IBM Security Guardium Insights on AWS

Partner Solution Deployment Guide

QS

September 2022
Joshua Klahn, Devan Shah, Manoj Nanjala, Divya Dinesan, Bhavana R, Samrika Singh, and Shinu Shaju, IBM
Vinod Shukla, AWS Integration & Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by IBM in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This Quick Start deploys IBM Security Guardium Insights on the AWS Cloud. This guide covers the steps necessary to deploy this Quick Start.

Costs and licenses

There is no cost to use this Quick Start, but you will be billed for any AWS services or resources that this Quick Start deploys. For more information, refer to the AWS Quick Start General Information Guide.

This Quick Start requires an IBM entitlement license for Guardium Insights from the IBM Container Library, which includes a subscription to RedHat OpenShift. For IBM Security Guardium Insights product and pricing information, or to use your existing entitlements, contact your IBM sales representative or schedule a meeting online at IBM Security Guardium Insights. For more information about licensing terms, see the IBM Security Guardium Insights software license agreement.

Architecture

Deploying this Quick Start with default parameters builds the following Guardium Insights environment in the AWS Cloud.

Architecture
Figure 1. Quick Start architecture for Guardium Insights on AWS

As shown in Figure 1, this Quick Start sets up the following:

  • A single-AZ reference architecture.

  • A virtual private cloud configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*

  • In the public subnet:

    • A managed network address translation (NAT) gateway to allow outbound internet access for resources in the private subnet.*

    • An Amazon Elastic Compute Cloud (Amazon EC2) instance for a boot node and bastion host to allow inbound internet access to resources in the private subnet.

  • In the private subnet, a Red Hat OpenShift Container Platform (OCP) cluster deployed to Amazon EC2 instances. The cluster contains the following nodes:

    • Control plane nodes to manage the cluster and run the OpenShift web console.

    • Compute nodes in an OpenShift autoscaling group. Guardium Insights runs as a containerized application on the compute nodes.

  • Network Load Balancers for routing internal and external OpenShift API traffic to control plane nodes.

  • A Classic Load Balancer for accessing Guardium Insights on compute nodes from a web browser.

  • Amazon Elastic Block Storage (Amazon EBS) for volumes attached to compute nodes to persist container data.

  • Amazon Route 53 for the public Domain Name System (DNS) for resolving domain names of the Guardium Insights console and deployed applications.

  • Amazon Simple Storage Service (Amazon S3) to store the OpenShift pull secret, TLS certificate and key, and OpenShift image registry.

  • AWS Secrets Manager to encrypt, store, and retrieve credentials and secrets for the Guardium Insights deployment.

* The template that deploys this Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

Deployment options

This Quick Start provides the following deployment options:

This Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Guardium Insights settings.

Predeployment steps

Before deploying the Quick Start, complete the following:

  1. Create an Amazon S3 bucket in the AWS Region you want to use for the deployment.

  2. Obtain an IBM entitlement key from the IBM Container Library, which includes a Red Hat OpenShift subscription. During deployment, enter the IBM entitlement key for the Repository password (RepositoryPassword) parameter.

  3. Create a Red Hat account if you don’t have one.

  4. Log into your Red Hat account and download your OpenShift pull secret from Red Hat.

  5. Upload your pull secret to the S3 bucket. During deployment, enter the IBM entitlement key for the Repository password (RepositoryPassword) parameter. The Quick Start uses the pull secret to provision the OpenShift cluster.

  6. Register a domain name in Amazon Route 53 to use for OpenShift.

  7. (Optional) To create your own fully-qualified domain name (FQDN), add a DNS record to your hosted zone in Amazon Route 53. Refer to (Optional) Create your own FQDN, later in this guide.

(Optional) Create your own FQDN

To create your own fully qualified domain name (FQDN) for the IBM Security Guardium Insights, add a DNS record to your hosted zone in Amazon Route 53.

