Installing Stark & Wayne SHIELD™ for PCF

Install Redis for PCF

Before you install Stark & Wayne SHIELD, install Redis for PCF. Installation instructions are available at http://docs.pivotal.io/redis/1-9/

installation-redis-pcf

Upload Tile

Download the product file from the Pivotal Network.

Click “Import a Product” on the left hand side of your Ops Manager dashboard. Select the starkandwayne-shield-x.y.z.pivotal file to upload.

The Stark & Wayne SHIELD™ product will appear in the “Available Products” list. Click “Add” to move it to the Installation Dashboard.

The first time you upload/install the tile it will appear with a red lower border. This means it is not yet ready to be installed - there are mandatory configuration that you will need to provide. Notably, the default archiving configuration.

installation-shield-tile

Configuration

There are several panels of configuration for Stark & Wayne SHIELD that you need to configure.

Assign AZs and Networks

If you have configured more than one network at your Ops Manager Director you will be required to select which network must be used when installing this tile:

installation-shield-azs-networks

Archiving

Stark & Wayne SHIELD product needs an external Storage system to store the backup archives. It also needs to know when to backup the different targets and how long should maintain the backup archives.

  1. In Stark & Wayne SHIELD™ > Settings, select Archiving.

    installation-shield-archiving

  2. Enter an Environment name for your SHIELD installation (ie: production).

  3. Enter a daemon Name for your SHIELD installation (ie: pcf-SHIELD).

  4. Enter the default Schedule (when it should run which backup jobs).

  5. Enter the default Retention Policy in days (how long archived data is kept).

  6. Choose the default Central Archiving Storage (where to store the backup archives).

Amazon AWS S3 Bucket

If you want to use an Amazon AWS S3 Bucket to store your backup archives, perform the following steps:

  1. At the Amazon AWS console, navigate to the S3 service and create a S3 Bucket:

    installation-shield-s3-bucket

  2. Navigate to the IAM service and create an AWS IAM User with Programmatic access type:

    installation-shield-s3-iam-user

    NOTE: Make sure you save the Secret Access Key somewhere secure, like 1Password. Amazon AWS will be unable to give you it again if you misplace it – your only recourse at that point is to generate a new set of keys and start over.

  3. Select the user, take note of the User ARN value, then click on Add permissions and select Attach existing policies directly. Click on Create policy and then Create Your Own Policy. Give the Policy a name like Stark & WayneSHIELDPolicy and in the Policy Document field add the following, substituting the User ARN and Bucket Name values with your values:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "arn:aws:iam::xxxxxxxxxxxx:user/zzzzz"
            },
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::your-bucket-name",
                    "arn:aws:s3:::your-bucket-name/*"
                ]
            }
        ]
    }
    
  4. In Stark & Wayne SHIELD > Settings, select Amazon AWS S3 bucket.

    installation-shield-archiving-s3

  5. Complete the following fields:

    Field Notes
    AWS Access Key Specify the Access Key for AWS S3
    AWS Secret Access Key Specify the Secret Access Key for AWS S3
    AWS S3 Bucket Name Specify the shared AWS S3 Bucket for all backup files
    AWS S3 Bucket Path Prefix Optionally, specify if all backup files should be stored under this common path prefix

    NOTE: Ensure that the Bucket has been created before clicking Save.

  6. Click Save.

Amazon AWS S3 Compatible Bucket

If you want to use a compatible AWS S3 Bucket (like Ceph) to store your backup archives, perform the following steps:

  1. At your compatible Amazon AWS S3 system, create a new user (and access keys) and a new bucket.

  2. In Stark & Wayne SHIELD > Settings, select Amazon AWS S3 Compatible Bucket.

    installation-shield-archiving-s3-compatible

  3. Complete the following fields:

    Field Notes
    S3 API Hostname Specify the hostname for the S3 compatible API
    S3 API Port Specify the port for the S3 compatible API
    Skip SSL validation Check if SSL validation must be skipped when connecting to the S3 compatible API
    S3 Access Key Specify the Access Key for the S3 compatible API
    S3 Secret Access Key Specify the Secret Access Key for the S3 compatible API
    S3 Signature Version Select the signature version for the S3 compatible API
    S3 Bucket Name Specify the shared S3 Bucket for all backup files
    S3 Bucket Path Prefix Optionally, specify if all backup files should be stored under this common path prefix
    SOCKS5 proxy Optionally, specify the defined SOCKS5 proxy to use for the S3 compatible API connection

    NOTE: Ensure that the Bucket has been created before clicking Save.

