Cloud Pak for Security

  • 1.  Where to get the latest documentation about CP4S installation?

    Posted Wed April 22, 2020 09:35 AM
    Hi all,
    Where to get the latest documentation about CP4S installation?
    Is this really the latest version?
    https://www.ibm.com/support/knowledgecenter/SSTDPP_1.2.0/docs/security-pak/csinstall_online.html
    I have installed the latest version of an OpenShift 4 cluster on bare metal. All nodes are on RHCOS. There is no yum and no docker. How can I install IBM Cloud Platform Common Services on it?

    ------------------------------
    Valentyn Gostiev
    ------------------------------


  • 2.  RE: Where to get the latest documentation about CP4S installation?

    Posted Thu April 23, 2020 04:52 PM

    Hi Valentyn,

    The link as you posted is correct and it is the latest. As it says, you need to install Docker on your installer node. If you do not have one, you will need to create one (VM or physical machine) and install Docker. I recommend putting Centos on this installer node, so you can follow instructions as written. I do not believe you can install Docker on your OpenShift RHCOS nodes, which is why the documentation shows the procedure it does. 


    Once you have Docker, just follow the details in the article as written. I think you can also do these steps with your Mac or Linux desktop or laptop, but I have not tested this approach yet.


    If this is not clear, please respond to the thread and I will try to get you more details.



    ------------------------------
    David Druker
    ------------------------------



  • 3.  RE: Where to get the latest documentation about CP4S installation?

    Posted Sat April 25, 2020 04:34 AM
    Hi, David,
    Thanks for your reply!
    I was misled by the "boot node". In my OpenShift installation, the boot node was the main installation node. And installing RHCOS (without docker on it) was mandatory.
    I already installed CP4S from an external RHEL7 with docker, but I ran into a new problem.

    1. I added a user from LDAP to the CP4S group with the administrator role, but I can't log into the CP4S console. I am permanently redirected to the IBM Cloud Platform login page.
    2. And I also noticed that the isc-cases-operator pod is running but constantly restarted.

    Could using a self-signed TLS certificate for the FQDN of the CP4S application be the reason? This FQDN is not exposed on the Internet.






  • 4.  RE: Where to get the latest documentation about CP4S installation?

    Posted Mon April 27, 2020 12:22 AM

    Hi Valentyn,

    As noted in https://www.ibm.com/support/knowledgecenter/SSTDPP_1.2.0/docs/security-pak/tls_certs.html, this version of Cloud Pak for Security requires 1) a Fully Qualified Domain Name pointing to the (public) OpenShift Cluster IP address and 2) a TLS certificate signed by a well-known certificate authority.

    What actually happens at authentication is that the Cloud Pak for Security console redirects the browser to the IBM Cloud Platform Services console, a URL beginning 'icp-console...'. After authentication, the browser is redirected back to the FQDN. The FQDN does not have to be reachable from the Internet, but to get a certificate from a well-known CA, you will, in general, have to demonstrate to the CA that you control the domain which includes the FQDN.

    In practice, this means you need to secure (possibly buy) a domain from a domain registrar and secure a certificate for your Cloud Pak for Security console from that CA. You do not actually need to have the FQDN listed in DNS. (I generally do, even if the Cloud Pak for Security instance is in a private network. It does not harm anything. If your instance is reachable from the Internet, I would strongly recommend having a DNS entry.)

    You can get a free certificate from a number of places. One supplier is https://www.sslforfree.com/.

    The lack of a signed certificate is very likely causing error 1 in your note.

    The cases app issue is likely related to an Elastic pods issue. A fix for this problem is documented at https://www.ibm.com/support/knowledgecenter/SSTDPP_1.2.0/docs/security-pak/issue_elastic_pods.html



    ------------------------------
    David Druker
    ------------------------------



  • 5.  RE: Where to get the latest documentation about CP4S installation?

    Posted Mon April 27, 2020 06:35 PM
    Hi, David!
    You're right! I found the "Authentication finally failed for the administrator from ..." error in the Elastic logs, but the module is in the "Running" state and the fix does not work((( 






  • 6.  RE: Where to get the latest documentation about CP4S installation?

    Posted Tue April 28, 2020 06:35 AM
    I also found a problem in my cases-activemq pod:
    Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at com.ibm.jsse2.b.a(b.java:261)
        at com.ibm.jsse2.av.a(av.java:558)
        ... 17 common frames omitted
    10:19:22.319 [ActiveMQ BrokerService[detachedBroker] Task-6] ERROR v=unknown o.a.a.broker.TransportConnector - Could not accept connection from tcp://10.128.2.1:58462 : {}
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake






  • 7.  RE: Where to get the latest documentation about CP4S installation?

    Posted Tue April 28, 2020 09:06 AM
    I apologize for the large number of posts (
    It looks like I have a problem with the certificate (
    Can you tell me what's wrong with it?

    [core@worker-1 ~]$ curl -vvI https://cp4s.ocp.etele.com.ua/console
    *   Trying 192.168.1.148...
    * TCP_NODELAY set
    * Connected to cp4s.ocp.etele.com.ua (192.168.1.148) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, [no content] (0):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (OUT), TLS alert, unknown CA (560):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.haxx.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.

    [root@nfs ~]# openssl s_client -showcerts -servername cp4s.ocp.etele.com.ua -connect cp4s.ocp.etele.com.ua:443
    CONNECTED(00000003)
    depth=0 CN = cp4s.ocp.etele.com.ua
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = cp4s.ocp.etele.com.ua
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/CN=cp4s.ocp.etele.com.ua
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    -----BEGIN CERTIFICATE-----
    [base64 certificate body omitted]
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/CN=cp4s.ocp.etele.com.ua
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 2064 bytes and written 445 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 772693E846352FC40E6F4DADC5ACE029D8C8966CDEA57E04BF0C9500B4E65830
        Session-ID-ctx:
        Master-Key: 0B28755A7C9F0419F9EB6B2C00CE1C830957E2D841774A45D4EA28BA3C9468898AF65C6DF4E992FEC43D38EFCFA15901
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        [session ticket hex dump omitted]

        Start Time: 1588078507
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    read:errno=0
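The `openssl s_client -showcerts` output above lists only certificate 0, whose issuer (Let's Encrypt Authority X3) is an intermediate CA, not a root, and the verify result is error 21 ("unable to verify the first certificate"). That combination is the signature of a server that serves its leaf without the intermediate, so any client that does not fetch missing intermediates itself fails verification. The following Python, added here as an editor's example and not code from the thread, parses the chain summary of such `s_client` output and flags that condition; the host name and both output samples are constructed, not the original poster's real output.

```python
import re
# Constructed sample (not the thread's real output): `openssl s_client -showcerts`
# summary for a server that presents only its leaf certificate; PEM bodies omitted.
INCOMPLETE_CHAIN = """\
depth=0 CN = cp4s.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=cp4s.example.test
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
"""

# Constructed sample for the same host once the intermediate is served as well.
COMPLETE_CHAIN = """\
Certificate chain
 0 s:/CN=cp4s.example.test
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# Matches the paired " N s:<subject>" / "   i:<issuer>" lines of the chain summary.
CHAIN_RE = re.compile(r"^\s*\d+ s:(?P<subj>.*)\n\s*i:(?P<issuer>.*)$", re.MULTILINE)

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return [(m["subj"].strip(), m["issuer"].strip()) for m in CHAIN_RE.finditer(output)]

def verify_errors(output):
    """Return the set of OpenSSL verify error numbers that appear in the output."""
    return {int(n) for n in re.findall(r"verify error:num=(\d+):", output)}

def diagnose(output):
    """List chain problems found in s_client text; an empty list means the chain links up."""
    chain = parse_chain(output)
    if not chain:
        return ["no certificate chain found in output"]
    findings = []
    # Each certificate must be issued by the next one the server presents.
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            findings.append(f"chain break after {subj}: issued by {issuer}, next cert is {next_subj}")
    subj, issuer = chain[0]
    if len(chain) == 1 and subj != issuer:  # a lone self-signed cert would give error 18 instead
        findings.append(f"server sent only the leaf; intermediate '{issuer}' must be added to the served chain")
    if 21 in verify_errors(output) and len(chain) == 1:
        findings.append("verify error 21 is consistent with a missing intermediate, not a self-signed cert")
    return findings
```

Run `diagnose()` on saved `s_client` output from your own host; the usual fix when it reports a missing intermediate is to put the full chain (leaf plus intermediate) into the certificate served for the CP4S FQDN rather than the leaf alone.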