IBM Cloud Pak for Security on the AWS Cloud

Quick Start Deployment Guide


March 2022
Ann Hayes, Patrick Kent Dacoliat, Kieran O Mahony, Manoj Nanjala, Divya Dinesan, Bhavana R, Samrika Singh, and Shinu Shaju, IBM
Vinod Shukla, AWS Integration & Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Quick Start. To comment on the documentation, refer to Feedback.

This Quick Start was created by IBM in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices.

Overview

This Quick Start deploys IBM Cloud Pak for Security on the AWS Cloud. If you are unfamiliar with AWS Quick Starts, refer to the AWS Quick Start General Information Guide.

Costs and licenses

There is no cost to use this Quick Start, but you will be billed for any AWS services or resources that this Quick Start deploys. For more information, refer to the AWS Quick Start General Information Guide.

For IBM Cloud Pak for Security product and pricing information, or to use your existing entitlements, contact your IBM sales representative at +1 (877) 426-3774 or online at IBM Cloud Pak for Security. For more information about licensing terms, see the IBM Cloud Pak for Security Software License Agreement.

Depending on your purchase of IBM Cloud Pak for Security, you can additionally choose to install the Orchestration & Automation application on the IBM Cloud Pak for Security platform. To access its capabilities in conjunction with your IBM Cloud Pak for Security license, you must acquire a license key. For more information on the Orchestration & Automation license, see the IBM Cloud Pak for Security documentation on Licensing and Entitlement.

Architecture

Deploying this Quick Start with default parameters builds the following IBM Cloud Pak for Security environment in the AWS Cloud.

Figure 1. Quick Start architecture for IBM Cloud Pak for Security on AWS

As shown in Figure 1, this Quick Start sets up the following:

  • A highly available architecture that spans across three Availability Zones.*

  • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*

  • In the public subnets:

    • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*

    • A boot node Amazon EC2 instance that also serves as a bastion host to allow inbound Secure Shell (SSH) access to EC2 instances in the private subnets.

  • In the private subnets:

    • Red Hat OpenShift Container Platform (OCP) master nodes in up to three Availability Zones.

    • Red Hat OpenShift Container Platform (OCP) compute nodes with OpenShift autoscaling for hosting the IBM Cloud Pak for Security capabilities.

    • Amazon Elastic Block Storage disks that are mounted on the compute nodes for container-persistent data.

  • A Classic Load Balancer spanning the public subnets for accessing IBM Cloud Pak for Security from a web browser.

  • A Network Load Balancer spanning the public subnets for routing external OpenShift application programming interface (API) traffic to the OCP master instances.

  • A Network Load Balancer spanning the private subnets for routing internal OpenShift API traffic to the OCP master instances.

  • OpenShift autoscaling for the OCP compute nodes.

  • Amazon Route 53 as your public Domain Name System (DNS) for resolving domain names of the IBM Cloud Pak for Security management console and applications deployed on the cluster.

  • Amazon S3 for storing the pull secret, the TLS certificate and key, the SOAR Entitlement, and the OpenShift image registry.

  • AWS Secrets Manager to encrypt, store, and retrieve credentials and secrets for your IBM Cloud Pak for Security deployment.

The IBM Cloud Pak for Security components run as containers on the OpenShift compute nodes, and build on a range of common platform and operational services that underpin all IBM Cloud Paks.

* The template that deploys this Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

Deployment options

This Quick Start provides the following deployment options:

This Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and IBM Cloud Pak for Security settings.

Predeployment steps

Create an Amazon S3 bucket

You need to create an Amazon S3 bucket in one of the AWS Regions. See AWS documentation on how to Create your first S3 bucket.

To upload files into your S3 bucket, see Upload an object to your bucket.

This S3 bucket is used to store the Red Hat OpenShift pull secret, which is required for deploying IBM Cloud Pak for Security. It can also store the optional TLS certificates, keys, and SOAR Entitlement.

Sign up for a Red Hat subscription

This Quick Start requires a Red Hat subscription. During the deployment of the Quick Start, provide your OpenShift Installer Provisioned Infrastructure pull secret.

If you don’t have a Red Hat account, you can create one on the Red Hat website. Note that registration may require a non-personal email address. To get a 60-day evaluation license for OpenShift, see the instructions in Red Hat OpenShift Container Platform.

Upload the OpenShift pull secret to your S3 bucket. The Quick Start pulls this secret from your S3 bucket location to provision the cluster.

IBM Cloud Pak for Security subscription

  • The Quick Start requires an entitlement key to access the IBM Cloud Pak for Security content.

    • You can acquire your IBM entitlement key from IBM Container Library.

    • During stack creation, you will need to pass the IBM entitlement key as the RepositoryPassword parameter.

  • The Quick Start uses an optional SOAR Entitlement for Orchestration & Automation application on IBM Cloud Pak for Security.

    • To learn how to acquire your SOAR Entitlement, see the IBM Cloud Pak for Security documentation on Licensing and Entitlement.

    • Upload the SOAR Entitlement to your S3 bucket. The Quick Start pulls this SOAR Entitlement from the specified S3 bucket location for configuring Orchestration & Automation.

Domain name and TLS certificates

Confirm that you have a domain name to use for OpenShift in Amazon Route 53. If you do not have a domain name, see the AWS documentation on Registering a new domain.

IBM Cloud Pak for Security can be installed using the FQDN and TLS certificates of the Red Hat® OpenShift® Container Platform by not passing in an FQDN in the optional CP4SFQDN parameter during installation. If you choose this method, you don’t have to create your own fully qualified domain name.

If you wish to create your own FQDN for the IBM Cloud Pak for Security, add a DNS record to your hosted zone in Amazon Route 53.

The following procedure explains how to create records using the Amazon Route 53 console.

  1. Open the Amazon Route 53 console.

  2. Choose the hosted zone that corresponds to the domain name you will use when creating the stack.

  3. Choose Create Record.

  4. Enter a value for the record name. This record will be used as the IBM Cloud Pak for Security CP4SFQDN parameter value when creating the stack.

    Make sure that your FQDN is not the same as the Red Hat OpenShift Container Platform cluster FQDN, or any other FQDN associated with the Red Hat OpenShift Container Platform cluster.

  5. Confirm that the record type is CNAME.

  6. For the value of the record, specify console-openshift-console.apps.ClusterName.DomainName, where ClusterName and DomainName are the respective input parameters used when creating the stack.

  7. For the routing policy, pick Simple routing, and then choose Create record, as shown in Figure 2.

Figure 2. Create DNS record for FQDN for the IBM Cloud Pak for Security
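The same CNAME record can be created with the AWS CLI instead of the Route 53 console. This is an added example, not part of the Quick Start: it applies the constraint from step 4 (the CP4SFQDN must not collide with the cluster's own FQDNs, using the standard OpenShift `api.` and `.apps.` names) and then builds the simple-routing change batch from steps 5 and 6. The hosted zone ID, CP4SFQDN, ClusterName and DomainName values are placeholders you must replace.

```shell
# Added example (not Quick Start code). Assumes the AWS CLI is installed and
# has permission to change records in the hosted zone for DomainName.
set -eu

# Reject a CP4SFQDN that is the cluster FQDN, its API endpoint, or anything
# under its application wildcard; also require it to sit inside DomainName.
validate_cp4s_fqdn() {
  fqdn="$1" cluster="$2" domain="$3"
  cluster_fqdn="${cluster}.${domain}"
  case "$fqdn" in
    "$cluster_fqdn"|"api.${cluster_fqdn}"|"apps.${cluster_fqdn}"|*".apps.${cluster_fqdn}")
      return 1 ;;
  esac
  case "$fqdn" in *".${domain}") return 0 ;; esac
  return 1
}

# Emit the Route 53 change batch: a simple-routing CNAME from CP4SFQDN to
# console-openshift-console.apps.ClusterName.DomainName (step 6 above).
route53_cname_batch() {
  fqdn="$1" cluster="$2" domain="$3"
  printf '{"Comment":"CP4SFQDN for IBM Cloud Pak for Security","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"console-openshift-console.apps.%s.%s"}]}}]}' \
    "$fqdn" "$cluster" "$domain"
}

# Validate, write the batch to a file, and apply it to the hosted zone.
create_cp4s_record() {
  zone_id="$1" fqdn="$2" cluster="$3" domain="$4"
  validate_cp4s_fqdn "$fqdn" "$cluster" "$domain" || {
    echo "CP4SFQDN '$fqdn' collides with cluster names or is outside $domain" >&2
    return 1
  }
  batch_file=$(mktemp)
  route53_cname_batch "$fqdn" "$cluster" "$domain" > "$batch_file"
  aws route53 change-resource-record-sets \
    --hosted-zone-id "$zone_id" --change-batch "file://$batch_file"
}

# Placeholder values; replace with your hosted zone ID and stack parameters.
# create_cp4s_record Z0000000000000 cp4s.example.com ocp example.com
```

The record's CNAME target only resolves once the stack has created the cluster, so create the record before launching the stack and expect it to become usable after CREATE_COMPLETE.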


If you are using your own FQDN, you must provide a TLS certificate and TLS key that are signed by a trusted certificate authority (CA). A custom TLS certificate is additionally required if the provided server keys are not signed by a trusted certificate authority. For more information, see the IBM Cloud Pak for Security documentation on Domain Name and TLS Certificates.

Upload the TLS certificate, TLS key, and custom TLS certificate to your S3 bucket. The Quick Start pulls these certificates and keys from your S3 bucket location for the IBM Cloud Pak for Security deployment.

Deployment steps

  1. Sign in to your AWS account, and launch this Quick Start, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template. Deployment takes about 2 hours to complete.

  2. Choose the correct AWS Region, and then choose Next.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you are customizing the Quick Start templates for your own projects, don’t change the default settings for the following Amazon Simple Storage Service (Amazon S3) parameters: Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these settings automatically updates code references to point to a new Quick Start location. For more information, refer to the AWS Quick Start Contributor’s Guide.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and that it might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the IBM Cloud Pak for Security deployment is ready.

  9. To view the created resources, choose the Outputs tab.

Figure 3. IBM Cloud Pak for Security outputs after successful deployment

Postdeployment steps

Configuring Identity Provider authentication

To log in to IBM Cloud Pak for Security, you must configure at least one Identity Provider (IDP). The CP4SAdminUser, shown in Figure 3, that you provided while creating the stack must exist in the chosen Identity Provider (IDP). This CP4SAdminUser is the initial user who can log in and add other users. Use the password that you specified for the user when you configured the Identity Provider (IDP). For more details on configuring Identity Provider (IDP) authentication, see the IBM Cloud Pak for Security documentation on Configuring Identity Provider Authentication.

Log in to IBM Cloud Pak for Security

After configuring at least one Identity Provider (IDP), navigate to the CP4SWebClientURL output of the root stack, shown in Figure 3.

Log in to the IBM Cloud Pak for Security web client by choosing Enterprise LDAP authentication, and then enter the CP4SAdminUser value and the admin password that you supplied while configuring LDAP authentication after installation.

Figure 4. Login page for IBM Cloud Pak for Security web client


Upon logging in to the IBM Cloud Pak for Security web client URL, the welcome page opens for the System Administrator account, as shown in Figure 5.

Figure 5. Welcome page for IBM Cloud Pak for Security web client

Create accounts in IBM Cloud Pak for Security

As a system administrator, you can create Standard or Provider accounts in IBM Cloud Pak for Security, or delete existing accounts. You must be working in the System Administration account and have the required permission to manage accounts. For more details, see the IBM Cloud Pak for Security documentation on Creating or Deleting Accounts.

Configure a data source connection

To begin working with applications, enable IBM Cloud Pak for Security to connect with data sources. For more details, see the IBM Cloud Pak for Security documentation on Configuring a Data Source Connection.

Manage your cluster using the Red Hat OpenShift web console

To access the Red Hat OpenShift Container Platform web console, navigate to the OpenshiftWebConsoleURL in the Outputs tab of the root stack. See Figure 3.

Log in to the OpenShift web console using the default OpenShift administrator, kubeadmin. The password can be obtained from the OpenShiftSecret resource on the Resources tab of the IBM Cloud Pak for Security stack.

Figure 6. OpenShift secret resource


You can retrieve the secret value by choosing Retrieve secret value, as shown in Figure 7. Use this secret value as the OpenShift console administrative password.

Figure 7. Retrieve secret value for console password

Accessing Red Hat OpenShift cluster from the command-line interface

In your Red Hat OpenShift web console, click your profile name and then click Copy Login. Click Display Token, copy the oc login command, and paste the command into your command line.

Troubleshooting

For troubleshooting common Quick Start issues, refer to the AWS Quick Start General Information Guide and Troubleshooting CloudFormation.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, refer to the Quick Start Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.