  4. Click Save.

Microsoft Azure Container

If you want to use a Microsoft Azure Container to store your backup archives, perform the following steps:

  1. At the Microsoft Azure Portal navigate to the Storage accounts tab and create an Azure Storage Account:

    installation-shield-azure-storage-account

  2. After the storage account is created, select the new storage account from the dashboard, navigate to the Blob Service section of the storage account, then click on Containers, and create a Container, setting the Access type to Private:

    installation-shield-azure-container

  3. In Stark & Wayne SHIELD > Settings, select Microsoft Azure Container.

    installation-shield-archiving-azure

  4. Complete the following fields:

    Field Notes
    Azure Account Specify the Account for Azure Storage
    Azure Account Key Specify the Account Key for Azure Storage
    Azure Storage Container Name Specify the shared Azure Storage Container for all backup files

    NOTE: Ensure that the Container has been created before clicking Save.

Google Cloud Storage Bucket

If you want to use a Google Cloud Storage Bucket to store your backup archives, perform the following steps:

  1. At the Google Cloud Platform dashboard, navigate to the IAM & Admin > Service Accounts tab, and create a Google Cloud Service Account with Storage Admin privileges and furnish a new JSON private key:

    installation-shield-google-service-account

  2. At the Google Cloud Platform dashboard, under Storage, create a Google Cloud Storage Bucket:

    installation-shield-google-bucket

  3. In Stark & Wayne SHIELD > Settings, select Google Cloud Storage Bucket.

    installation-shield-archiving-google

  4. Complete the following fields:

    Field Notes
    Google Cloud Storage Service Account JSON Key Enter the contents of the Google Cloud Storage Service Account JSON Key file
    Google Cloud Storage Bucket Name Specify the shared Google Cloud Storage Bucket for all backup files
    Google Cloud Storage Bucket Path Prefix Optionally, specify if all backup files should be stored under this common path prefix

    NOTE: Ensure that the Bucket has been created before clicking Save.

  5. Click Save.

Databases

Stark & Wayne SHIELD product needs a database in order to store the archiving configuration.

You can configure Stark & Wayne SHIELD to use the provided internal PostgreSQL database, or you can configure an external database provider for the databases (only MySQL and PostgreSQL are supported)

NOTE: If you are performing an upgrade, do not modify your existing database configuration or you may lose data. You must migrate your existing data first before changing the configuration. Contact the Stark & Wayne Tiles™ team for help.

Internal Database Configuration

WARNING: The internal PostgreSQL database provided with Stark & Wayne SHIELD™ is a single PostgreSQL instance (NOT highly-available).

If you want to use internal databases for your deployment, perform the following steps:

  1. In Stark & Wayne SHIELD > Settings, select Databases.

  2. Select Internal Databases (PostgreSQL NOT highly-available).

    installation-shield-database-internal

  3. Click Save.

External MySQL Database

NOTE: The exact procedure to create databases depends upon the database provider you select for your deployment. The following procedure uses AWS RDS as an example. You can configure a different database provider that provides MySQL support, such as Google Cloud SQL.

WARNING: Protect whichever database you use in your deployment with a password.

If you want to use external MySQL databases for your deployment, perform the following steps:

  1. Add the ubuntu account key pair from your IaaS deployment to your local SSH profile so you can access the Ops Manager VM. For example, in AWS, you add a key pair created in AWS:

    ssh-add aws-keypair.pem
    
  2. SSH in to your Ops Manager using the Ops Manager FQDN and the username ubuntu:

    ssh ubuntu@OPS_MANAGER_FQDN
    
  3. Log in to your MySQL database instance using the appropriate hostname and user login values configured in your IaaS account. For example, to log in to your AWS RDS instance, run the following MySQL command:

    mysql --host=RDSHOSTNAME --user=RDSUSERNAME --password=RDSPASSWORD
    
  4. Run the following MySQL commands to create databases for the SHIELD components that require a relational database:

    CREATE database shielddb;
    
  5. Type exit to quit the MySQL client, and exit again to close your connection to the Ops Manager VM.

  6. In Stark & Wayne SHIELD > Settings, select Databases.

  7. Select External MySQL Database.

    installation-shield-database-mysql

  8. Complete the following fields:

    Field Notes
    Hostname DNS Name Specify the hostname of the database server
    TCP Port Specify the port of the database server
    Username Specify a unique username that can access this specific database on the database server
    Password Specify a password for the provided username
    Database Name Specify the database name on the database server

    NOTE: Ensure that the Database has been created before clicking Save.

