Pre-installation tasks
A checklist of required information for a successful installation.
Introduction
This checklist will help you to gather all the information that is needed for a successful installation. You need to provide the values during the installation process.
Obtain the installation package
To obtain files required for upgrading IBM Financial Services Workbench:
- Go to Passport Advantage Online.
- Search for Financial Services Workbench for Cloud Pak for Data
- Download the presented file, e.g. ssob-2.7.0-ibm-openshift-4.5-cpd-installations.tgz. This file contains all container images and accompanying resource files needed for installation on OpenShift 4.5.
$ INSTALLDIR=~/install/
$ mkdir ${INSTALLDIR}
$ cd ${INSTALLDIR}
$ tar xzvf ssob-2.7.0-ibm-openshift-4.5-cpd-installations.tgz
$ mv ssob-2.7.0-ibm-openshift-4.5-cpd-installations ssob_2.7.0
$ cd ${INSTALLDIR}/ssob_2.7.0ssob-install/deployments/configs folder that will contain the customized
parameters for this installation are still accessible after installation when upgrading to a
newer version (see Installing an Upgrade or Hotfix).Checklist before installation
Keep OpenShift details available
-
host_domainThe external hostname for the OpenShift cluster, which will be used as a base path for serving components, e.g.apps.openshift-cluster.mydomain.cloud
-
external_address_image_registryThe external address of the internal docker registry. If the OpenShift image registry is used, this address can be found via the routeimage-registryin namespaceopenshift-image-registry. -
internal_address_image_registryThe address of the internal docker registry, e.g.image-registry.openshift-image-registry.svc:5000 -
A service account is required that is able to pull images from the provided internal docker registry. If you use the internal cluster registry, you can use the
Builderservice account and get the Docker configuration from the Builder Secret, which is always created when you create a project.
Keep Cloud Pak for Data (CPD) installation details available
-
cpd_namespaceThe name of the namespace, where CPD is installed, commonlyzen -
helm-tls-ca-certThe filename of the Helm TLS CA certificate, which was created by the CPD installation, e.g./path/to/my/ca.cert.pem -
helm-tls-certThe filename of the Helm TLS certificate, which was created by the CPD installation, e.g./path/to/my/helm.cert.pem -
helm-tls-keyThe filename of the Helm TLS key, which was created by the CPD installation, e.g.path/to/my/helm.key.pem
Checklist before configuration
Keep Identity Management access details available
The installation of IBM Financial Services Workbench will automatically create security realms in Keycloak. In order to do that, please provide credentials for a Keycloak administrative account with privileges to create and configure Keycloak realms. The automatic configuration can be disabled to set up the realms manually (compare Create the OAuth2 secret).
-
identity_provider_hostThe hostname including the protocol for the identity provider (Keycloak), e.g.https://identity.apps.openshift-cluster.mydomain.cloud -
global.identity.adminUserA username of a keycloak admin, e.g.admin -
global.identity.adminPasswordA password of a keycloak admin, e.g.secret123 -
The complete certificate chain of identity server, e.g.
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Keep Mongo Database access details available
-
global.mongodb.designer.connectionStringA mongo database connection string, that will be used for the Solution Designer, e.g.mongodb://admin:password@mongodb.foundation.svc.cluster.local:27017/admin?ssl=false -
global.mongodb.solutions.connectionStringA mongo database connection string, that will be used for the Solution Envoy, e.g.mongodb://admin:password@mongodb.foundation.svc.cluster.local:27017/admin?ssl=false -
certificate chainOptionally the certificate chain for accessing the database over SSL, , e.g.-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Keep Apache Kafka access details available
CREATE TOPIC, READ
TOPIC, WRITE TOPIC.-
global.messagehub.brokersSaslA kafka or strimzi bootstrap adress, that will be used for bootstrapping the messaging server, e.g.["kafka-cluster-kafka-bootstrap.foundation.svc.cluster.local:9093"] -
global.messagehub.userA kafka or strimzi user, that will be used for accessing the messaging server, e.g.kafka-user -
global.messagehub.passwordA kafka or strimzi password of the user, that will be used for accessing the messaging server, e.g.secret123 -
global.messagehub.saslMechanismThe authentication mechanism for the usage with kafka or strimzi, e.g.SCRAM-SHA-512 -
global.messagehub.saslJaasConfigLoginModuleThe login module for the authentication mechanism for the usage with kafka or strimzi, e.g.org.apache.kafka.common.security.scram.ScramLoginModule -
certificate chainOptionally the certificate chain for accessing the kafka over SSL,, e.g.-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Clock Synchronization
The IBM Financial Services Workbench requires that you synchronize the clocks on each node in the cluster. The clocks must be within one second of each other. It is recommended that you use chrony to synchronize your clocks. For more information about setting up chrony, see the user documentation for your operating system.
Certificates
It is recommended to NOT use self-signed certificates. As a feasible solution it might be sufficient to use certificates that are signed by Let’s encrypt.