Pre-installation tasks

A checklist of required information for a successful installation.

Introduction

This checklist will help you to gather all the needed information that is required for a successful installation. You need to provide the values during the installation process.

Attention: This checklist is only to be considered complete if you do not deviate from the defaults. For some deviations from the default you will probably need other or more pieces of information.

Obtaining installation files

To obtain files required for installation of IBM Financial Services Workbench go to Passport Advantage Online . Search for Financial Services Workbench for Cloud Pak for Data and download the presented file. This file contains all container images and accompanying resource files needed for installation on OpenShift 4.3.

Checklist

OpenShift

  • external_address_image_registry The external address of the internal docker registry. If the OpenShift image registry is used, this address can be found via the route image-registry in namespace openshift-image-registry .

  • host_domain The external hostname for the OpenShift cluster, which will be used as a base path for serving components, e.g. apps.openshift-cluster.mydomain.cloud

  • A valid docker-image-secret ( .dockercfg ) that is able to read the internal OpenShift docker registry in the cpd namespace. For example, find the secret of typ kubernetes.io/dockercfg with suffix builder-dockercfg in the cpd namespace.

CPD installation

  • cpd_namespace The name of the namespace, where cpd is installed, commonly zen

  • helm-tls-ca-cert The filename of the helm tls ca certificate, which was created by the cpd installation, e.g. /path/to/my/ca.cert.pem

  • helm-tls-cert The filename of the helm tls certificate, which was created by the cpd installation, e.g. /path/to/my/helm.cert.pem

  • helm-tls-key The filename of the helm tls key, which was created by the cpd installation, e.g. path/to/my/helm.key.pem

Identity Management

The installation of IBM Financial Services Workbench will automatically create security realms in Keycloak. In order to do that, please provide credentials for a Keycloak administrative account with privileges to create and configure Keycloak realms. The automatic configuration can be disabled to set up the realms manually (compare Create the OAuth2 secret).

Attention: If you want to use the same realm by multiple components such as Solution Designer, Hub and Envoy, then you must create the realm manually and set up the roles manually.

  • identity_provider_host The hostname including the protocol for the identity provider (Keycloak), e.g. https://identity.apps.openshift-cluster.mydomain.cloud

  • global.identity.adminUser A username of a keycloak admin, e.g. admin

  • global.identity.adminPassword A password of a keycloak admin, e.g. secret123

  • The complete certificate chain of identity server, e.g. 
    -----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Mongo Database

  • global.mongodb.designer.connectionString A mongo database connection string, that will be used for the Solution Designer, e.g. mongodb://admin:password@mongodb.foundation.svc.cluster.local:27017/admin?ssl=false

  • global.mongodb.solutions.connectionString A mongo database connection string, that will be used for the Solution Envoy, e.g. mongodb://admin:password@mongodb.foundation.svc.cluster.local:27017/admin?ssl=false

  • certificate chain Optionally the certificate chain for accessing the database over SSL, , e.g. 
    -----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Apache Kafka

Note: In order to be able to provision for Kafka topics, please provide credentials for a Kafka administrative account with the privileges: CREATE TOPIC, READ TOPIC, WRITE TOPIC.

  • global.messagehub.brokersSasl A kafka or strimzi bootstrap adress, that will be used for bootstrapping the messaging server, e.g. ["kafka-cluster-kafka-bootstrap.foundation.svc.cluster.local:9093"]

  • global.messagehub.user A kafka or strimzi user, that will be used for accessing the messaging server, e.g. kafka-user

  • global.messagehub.password A kafka or strimzi password of the user, that will be used for accessing the messaging server, e.g. secret123

  • global.messagehub.saslMechanism The authentication mechanism for the usage with kafka / strimzi, e.g. SCRAM-SHA-512

  • global.messagehub.saslJaasConfigLoginModule The login module for the authentication mechanism for the usage with kafka / strimzi, e.g. org.apache.kafka.common.security.scram.ScramLoginModule

  • certificate chain Optionally the certificate chain for accessing the kafka over SSL,, e.g. 
    -----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Clock Synchronization

The IBM Financial Services Workbench requires that you synchronize the clocks on each node in the cluster. The clocks must be within one second of each other. It is recommended that you use chrony to synchronize your clocks. For more information about setting up chrony, see the user documentation for your operating system.

Certificates

It is recommended NOT to use self-signed certificates. As a feasible solution it might be sufficient to use certificates that are signed by Let’s encrypt.