  1. Sign into the AWS Management Console. Then open the Amazon Route 53 console.

  2. Choose Hosted zones from the left navigation pane.

  3. Choose the domain name you registered previously.

  4. Choose Create record.

  5. Enter a record name. This must be different from the Red Hat OpenShift Container Platform cluster FQDN or any other FQDN associated with the Red Hat OpenShift Container Platform cluster. During deployment, enter this name for the IBM Security Guardium Insights host name (HostName) parameter value.

  6. For Record type, choose CNAME.

  7. For Value, enter console-openshift-console.apps.ClusterName.DomainName. During deployment, you are prompted to enter the ClusterName and DomainName as parameters.

  8. For Routing policy, choose Simple routing.

  9. Choose Create record.

Upload the TLS certificate, TLS key, and custom TLS certificate to the S3 bucket you created for your OpenShift pull secret. During deployment, enter the TLS certificate, TLS keys, and custom TLS certificate as parameters. For more information, refer to Domain Name and TLS Certificates.

Deployment sizes

The Quick Start supports extra-small, small, medium, and large deployments of IBM Security Guardium Insights on the AWS Cloud. During deployment, specify a production size using the IBM Security Guardium Insights production size (GIProductionSize) parameter. For more information about the hardware requirements for different production sizes, refer to Hardware cluster requirements.

Deployment steps

  1. Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.

  2. Choose the correct AWS Region, and then choose Next.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.

  7. Choose Create stack. The stack takes about 2.5 hours to deploy.

  8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the IBM Security Guardium Insights deployment is ready.

  9. To view the created resources, choose the Outputs tab.

IBM Security Guardium Insights deployment outputs
Figure 2. IBM Security Guardium Insights outputs after a successful deployment

Postdeployment steps

Logging into IBM Security Guardium Insights

  1. Sign into the AWS Management Console. Then open the AWS CloudFormation console.

  2. Choose Stacks from the left navigation pane.

  3. Choose the IBM Security Guardium Insights stack.

  4. Choose the Outputs tab. The IBM Security Guardium Insights URL is the GIWebClientURL value on the Outputs tab, as shown in Figure 2.

  5. Navigate to the GIWebClientURL and log in using the administrator username (AdminUsername) and password (AdminPassword) you entered as parameters during deployment.

    If you did not enter an administrator password during deployment, you can use the default IBM Cloud Pak foundational services password. To retrieve this, do the following:

    1. On the Resources tab of the IBM Security Guardium Insights stack, choose the GIAdminSecret.

    2. On the GIAdminSecret page in the AWS Secrets Manager console, in the Secret value section, choose Retrieve secret value. Use this secret value as the IBM Security Guardium Insights administrator password.

Logging into the Red Hat OpenShift console

  1. Navigate to the OpenshiftWebConsoleURL on the Outputs tab of the IBM Security Guardium Insights stack, as shown in Figure 2.

  2. Log in to the OpenShift console using the default administrator username kubeadmin.

  3. To obtain the OpenShift administrator password, complete the following:

    1. On the Resources tab of the IBM Security Guardium Insights stack, choose the OpenShiftSecret.

    2. On the OpenShiftSecret page in the AWS Secrets Manager console, in the Secret value section, choose Retrieve secret value. Use this secret value as the OpenShift administrator password.

Accessing Red Hat OpenShift cluster from a command line

  1. In your Red Hat OpenShift web console, choose your profile name and then choose Copy Login.

  2. Choose Display Token, copy the oc login command, and paste the command onto a command line.

Troubleshooting

The deployment generates the following standard output (stdout) log files in the output S3 bucket:

  • ocp_install.log – Standard output of Red Hat OpenShift Container Platform deployment using installer-provisioned infrastructure (IPI).

  • gi_install.log – Standard output of IBM Cloud Pak foundational services and IBM Security Guardium Insights installation, including installation validation.

  • bootstrap.log – Standard output of a high-level overview of events during deployment of Red Hat OpenShift Container Platform and IBM Security Guardium Insights.

For troubleshooting IBM Security Guardium Insights, refer to Techniques for troubleshooting problems.

For troubleshooting common Quick Start issues, refer to the AWS Quick Starts General Information Guide and Troubleshooting CloudFormation.

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.