Validating the Installation
After the deployment procedure is complete, you should validate the deployment to ensure that everything is working according to your needs. The deployment may take approximately 3-4 minutes to complete.
To validate if the Certified Container Software deployment using Helm charts is successful,
invoke the following commands to verify the status (STATUS is DEPLOYED) for a Helm chart with
release, <my-release> and namespace, my-namespace.
-
Check the Helm chart release status by invoking the following command and verify that the
STATUS
isDEPLOYED
:helm status cm-release -n my-namespace helm status engine-release -n my-namespace helm status ps-release -n my-namespace
- Wait for the pod to be ready. To verify the pods status (READY) use the dashboard or through the
command line interface by invoking the following
command:
kubectl get pods -l release=cm-release -n my-namespace -o wide kubectl get pods -l release=engine-release -n my-namespace -o wide kubectl get pods -l release=ps-release -n my-namespace -o wide
- To view the service and ports exposed to enable communication in a pod invoke the following
command:
kubectl get svc -l release=cm-release -n my-namespace -o wide kubectl get svc -l release=engine-release -n my-namespace -o wide kubectl get svc -l release=ps-release -n my-namespace -o wide
The screen output displays the external IP and exposed ports under EXTERNAL-IP and PORT(S) column respectively. If external Load Balancer is not present, refer Master node IP as external IP.
Exposed Services for Configuration Manager
If required, this chart can create a service of ClusterIP for communication within the cluster.
This type can be changed while installing chart using
service.type
key defined in
values.yaml
. There are two ports where IBM Sterling Secure Proxy Configuration
Manager processes run. Web server port (8443) and cm port (62366) whose values can be updated during
chart installation using service.jetty.servicePort
or
service.cm.servicePort
. IBM Sterling Secure Proxy Configuration Manager can be
accessed using Load Balancer external IP or mapped Jetty Port. If Load Balancer is not present, then
refer to Master node IP for communication.Note: NodePort service type is not recommended. It exposes
additional security concerns and is hard to manage from both an application and networking
infrastructure perspective.
Exposed Services for Engine
If required, this chart can create a service of ClusterIP for communication within the cluster.
This type can be changed while installing chart using
service.type
key defined in
values.yaml
. There are two ports where IBM Sterling Secure Proxy Engine processes
run, Engine port (63366) and More Secure PS port whose values can be updated during chart
installation using service.engine.servicePort
or
service.moreSecurePS.servicePort
. IBM Sterling Secure Proxy Engine can be accessed
using Load Balancer external IP or mapped Jetty Port. If Load Balancer is not present, then refer to
Master node IP for communication.Note: NodePort service type is not recommended. It exposes
additional security concerns and is hard to manage from both an application and networking
infrastructure perspective.
Exposed Services for Perimeter Server
If required, this chart can create a service of ClusterIP for communication within the cluster.
This type can be changed while installing chart using
service.type
key defined in
values.yaml
. There is a port where IBM Sterling Secure Proxy Perimeter Server
processes run, PS port whose value can be updated during chart installation using
service.psLessSecure.servicePort
. IBM Sterling Secure Proxy Perimeter Server can be
accessed using Load Balancer external IP or mapped Jetty Port. If Load Balancer is not present, then
refer to Master node IP for communication.Note: NodePort service type is not recommended. It exposes
additional security concerns and is hard to manage from both an application and networking
infrastructure perspective.
DIME and DARE Security Considerations
This topic provides security recommendations for setting up Data In Motion Encryption (DIME) and Data At Rest Encryption (DARE). It is intended to help you create a secure implementation of the application.
- All sensitive application data at rest is stored in binary format so user cannot decrypt it. This chart does not support encryption of user data at rest by default. Administrator can configure storage encryption to encrypt all data at rest.
- Data in motion is encrypted using transport layer security (TLS 1.2). For more information click here.