Installing the Hyper Protect hosting appliance
Use this procedure to install and start the Hyper Protect hosting appliance in a Secure Service Container partition on the IBM z or LinuxONE server.
This procedure is intended for users with the role appliance administrator.
Note:
- The Hyper Protect hosting appliance is an enhanced version of the IBM Secure Service Container software appliance.
- The Hyper Protect hosting appliance displays with the name IBM Secure Service Container on the Secure Service Container user interface.
- The Hyper Protect hosting appliance uses all of the IBM Secure Service Container documentation and techniques to install, administer, and maintain.
- The Hyper Protect hosting appliance version numbering scheme is unique to the Hyper Protect hosting appliance, as opposed to the general Secure Service Container verion numbering scheme.
- Only one appliance can be installed and run in a Secure Service Container partition at any given time; this type of partition does not support running multiple appliances simultaneously. You can define more than one Secure Service Container partitions on the same system, and run instances of the same appliance in each one. In this case, each partition must use separate storage devices.
- For Hyper Protect hosting appliance version 4.3.12, the concurrent sessions with the hosting appliance are limited to three. Ensure that you do not exceed three concurrent sessions.
Before you begin
- Check that you have the appliance image
secure-service-container-for-hpvs.appliance.<version_number>.img.gzin the installation directory. For instructions, see Downloading the installation package. - Check that you have the Secure Service Container partition created to install the hosting appliance as instructed in the Creating the Secure Service Container partition topic.
- Check that you download Secure Service Container User's Guide, SC28-6978-02a.
Procedure
Complete the following tasks through the browser of your choice.
-
Log in to the Secure Service Container installer by using the primary user ID and password in your browser. For example,
https://<secure_service_container_partition_ip_address>. -
On the main page, click the plus (+) icon to install image files from local disk. The page display changes to the Install Software Appliance page.
-
On the Install Software Appliance page, select the Upload image to target disk option, and then locate the appliance image file on your local disk under the Local Installation Image section.
-
Under Target Disk on Server, select the device type FICON DASD or FCP, and then click Apply to upload the appliance image to the target disk on the server. Note:
- You can only specify one type of disk (either DASD or FCP) during the appliance installation stage.
- Target FCP disks must be large enough to fit the uncompressed appliance, with an additional 2 GB for the Secure Service Container installer to use.
-
Click Reboot on the confirmation dialog to have the installer automatically reactivate the partition.
The Secure Service Container installer uploads the appliance image to the target disk, and prepares the partition to load the appliance after the next reboot.
- When the reboot process begins, the installer displays the Reboot window.
- If an IP address type other than DHCP is in use for the appliance page, the Secure Service Container installer redirects the browser to the software appliance page.
-
The Secure Service Container installer and fresh installations of Secure Service Container appliances are using self-signed certificates for TLS connections to its web server – For the Web UI and REST API. To enable a client to verify the authenticity of the connection to the Secure Service Container installer or Secure Service Container appliance, consumers must perform the following steps every time a new connection is initiated to the server, until a Certificate Authority signed certificate is uploaded and actively used:
- Check the operating system messages printed as part of the installation on HMC/SE, for the fingerprint and CN of the active self signed certificates used. For example:
... subject=C = US, O = IBM, OU = zACI, CN = *.test098 ... SHA1 Fingerprint= B5:1D:05:65:8C:.....:E0 ... - Verify the fingerprint and the CN values obtained from the previous step with the actual certificate when trying to connect to the appliance.
- Check the operating system messages printed as part of the installation on HMC/SE, for the fingerprint and CN of the active self signed certificates used. For example:
-
On the appliance page, accept the self-signed certificate for the SSL connection, and log in to the Secure Service Container user interface by using the primary user ID and password.
For more detailed instructions, see the following topic after you download Secure Service Container User's Guide, SC28-6978-02a.
- Chapter 13 - Installing a new software appliance in a Secure Service Container partition
Next
You can configure the storage on the Secure Service Container partition as instructed in the Configuring the storage on the Secure Service Container partition topic.