Cloud Pak for Security


CP4S installation parameters question

  • 1.  CP4S installation parameters question

    Posted Wed October 21, 2020 07:04 AM
    Hello.
    Could you please explain in more detail (than in the documentation) the following things mentioned here (Configuration parameters) for Cloud Pak for Security?
     
    1) cp4sapplicationDomain
    2) cp4scustomcaFilepath
    3) cp4sdomainCertificatePath
    4) cp4sdomainCertificatePath
    5) cp4sdomainCertificateKeyPath
    6) adminUserId - do we need to write it here with domain or without it? domain\user1 or just user1
     
    I will explain what we have: OpenShift, and a PC from which we manage OpenShift; Bind (DNS server) and HAProxy are also deployed (in Docker containers) on this PC. We will use our corporate Active Directory for authentication in the Cloud Pak web console. Where should we take the above-mentioned certificates from? And which certificates are meant there?
     
    Best regards,
    Igor.


    ------------------------------
    Igor Volkov
    ------------------------------


  • 2.  RE: CP4S installation parameters question

    IBM Champion
    Posted Wed October 21, 2020 08:03 AM
    Edited by Pascal Weber Wed October 21, 2020 01:00 PM
    Hello Igor,

    Here is my understanding, shared as feedback.

    For the adminUserId, I used the user I created with admin privileges during the OpenShift installation by applying the `oauth-htpasswd.yaml` file to the cluster
    (`ocp4-metal-install/manifest/oauth-htpasswd.yaml`, then `oc adm policy add-cluster-role-to-user cluster-admin admin`).
    So check in the web interface, under User Management, that your user has the role bindings admin and cluster-admin.

    As mentioned in a previous post, all this information is required in the file: inventory/installProduct/files/values.conf

    • cp4sapplicationDomain -> Fully Qualified Domain Name (FQDN) created for the IBM Cloud Pak for Security application
    • cp4sdomainCertificatePath -> Location of the TLS cert associated with the IBM Cloud Pak for Security application domain
    • cp4sdomainCertificateKeyPath -> Location of the TLS key associated with the IBM Cloud Pak for Security application domain
    • cp4scustomcaFilepath -> Location of the custom TLS certificate associated with the IBM Cloud Pak for Security application domain. Only required if using custom or self-signed certificate

    A Fully Qualified Domain Name (FQDN) must be created for CP4S. It must not be the same as the Red Hat OpenShift Container Platform (RHOCP) cluster FQDN, the IBM Cloud Platform Common Services FQDN, or any other FQDN associated with the RHOCP cluster.

    The application FQDN must point to the RHOCP cluster public IP address or hostname.
    It has to be resolved too.

    For the certificates, I don't know if you generated them with your own PKI (I myself tried using my own lab Red Hat Identity Manager to handle these certificates with my own CA), to get the right files:

    • .cert
    • .key
    • and my CA.pem.

    If your OpenShift is deployed with IBM OpenShift Cloud, you can use the procedure mentioned here: https://www.ibm.com/support/knowledgecenter/en/SSTDPP_1.4.0/platform/docs/security-pak/tls_certs.html

    Hope this helps,
    Regards 
    zoldax



    ------------------------------
    @zoldax

    https://www.youracclaim.com/users/pascal-weber.029e134d/badges
    ------------------------------
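
A pre-flight check for the certificate, key, custom CA and application FQDN discussed in this thread, as an added example that is not part of the original posts or of IBM's installer. The function names and the `example.test` hostnames are hypothetical, the lab CA is constructed on the spot, and the OpenSSL CLI is assumed to be installed.

```shell
#!/bin/sh
# Checks on the files named by cp4sdomainCertificatePath,
# cp4sdomainCertificateKeyPath and cp4scustomcaFilepath before installing.
# Function names are hypothetical; the OpenSSL CLI is assumed.

# Certificate and private key must hold the same public key.
cert_matches_key() {  # $1 = certificate, $2 = key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Certificate must chain to the custom CA (private PKI or self-signed case).
cert_chains_to_ca() {  # $1 = CA file, $2 = certificate
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Certificate names (SAN, else CN) must cover the application FQDN.
cert_covers_fqdn() {  # $1 = certificate, $2 = FQDN
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match'
}

# Application FQDN must differ from the cluster FQDN (case-insensitive).
fqdn_is_distinct() {  # $1 = application FQDN, $2 = cluster FQDN
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$a" ] && [ "$a" != "$b" ]
}

# Constructed lab CA and leaf certificate so the checks can be tried offline.
make_constructed_sample() {  # $1 = empty directory, $2 = FQDN
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
          -subj "/CN=Constructed Lab CA" -days 2 &&
      openssl req -newkey rsa:2048 -nodes -keyout app.key -out app.csr \
          -subj "/CN=$2" &&
      printf 'subjectAltName=DNS:%s\n' "$2" > san.ext &&
      openssl x509 -req -in app.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -out app.cert -days 2 -extfile san.ext
    ) >/dev/null 2>&1
}
```

Call each function with the paths and names you intend to put in values.conf; a non-zero exit status identifies the check that failed.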