  9. Click Save.

External PostgreSQL Database

NOTE: The exact procedure to create databases depends upon the database provider you select for your deployment. The following procedure uses AWS RDS as an example. You can configure a different database provider that provides PostgreSQL support, such as Google Cloud SQL.

WARNING: Protect whichever database you use in your deployment with a password.

If you want to use external PostgreSQL databases for your deployment, perform the following steps:

  1. Add the ubuntu account key pair from your IaaS deployment to your local SSH profile so you can access the Ops Manager VM. For example, in AWS, you add a key pair created in AWS:

    ssh-add aws-keypair.pem
    
  2. SSH in to your Ops Manager using the Ops Manager FQDN and the username ubuntu:

    ssh ubuntu@OPS_MANAGER_FQDN
    
  3. Log in to your PostgreSQL database instance using the appropriate hostname and user login values configured in your IaaS account. For example, to log in to your AWS RDS instance, run the following PostgreSQL command:

    psql --host=RDSHOSTNAME --username=RDSUSERNAME --password
    
  4. Run the following PostgreSQL commands to create databases for the SHIELD components that require a relational database:

    CREATE database shielddb;
    
  5. Type exit to quit the PostgreSQL client, and exit again to close your connection to the Ops Manager VM.

  6. In Stark & Wayne SHIELD > Settings, select Databases.

  7. Select External PostgreSQL Database.

    installation-shield-database-postgresql

  8. Complete the following fields:

    Field Notes
    Hostname DNS Name Specify the hostname of the database server
    TCP Port Specify the port of the database server
    Username Specify a unique username that can access this specific database on the database server
    Password Specify a password for the provided username
    Database Name Specify the database name on the database server

    NOTE: Ensure that the Database has been created before clicking Save.

  9. Click Save.

Stemcell

If required to upload a particular stemcell series, you can find the latest available stemcell at Pivotal Network.

installation-shield-stemcell

Installation

  1. Return to the Ops Manager dashboard via the < Installation Dashboard link at the top left.

  2. The Stark & Wayne SHIELD tile is now green and is ready to be installed. Press Apply Changes.

The install process generally requires several minutes to complete. The image shows the Changes Applied window that displays when the installation process successfully completes.

installation-shield-completed

Verification

Stark & Wayne SHIELD Web UI should now be available at the shield hostname in your system domain, https://shield.[system domain].

  1. The Stark & Wayne SHIELD Web UI is protected by a username and password. In Stark & Wayne SHIELD > Credentials, look for the SHIELD Credentials:

    installation-shield-credentials

  2. If you do not know the system domain for the deployment, then select Pivotal Elastic Runtime > Settings > Domains to locate the configured system domain.

  3. Open a browser and navigate to https://shield.[system domain]. For example, if the system domain is system.example.com, then point your browser to https://shield.system.example.com.

  4. Log in using the SHIELD credentials for the admin user. The Stark & Wayne SHIELD dashboard appears.

    installation-shield-dashboard

Confirm Default Storage

  1. At the Stark & Wayne SHIELD Web UI, go to the Storage tab.

  2. Confirm that there is a default storage:

    installation-shield-default-storage

Confirm Default Retention Policy

  1. At the Stark & Wayne SHIELD Web UI, go to the Retention tab.

  2. Confirm that there is a default retention policy:

    installation-shield-default-retention-policy

Confirm Default Schedule

  1. At the Stark & Wayne SHIELD Web UI, go to the Schedules tab.

  2. Confirm that there is a default storage:

    installation-shield-default-schedule

Confirm SHIELD Database Target and Job

NOTE: If you are NOT using the Internal Database you can omit this step.

  1. At the Stark & Wayne SHIELD Web UI, go to the Targets tab.

  2. Confirm that there is a shielddb target:

    installation-shield-shielddb-target

  3. At the Stark & Wayne SHIELD Web UI, go to the Jobs tab.

  4. Confirm that there is a shielddb job:

    installation-shield-shielddb-job

  5. Manually run the shielddb job by clicking the circular arrow to the left of shielddb.

  6. Return to the Dashboard and view the results of the running job:

    webui-dashboard

Create a pull request or raise an issue on the source for this page in GitHub