Pre-installation tasks

A checklist of required information for a successful installation.

Introduction

This checklist will help you to gather all the information that is needed for a successful installation. You need to provide the values during the installation process.

Attention: This checklist is only to be considered complete if you do not deviate from the defaults. For some deviations from the default you will probably need other or more pieces of information.

Obtain the installation package

To obtain files required for upgrading IBM Financial Services Workbench:

  • Go to Passport Advantage Online.
  • Search for Financial Services Workbench for Cloud Pak for Data
  • Download the presented file, e.g. ssob-2.7.0-ibm-openshift-4.5-cpd-installations.tgz. This file contains all container images and accompanying resource files needed for installation on OpenShift 4.5.
Unpack the installation file on the computer from which the installation commands are to be executed:
$ INSTALLDIR=~/install/
$ mkdir ${INSTALLDIR}
$ cd ${INSTALLDIR}
$ tar xzvf ssob-2.7.0-ibm-openshift-4.5-cpd-installations.tgz     
$ mv ssob-2.7.0-ibm-openshift-4.5-cpd-installations ssob_2.7.0      
$ cd ${INSTALLDIR}/ssob_2.7.0
Important: Make sure that the configuration files in the ssob-install/deployments/configs folder that will contain the customized parameters for this installation are still accessible after installation when upgrading to a newer version (see Installing an Upgrade or Hotfix).

Checklist before installation

Keep OpenShift details available

  • host_domain The external hostname for the OpenShift cluster, which will be used as a base path for serving components, e.g. apps.openshift-cluster.mydomain.cloud

  • external_address_image_registry The external address of the internal docker registry. If the OpenShift image registry is used, this address can be found via the route image-registry in namespace openshift-image-registry .

  • internal_address_image_registry The address of the internal docker registry, e.g. image-registry.openshift-image-registry.svc:5000

  • A service account is required that is able to pull images from the provided internal docker registry. If you use the internal cluster registry, you can use the Builder service account and get the Docker configuration from the Builder Secret, which is always created when you create a project.

Keep Cloud Pak for Data (CPD) installation details available

  • cpd_namespace The name of the namespace, where CPD is installed, commonly zen

  • helm-tls-ca-cert The filename of the Helm TLS CA certificate, which was created by the CPD installation, e.g. /path/to/my/ca.cert.pem

  • helm-tls-cert The filename of the Helm TLS certificate, which was created by the CPD installation, e.g. /path/to/my/helm.cert.pem

  • helm-tls-key The filename of the Helm TLS key, which was created by the CPD installation, e.g. path/to/my/helm.key.pem

Checklist before configuration

Keep Identity Management access details available

The installation of IBM Financial Services Workbench will automatically create security realms in Keycloak. In order to do that, please provide credentials for a Keycloak administrative account with privileges to create and configure Keycloak realms. The automatic configuration can be disabled to set up the realms manually (compare Create the OAuth2 secret).

Attention: If you want to use the same realm by multiple components such as Solution Designer, Hub and Envoy, then you must create the realm manually and set up the roles manually.
  • identity_provider_host The hostname including the protocol for the identity provider (Keycloak), e.g. https://identity.apps.openshift-cluster.mydomain.cloud

  • global.identity.adminUser A username of a keycloak admin, e.g. admin

  • global.identity.adminPassword A password of a keycloak admin, e.g. secret123

  • The complete certificate chain of identity server, e.g.
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

Keep Mongo Database access details available

  • global.mongodb.designer.connectionString A mongo database connection string, that will be used for the Solution Designer, e.g. mongodb://admin:password@mongodb.foundation.svc.cluster.local:27017/admin?ssl=false

  • global.mongodb.solutions.connectionString A mongo database connection string, that will be used for the Solution Envoy, e.g. mongodb://admin:password@mongodb.foundation.svc.cluster.local:27017/admin?ssl=false

  • certificate chain Optionally the certificate chain for accessing the database over SSL, , e.g.
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

Keep Apache Kafka access details available

Note: In order to be able to provision for Kafka topics, please provide credentials for a Kafka administrative account with the privileges: CREATE TOPIC, READ TOPIC, WRITE TOPIC.
  • global.messagehub.brokersSasl A kafka or strimzi bootstrap adress, that will be used for bootstrapping the messaging server, e.g. ["kafka-cluster-kafka-bootstrap.foundation.svc.cluster.local:9093"]

  • global.messagehub.user A kafka or strimzi user, that will be used for accessing the messaging server, e.g. kafka-user

  • global.messagehub.password A kafka or strimzi password of the user, that will be used for accessing the messaging server, e.g. secret123

  • global.messagehub.saslMechanism The authentication mechanism for the usage with kafka or strimzi, e.g. SCRAM-SHA-512

  • global.messagehub.saslJaasConfigLoginModule The login module for the authentication mechanism for the usage with kafka or strimzi, e.g. org.apache.kafka.common.security.scram.ScramLoginModule

  • certificate chain Optionally the certificate chain for accessing the kafka over SSL,, e.g.
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

Clock Synchronization

The IBM Financial Services Workbench requires that you synchronize the clocks on each node in the cluster. The clocks must be within one second of each other. It is recommended that you use chrony to synchronize your clocks. For more information about setting up chrony, see the user documentation for your operating system.

Certificates

It is recommended to NOT use self-signed certificates. As a feasible solution it might be sufficient to use certificates that are signed by Let’s encrypt.

Note: The line length of the certificates must comply with the standard for PEM messages, with each line containing exactly 64 printable characters except the last line and 64 or fewer printable characters in the last line.