on docker trial - https://www.ibm.com/downloads/cas/9W5R3QE8
In a world of highly fragmented access management environments, IBM Security Access Manager helps you simplify your users' access while more securely adopting web, mobile and cloud technologies. This solution helps you strike a balance between usability and security through the use of risk-based access, single sign-on, integrated access management control, identity federation and its mobile multi-factor authentication capability, IBM Verify.
Install Docker Engine -
# yum install -y yum-utils
# yum install -y device-mapper-persistent-data lvm2
# yum-config-manager --enable rhel-7-server-extras-rpms
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# yum makecache fast
# yum -y install docker-ce
# docker --version
# systemctl start docker
# systemctl enable docker
# docker login
# docker pull store/ibmcorp/isam:9.0.6.0
# docker images
Kubernetes Installation -
# CNI_VERSION="v0.7.5"
# mkdir -p /opt/cni/bin
# curl -L "https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-amd64-${CNI_VERSION}.tgz" | tar -C /opt/cni/bin -xz
# CRICTL_VERSION="v1.11.1"
# mkdir -p /opt/bin
# curl -L "https://github.com/kubernetes-incubator/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz" | tar -C /opt/bin -xz
# RELEASE="$(curl -sSL https://dl.k8s.io/release/stable.txt)"
# cd /opt/bin
# curl -L --remote-name-all https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/amd64/{kubeadm,kubelet,kubectl}
# chmod +x {kubeadm,kubelet,kubectl}
# curl -sSL "https://raw.githubusercontent.com/kubernetes/kubernetes/${RELEASE}/build/debs/kubelet.service" | sed "s:/usr/bin:/opt/bin:g" > /etc/systemd/system/kubelet.service
# mkdir -p /etc/systemd/system/kubelet.service.d
# curl -sSL "https://raw.githubusercontent.com/kubernetes/kubernetes/${RELEASE}/build/debs/10-kubeadm.conf" | sed "s:/usr/bin:/opt/bin:g" > /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
# export PATH=$PATH:/opt/bin
# cat > /etc/docker/daemon.json <<EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ]
}
EOF
# systemctl stop firewalld
# systemctl disable firewalld
# cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
# sysctl --system
# systemctl restart docker
# systemctl daemon-reload
Initializing your master
The master is the machine where the "control plane" components run, including etcd (the cluster database) and the API server (which the kubectl CLI communicates with).
# kubeadm init
The command above may fail with an error. If it does, disable swap and then re-run the initialization:
# swapoff -a
# kubeadm init
Copy the "kubectl" config file to the home directory:
# mkdir -p $HOME/.kube
# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
# sudo chown $(id -u):$(id -g) $HOME/.kube/config
Now your Kubernetes control-plane has initialized successfully!
If you want to run the pods on the master node, one additional change is required.
By default Kubernetes does not schedule any pods on the master node (the node is tainted). The taint has to be removed first; after that, pods can be scheduled on the master node.
# kubectl taint nodes --all node-role.kubernetes.io/master-
root@fits1:/opt/bin# kubectl taint nodes --all node-role.kubernetes.io/master-
node/fits1.fyre.ibm.com untainted
root@fits1:/opt/bin# kubectl get nodes
NAME STATUS ROLES AGE VERSION
fits1.fyre.ibm.com Ready master 7m9s v1.15.3
Deploying ISAM configs (yaml) -
Secrets -
A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in an image; putting it in a Secret object allows for more control over how it is used, and reduces the risk of accidental exposure.
# kubectl create secret generic samadmin
# kubectl patch secret/samadmin -p '{"data":{"adminpw":"b2JqZWN0MDA="}}'
# kubectl create secret generic configreader
# kubectl patch secret/configreader -p '{"data":{"cfgsvcpw":"b2JqZWN0MDA="}}'
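The same two Secrets as a manifest, written here as an added example rather than the guide's own files: stringData lets kubectl do the base64 encoding, so no pre-encoded value has to be pasted into a command line or a document. The Secret and key names (samadmin/adminpw, configreader/cfgsvcpw) are the ones used above; the password values are constructed placeholders.

```yaml
# Added example, not from the original guide: the two ISAM Secrets as a manifest.
# stringData is base64-encoded by the API server on write; "data" in the
# patch commands above holds values that are already base64.
apiVersion: v1
kind: Secret
metadata:
  name: samadmin
type: Opaque
stringData:
  adminpw: "CHANGE-ME-admin-password"        # constructed placeholder
---
apiVersion: v1
kind: Secret
metadata:
  name: configreader
type: Opaque
stringData:
  cfgsvcpw: "CHANGE-ME-config-service-password"   # constructed placeholder
```

Apply with kubectl apply -f and keep in mind that base64 is encoding, not encryption: the value b2JqZWN0MDA= in the patch commands decodes to object00, so anyone allowed to read the Secret (or this guide) has the password; restrict `kubectl get secret` through RBAC and use a value of your own.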
PV and PVC -
A persistent volume (PV) is the "physical" volume on the host machine that stores your persistent data. A persistent volume claim (PVC) is a request for that storage: the platform binds (or dynamically creates) a PV to satisfy the claim, and the claim is also the handle by which you attach the PV to your pods.
# kubectl create -f pv.yaml
# kubectl get pv
root@fits1:/home/ISAM-K8S# kubectl create -f pv.yaml
persistentvolume/isamconfig created
root@fits1:/home/ISAM-K8S# kubectl get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
isamconfig 250M RWO Retain Available 7s
# kubectl create -f pvc.yaml
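An added example of what pv.yaml and pvc.yaml can look like for this single-node setup; it is not the guide's own files. The PV matches the kubectl get pv output above (isamconfig, 250M, RWO, Retain); the host path and the claim name are assumptions.

```yaml
# Added example, not the guide's pv.yaml/pvc.yaml: a static hostPath volume
# matching the output shown above, plus a claim pinned to it.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: isamconfig
spec:
  capacity:
    storage: 250M
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: ""            # explicit empty class: static binding only
  hostPath:
    path: /data/isamconfig        # assumed path; must exist on the node
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: isamconfig-claim          # assumed name; reference it from isamconfig.yaml
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: ""            # must match the PV; otherwise a default
                                  # StorageClass may be applied and the claim
                                  # never binds to this PV
  resources:
    requests:
      storage: 250M
  volumeName: isamconfig          # pin the claim to exactly this PV
```

hostPath storage lives on one node only, so this does not carry over to a multi-node cluster; the ISAM configuration volume holds keys and passwords, so keep the directory on the node readable by root only.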
# kubectl create -f isamconfig.yaml
# kubectl get services
# kubectl get pods -o wide
Access the LMI using the public IP of the node and port 30442 (the NodePort listed by kubectl get services).
In the same way deploy the runtime, reverse proxy and DSC configs -
# kubectl create -f wrpcontainer.yaml
# kubectl create -f isamruntime.yaml
# kubectl create -f dsc.yaml
# kubectl get deployment
# kubectl get services
ALL SET. Take back control of your access management with IBM Security Access Manager.
------------------------------------------------------------------------------------------------------------------------------------------
AUTHORS -
Umesh Torawane (IAM ISAM/ISDS/ISDI Technical Specialist)
Email ID – torawane.umesh@in.ibm.com
Nilesh Amrutkar (IBM ISAM/ISDS Technical Specialist)
Email ID – nilesh_amrukar@in.ibm.com
------------------------------------------------------------------------------------------------------------------------------------------