Installing Cloud Pak for Data IBM

Installing Cloud Pak for Data - IBM...To remove Cloud Pak for Data from Red Hat OpenShift, delete the project, all cluster scoped items, and any remaining Persistent Volumes. Related


Installing Cloud Pak for Data

IBM


Contents

Installing
  Pre-installation tasks
    Setting up your registry server
    Obtaining the installation files
    Preparing for air-gapped installations
    Setting up your environment
  Installing on an OpenShift cluster
  Post-installation tasks
    Securing communication ports
    Setting up the web client
    Setting up a tethered namespace
  Uninstalling Cloud Pak for Data


Installing IBM Cloud Pak™ for Data

After you review the system requirements and other planning information, you install IBM Cloud Pak™ for Data by completing the pre-installation tasks, completing the installation task itself, and then completing the post-installation tasks. When complete, you will have installed the Cloud Pak for Data control plane. Services are installed separately.

You use the Cloud Pak for Data command-line interface to install the Cloud Pak for Data control plane and any services that you want to run.

You can install the software on a cluster that is connected to the internet or a cluster that is air-gapped. The following sections explain how the installation process works in each environment.

Internet-connected clusters

When you run the cpd installation command from a client workstation, it downloads Helm charts from a public IBM file server, transfers all images from the entitled IBM Docker registry to your registry server, and deploys the Helm charts to a project in your OpenShift cluster.

Figure 1. Flow when running the cpd command on a cluster connected to the internet

Air-gapped clusters

When you run the cpd download command from a client workstation, it downloads all of the images and Helm charts from a public IBM file server to the client workstation. Next, you transfer the images to your registry server. Then, from a system that can connect to the cluster, you run the cpd command to push the images to your registry server. Lastly, you run the cpd installation command, which deploys the Helm charts to a project in your OpenShift cluster.


Figure 2. Flow when running the cpd command on an air-gapped cluster

Installation components

Cloud Pak for Data defines the modular installation components as follows:

Assembly
    A particular Cloud Pak for Data service (and its dependent assemblies) to deploy to a project in Red Hat OpenShift. Assemblies for Cloud Pak for Data control plane and services are stored on a public IBM file server, and do not have to be installed at the same time.

Global configuration
    A server definition YAML file that you download to your Linux or Mac OS client workstation and then customize. It specifies:

    • URLs and credentials for the file server to download Helm charts from.
    • URLs and credentials for the registry server to download images from.

    The default server definition YAML is repo.yaml.

Pre-installation tasks

Before you install Cloud Pak for Data, complete the following tasks.

Related tasks

Installing Cloud Pak for Data on a Red Hat OpenShift cluster
A project administrator can install IBM Cloud Pak™ for Data on a Red Hat OpenShift environment.

Uninstalling Cloud Pak for Data
To remove Cloud Pak for Data from Red Hat OpenShift, delete the project, all cluster scoped items, and any remaining Persistent Volumes.

Related reference

Post-installation tasks
After you install Cloud Pak for Data, complete the following tasks.

Setting up your registry server

To install Cloud Pak for Data, you must have a registry server where you can host the images for the Cloud Pak for Data control plane and the services that you want to install.

If you have an existing registry server, you can use it, provided that it is in close proximity to the Red Hat OpenShift cluster where you will deploy Cloud Pak for Data and that the pull secrets are properly managed. If your registry server is not in close proximity to your OpenShift cluster, you might notice performance issues.

Alternatively, you can use the internal Docker registry in your Red Hat OpenShift cluster. This option is recommended because it does not require you to manage pull secrets.

Before you begin

Complete this task only if you intend to use the internal Docker registry on the Red Hat OpenShift and you have not yet configured it.

Ensure that you have:

• A registry. See Red Hat OpenShift Internal Registry Overview for details.
• The oc command-line interface. You can download the appropriate client tools for your operating system from OKD. Ensure that the version is compatible with the version of Red Hat OpenShift on your cluster.

Procedure

To set up the Docker registry on OpenShift:

1. Sign into OpenShift as the cluster administrator:

oc login openshift_url:port

2. Verify whether the registry has an external route:

oc get routes -n default | grep docker-registry

If the command finds a default route, then you must create a new external route:

oc expose service docker-registry -n default --hostname=docker-registry-default.9.87.654.321.nip.io

Replace default.9.87.654.321.nip.io with your public IP address.

3. Ensure the /etc/hosts file in each node has a DNS entry for your Docker registry name:

9.87.654.321 docker-registry.default.svc

You will use this Docker registry name, for example, docker-registry.default.svc:5000 for the Cloud Pak for Data installation. Alternatively, if the registry is outside of the cluster, you must use the external registry name instead.

Obtaining the installation files

Before you install Cloud Pak for Data, ensure that the installation files are available on your client system.

Before you begin

Ensure that you have:

• Your entitlement license API key from My IBM and your IBM ID.
• A Linux or Mac OS client workstation to run the installation from. The workstation does not have to be a node of the cluster, but must have internet access and be able to connect to the OpenShift cluster.

Procedure

1. Obtain the installation files:
   a) On the Linux or Mac OS workstation, download the installation package from IBM Passport Advantage.
   b) Extract the cpd installer executable and repo.yaml file from the installation package.

2. Set up the requirements for the cpd command:
   a) On the same workstation, download and extract either the Linux or Mac OS oc v3.11 client tools from the Download OKD web site.
      The oc command is required for the cpd command to succeed.
   b) Edit the server definition file repo.yaml that you downloaded.
      This file specifies the repositories for the cpd command to download the installation files from. Make the following changes to the file:

      Parameter   Value
      username    Specify your IBM ID username.
      apikey      Specify your entitlement license API key.

3. Save the file.

Preparing for air-gapped installations

If you plan to install IBM Cloud Pak™ for Data or a service on an air-gapped cluster, a cluster administrator must make the required files available to the cluster before installation.

Before you begin

Required role: To complete this task, you must be a cluster administrator.

Ensure that the Mac OS or Linux machine from which you will run the commands is connected to the internet.

Download the Cloud Pak for Data command-line interface to the machine from which you will run the commands. See “Obtaining the installation files” on page 3.

If you are using the internal registry server on Red Hat OpenShift, create the project (namespace) where you will deploy the software. The project must exist before you push the images to the registry server.

About this task

You will download the required files for the software that you want to install and then transfer the files to a machine that is accessible from the cluster.

If you are installing multiple services on Cloud Pak for Data, you must repeat this task for each service that you want to install.

Procedure

1. Change to the directory where you extracted the Cloud Pak for Data installation command-line interface.

2. Run the following command to download the required files to your local machine:


./cpd-Operating_System preloadImages --repo repo.yaml \
  --assembly Assembly_name \
  --action download

Replace the following values:

Variable           Replace with
Operating_System   For Linux, specify linux. For Mac OS, specify darwin.
Assembly_name      For the Cloud Pak for Data control plane, specify lite. For a
                   service, specify the assembly name of the service.

The files are saved to the cpd-Operating_System-workspace directory, which is created in the directory that contains the Cloud Pak for Data command-line interface.

The directory contains the images, assembly manifest files, module manifest files, charts, and other artifacts that are required for installation.

Depending on the assembly that you specify, the directory might contain one or more directories that contain YAML files that describe the changes that must be made to the cluster. When you set up the cluster, you can optionally use these files to automatically apply the changes to your cluster. (These files will be used only if you run the cpd adm command with the --apply parameter.)

3. Transfer the following items to a machine that can connect to the cluster and to the registry server:

• The cpd-Operating_System-workspace directory. Ensure that the directory structure remains unchanged.

• A copy of the Cloud Pak for Data installation command-line interface. Ensure that the command-line interface is compatible with the machine that you are transferring the files to and that it is the same version as the command-line interface that you ran in the preceding steps.

4. From the machine that can connect to the cluster, run the following command to push the images to the registry server.

Important: If you are using the internal registry server on Red Hat OpenShift:

• Log in to the oc command-line interface before you push the images:

oc login

• If you are using the default self-signed certificate, specify the --insecure-skip-tls-verify parameter to prevent x509 errors.

./cpd-Operating_System preloadImages \
  --assembly Assembly_name \
  --version Assembly_version \
  --action push \
  --ask-push-registry-credentials \
  --load-from Image_Directory_Location \
  --transfer-image-to Registry_location

Replace the following values:

Variable                   Replace with
Operating_System           Use the value that you specified when you ran the cpd
                           preloadImages command with the --action download parameter.
Assembly_name              Use the value that you specified when you ran the cpd
                           preloadImages command with the --action download parameter.
Assembly_version           The version of the assembly that is specified in the
                           cpd-Operating_System-workspace/assembly/Assembly_name/versions.yaml file.
Image_Directory_Location   The location of the cpd-Operating_System-workspace/images directory.
Registry_location          The location where you want to place the images on the registry server.
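One way to confirm that the cpd-Operating_System-workspace directory from step 3 arrives with its contents and directory structure unchanged before the images are pushed in step 4. This is an added example, not part of the IBM procedure or the cpd command-line interface; the function names and the MANIFEST.sha256 file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example: SHA-256 manifest for the workspace directory that is carried
# across the air gap. Function names and MANIFEST.sha256 are illustrative.

# Use sha256sum on Linux and shasum on Mac OS.
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
  else shasum -a 256 "$@"; fi
}

# Sorted list of every regular file below the current directory,
# leaving out the manifest itself.
_file_list() {
  find . -type f ! -name "$1" -print | LC_ALL=C sort
}

# workspace_manifest DIR [MANIFEST]
# Run on the internet-connected machine after the download action completes.
workspace_manifest() {
  ws_dir=$1; ws_manifest=${2:-MANIFEST.sha256}
  ( cd "$ws_dir" || exit 1
    _file_list "$ws_manifest" | while IFS= read -r f; do
      _sha256 "$f"
    done > "$ws_manifest" )
}

# workspace_verify DIR [MANIFEST]
# Run on the machine that can reach the cluster, before the push action.
# Returns 0 only if every file has its recorded hash and the set of files
# is identical (nothing missing, nothing added, nothing moved).
workspace_verify() {
  ws_dir=$1; ws_manifest=${2:-MANIFEST.sha256}
  ( cd "$ws_dir" || exit 1
    [ -f "$ws_manifest" ] || { echo "no manifest in $ws_dir" >&2; exit 2; }
    rc=0
    # 1. Content: recompute each recorded hash and report the failures.
    out=$(_sha256 -c "$ws_manifest" 2>&1) ||
      { printf '%s\n' "$out" | grep -v ': OK$' >&2; rc=1; }
    # 2. Structure: the file list on disk must equal the recorded list.
    expected=$(sed 's/^[0-9a-f]\{64\}  //' "$ws_manifest")
    actual=$(_file_list "$ws_manifest")
    [ "$expected" = "$actual" ] ||
      { echo "file list differs from manifest" >&2; rc=1; }
    exit "$rc" )
}

# Script use: "create DIR" before the transfer, "verify DIR" after it.
case "${1:-}" in
  create) workspace_manifest "$2" ;;
  verify) workspace_verify "$2" ;;
esac
```

Carry the manifest's own hash over a separate channel so that the manifest cannot be replaced together with the files.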

What to do next

Provide the following information to the person who will install the software.

Required information    Description
OpenShift_URL:port      The URL to use when logging in to the OpenShift cluster.
Assembly_name           The name of the assembly to install.
Assembly_version        The version of the assembly to install.
Project                 The project where the software will be installed.
Storage_class_name      The storage class to use for the software.
Registry_location       The location of the images that you pushed to the registry server.
Registry_from_cluster   The location from which pods on the cluster can pull images.

Setting up your Cloud Pak for Data environment

Before you install the IBM Cloud Pak™ for Data control plane, a cluster administrator must set up the cluster for the control plane.

Before you begin

Required role: To complete this task, you must be a cluster administrator.

If you are installing the service on an air-gapped cluster, ensure that you completed the steps in “Preparing for air-gapped installations” on page 4 to download the required files for the service.

Ensure that the Mac OS or Linux machine where you will run the commands meets the appropriate requirements for your environment:

Requirements for the machine                                Cluster is connected   Cluster is
                                                            to the internet        air-gapped

Can connect to the cluster.                                 ✓                      ✓

Is connected to the internet.                               ✓

Has the oc command-line interface.                          ✓                      ✓
  You can download the appropriate client tools for your
  operating system from OKD. Ensure that the version is
  compatible with the version of Red Hat OpenShift on
  your cluster.

Has the Cloud Pak for Data command-line interface.          ✓                      ✓
  See “Obtaining the installation files” on page 3. Use
  the same version of the command-line interface each
  time you run the commands.

Has the updated repo.yaml file in the same directory
as the Cloud Pak for Data command-line interface.
  See “Obtaining the installation files” on page 3.

Has the cpd-Operating_System-workspace directory,
which contains the required files.

The Cloud Pak for Data (cpd) command-line interface requires the oc command-line interface. If you have not used the oc command-line interface on this machine, ensure that it works:

1. On the machine from which you will run the commands, log in to the cluster as an administrator:

oc login OpenShift_URL:port

2. Run a command to ensure that the oc command-line interface can communicate with the cluster:

oc get nodes

3. Log out of the cluster.

Procedure

To set up the cluster for the Cloud Pak for Data control plane:

1. See what changes need to be made to the cluster, by running the appropriate cpd adm command for your environment:

Tip: For a list of all available options, enter the command: ./cpd-Operating_System --help.

• To run the command on a cluster that can connect to the internet:

a. Change to the directory where you placed the Cloud Pak for Data command-line interface and the repo.yaml file.

b. Run the cpd adm command with the following parameters to preview the list of resources that must be created on the cluster:

./cpd-Operating_System adm --repo repo.yaml \
  --assembly lite \
  --namespace Project

Replace the following values:

Variable           Replace with
Operating_System   For Linux, specify linux. For Mac OS, specify darwin.
Project            The project where you will install the Cloud Pak for Data control plane.

The command returns a list of the changes that you must make to your cluster to ensure that the control plane can run on your cluster, including the creation of service accounts and SCC bindings and the configuration of all of the necessary resources.

• To run the command on an air-gapped cluster:

a. Change to the directory where you placed the Cloud Pak for Data command-line interface.


b. Run the cpd adm command with the following parameters to preview the list of resources that must be created on the cluster:

./cpd-Operating_System adm \
  --assembly lite \
  --version Assembly_version \
  --namespace Project \
  --load-from Image_directory_location

Replace the following values:

Variable                   Replace with
Operating_System           For Linux, specify linux. For Mac OS, specify darwin.
Assembly_version           The version of the assembly that is specified in the
                           cpd-Operating_System-workspace/assembly/lite/versions.yaml file.
Project                    The project where you will install the Cloud Pak for Data control plane.
Image_directory_location   The location of the cpd-Operating_System-workspace directory.

The command returns a list of the changes that you must make to your cluster to ensure that the control plane can run on your cluster, including the creation of service accounts and SCC bindings and the configuration of all of the necessary resources.

2. Log in to your Red Hat OpenShift cluster:

oc login OpenShift_URL:port

3. Make the necessary changes to your cluster.

You can choose one of the following methods to make the changes:

• To automatically apply the changes to your cluster:

Re-run the cpd adm command with the --apply flag:

– To run the command on a cluster that can connect to the internet:

./cpd-Operating_System adm --repo repo.yaml \
  --assembly lite \
  --namespace Project \
  --apply

– To run the command on an air-gapped cluster:

./cpd-Operating_System adm \
  --assembly lite \
  --version Assembly_version \
  --namespace Project \
  --load-from Image_directory_location \
  --apply

Replace the variables with the same values that you used the last time you ran the command.

• To manually apply the changes to your cluster:

Follow the appropriate procedures from the Red Hat OpenShift documentation to complete the required tasks.

Results

When you run the cpd adm command with the --apply flag, the following OpenShift service accounts are created:

Service account   GET permissions   PUT/POST/DELETE permissions   Elevated security context
cpd-viewer-sa     Y                 N                             N
cpd-editor-sa     Y                 Y                             N
cpd-admin-sa      Y                 Y                             Y

Installing Cloud Pak for Data on a Red Hat OpenShift cluster

A project administrator can install IBM Cloud Pak™ for Data on a Red Hat OpenShift environment.

Before you begin

Required role: To complete this task, you must be an administrator of the project (namespace) where you will deploy the Cloud Pak for Data control plane.

Ensure that you meet the System requirements for.

Ensure your Red Hat OpenShift cluster administrator completed the steps in “Setting up your Cloud Pak for Data environment” on page 6.

If you are running the installation on an air-gapped cluster, ensure that a Red Hat OpenShift administrator has completed the steps in “Preparing for air-gapped installations” on page 4 to download the required files for the service.

Ensure that the Mac OS or Linux machine where you will run the commands meets the appropriate requirements for your environment:

Requirements for the machine                                Cluster is connected   Cluster is
                                                            to the internet        air-gapped

Can connect to the cluster.                                 ✓                      ✓

Is connected to the internet.                               ✓

Has the oc command-line interface.                          ✓                      ✓
  You can download the appropriate client tools for your
  operating system from OKD. Ensure that the version is
  compatible with the version of Red Hat OpenShift on
  your cluster.

Has the Cloud Pak for Data command-line interface.          ✓                      ✓
  See “Obtaining the installation files” on page 3. Use
  the same version of the command-line interface each
  time you run the commands.

Has the updated repo.yaml file in the same directory
as the Cloud Pak for Data command-line interface.
  See “Obtaining the installation files” on page 3.

Has the cpd-Operating_System-workspace directory,
which contains the required files.

Ensure that you have the following information from your Red Hat OpenShift cluster administrator:


Required information and description:

OpenShift_URL:port
    The URL and port number to use when logging in to your Red Hat OpenShift cluster.

    Ensure that you have the appropriate credentials to log into the cluster using oc login.

    Value:

    Your cluster administrator should tell you whether your cluster is connected to the internet or is air-gapped.

Assembly_version
    Needed for air-gapped installations only.

    The version of the assembly to install.

    Value:

Storage_class_name
    The name of the storage class to use to provision storage for the service.

    If your cluster is not set up to use dynamic storage provisioning, work with an IBM Support representative to determine how you can specify persistent volume claims when you install the service.

    Value:

Registry_location
    The location to store the images in the registry server.

    For example, if you are using the internal Red Hat OpenShift registry, the default route is:

    docker-registry-default.9.87.654.321.nip.io/project

    Where default.9.87.654.321.nip.io is your public IP address.

    If you are installing the service when you are connected to the internet, ensure that you have the appropriate credentials to push images to the registry server.

    Value:

Registry_from_cluster
    The location from which pods on the cluster can pull images.

    For example, if you are using the internal Red Hat OpenShift registry, the default service name is:

    docker-registry.default.svc:5000/project

    Value:

Project
    The project (namespace) where the IBM Cloud Pak™ for Data control plane is installed.

    Value:


Procedure

Run the appropriate cpd command for your environment:

Tip: For a list of all available options, enter the command: ./cpd-Operating_System --help.

• To install the service on a cluster that can connect to the internet:

a. Change to the directory where you placed the Cloud Pak for Data command-line interface and the repo.yaml file.

b. Log in to your Red Hat OpenShift cluster as a project administrator:

oc login OpenShift_URL:port

c. Run the following command to install the service:

./cpd-Operating_System --repo ./repo.yaml \
  --assembly lite \
  --namespace Project \
  --storageclass Storage_class_name \
  --transfer-image-to Registry_location \
  --cluster-pull-prefix Registry_from_cluster \
  --ask-push-registry-credentials

Replace the following values:

Variable                Replace with
Operating_System        For Linux, specify linux. For Mac OS, specify darwin.
Project                 Use the value provided by your cluster administrator.
Storage_class_name      Use the value provided by your cluster administrator.
Registry_location       Use the value provided by your cluster administrator.
Registry_from_cluster   Use the value provided by your cluster administrator.

• To install the service on an air-gapped cluster:

a. Change to the directory where you placed the Cloud Pak for Data command-line interface.

b. Log in to your Red Hat OpenShift cluster as a project administrator:

oc login OpenShift_URL:port

c. Run the following command to install the service:

Important: If you are using the internal Red Hat OpenShift registry, do not specify the --ask-pull-registry-credentials parameter.

./cpd-Operating_System \
  --assembly lite \
  --version Assembly_version \
  --namespace Project \
  --storageclass Storage_class_name \
  --cluster-pull-prefix Registry_from_cluster \
  --ask-pull-registry-credentials \
  --load-from Image_directory_location

Replace the following values:

Variable                   Replace with
Operating_System           For Linux, specify linux. For Mac OS, specify darwin.
Assembly_version           Use the value provided by your cluster administrator.
Project                    Use the value provided by your cluster administrator.
Storage_class_name         Use the value provided by your cluster administrator.
Registry_from_cluster      Use the value provided by your cluster administrator.
Image_directory_location   The location of the cpd-Operating_System-workspace directory.

What to do next

After you install the Cloud Pak for Data control plane, complete the “Post-installation tasks” on page 12.

Related tasks

Uninstalling Cloud Pak for Data
To remove Cloud Pak for Data from Red Hat OpenShift, delete the project, all cluster scoped items, and any remaining Persistent Volumes.

Related reference

Pre-installation tasks
Before you install Cloud Pak for Data, complete the following tasks.

Post-installation tasks
After you install Cloud Pak for Data, complete the following tasks.

Post-installation tasks

After you install Cloud Pak for Data, complete the following tasks.

Related tasks

Installing Cloud Pak for Data on a Red Hat OpenShift cluster
A project administrator can install IBM Cloud Pak™ for Data on a Red Hat OpenShift environment.

Uninstalling Cloud Pak for Data
To remove Cloud Pak for Data from Red Hat OpenShift, delete the project, all cluster scoped items, and any remaining Persistent Volumes.

Related reference

Pre-installation tasks
Before you install Cloud Pak for Data, complete the following tasks.

Securing communication ports

To ensure secure transmission of network traffic to and from the Cloud Pak for Data cluster, you need to configure the communication ports used by the network.

Ports for services

When you provision a new service or integration on your Cloud Pak for Data cluster, the services might require connections to be made from outside the cluster. For example, you might require connections when you access databases, or run data virtualization through an ODBC/JDBC connection. If the service or integration requires connections to be made to the cluster, then you need to open the appropriate network ports. See the detailed information for each specific service or integration to determine what extra connections you might need to configure.

Setting up the Cloud Pak for Data web client

After you install Cloud Pak for Data, you can configure the web client to add users and set up email notifications.

Procedure

To configure the Cloud Pak for Data web client:


1. Optional: Add an entry to the DNS server to resolve the IP address. For example:

123.45.67.89 ibm-nginx-svc

As a result, you will be able to sign into the web client through the https://ibm-nginx-svc/zen web address.

If you don't add the DNS server entry, you can still sign in to the client, but you need to enter your high availability proxy IP address followed by the project name, for example, https://123.45.67.89/zen.

2. Sign in to the Cloud Pak for Data web client as the default administrator. The default user name is admin, and the default password is password.

3. Change the password for the admin user:
   a) From the menu, click Administer > User management.
   b) On the Users page, select the admin user and select Edit user from the actions menu.
   c) Change the password and specify an email address.

Note: Emails will be sent to this address only if you set up email notifications. See “Enabling email notifications” on page 16.

What to do next

Although you can complete the following tasks at any time, it is strongly recommended that you complete them before you give users access to the web client:

• “Enabling email notifications” on page 16
• Connecting to your LDAP server

Then, you can start giving users access to the web client. For more information, see Managing users.

Using a custom TLS certificate for HTTPS connections

The IBM Cloud Pak™ for Data installation includes a self-signed TLS certificate that can be used to enable HTTPS connections. By default, this certificate is untrusted by all HTTPS clients. However, you can replace the default certificate with your own TLS certificate.

Cloud Pak for Data exposes one HTTPS port as the primary access point for the web client and for API requests. On Red Hat OpenShift, the port is exposed as an OpenShift route.

Before you begin

To complete this task, you must have your own certificate and private key file that meet the following requirements:

• Both files are in PEM format.
• The certificate is named cert.crt.

  The certificate can be a bundle that contains your server, intermediates, and root certificates concatenated (in the proper order) into one file. The necessary certificates must be enabled as trusted certificates on the clients that connect to the cluster.

• The private key is named cert.key.
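A pre-flight check for the requirements above, run in the directory that holds cert.crt and cert.key before the files are copied into the pod. This is an added example, not part of the IBM procedure; it assumes the openssl command-line tool is installed, and the function names and the 30-day expiry threshold are illustrative.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for cert.crt / cert.key before they are
# copied into the ibm-nginx pod. Function names are illustrative.

# Split a PEM bundle into DIR/0.pem, DIR/1.pem, ... and print the count.
split_bundle() {  # split_bundle BUNDLE DIR
  awk -v out="$2" '
    BEGIN { n = 0 }
    /-----BEGIN CERTIFICATE-----/ { f = out "/" n ".pem"; on = 1 }
    on { print > f }
    /-----END CERTIFICATE-----/   { on = 0; close(f); n++ }
    END { print n }' "$1"
}

# Subject or issuer of one certificate in a stable (RFC 2253) rendering.
cert_name() {  # cert_name subject|issuer FILE
  openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed 's/^[a-z]*= *//'
}

# The private key must belong to the first (server) certificate in the file.
check_key_match() {  # check_key_match CERT KEY
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  # -passin pass: makes an encrypted key fail here instead of prompting.
  key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# "Proper order": each certificate is issued by the next one in the file
# (server, then intermediates, then root). Compares names, not signatures.
check_chain_order() {  # check_chain_order BUNDLE
  tmp=$(mktemp -d) || return 1
  n=$(split_bundle "$1" "$tmp" 2>/dev/null); n=${n:-0}
  rc=0; i=0
  [ "$n" -ge 1 ] || rc=1
  while [ $((i + 1)) -lt "$n" ]; do
    if [ "$(cert_name issuer "$tmp/$i.pem")" != \
         "$(cert_name subject "$tmp/$((i + 1)).pem")" ]; then
      echo "certificate $i is not issued by certificate $((i + 1))" >&2
      rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

# The server certificate must stay valid for at least DAYS more days.
check_not_expiring() {  # check_not_expiring BUNDLE DAYS
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run every check against DIR/cert.crt and DIR/cert.key; 0 means all passed.
check_cert_pair() {  # check_cert_pair DIR [MIN_DAYS]
  d=$1; days=${2:-30}; bad=0
  grep -q -- '-----BEGIN CERTIFICATE-----' "$d/cert.crt" 2>/dev/null ||
    { echo "cert.crt: missing or not PEM" >&2; bad=1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$d/cert.key" 2>/dev/null ||
    { echo "cert.key: missing or not PEM" >&2; bad=1; }
  [ "$bad" -eq 0 ] || return 1
  check_key_match "$d/cert.crt" "$d/cert.key" ||
    { echo "cert.key does not match the first certificate in cert.crt" >&2; bad=1; }
  check_chain_order "$d/cert.crt" || bad=1
  check_not_expiring "$d/cert.crt" "$days" ||
    { echo "server certificate expires within $days days" >&2; bad=1; }
  return "$bad"
}

# Script use: "check [DIR] [MIN_DAYS]"
if [ "${1:-}" = "check" ]; then check_cert_pair "${2:-.}" "${3:-30}"; fi
```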

Procedure

To replace the default TLS certificate with your custom TLS certificate:

1. Place the cert.crt and cert.key files in the same directory on your local file system.

2. Change to the directory where the files are located.

3. Connect to your OpenShift cluster:

oc login OpenShift_URL:port


4. Set the context to the project where Cloud Pak for Data is deployed:

oc project PROJECT-NAME

The default project name is zen.

5. Locate an ibm-nginx pod in the deployment:

ibm_nginx_pod=$(oc get pods | grep ibm-nginx | head -1 | cut -f1 -d\ )
echo $ibm_nginx_pod

6. Create a directory called customer-certs inside the pod in the user-home/_global_ directory:

oc exec ${ibm_nginx_pod} -- mkdir -p "/user-home/_global_/customer-certs"

7. Copy the certificate and key files into the customer-certs directory:

oc cp cert.crt ${ibm_nginx_pod}:/user-home/_global_/customer-certs/
oc cp cert.key ${ibm_nginx_pod}:/user-home/_global_/customer-certs/

8. Restart all of the ibm-nginx pods:

for i in `oc get pods | grep ibm-nginx | cut -f1 -d\ `; do oc exec ${i} -- /scripts/reload.sh; done

The output should be similar to the following output:

reloading nginx conf
setting up ssl using customer certs
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
TIMESTAMP [notice] 132#132: signal process started
reloading nginx conf
setting up ssl using customer certs
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
TIMESTAMP [notice] 51#51: signal process started
reloading nginx conf
setting up ssl using customer certs
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
TIMESTAMP [notice] 52#52: signal process started
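The following pre-flight check is an added example, not part of IBM's procedure or tooling: before the files are copied in step 7, it confirms that cert.key belongs to the server certificate in cert.crt and that a bundle is ordered server, intermediates, root. The function names are hypothetical, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for cert.crt and cert.key (needs openssl).

# Print the number of certificates in a PEM bundle.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed only if the private key matches the first (server) certificate,
# by comparing the public key derived from each.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if every certificate names the next one as its issuer, that is,
# the order is server, intermediates, root. This checks name chaining only;
# it does not verify signatures.
bundle_in_order() {
    dir=$(mktemp -d) || return 1
    # Split the bundle into one numbered file per certificate.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }' "$1"
    n=$(count_certs "$1"); i=1; rc=0
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer_hash 2>/dev/null)
        subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject_hash 2>/dev/null)
        [ -n "$issuer" ] && [ "$issuer" = "$subject" ] || { rc=1; break; }
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Run every check on a certificate file and key file; print the first problem.
preflight() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "cannot read $1 or $2"; return 1; }
    [ "$(count_certs "$1")" -ge 1 ] || { echo "no PEM certificate in $1"; return 1; }
    key_matches_cert "$1" "$2" || { echo "$2 does not match $1"; return 1; }
    bundle_in_order "$1" || { echo "bundle order is wrong in $1"; return 1; }
    echo "ok"
}

# Run from the directory that holds the files (procedure step 2).
if [ -f cert.crt ] && [ -f cert.key ]; then preflight cert.crt cert.key; fi
```

A mismatched key or a misordered bundle is cheaper to catch here than after the ibm-nginx pods have reloaded with it.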

Configuring single sign-on

You can use Security Assertion Markup Language (SAML) for single sign-on (SSO) to the IBM Cloud Pak™ for Data web client.

Before you begin

You must have an existing SAML identity provider (IdP). Work with your IdP administrator to gather the following information:

| Parameter | Description | Value |
| --- | --- | --- |
| entryPoint | The URL of the login page for your identity provider. | |
| fieldToAuthenticate | The name of the parameter you use to authenticate with the identity provider, such as emailAddress or username. | |
| spCert | The certificate used to sign SAML requests to the identity provider. The same certificate needs to be set when you register Cloud Pak for Data with your identity provider so that the SAML requests can be verified by your identity provider. If you do not specify a certificate, the requests won't be signed. | Remove the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines and provide the certificate as a single line. |
| idpCert | The certificate provided by the identity provider to verify SAML responses from the identity provider. If you do not specify a certificate, the responses won't be verified. | Remove the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines and provide the certificate as a single line. |
| issuer | The name that you want to use to register Cloud Pak for Data with your identity provider. | If you do not specify a value, the default (ibm_privatecloud) is used. |
| identifierFormat | The format of requests from Cloud Pak for Data to the identity provider. The format must be supported by the identity provider. | If you do not specify a format, the default format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) is used. |

About this task

To configure SSO, you must specify information about your Identity Provider in a configuration file. Use the preceding table to gather the required information that you need to supply in the configuration file.

Important: It is strongly recommended that you complete this task before you add users to Cloud Pak for Data. If you have already added users to Cloud Pak for Data you must re-add the users with their SAML ID to enable them to use SSO.

Procedure

1. Log in to your Red Hat OpenShift cluster as a project administrator:

oc login OpenShift_URL:port

2. Enable SAML by running the following command:

oc exec -it -n namespace \
$(oc get pod -n namespace -l component=usermgmt | tail -1 | cut -f1 -d\ ) \
-- bash -c "vi /user-home/_global_/config/saml/samlConfig.json"


Replace namespace with the namespace where Cloud Pak for Data is deployed.

3. In the samlConfig.json file, specify the appropriate values for your environment.

{
  "entryPoint": "",
  "fieldToAuthenticate": "",
  "spCert": "",
  "idpCert": "",
  "issuer": "",
  "identifierFormat": ""
}

4. Save your changes to samlConfig.json.
a) Press Esc.
b) Press :.
c) Enter :x.
d) Press Enter.

5. Run the following command to delete the usermgmt pods:

oc delete pods -l component=usermgmt

What to do next

Wait several minutes before you attempt to log in to the web client. The instructions restart the usermgmt pods. If the pods are not running, you will not be able to log in.

If you previously added users to Cloud Pak for Data, you must re-add the users with their SAML ID to enable them to use SSO. For more information on adding users, see Managing users.
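As an added example (not IBM's tooling), the script below turns PEM certificates into the single-line form that the parameter table asks for, writes a samlConfig.json, and audits an existing file for an unset spCert or idpCert, the two settings that leave requests unsigned or responses unverified. The function names are hypothetical, and values are assumed to contain no characters that need JSON escaping.

```shell
#!/bin/sh
# Added example: prepare and audit samlConfig.json certificate values.
# Assumes no value contains characters that need JSON escaping (" or \).

# Print a PEM certificate as one line, without the BEGIN/END lines.
pem_to_single_line() {
    grep -v -e '-----BEGIN CERTIFICATE-----' -e '-----END CERTIFICATE-----' "$1" |
        tr -d ' \r\n'
}

# Print a samlConfig.json document. Arguments, in order: entryPoint,
# fieldToAuthenticate, spCert PEM file, idpCert PEM file, issuer,
# identifierFormat. Fails if a certificate is empty, because an empty spCert
# leaves requests unsigned and an empty idpCert leaves responses unverified.
build_saml_config() {
    sp=$(pem_to_single_line "$3" 2>/dev/null)
    idp=$(pem_to_single_line "$4" 2>/dev/null)
    [ -n "$sp" ] || { echo "spCert is empty" >&2; return 1; }
    [ -n "$idp" ] || { echo "idpCert is empty" >&2; return 1; }
    printf '{\n  "entryPoint": "%s",\n  "fieldToAuthenticate": "%s",\n' "$1" "$2"
    printf '  "spCert": "%s",\n  "idpCert": "%s",\n' "$sp" "$idp"
    printf '  "issuer": "%s",\n  "identifierFormat": "%s"\n}\n' "$5" "$6"
}

# Audit an existing samlConfig.json; print each finding, return 1 if any.
audit_saml_config() {
    rc=0
    for key in spCert idpCert; do
        if ! grep -q "\"$key\"" "$1" ||
           grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*\"\"" "$1"; then
            echo "$key is not set"; rc=1
        fi
    done
    if grep -q -e 'BEGIN CERTIFICATE' -e 'END CERTIFICATE' "$1"; then
        echo "a certificate value still contains BEGIN/END lines"; rc=1
    fi
    return "$rc"
}
```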

Disabling SAML

Procedure

1. Disable SAML by running the following command:

oc exec -it -n namespace \
$(oc get pod -n namespace -l component=usermgmt | tail -1 | cut -f1 -d\ ) \
-- bash -c "rm /user-home/_global_/config/saml/samlConfig.json"

Replace namespace with the namespace where Cloud Pak for Data is deployed.

2. Run the following command to delete the usermgmt pods:

oc delete pods -l component=usermgmt

Enabling email notifications

You can configure a connection to your SMTP server so that Cloud Pak for Data can send email to users and admins.

About this task

The application sends emails to users when they are given access to the web client and to administrators when a new user signs up, an alert is triggered, or an application setting, such as the alert threshold, is changed.

Procedure

To enable Cloud Pak for Data to send email:

1. Log in to the web client as an administrator.

2. From the menu, select Administer > Configure platform.

3. On the SMTP settings page, specify the following information:


• Your SMTP mail server address.
• The port number of your SMTP server.

Important: If you specify a secure port, you must select Use TLS connection so that Watson Studio can communicate with your SMTP server.

• Specify the appropriate SMTP credentials for your environment:

| Method of sending communications | SMTP server requires authentication | SMTP server does not require authentication |
| --- | --- | --- |
| My SMTP server uses a mailer daemon to send communications | You must specify the following fields: SMTP username, SMTP password | You don't need to specify any fields. However, if you want to override the mailer daemon, you can specify a From account. |
| My SMTP server uses a default account to send communications | You must specify the following fields: SMTP username, SMTP password, From account | You must specify the following fields: From account |

4. Click Save. If your SMTP configuration is successful, you will receive a confirmation email.

Setting up a tethered namespace

If you are planning to install a service that needs to provision a service instance in a different namespace, or project in Red Hat OpenShift, than the Cloud Pak for Data control plane namespace, you must set up a "tethered" namespace for that service.

Before you begin

Required role: To complete this task, you must be a cluster administrator.

These instructions assume that the IBM Cloud Pak™ for Data control plane is already installed on your Red Hat OpenShift cluster.

You must have access to the oc command-line interface on your Red Hat OpenShift cluster.

About this task

In some cases, enterprise applications might require more isolation for the services they connect to, especially database instances. Having custom applications deployed in the same namespace as Cloud Pak for Data services is not desired either, because, in addition to security and privilege concerns, this configuration can introduce additional variations in the operations of these system services that can be detrimental to overall reliability. There might also be situations where these instances require specific compute resource quotas and specific network policies that only permit access from well-defined applications.

To support these requirements, the preference is to provision such instances in a separate Kubernetes namespace, which could be set up with its own network policies, security contexts, and quotas. This namespace would also be the namespace where applications that need access to these services could be deployed, essentially creating an exclusive sandbox for applications and their required services to operate in. Such a namespace is referred to as a "tethered" namespace: Cloud Pak for Data service instances are deployed into it, but they are instantiated and managed from (tethered to) the original Kubernetes namespace where Cloud Pak for Data itself resides.

Note: At this time, not every provisionable service can be deployed in a tethered namespace.


Procedure

1. Log in to your Red Hat OpenShift cluster:

oc login OpenShift_URL:port

2. Create a new namespace that you want to set up as a tethered namespace.

oc new-project tethered_namespace_name

3. Define a role that allows Tiller in the Cloud Pak for Data control plane namespace to manage all the resources in the tethered namespace.

You can choose to use a role that is similar to cpd-admin-role from the Cloud Pak for Data control plane namespace, or define a custom role for your application. In the following example, a role named tethered-role is created from the file tethered-role.yaml.

$ oc create -f tethered-role.yaml

role "tethered-role" created

tethered-role.yaml has the following contents:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tethered-role
  namespace: tethered_namespace_name
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]

4. Bind the service account to the role.
For example, in tethered-rb.yaml:

$ kubectl create -f tethered-rb.yaml

rolebinding "tethered-rb" created

tethered-rb.yaml has the following contents:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tethered-rb
  namespace: tethered_namespace_name
subjects:
- kind: ServiceAccount
  name: cpd-admin-sa
  namespace: control_plane_namespace_name
roleRef:
  kind: Role
  # Must name the Role created in step 3
  name: tethered-role
  apiGroup: rbac.authorization.k8s.io

Uninstalling Cloud Pak for Data

To remove Cloud Pak for Data from Red Hat OpenShift, delete the project, all cluster scoped items, and any remaining Persistent Volumes.

Procedure

To remove and clean Cloud Pak for Data from OpenShift:

1. Delete the Cloud Pak for Data project and all cluster scoped items:

oc delete namespace Project
oc delete scc cpd-user-scc
oc delete scc cpd-zensys-scc
oc delete crd cpdinstalls.cpd.ibm.com

Replace Project with the name of your Cloud Pak for Data project.

2. Verify that all Cloud Pak for Data Persistent Volumes are gone:

oc get pv

If any still exist, delete them:

oc delete pv pv-name

Replace pv-name with each remaining Cloud Pak for Data Persistent Volume.

Related tasks
Installing Cloud Pak for Data on a Red Hat OpenShift cluster
A project administrator can install IBM Cloud Pak™ for Data on a Red Hat OpenShift environment.

Related reference
Pre-installation tasks
Before you install Cloud Pak for Data, complete the following tasks.
Post-installation tasks
After you install Cloud Pak for Data, complete the following tasks.
