Pre-installation tasks
A checklist of required information for a successful installation.
Introduction
This checklist will help you to gather all the needed information that is required for a successful installation. You need to provide the values during the installation process.
Obtaining installation files
To obtain files required for installation of IBM Financial Services Workbench go to Passport Advantage Online . Search for Financial Services Workbench for Cloud Pak for Data and download the presented file. This file contains all container images and accompanying resource files needed for installation on OpenShift 4.3.
Checklist
OpenShift
-
external_address_image_registry
The external address of the internal docker registry. If the OpenShift image registry is used, this address can be found via the routeimage-registry
in namespaceopenshift-image-registry
. -
host_domain
The external hostname for the OpenShift cluster, which will be used as a base path for serving components, e.g.apps.openshift-cluster.mydomain.cloud
-
A valid docker-image-secret (
.dockercfg
) that is able to read the internal OpenShift docker registry in the cpd namespace. For example, find the secret of typkubernetes.io/dockercfg
with suffixbuilder-dockercfg
in the cpd namespace.
-
internal_address_image_registry
The address of the internal docker registry, e.g.image-registry.openshift-image-registry.svc:5000
CPD installation
-
cpd_namespace
The name of the namespace, where cpd is installed, commonlyzen
-
helm-tls-ca-cert
The filename of the helm tls ca certificate, which was created by the cpd installation, e.g./path/to/my/ca.cert.pem
-
helm-tls-cert
The filename of the helm tls certificate, which was created by the cpd installation, e.g./path/to/my/helm.cert.pem
-
helm-tls-key
The filename of the helm tls key, which was created by the cpd installation, e.g.path/to/my/helm.key.pem
Identity Management
The installation of IBM Financial Services Workbench will automatically create security realms in Keycloak. In order to do that, please provide credentials for a Keycloak administrative account with privileges to create and configure Keycloak realms. The automatic configuration can be disabled to set up the realms manually (compare Create the OAuth2 secret).
-
identity_provider_host
The hostname including the protocol for the identity provider (Keycloak), e.g.https://identity.apps.openshift-cluster.mydomain.cloud
-
global.identity.adminUser
A username of a keycloak admin, e.g.admin
-
global.identity.adminPassword
A password of a keycloak admin, e.g.secret123
-
The complete certificate chain of identity server, e.g.
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Mongo Database
-
global.mongodb.designer.connectionString
A mongo database connection string, that will be used for the Solution Designer, e.g.mongodb://admin:password@mongodb.foundation.svc.cluster.local:27017/admin?ssl=false
-
global.mongodb.solutions.connectionString
A mongo database connection string, that will be used for the Solution Envoy, e.g.mongodb://admin:password@mongodb.foundation.svc.cluster.local:27017/admin?ssl=false
-
certificate chain
Optionally the certificate chain for accessing the database over SSL, , e.g.-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Apache Kafka
CREATE TOPIC
, READ
TOPIC
, WRITE TOPIC
.-
global.messagehub.brokersSasl
A kafka or strimzi bootstrap adress, that will be used for bootstrapping the messaging server, e.g.["kafka-cluster-kafka-bootstrap.foundation.svc.cluster.local:9093"]
-
global.messagehub.user
A kafka or strimzi user, that will be used for accessing the messaging server, e.g.kafka-user
-
global.messagehub.password
A kafka or strimzi password of the user, that will be used for accessing the messaging server, e.g.secret123
-
global.messagehub.saslMechanism
The authentication mechanism for the usage with kafka / strimzi, e.g.SCRAM-SHA-512
-
global.messagehub.saslJaasConfigLoginModule
The login module for the authentication mechanism for the usage with kafka / strimzi, e.g.org.apache.kafka.common.security.scram.ScramLoginModule
-
certificate chain
Optionally the certificate chain for accessing the kafka over SSL,, e.g.-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Clock Synchronization
The IBM Financial Services Workbench requires that you synchronize the clocks on each node in the cluster. The clocks must be within one second of each other. It is recommended that you use chrony to synchronize your clocks. For more information about setting up chrony, see the user documentation for your operating system.
Certificates
It is recommended NOT to use self-signed certificates. As a feasible solution it might be sufficient to use certificates that are signed by Let’s encrypt.