System requirements and prerequisites

Before you can install IBM® Guardium Insights, ensure that you have the required hardware, software, and storage. System requirements for IBM Security Guardium® Insights are described in this topic.

Guardium Insights is installed on a Red Hat® OpenShift® Container Platform cluster. The requirements for your cluster depend on several factors:
  • The shared cluster components that you need to install
  • The number of Guardium Insights instances you plan to install on your cluster
  • The services that you plan to install on top of Guardium Insights
  • The types of workloads that you plan to run
Important: Work with your IBM Sales representative to size your cluster.

Review the following information to accurately size and configure your cluster:

Software prerequisites

  • Red Hat OpenShift Container Platform Version 4.8.x or 4.10.x
    Note: If you have purchased IBM Security Guardium Insights for IBM Cloud Pak for Security, you are automatically entitled to install its OpenShift Container Platform. See IBM Security Guardium Insights for IBM Cloud Pak for Security software requirements for more information.
  • IBM Cloud Pak foundational services Version 3.19.x (where x is the latest released version)
    Note: Guardium Insights only supports Cloud Pak foundational services Version 3.19.x (where x is the latest released version). If you install Cloud Pak foundational services using a method other than these instructions, you may need to adjust your Cloud Pak foundational services installation so that it does not upgrade automatically to a version that is not supported by Guardium Insights. To do this, switch every operator subscription in the namespace from automatic to manual install plan approval by issuing these commands:
    oc project <namespace_cloud_pak>
    # Pin every OLM subscription in the namespace to manual approval, so that
    # OLM queues upgrades for your approval instead of applying them itself
    for i in $( oc get sub --no-headers | awk '{print $1}' | sort -r )
    do
       oc patch subscription/$i --type=merge --patch='{"spec":{"installPlanApproval":"Manual"}}'
    done

    where <namespace_cloud_pak> is the namespace where Cloud Pak foundational services is located (typically, this is ibm-common-services).

  • Data mart support: Guardium Insights supports these v3 and v4 data marts from Guardium Data Protection:
    • v4 data marts:
      • Version 11.0.p370 for Version 11.3
      • Version 11.0.p450 for Version 11.4
      • Version 11.0.p500 for Version 11.5
    • v3 data marts:
      • Version 11.0.p360 for Version 11.3
      • Version 11.0.p430 for Version 11.4
    Note: Mixing Guardium Data Protection versions with v3 and v4 data marts in the same central manager is not recommended.
  • Prerequisites for connecting Guardium Data Protection for z/OS® to Guardium Insights are:
    • Guardium STAP for z/OS Version 10.1.3 and above
  • If you will connect to Amazon Web Services (AWS) Aurora PostgreSQL, Amazon Kinesis is required.
  • If you will connect to Azure, Azure Event Hubs is required.
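
The patch loop under IBM Cloud Pak foundational services above changes the approval mode, but it does not tell you whether every subscription actually took the change, or whether OLM already has a newer version queued behind a pending install plan. The following script is an added example for that check and is not IBM's tooling. It reads the output shape of oc get sub -o json and relies on three OLM Subscription fields (spec.installPlanApproval, status.installedCSV, status.currentCSV); the operator names and CSV versions in the built-in sample are constructed placeholders, not real IBM operators.

```python
import json
import subprocess
import sys


def audit_subscriptions(sub_list: dict) -> dict:
    """Inspect OLM Subscription objects (the `items` of `oc get sub -o json`).

    Returns the names still on automatic approval, plus subscriptions whose
    status.currentCSV already differs from status.installedCSV, meaning OLM
    has an upgrade queued. Under Manual approval that upgrade waits for you;
    under Automatic it is applied without asking.
    """
    automatic, pending = [], []
    for sub in sub_list.get("items", []):
        name = sub["metadata"]["name"]
        approval = sub.get("spec", {}).get("installPlanApproval", "Automatic")
        if approval != "Manual":
            automatic.append(name)
        status = sub.get("status", {})
        installed, current = status.get("installedCSV"), status.get("currentCSV")
        if installed and current and installed != current:
            pending.append((name, installed, current))
    return {"automatic": automatic, "pending": pending}


def patch_commands(audit: dict, namespace: str) -> list:
    """Build the `oc patch` argv for each subscription that is still Automatic."""
    patch = json.dumps({"spec": {"installPlanApproval": "Manual"}})
    return [["oc", "-n", namespace, "patch", f"subscription/{name}",
             "--type=merge", f"--patch={patch}"]
            for name in audit["automatic"]]


# Constructed sample in the shape of `oc get sub -o json`; the operator
# names and CSV versions are placeholders, not real IBM operators.
SAMPLE = {"items": [
    {"metadata": {"name": "operator-a"},
     "spec": {"installPlanApproval": "Manual"},
     "status": {"installedCSV": "operator-a.v1.0.0", "currentCSV": "operator-a.v1.0.0"}},
    {"metadata": {"name": "operator-b"},
     "spec": {"installPlanApproval": "Automatic"},
     "status": {"installedCSV": "operator-b.v1.0.0", "currentCSV": "operator-b.v1.1.0"}},
]}


if __name__ == "__main__":
    # Usage: python audit_subs.py [namespace] [--live]
    # Without --live the constructed SAMPLE is audited, so the script runs offline.
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    namespace = args[0] if args else "ibm-common-services"
    if "--live" in sys.argv:
        out = subprocess.run(["oc", "-n", namespace, "get", "sub", "-o", "json"],
                             check=True, capture_output=True, text=True).stdout
        subs = json.loads(out)
    else:
        subs = SAMPLE
    result = audit_subscriptions(subs)
    for name in result["automatic"]:
        print(f"still Automatic: {name}")
    for name, installed, current in result["pending"]:
        print(f"upgrade queued: {name} {installed} -> {current} (approve only if supported)")
    for cmd in patch_commands(result, namespace):
        print("fix:", " ".join(cmd))
```

Run it with --live after the patch loop; anything reported as "still Automatic" needs the printed fix command, and a queued upgrade should only be approved if the target version is still within the supported 3.19.x line.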

IBM Security Guardium Insights for IBM Cloud Pak for Security software requirements

IBM Security Guardium Insights for IBM Cloud Pak for Security supports IBM Cloud Pak for Security Version 1.10, which includes the version of OpenShift Container Platform that is required by Guardium Insights.

Note: When installing IBM Cloud Pak for Security, the repository defaults to its most recent product version. Since Guardium Insights only supports IBM Cloud Pak for Security Version 1.10, you must manually set the download tags and release to Version 1.10. Alternatively, you can download Version 1.10 by issuing this command:
cloudctl case save --case https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-cp-security-1.0.7.tgz --outputdir <working_directory> --tolerance=1

The requirements for IBM Security Guardium Insights and IBM Security Guardium Insights for IBM Cloud Pak for Security are the same - however, if you purchase IBM Security Guardium Insights for IBM Cloud Pak for Security, you are automatically entitled to install its OpenShift Container Platform.

Container Application Software for Enterprises (CASE) version support

When installing Guardium Insights, use the CASE versions that are supported for the version of Guardium Insights that you are installing. These versions are listed in https://github.com/IBM/cloud-pak/blob/master/repo/case/ibm-guardium-insights/index.yaml - there, the version listed is the CASE version, and the corresponding appVersion is the Guardium Insights version that it applies to.

Security context constraints (SCC) requirements

OpenShift provides security context constraints (SCCs) that control the actions that a pod can perform and what it is able to access. Guardium Insights requires an SCC to be bound to the target namespace before installation. To meet this requirement, you may need to take actions to prepare your cluster and namespace.

The predefined ibm-restricted-scc, ibm-privileged-scc, and restricted SecurityContextConstraints have been verified for this chart. If your target namespace is bound to one of these SecurityContextConstraints, you can proceed with chart installation. This is the ibm-restricted-scc SecurityContextConstraints definition:

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: "[DEPRECATED] This policy is the most restrictive,
      requiring pods to run with a non-root UID, and preventing pods from accessing the host.
      The UID and GID will be bound by ranges specified at the Namespace level."
    cloudpak.ibm.com/version: "1.2.0"
    cloudpak.ibm.com/deprecated: "true"
  name: ibm-restricted-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowedCapabilities: null
allowedFlexVolumes: null
allowedUnsafeSysctls: null
defaultAddCapabilities: null
defaultAllowPrivilegeEscalation: false
forbiddenSysctls:
  - "*"
fsGroup:
  type: MustRunAs
  ranges:
  - max: 65535
    min: 1
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsNonRoot
seccompProfiles:
- docker/default
# This can be customized for seLinuxOptions specific to your host machine
seLinuxContext:
  type: RunAsAny
# seLinuxOptions:
#   level:
#   user:
#   role:
#   type:
supplementalGroups:
  type: MustRunAs
  ranges:
  - max: 65535
    min: 1
# This can be customized to host specifics
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
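
Before you bind a namespace to ibm-restricted-scc it is worth knowing whether the workload you are about to install would actually be admitted under it. The following pre-check is an added example, not IBM's tooling and not OpenShift's admission logic: it transcribes the constraints from the definition above into a dict and reports which explicit settings of a pod spec would be rejected. It assumes plain dict input (for example json.load of oc get pod -o json) so it runs offline without PyYAML; the two pod specs at the bottom are constructed samples.

```python
# Constraints transcribed from the ibm-restricted-scc definition above.
SCC = {
    "allowHostNetwork": False, "allowHostPID": False, "allowHostIPC": False,
    "allowPrivilegedContainer": False, "allowPrivilegeEscalation": False,
    "allowedCapabilities": None,                     # null: nothing may be added
    "requiredDropCapabilities": ["ALL"],             # admission adds this drop itself
    "runAsUser": {"type": "MustRunAsNonRoot"},
    "fsGroup": {"type": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "supplementalGroups": {"type": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "volumes": ["configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "projected", "secret"],
}


def _in_ranges(value: int, ranges: list) -> bool:
    return any(r["min"] <= value <= r["max"] for r in ranges)


def scc_violations(pod_spec: dict, scc: dict = SCC) -> list:
    """Reasons the pod spec would be rejected by the SCC (empty list = admissible).

    Only settings the pod states explicitly are judged: admission mutates unset
    fields (adds the ALL drop, sets runAsNonRoot, sets allowPrivilegeEscalation
    false), so leaving them out is not a violation, but stating the opposite is.
    """
    problems = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        scc_key = "allow" + field[0].upper() + field[1:]          # hostPID -> allowHostPID
        if pod_spec.get(field) and not scc[scc_key]:
            problems.append(f"pod sets {field}=true but {scc_key} is false")

    pod_sc = pod_spec.get("securityContext", {})
    fs_group = pod_sc.get("fsGroup")
    if fs_group is not None and not _in_ranges(fs_group, scc["fsGroup"]["ranges"]):
        problems.append(f"fsGroup {fs_group} is outside the allowed ranges")
    for gid in pod_sc.get("supplementalGroups", []):
        if not _in_ranges(gid, scc["supplementalGroups"]["ranges"]):
            problems.append(f"supplementalGroup {gid} is outside the allowed ranges")

    for vol in pod_spec.get("volumes", []):
        for kind in (k for k in vol if k != "name"):               # e.g. "hostPath"
            if kind not in scc["volumes"]:
                problems.append(f"volume {vol.get('name')!r} uses type {kind!r}, which is not allowed")

    for ctr in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = {**pod_sc, **ctr.get("securityContext", {})}           # container overrides pod
        name = ctr.get("name", "?")
        if sc.get("privileged"):
            problems.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is True:
            problems.append(f"{name}: allowPrivilegeEscalation=true")
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
            problems.append(f"{name}: must run as non-root (MustRunAsNonRoot)")
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            if cap not in (scc["allowedCapabilities"] or []):
                problems.append(f"{name}: capability {cap} cannot be added")
    return problems


# Constructed sample pod specs (the `spec` part of a Pod), not from any real chart.
COMPLIANT_POD = {
    "securityContext": {"runAsNonRoot": True, "fsGroup": 1000},
    "volumes": [{"name": "cfg", "configMap": {"name": "app-config"}},
                {"name": "data", "persistentVolumeClaim": {"claimName": "app-data"}}],
    "containers": [{"name": "app", "image": "example/app:1",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}
BAD_POD = {
    "hostNetwork": True,
    "volumes": [{"name": "host", "hostPath": {"path": "/var/lib"}}],
    "containers": [{"name": "agent", "image": "example/agent:1",
                    "securityContext": {"runAsUser": 0, "privileged": True,
                                        "capabilities": {"add": ["NET_ADMIN"]}}}],
}

if __name__ == "__main__":
    for label, spec in (("compliant", COMPLIANT_POD), ("bad", BAD_POD)):
        print(label, scc_violations(spec) or "admissible under ibm-restricted-scc")
```

Treat a clean result as a screening pass only: the authoritative answer comes from the cluster, for example oc adm policy scc-review -f pod.yaml, which evaluates the pod against every SCC the requesting service account can use.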

Command line tools

Tools for command line administration of the cluster and Guardium Insights can be accessed from the Red Hat OpenShift Container Platform and IBM Cloud Pak foundational services web consoles. This table details the tools and versions that are required for Guardium Insights:

Table 1. Tools and versions that are required for Guardium Insights

  • oc - 4.4.6 or later - https://www.okd.io/download.html
    Run oc login <OCP endpoint> before you start; the workstation must be logged in to the OpenShift cluster.
  • kubectl - 1.16 or later - https://kubernetes.io/docs/tasks/tools/install-kubectl/
  • cloudctl - 3.17.0 or later - https://github.com/IBM/cloud-pak-cli/releases
  • openssl - 1.1.1 - https://www.openssl.org/source/
  • python with PyYAML installed - 3.x or later (there must be a symbolic link named python that points to it)
  • docker (or podman) - 17.03 or later - https://hub.docker.com/?overlay=onboarding
  • skopeo (offline installations only) - 1.0.0 - https://github.com/containers/skopeo/blob/master/install.md
  • htpasswd (offline installations only)
  • Standard utilities: ssh-keygen, base64, cat, echo, grep, awk, rm, tr, cut, tar
  • Cluster administrator privileges to run the setup scripts
  • Your login credentials to cp.icr.io
Note: Some operating systems ship an SSL library other than OpenSSL (for example, LibreSSL) as the default openssl command. Ensure that the correct version of OpenSSL is the default on your machine.
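
Checking Table 1 by hand on every workstation is error-prone, and the OpenSSL note is exactly the kind of thing that slips through. The following preflight script is an added example, not IBM's installer: it runs each tool's version command, parses the first a.b or a.b.c token from the output, compares it with the minimum from Table 1, and treats a LibreSSL answer from openssl as a failure. The version-output samples are constructed in the formats these tools commonly print and may differ by release; htpasswd and the standard utilities have no version floor on the page and are not checked.

```python
import re
import shutil
import subprocess

# (tool, argv that prints its version, required version, exact series?) from Table 1.
# "exact" means the found version must start with the required components
# (openssl 1.1.1k is fine, 3.0.x is not); otherwise the requirement is "at least".
REQUIRED = [
    ("oc",       ["oc", "version", "--client"],      "4.4.6",  False),
    ("kubectl",  ["kubectl", "version", "--client"], "1.16",   False),
    ("cloudctl", ["cloudctl", "version"],            "3.17.0", False),
    ("openssl",  ["openssl", "version"],             "1.1.1",  True),
    ("python3",  ["python3", "--version"],           "3.0",    False),
    ("docker",   ["docker", "--version"],            "17.03",  False),
    ("skopeo",   ["skopeo", "--version"],            "1.0.0",  False),   # offline installs only
]


def parse_version(text: str):
    """First 'a.b' or 'a.b.c' in the text as a tuple of ints, else None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return None if m is None else tuple(int(g) for g in m.groups() if g is not None)


def satisfies(found_text: str, required: str, exact: bool = False) -> bool:
    found, need = parse_version(found_text), parse_version(required)
    if found is None or need is None:
        return False
    if exact:
        return found[:len(need)] == need
    width = max(len(found), len(need))          # pad so (1,16) compares with (1,21,2)
    return found + (0,) * (width - len(found)) >= need + (0,) * (width - len(need))


def evaluate(tool: str, version_output: str, required: str, exact: bool = False):
    """Judge a tool's version output. Returns (ok, message)."""
    if tool == "openssl" and "LibreSSL" in version_output:
        # The note under Table 1: a default openssl that is really LibreSSL does not count.
        return False, f"{tool}: LibreSSL is on PATH, OpenSSL {required} is required"
    ok = satisfies(version_output, required, exact)
    found = parse_version(version_output)
    shown = ".".join(map(str, found)) if found else "unparseable"
    return ok, f"{tool}: found {shown}, required {required}{'' if ok else ' (FAIL)'}"


def check_tool(tool: str, argv: list, required: str, exact: bool = False):
    """Run the real tool on this workstation and evaluate its output."""
    if shutil.which(argv[0]) is None:
        return False, f"{tool}: not found on PATH"
    proc = subprocess.run(argv, capture_output=True, text=True)
    return evaluate(tool, proc.stdout + proc.stderr, required, exact)


# Constructed version outputs, in the formats these tools commonly print.
SAMPLE_OUTPUTS = {
    "oc": "Client Version: 4.10.3\n",
    "openssl": "LibreSSL 2.8.3\n",
    "docker": "Docker version 20.10.7, build abc1234\n",
}

if __name__ == "__main__":
    for tool, argv, required, exact in REQUIRED:
        ok, msg = check_tool(tool, argv, required, exact)
        print(("PASS " if ok else "FAIL ") + msg)
```

Run it on the workstation you will install from, after oc login, since the same shell and PATH are what the setup scripts will see.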

Data source platform streaming support

Guardium Insights allows you to connect to data sources on these platforms:

  • Guardium (IBM Security Guardium Data Protection) - the supported Guardium Data Protection versions are those listed under Data mart support in Software prerequisites
  • Guardium Data Protection for z/OS - with these prerequisites:
    • Guardium STAP for z/OS Version 10.1.3 or later
  • Amazon Web Services (AWS) Aurora PostgreSQL through Amazon Kinesis
  • Azure Event Hubs
Note: When streaming from Guardium, Guardium Insights supports the same database platforms that Guardium supports. To learn more, consult the list of supported database platforms for the version of Guardium that you are streaming from.

These are also the sources that you choose from when connecting to streams of data in the Guardium Insights user interface.

Ticketing support

Guardium Insights allows you to connect to these ticketing services:

  • IBM Cloud Pak for Security Cases
  • IBM Resilient®
  • ServiceNow

Browser support

Guardium Insights is supported on Google Chrome, Mozilla Firefox, and Microsoft Edge.

Display resolution

Guardium Insights is best viewed on screen display resolutions of 1024x768 pixels or higher.

External storage allocation for backups

Requirements: The Network File System (NFS) server must be reachable from the cluster that runs Guardium Insights.

  • If you will be placing backups in a remote destination, a Network File System (NFS) is required.
  • The NFS storage class must be installed prior to installing Guardium Insights.
  • A PersistentVolume (PV) and a PersistentVolumeClaim (PVC) need to be created with the NFS storage class before Guardium Insights is installed.

Before installing Guardium Insights, consider allocating and attaching temporary storage for backups. The size of the additional space should be roughly 10% larger than the size of data you would expect to collect in one month.

Set the flag for backup support in the installation YAML file for Guardium Insights. The backup data is stored on the PV designated by the storageClassName.

Example:
guardiumInsightsGlobal:
    backupsupport:
      enabled: "true"
      name: backup-pvc-support
      size: 500Gi
      storageClassName: nfs-client
Warning: You cannot add external storage after deploying Guardium Insights.

If the flag for backup support is not set before Guardium Insights is deployed, the backup data is stored internally on the backup pod, and you might run out of internal storage space.
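
Because external backup storage cannot be added after deployment, the size in the backupsupport block has to be right the first time. The following helper is an added example, not IBM's installer: it applies the page's sizing rule (about 10% more than one month of collected data), parses Kubernetes quantity strings such as 500Gi, and checks a loaded install YAML for the fields the fragment above uses. It assumes the YAML has been loaded into a dict (yaml.safe_load from PyYAML gives this shape) and that enabled is written as the string "true" as shown on this page; the monthly data volumes in the usage line are constructed.

```python
import math

# Kubernetes quantity suffixes; binary ones are tested before decimal ones
# so that "Gi" is never mistaken for "G" with trailing junk.
_SUFFIXES = (("Ki", 1024), ("Mi", 1024 ** 2), ("Gi", 1024 ** 3), ("Ti", 1024 ** 4),
             ("K", 10 ** 3), ("M", 10 ** 6), ("G", 10 ** 9), ("T", 10 ** 12))
GI = 1024 ** 3


def parse_quantity(q) -> int:
    """'500Gi' -> 536870912000 bytes; a bare number is bytes."""
    q = str(q).strip()
    for suffix, mult in _SUFFIXES:
        if q.endswith(suffix):
            return int(float(q[:-len(suffix)]) * mult)
    return int(q)


def recommended_backup_gi(monthly_data_gi, headroom_pct: int = 10) -> int:
    """Page rule: roughly 10% more than one month of collected data, rounded up to whole Gi.
    Integer percent arithmetic avoids 400 * 1.1 rounding up to 441."""
    return math.ceil(monthly_data_gi * (100 + headroom_pct) / 100)


def validate_backupsupport(values: dict, monthly_data_gi) -> list:
    """Problems with the guardiumInsightsGlobal.backupsupport block of the install YAML."""
    block = values.get("guardiumInsightsGlobal", {}).get("backupsupport")
    if not block:
        return ["backupsupport is missing: backups would stay on the backup pod's internal "
                "storage, and external storage cannot be added after deployment"]
    problems = []
    if str(block.get("enabled", "")).lower() != "true":
        problems.append('enabled must be "true"')
    for key in ("name", "storageClassName"):
        if not block.get(key):
            problems.append(f"{key} is required (storageClassName is the NFS storage class)")
    need_gi = recommended_backup_gi(monthly_data_gi)
    size = block.get("size")
    if not size:
        problems.append("size is required")
    elif parse_quantity(size) < need_gi * GI:
        problems.append(f"size {size} is below the recommended {need_gi}Gi "
                        f"for {monthly_data_gi}Gi of data per month")
    return problems


# The fragment from this page, as a dict (constructed to match it).
EXAMPLE_VALUES = {"guardiumInsightsGlobal": {"backupsupport": {
    "enabled": "true", "name": "backup-pvc-support",
    "size": "500Gi", "storageClassName": "nfs-client"}}}

if __name__ == "__main__":
    for monthly in (400, 1000):   # constructed monthly data volumes in Gi
        print(f"{monthly}Gi/month -> recommend {recommended_backup_gi(monthly)}Gi;",
              validate_backupsupport(EXAMPLE_VALUES, monthly) or "500Gi is sufficient")
```

The monthly figure should come from the data volume you actually expect to collect, and the PV you create with the NFS storage class beforehand must be at least as large as the size you set here, otherwise the claim will not bind.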