Pre-installation tasks

A checklist of required information for a successful installation.

Introduction

This checklist will help you to gather all the information that is needed for a successful installation. You need to provide the values during the installation process.

Attention: This checklist is only to be considered complete if you do not deviate from the defaults. For some deviations from the default you will probably need other or more pieces of information.

Obtain the installation package

To obtain files required for upgrading IBM Financial Services Workbench:

  • Go to Passport Advantage Online.
  • Search for Financial Services Workbench for Cloud Pak for Data
  • Download the presented file, e.g. ssob-2.4.0-ibm-openshift-4.3-cpd-installations.tgz. This file contains all container images and accompanying resource files needed for installation on OpenShift 4.3.
Unpack the installation file on the computer from which the installation commands are to be executed: 
$ INSTALLDIR=~/install/
$ mkdir ${INSTALLDIR}
$ cd ${INSTALLDIR}
$ tar xzvf ssob-2.4.0-ibm-openshift-4.3-cpd-installations.tgz     
$ mv ssob-2.4.0-ibm-openshift-4.3-cpd-installations ssob_2.4.0      
$ cd ${INSTALLDIR}/ssob_2.4.0
Important: Make sure that the configuration files in the ssob-install/deployments/configs folder that will contain the customized parameters for this installation are still accessible after installation when upgrading to a newer version (see Installing an Upgrade or Hotfix).

Checklist

OpenShift

  • external_address_image_registry The external address of the internal docker registry. If the OpenShift image registry is used, this address can be found via the route image-registry in namespace openshift-image-registry .

  • host_domain The external hostname for the OpenShift cluster, which will be used as a base path for serving components, e.g. apps.openshift-cluster.mydomain.cloud

  • A valid docker-image-secret ( .dockercfg ) that is able to read the internal OpenShift docker registry in the cpd namespace. For example, find the secret of typ kubernetes.io/dockercfg with suffix builder-dockercfg in the cpd namespace.

Cloud Pak for Data (CPD) installation

  • cpd_namespace The name of the namespace, where CPD is installed, commonly zen

  • helm-tls-ca-cert The filename of the Helm TLS CA certificate, which was created by the CPD installation, e.g. /path/to/my/ca.cert.pem

  • helm-tls-cert The filename of the Helm TLS certificate, which was created by the CPD installation, e.g. /path/to/my/helm.cert.pem

  • helm-tls-key The filename of the Helm TLS key, which was created by the CPD installation, e.g. path/to/my/helm.key.pem

Identity Management

The installation of IBM Financial Services Workbench will automatically create security realms in Keycloak. In order to do that, please provide credentials for a Keycloak administrative account with privileges to create and configure Keycloak realms. The automatic configuration can be disabled to set up the realms manually (compare Create the OAuth2 secret).

Attention: If you want to use the same realm by multiple components such as Solution Designer, Hub and Envoy, then you must create the realm manually and set up the roles manually.

  • identity_provider_host The hostname including the protocol for the identity provider (Keycloak), e.g. https://identity.apps.openshift-cluster.mydomain.cloud

  • global.identity.adminUser A username of a keycloak admin, e.g. admin

  • global.identity.adminPassword A password of a keycloak admin, e.g. secret123

  • The complete certificate chain of identity server, e.g. 
    -----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Mongo Database

  • global.mongodb.designer.connectionString A mongo database connection string, that will be used for the Solution Designer, e.g. mongodb://admin:password@mongodb.foundation.svc.cluster.local:27017/admin?ssl=false

  • global.mongodb.solutions.connectionString A mongo database connection string, that will be used for the Solution Envoy, e.g. mongodb://admin:password@mongodb.foundation.svc.cluster.local:27017/admin?ssl=false

  • certificate chain Optionally the certificate chain for accessing the database over SSL, , e.g. 
    -----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Apache Kafka

Note: In order to be able to provision for Kafka topics, please provide credentials for a Kafka administrative account with the privileges: CREATE TOPIC, READ TOPIC, WRITE TOPIC.

  • global.messagehub.brokersSasl A kafka or strimzi bootstrap adress, that will be used for bootstrapping the messaging server, e.g. ["kafka-cluster-kafka-bootstrap.foundation.svc.cluster.local:9093"]

  • global.messagehub.user A kafka or strimzi user, that will be used for accessing the messaging server, e.g. kafka-user

  • global.messagehub.password A kafka or strimzi password of the user, that will be used for accessing the messaging server, e.g. secret123

  • global.messagehub.saslMechanism The authentication mechanism for the usage with kafka or strimzi, e.g. SCRAM-SHA-512

  • global.messagehub.saslJaasConfigLoginModule The login module for the authentication mechanism for the usage with kafka or strimzi, e.g. org.apache.kafka.common.security.scram.ScramLoginModule

  • certificate chain Optionally the certificate chain for accessing the kafka over SSL,, e.g. 
    -----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Clock Synchronization

The IBM Financial Services Workbench requires that you synchronize the clocks on each node in the cluster. The clocks must be within one second of each other. It is recommended that you use chrony to synchronize your clocks. For more information about setting up chrony, see the user documentation for your operating system.

Certificates

It is recommended to NOT use self-signed certificates. As a feasible solution it might be sufficient to use certificates that are signed by Let’s encrypt.