
Stack 14 IBM Cloud

Customer Runbook 1.4 April 2021


All post 202009 releases
Stack 14 IBM Cloud Runbook 1.0

Contents

1 About this Runbook .......... 5
1.1 Scope .......... 5
1.2 Audience .......... 5
1.3 Skills and knowledge .......... 6
1.4 Legal .......... 6
1.5 History .......... 8

2 Introduction .......... 9
2.1 Architecture overview .......... 9
2.2 Architecture diagram .......... 9
2.3 Terminology .......... 10

3 Prerequisites and assumptions .......... 11
3.1 Software prerequisites .......... 11
3.1.1 Temenos software and containers .......... 11
3.2 Assumptions .......... 12

4 Before you start .......... 13
4.1 Accessing IBM Cloud .......... 13
4.1.1 Account setup .......... 13
4.1.2 Installing CLI tools .......... 13
4.2 Required IBM Cloud IAM Policies .......... 13
4.2.1 Creating access groups .......... 13
4.2.2 Adding users to groups .......... 15
4.3 Considerations for deployment to the Financial Services Cloud .......... 16

5 Enabling virtual routing tables .......... 17

6 Creating and configuring the VPC network for the Kubernetes cluster .......... 18
6.1 Creating the VPC and Subnets .......... 18

7 Deploying and configuring the Kubernetes cluster .......... 23
7.1 Deploying an IBM Kubernetes Service cluster .......... 23
7.2 Deploying a Red Hat OpenShift Kubernetes Service cluster .......... 25

8 Exposing Transact Services on a Secured Public Domain .......... 35
8.1 IBM Cloud Internet Services .......... 35
8.2 IBM Cloud Domain Name Registration .......... 35
8.3 Registering for a public domain and configuring domain management through Cloud Internet Services .......... 35
8.4 Creating DNS records to proxy traffic to the Transact web service through Cloud Internet Services .......... 38

9 Creating the infrastructure for securing and managing Transact encryption keys and certificates .......... 41
9.1 IBM Cloud Hyper Protect Crypto Services .......... 41
9.2 IBM Cloud Certificate Manager .......... 41
9.3 Creating the key management infrastructure and master key for encrypting Transact .......... 42
9.4 Creating the certificate management infrastructure for the Transact public domain .......... 46

10 Creating an API gateway for Transact services .......... 49
10.1 IBM Cloud API connect .......... 49
10.2 Creating and configuring an API connect instance for API gateway/management .......... 50
10.3 Configuring the API gateway to be exposed through the secured public domain .......... 52

11 Configuring TLS/SSL encryption to Transact services with managed CA certificates .......... 55
11.1 Ordering TLS/SSL root and subdomain certificates through Certificate Manager for Transact .......... 55
11.2 Configuring the TLS/SSL certificates on the origin endpoint for the Transact APIs .......... 59
11.3 Configuring the TLS/SSL certificates on the origin endpoints for the Transact web service .......... 60

12 Configuring encryption of Transact application secrets and Kubernetes cluster data .......... 61
12.1 Encrypting IKS secrets in the etcd key-value store, using Hyper Protect Crypto Services .......... 61

13 Creating the Transact database .......... 64
13.1 Restoring the Transact database .......... 67
13.2 Accessing the Transact database .......... 76

14 Creating and configuring the container registry for Transact container images .......... 78
14.1 Creating the container registry .......... 78
14.2 Configuring storage space for the container registry .......... 80
14.3 Pushing images to the container registry .......... 80
14.4 Verifying the images .......... 81

15 Deploying Transact .......... 82
15.1 Creating the Transact image .......... 82
15.2 Modifying Tafj.properties .......... 82
15.3 Transact Ingress .......... 83
15.4 Transact Deployment .......... 84
15.5 Transact UI Access .......... 87

16 Deploying Data Event Streaming (DES) .......... 89
16.1 Creating IBM Event Streams .......... 89
16.2 Creating Service Credentials .......... 91
16.3 Creating Topics on IBM Event Streams .......... 93
16.4 Obtaining the bootstrap server details .......... 95
16.5 Configuring the DES properties .......... 96
16.6 Building the DES component build .......... 99
16.7 Enabling Event capture in Transact .......... 101
16.8 Deploying DES .......... 101

17 Deploying the Holdings microservice .......... 102
17.1 Creating a Mongo Database .......... 102
17.2 Connecting to the Mongo database .......... 103
17.2.1 Selecting the database .......... 103
17.2.2 Connecting with Shell .......... 104
17.2.3 Connecting with the Mongo Compass tool .......... 104
17.3 Creating a Mongo database .......... 106
17.4 Building the Holdings package .......... 106
17.5 Deploying Holdings .......... 107

18 Deploying and exposing APIs .......... 113
18.1 Testing Transact API service deployments inside the Kubernetes cluster .......... 113
18.2 Importing Transact OpenAPI definitions into API Connect and managing them as API products .......... 115

19 Technical approval .......... 120

1 About this Runbook

This Stack 14 IBM Cloud runbook describes how to deploy Temenos Transact,
BrowserWeb UI, Temenos APIs, Temenos DES (Data Event Streaming), and
Temenos Holdings Microservices on IBM Cloud, using either IBM Kubernetes Service
(IKS) or Red Hat OpenShift Kubernetes Service (ROKS).

This runbook also covers connecting Temenos Transact to IBM Cloud Hyper Protect
DBaaS for PostgreSQL, and connecting Holdings Microservices to IBM Cloud Hyper
Protect DBaaS for MongoDB.

This runbook does not tell you how to install third-party software. For more
information, see the relevant vendor's documentation.

1.1 Scope
This runbook covers:

• Creating the required infrastructure and databases on IBM Cloud (IKS, VNet,
Hyper Protect DBaaS for PostgreSQL/MongoDB).

• Creating access policies for accessing the installed resources.

• Creating endpoints to access the deployed applications.

• Deploying Transact Web and App Containers using Helm charts.

• Deploying Temenos DES using Helm charts.

• Deploying Temenos APIs using Helm charts.

• Deploying Temenos Holdings Microservices using Helm charts.

1.2 Audience
This document is aimed at those who are deploying Temenos Transact App and Web,
Temenos DES, Temenos APIs and Temenos Holdings Microservices on IBM Cloud,
connecting to DBaaS services defined on IBM Cloud for Transact (PostgreSQL) and
Holdings (MongoDB).

1.3 Skills and knowledge

Readers with a basic understanding of the following will find the steps contained in
this guide much easier to follow.

• IBM Cloud Access and Resources

• Kubernetes

• Transact

• DES

• Holdings Microservices

• PostgreSQL

• MongoDB

• Helm charts

1.4 Legal
© Copyright 2021 Temenos Headquarters SA. All rights reserved.

The information in this guide relates to TEMENOS™ information, products, and
services. It also includes information, data and keys developed by other parties.

While all reasonable attempts have been made to ensure accuracy, currency, and
reliability of the content in this guide, all information is provided "as is".

There is no guarantee as to the completeness, accuracy, timeliness, or the results
obtained from the use of this information. No warranty of any kind is given, expressed
or implied, including, but not limited to warranties of performance, merchantability, and
fitness for a particular purpose.

In no event will TEMENOS be liable to you or anyone else for any decision made or
action taken in reliance on the information in this document or for any consequential,
special or similar damages, even if advised of the possibility of such damages.

TEMENOS does not accept any responsibility for any errors or omissions, or for the
results obtained from the use of this information. Information obtained from this guide
should not be used as a substitute for consultation with TEMENOS.

References and links to external sites and documentation are provided as a service.
TEMENOS is not endorsing any provider of products or services by facilitating access
to these sites or documentation from this guide.

The content of this guide is protected by copyright and trademark law. Apart from fair
dealing for the purposes of private study, research, criticism, or review, as permitted
under copyright law, no part may be reproduced or reused for any commercial
purposes whatsoever without the prior written permission of the copyright owner. All
trademarks, logos and other marks shown in this guide are the property of their
respective owners.

1.5 History

Version | Date | Change
1.0 | Dec 2020 | Draft Release
1.1 | Jan 2021 | Updated details on Infrastructure, DB creation, DB restoration, Internet Services, APIs
1.2 | Feb 2021 | Updated infra related screen shots, Ingress definition, ROKS infra, Details, Removed/Updated screen shots for Temenos products. Updated details on pre-images kits and TAFJ specific variables required for Transact.
1.3 | Mar 2021 | Added sections to cover infrastructure setup for API gateway, key management and certificate management. Added sections to cover configuration of encryption for Transact application secrets, Kubernetes data, and persistent volumes. Updated section to include configuring and exposing Transact APIs through API gateway.
1.4 | April 2021 | Updated VPC and Kubernetes cluster sections, and added a section for IBM Financial Services Cloud considerations.

2 Introduction
2.1 Architecture overview
This runbook explains the benefits of using the managed services hosted in IBM
Cloud, which range from Kubernetes to Hyper Protect databases for Transact and the
microservices. It also details the security features available in IBM Cloud that can be
used when accessing the hosted applications.

The resources used in this exercise are all managed services. The IBM Cloud web UI
allows the user to create and manage the resources. IBM Cloud also provides logging
and monitoring solutions for the installed resources, each with its own dashboards.

2.2 Architecture diagram

2.3 Terminology

VPC Infrastructure | All infrastructure elements related to your Kubernetes cluster, including Load Balancers, Persistent volumes, and VPC (Virtual Private Cloud) details.
Cloud Foundry Services | API Connect configurations.
Services | Services like Event Streams, Hyper Protect databases for PostgreSQL and MongoDB, Internet Services definitions, and certificate definitions.

3 Prerequisites and assumptions

This chapter describes the technical prerequisites and assumptions for installing and
configuring Stack 14 IBM Cloud.

3.1 Software prerequisites

Component | Version
Transact Application Container Image | 202009
Transact Web Container Image | 202009
WildFly | 20.0.0.Final
Helm | V3.2.4
T24 Model Bank Data | 202009
Temenos DES | 202010
Temenos Holdings | December Dev version [SSL Fix]
Open JDK required for DES Build | 1.8
Apache Active MQ | 5.15.9
BrowserWeb | 202009
UXPB Browser | 202101
TAFJ | 202009
Temenos API (artefacts) | 202009

3.1.1 Temenos software and containers

To build your own Temenos containers, you need to request them from your account
manager.

Artefact | File | Description
MB.202009.PostgreSQL_11.8.TAFJ202009.30-SEP-2021.sql.tar.gz | MB.202009.PostgreSQL_11.8.TAFJ202009.30-SEP-2021.sql | The database.
T24 | MB.202009.TAFJ202009.bnk.tar.gz | The bnk directory that holds the T24 libraries.
TAFJ | TAFJ.DEV.202009.tar | The TAFJ runtime .jar file, TAFJ patch script and TAFJ setup script.
T24 Browser | BrowserWeb.war | Old browser components.
UXPBrowser | Browser.war, browser-iris.war, Authenticator.war, UXP-Browser.zip | New browser components.

3.2 Assumptions
At the time of writing this guide, the available release of Transact and TAFJ was
202009, and these artefacts were used for installation and configuration. Most of the
Temenos software was for release 202009, except the UXPB Browser, for which the
202101 version was used.

This runbook assumes that all third-party software has been installed, and that all
required Temenos artefacts have been obtained from Distribution before the stack is
installed and configured.

4 Before you start


The user should have an account created in IBM Cloud to access the resources to be
created. It is also recommended to have a Linux machine created either on-prem or in
the Cloud to access the Kubernetes cluster and databases created in IBM Cloud.

4.1 Accessing IBM Cloud

4.1.1 Account setup


Either use an existing IBM ID or create a new one by following the details in this link.

https://cloud.ibm.com/docs/account?topic=account-account-getting-started

4.1.2 Installing CLI tools

Follow the instructions at this link to install the IBM Cloud CLI.

https://cloud.ibm.com/docs/cli?topic=cli-install-ibmcloud-cli

For Linux™ copy and paste the following command to a terminal and run it.

curl -fsSL https://clis.cloud.ibm.com/install/linux | sh

4.2 Required IBM Cloud IAM Policies


Most services being instantiated in this document use IBM Cloud’s Identity and Access
Management service to control access. This section describes the initial configuration
required, before specific services are set up in the sections later for each service.

We will do this initial configuration in two parts: create access groups for specific user
roles, and then add users to specific groups.

4.2.1 Creating access groups

Procedure

1. Click Manage, Access (IAM).

2. Click Access groups on the left-hand side.

3. Click Create.

4. Assign a name to the group.

5. Repeat steps 3 and 4 for each group required, e.g.,

   • Account administrators

   • Kubernetes administrators

It is recommended to define an overall account administration group, populated
minimally; a separate group for the Hyper Protect Crypto Services instance; and
further group(s) for the remaining infrastructure components, e.g., the
Kubernetes cluster.

4.2.2 Adding users to groups

Procedure

1. While still in the IAM section, click Users on the left-hand side.

2. Click Invite users.

3. Enter email addresses for users to be added to a specific group, or set of
groups.

4. Click the Add button next to each group to add these users.

5. Click Invite.

6. Repeat the above steps for different sets of users, to be added to different
groups. Specific service access for each group will be added as services are
instantiated later.
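The group layout recommended in sections 4.2.1 and 4.2.2 as an IBM Cloud CLI script, added here as an example and not part of the Temenos runbook. It assumes a logged-in IBM Cloud CLI (ibmcloud login), users already invited to the account, and the IAM service names hs-crypto (Hyper Protect Crypto Services) and containers-kubernetes (Kubernetes Service); the group and user names are constructed, and the policy flags should be checked against ibmcloud iam access-group-policy-create --help for your CLI version.

```shell
#!/bin/sh
# Added example, not part of the Temenos runbook: CLI form of sections 4.2.1 and 4.2.2.
# Assumes: ibmcloud login has been done, the users already exist in the account, and the
# IAM service names hs-crypto (Hyper Protect Crypto Services) and containers-kubernetes
# (IBM Kubernetes Service). Group and user names below are constructed samples.
set -eu

ACCOUNT_ADMIN_GROUP="account-administrators"    # keep membership minimal
HPCS_ADMIN_GROUP="hpcs-key-administrators"      # separate group for the HSM/key service
K8S_ADMIN_GROUP="kubernetes-administrators"     # cluster operators

# Section 4.2.1: one access group per role.
create_access_groups() {
    ibmcloud iam access-group-create "$ACCOUNT_ADMIN_GROUP" -d "Account-level administration, minimal membership"
    ibmcloud iam access-group-create "$HPCS_ADMIN_GROUP" -d "Hyper Protect Crypto Services key management"
    ibmcloud iam access-group-create "$K8S_ADMIN_GROUP" -d "Kubernetes cluster administration"
}

# Each policy is scoped to a single service, so a Kubernetes administrator cannot
# manage HSM keys and vice versa; only the account group gets account management.
assign_group_policies() {
    ibmcloud iam access-group-policy-create "$ACCOUNT_ADMIN_GROUP" \
        --roles Administrator --account-management
    ibmcloud iam access-group-policy-create "$HPCS_ADMIN_GROUP" \
        --roles Administrator,Manager --service-name hs-crypto
    ibmcloud iam access-group-policy-create "$K8S_ADMIN_GROUP" \
        --roles Administrator,Manager --service-name containers-kubernetes
}

# Section 4.2.2: add_users_to_group GROUP user1 user2 ...
add_users_to_group() {
    group="$1"
    shift
    for user in "$@"; do
        ibmcloud iam access-group-user-add "$group" "$user"
    done
}

# Membership review: list who is in a group, so the minimal admin group can be audited.
audit_group() {
    ibmcloud iam access-group-users "$1"
}

# Only change the account when invoked as: sh iam-groups.sh apply
if [ "${1:-}" = "apply" ]; then
    create_access_groups
    assign_group_policies
    add_users_to_group "$K8S_ADMIN_GROUP" "k8s-operator@example.com"   # constructed sample user
    audit_group "$ACCOUNT_ADMIN_GROUP"
fi
```

Without the apply argument the file only defines the functions, so it can be sourced and reviewed before anything is changed in the account.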

4.3 Considerations for deployment to the Financial Services Cloud
This document describes how to deploy Temenos Transact into IBM Cloud into a
defined architecture. If the user is intending to deploy these applications as part of an
IBM Cloud for Financial Services deployment, contact Temenos or your IBM rep for the
latest considerations.


5 Enabling virtual routing tables


Before you begin, enable the virtual routing function for the IBM Cloud account. This
will allow the creation of services with private only interfaces, e.g., to only allow
connection to the PostgreSQL database from within the IBM Cloud account.

Procedure

1. From the top menu, click Manage, and Account.

2. Click Account settings from the left menu (see the above illustration).

3. Under Virtual Routing and Forwarding, click the button to create a case.

4. Create and submit the support case, asking for VRF to be enabled, and specify
for it to happen ASAP.

5. Once completed, follow any instructions requested in the support ticket
response. Then go back to the page in step 3 above, and click the button to
enable service endpoints (see the above illustration).

6 Creating and configuring the VPC network for the Kubernetes cluster
6.1 Creating the VPC and Subnets
The Kubernetes cluster will be deployed into a Virtual Private Cloud (VPC)
environment. Before creating the cluster, first create the VPC environment.

In the example used, we are choosing to deploy into the Frankfurt Multi-Zone Region
(MZR). This region has three Availability Zones (AZ) to allow for regional failures. The
VPC we create will consist of three subnets, one per AZ.

Procedure

1. From the IBM Cloud hamburger menu top-left, choose VPC Infrastructure.


2. From the left menu, choose VPCs.

3. Choose the region to deploy into e.g., Frankfurt.

4. Click Create.

5. Name the VPC, e.g., temenos-vpc. Leave most of the fields on this page as
default.


6. Under New subnet for VPC, name it fra1.

7. Under location, change the selection to Frankfurt 1, to match the name.

8. Select to enable an attached public gateway. This allows pods, or other
workloads within the VPC, to access the Internet.

9. Click Create virtual private cloud.

10. Click Subnets, from the left-hand menu, on the VPC Infrastructure page.

11. Click Create to create another subnet.


12. Give the new subnet a name of fra2.

13. Leave the other fields as default. The prior-created VPC will be named in the
dropdown.

14. For Location, select Frankfurt 2.

15. Attach a public gateway.

16. Click Create subnet.

17. Repeat steps 11 to 16, creating a third subnet fra3 in location Frankfurt 3.

7 Deploying and configuring the Kubernetes cluster
Two Kubernetes cluster variants are possible: IBM Kubernetes Service (IKS) and Red
Hat OpenShift Kubernetes Service (ROKS). Follow sections 7.1 or 7.2, depending on
which cluster variant you need to deploy.

7.1 Deploying an IBM Kubernetes Service cluster


Procedure

1. Click the hamburger menu icon in IBM Cloud, then Kubernetes.

2. Click Create cluster.

3. Choose Kubernetes version 1.19.x, or the latest supported version.

4. Under Infrastructure, choose VPC, then choose the VPC instance previously
created (temenos-vpc).


5. Ensure all subnets are chosen. Workers will be spread across the subnets, and
thus the regional datacentres.

6. Define the number of worker nodes per zone, depending on the environment you
are creating.

7. Click Change flavour to choose an appropriate worker flavour for the
environment. Here we use a virtual Ubuntu 18 instance, sized to 8 vCPUs, 32GB
RAM, 100GB block primary storage, 16Gbps network speed (bx2.8x32).

8. Name the cluster, e.g. temenos-iks.

9. Click Create.

10. Once taken to the cluster page, follow the access steps in the Access tab to
install the ibmcloud CLI, if not already done. Then use it to pull the kubeconfig
file, and then use kubectl as with any other Kubernetes cluster.

11. Finally, connect the cluster to the logging and monitoring services. Click the
Overview item on the left of the page, then click Connect to connect the cluster
to the logging and monitoring systems (LogDNA and Sysdig respectively).
Either connect the cluster to existing systems, or define new ones if the account
has not been used before.

12. Click the Worker nodes menu item on the left to see the workers created in the
prior steps.

7.2 Deploying a Red Hat OpenShift Kubernetes Service cluster
Ahead of creating the Red Hat OpenShift Kubernetes Service (ROKS) cluster, we must
create an IBM Cloud Object Storage instance. This is used by the ROKS cluster for
persistence of assets, e.g. images.


Procedure

1. Once logged in, search for Object Storage.

2. Choose Standard, and then click Create.


An instance of the Cloud Object Storage service is all that’s required, so we can now
move on to creating a ROKS cluster.

Procedure

1. Click the IBM Cloud menu at the top left, and then Kubernetes and then
Cluster.


2. Click the Create cluster button.


3. Choose the Red Hat OpenShift cluster variant.

4. Choose the latest version of OpenShift, purchase additional licenses as OCP
entitlement, and select VPC infrastructure.

5. Choose the Virtual Private Cloud previously defined, and ensure all three zones,
with three subnets, are selected. Also choose the Cloud Object Storage instance
previously created.

6. Select one worker node per zone, and change the flavour to one suitable for the
environment being created. Here we chose b2.8x32, i.e., 8 vCPU, 32 GB RAM,
16 GiB network speed.

7. Choose public and private endpoints.

8. Name the cluster, e.g. temenos-roks, and click Create.


9. Wait while the cluster is created for you. While this is being done, follow the
getting started instructions to download the IBM Cloud CLI (if not already done),
and the oc CLI to interact with the cluster.

10. Once the local tooling is installed and the cluster is ready, click the oauth token
request page link to generate a command to log in to the cluster.


11. Copy and paste the oc login command to log in to the cluster.


12. Finally, connect the cluster to the logging and monitoring services. Click the
connect item on the left of the page, then click Connect to connect the cluster to
the Logging and Monitoring systems (LogDNA and Sysdig respectively).

13. For each cluster, if there is an instance available select it. Alternatively, define a
new one.


Cluster configuration is now complete.


8 Exposing Transact Services on a Secured Public Domain
To expose all deployed Transact services to the Internet through a common secured
domain, it is recommended to use the following IBM Cloud services. Alternatively,
external services can be used, but without the end-to-end control, integration and
automation under IBM Cloud.

8.1 IBM Cloud Internet Services


This provides Internet proxying for managed public DNS domains, with DDoS
protection, TLS enforcement, Web Application Firewall and other features.

For further information, please refer to the following documentation:

https://cloud.ibm.com/docs/cis?topic=cis-about-ibm-cloud-internet-services-cis

8.2 IBM Cloud Domain Name Registration


This provides public domain name registration and DNS infrastructure.

For further information, please refer to the following documentation:

https://cloud.ibm.com/docs/dns?topic=dns-getting-started

8.3 Registering for a public domain and configuring domain management through Cloud Internet Services
Procedure

1. From the IBM Cloud catalog select Domain Name Registration and click
Create.

2. Register a domain in the Domain Name Registration service. Type in the
required domain and click Check Availability. If the domain is available, click
Continue to register it.

3. From the IBM Cloud catalog select Internet Services, select the required plan
(Standard was used for testing) and click Create.

4. Connect the registered domain to your Internet Services instance by clicking
Add domain from the Overview page, typing your domain name in the Domain
name field and clicking Next.

5. Click Skip on the DNS records page. On the Delegate domain
management page, copy the name server hostnames from the New NS
records field and click Create.

6. Navigate back to the Domain Registration service through the Classic
Infrastructure navigation panel as illustrated below.

7. On the target domain listed, select Unlocked from the Lock Domain field, click
the dropdown and click Add / Edit NS from the Custom Name Servers section.


8. On the panel provided, paste the two name server hostnames previously copied
from Internet Services and click Associate to finish.

8.4 Creating DNS records to proxy traffic to the Transact web service through Cloud Internet Services
Procedure

1. Collect information on the origin endpoint for the Transact services.


a. Obtain the Ingress Subdomain from the Kubernetes Service (IKS) cluster.
This is the hostname for the default public Ingress Application Load
Balancer (ALB) that is used by the Transact Web and API services. Run the
following command using the IBM Cloud CLI with your cluster name
specified:

$ ibmcloud ks cluster get --cluster temenos-iks | grep "Ingress Subdomain"

Ingress Subdomain: temenos-iks-aab383d72572813949d6108ae3e31375-0000.eu-de.containers.appdomain.cloud

2. Create a CNAME DNS entry in Internet Services for the Transact web service.

a. Navigate to the Reliability page of your Internet Services instance.

b. Click Add on the DNS records section to open the Add record panel. Select
Type CNAME, enter the name of your chosen subdomain for the Transact
web service in the Name field and enter the Ingress Subdomain address
from the previous step into the Alias Domain Name field. Click Add to complete
adding the DNS entry for the Transact web service.

c. Click the Proxy switch next to each added DNS record to enable Cloud
Internet Services to proxy traffic for those subdomains.


3. Add a page rule to enforce HTTPS traffic for all resources under the domain
managed by Cloud Internet Services, including the Transact Web and Transact
API subdomains.

a. Navigate to the Performance page of your Internet Services instance and
click on the Page rules tab.

b. Click Create rule, leave the URL match to the default wildcard entry to
cover the whole domain, select Always use HTTPS from the Setting
dropdown, and click Create.
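Two checks a practitioner would want after completing steps 1 to 3 of this section, written as an added example (not part of the runbook): parse the Ingress Subdomain out of the CLI output from step 1a (a constructed copy of that output is embedded) and confirm that a plain-HTTP request to the proxied subdomain is redirected to HTTPS, which is the effect the "Always use HTTPS" page rule of step 3 should have. The hostname web.transact-ic-test.com used in the usage line is an assumed example subdomain.

```python
"""Post-checks for the DNS and HTTPS setup of section 8.4 (added example)."""
import http.client
import re
import sys
from typing import Optional
from urllib.parse import urlsplit

# Constructed copy of: ibmcloud ks cluster get --cluster temenos-iks | grep "Ingress Subdomain"
SAMPLE_CLI_OUTPUT = (
    "Ingress Subdomain:   temenos-iks-aab383d72572813949d6108ae3e31375-0000"
    ".eu-de.containers.appdomain.cloud\n"
)
INGRESS_LINE = re.compile(r"^Ingress Subdomain:\s*(\S+)\s*$", re.MULTILINE)


def parse_ingress_subdomain(cli_output: str) -> str:
    """Extract the ALB hostname and make sure it has the IKS appdomain shape."""
    m = INGRESS_LINE.search(cli_output)
    if not m:
        raise ValueError("no 'Ingress Subdomain' line in CLI output")
    host = m.group(1)
    if not host.endswith(".containers.appdomain.cloud"):
        raise ValueError(f"unexpected ingress hostname: {host}")
    return host


def https_redirect_ok(status: int, location: Optional[str], requested_url: str) -> bool:
    """True when a plain-HTTP request was answered with a redirect to the same
    host and path over HTTPS, the shape the page rule should produce."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    req, loc = urlsplit(requested_url), urlsplit(location)
    return (loc.scheme == "https"
            and loc.hostname == req.hostname
            and (loc.path or "/") == (req.path or "/"))


def check_live(host: str, path: str = "/") -> bool:
    """Issue one real HTTP request on port 80 and judge the answer (needs network)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "runbook-check"})
        resp = conn.getresponse()
        return https_redirect_ok(resp.status, resp.getheader("Location"), f"http://{host}{path}")
    finally:
        conn.close()


if __name__ == "__main__":
    print("Ingress ALB:", parse_ingress_subdomain(SAMPLE_CLI_OUTPUT))
    if len(sys.argv) > 1:  # e.g. python check_cis.py web.transact-ic-test.com
        enforced = check_live(sys.argv[1])
        print("HTTPS enforced:", enforced)
        sys.exit(0 if enforced else 1)
```

Run it without arguments to see the parsed ALB hostname; pass the proxied subdomain to make the live request. A 200 on plain HTTP, or a redirect that stays on http, means the page rule is not in effect for that subdomain.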

9 Creating the infrastructure for securing and managing Transact encryption keys and certificates

There are multiple services and integrations that will provide key and certificate
management for Transact. For testing purposes we have simplified the process for
creating and managing encryption keys. Please consult IBM Cloud experts for best
practice guidance specific to your enterprise.

9.1 IBM Cloud Hyper Protect Crypto Services

This service provides a Cloud Hardware Security Module (HSM) and integrated key
management that is used to store and manage encryption keys throughout the
Transact deployment on IBM Cloud. The FIPS 140-2 Level 4 certified HSM provides
the highest level of certified tamper-proof protection, which at the time of writing is not
available in any other major Public Cloud.

Specifically in this runbook, this is used for encryption of Transact application secrets,
TLS/SSL certificates, Kubernetes persistent volumes for Transact application data, and
Transact database data.

For further information, please refer to the following documentation:

https://cloud.ibm.com/docs/hs-crypto?topic=hs-crypto-overview

9.2 IBM Cloud Certificate Manager

This service provides ordering, management and storage of TLS/SSL certificates for
Transact services. It supports integration with Let's Encrypt as the Certificate Authority
and with Cloud Internet Services for DNS services.

Specifically, in this runbook, certificates are encrypted at rest with customer managed
keys in Hyper Protect Crypto Services.

For further information, please refer to the following documentation:

https://cloud.ibm.com/docs/certificate-manager?topic=certificate-manager-about-certificate-manager

9.3 Creating the key management infrastructure and master key for encrypting Transact

Procedure

1. From the IBM Cloud catalog select Hyper Protect Crypto Services, select a
location (Frankfurt eu-de was used for testing), select the number of crypto units
(2 were used for testing) and select Public and private (default) as the allowed
network. Click Create to create the Hyper Protect Crypto Services service
instance.

2. From your local machine, install the TKE (Trusted Key Entry) plugin for the IBM
Cloud CLI and set a directory to use for TKE files. This will be used for master
key part files and your signature key.

$ ibmcloud plugin install tke

$ export CLOUDTKEFILES="$HOME/Testing/hpcs"

3. Select the crypto units to manage from the previously created Hyper Protect
Crypto Services instance, by running the following command and entering the
crypto unit numbers in the prompt (as illustrated below).

$ ibmcloud tke cryptounit-add


4. Create a signature key by running the following command, specifying your name
as an administrator and entering a password (as illustrated below).

$ ibmcloud tke sigkey-add


5. Select the administrator to sign commands/operations with by running the
following command and entering the KEYNUM value for your signature key and
then entering the corresponding password.

$ ibmcloud tke sigkey-sel

6. Add an administrator for the target crypto unit by running the following command
and entering the KEYNUM value for your signature key and the corresponding
password.

$ ibmcloud tke cryptounit-admin-add

7. You must now set the quorum authentication threshold for the target crypto units
(i.e. the required number of admin signatures to authorize and perform
operations). Run the following command, and enter the value for new signature
threshold and revocation signature threshold (for testing purposes these were
set to 1).

$ ibmcloud tke cryptounit-thrhld-set

8. Create 2 or more randomly generated master key parts by running the following
command twice and entering a password for the key part. These will form the
master encryption key that will be used to wrap root encryption keys for Transact
and related infrastructure.

$ ibmcloud tke mk-add --random

9. You must now load the master key parts and create a new master key register
on the crypto units. Run the following command, entering the KEYNUM values
for the master key parts and the associated passwords. Note that all master key
part files and signature key files need to be on a common workstation to
perform this operation.

$ ibmcloud tke cryptounit-mk-load

10. Commit the new master key register to the crypto units by running the following
command, and entering your password for the signature key file.

$ ibmcloud tke cryptounit-mk-commit

11. Activate the master key by running the following command.

$ ibmcloud tke cryptounit-mk-setimm

9.4 Creating the certificate management infrastructure for the Transact public domain

Procedure

1. Navigate to your Hyper Protect Crypto Service instance from the IBM Cloud
console. This will be used to create/manage a root key for encrypting all
certificates stored in a Certificate Manager instance.


2. From the Manage keys page click Add Key and select Root key. Enter a name
for the key (e.g. Certificate Manager Root Key) in the Key name field and click
Create key.

3. Select the Certificate Manager service from the IBM Cloud catalog and select a
location (Frankfurt eu-de was used for testing). From the Select a key
management service field select the Hyper Protect Crypto Services instance
previously used, and then select the root key from the Select a root key field.
Choose the Public and private (default) option from the Endpoints field and
click Create.


10 Creating an API gateway for Transact services

To manage and secure APIs for Transact services, it is recommended to use the IBM
Cloud API Connect service. For testing purposes we have simplified the process for
creating, managing and exposing Transact APIs. Please consult Temenos and IBM
Cloud SMEs for best practice guidance specific to your enterprise.

10.1 IBM Cloud API Connect

This service provides API management, API gateway and API portal capabilities.
Specifically for this runbook, all Transact and microservice APIs were managed under a
single API catalog and associated gateway.

For further information, please refer to the following documentation:

https://cloud.ibm.com/docs/apiconnect?topic=apiconnect-about_apic_overview

There are multiple plan and deployment options available, which could support a
Transact deployment. For the purpose of testing we have used the Enterprise plan
detailed below for cost effectiveness and support for a custom domain. The following
table shows a subset of plans available at the time of writing, with comments:

Plan: Lite
  Features:
  - Free service
  - 50K API calls per month
  Comments: Will not support use of a custom domain for an API gateway, as
  needed for exposing Transact APIs over a custom secured domain.

Plan: Enterprise
  Features:
  - Billed per 100K API calls per month

Plan: Reserved
  Features:
  - A dedicated instance of API Connect for customers working with an IBM
    sales representative.
  Comments: Provides dedicated API gateway hardware, which is reserved on a
  yearly basis.

10.2 Creating and configuring an API Connect instance for API gateway/management

Procedure

1. Create a Cloud Foundry space inside your org for the API Connect service
instance.

2. From the IBM Cloud catalog select API Connect.

3. From the Create page select a location (Frankfurt eu-de was used for testing).
Select a pricing plan (the Enterprise plan was used for testing), select an
organization and space, then click Create.

4. Create a catalog for all Transact APIs by clicking Add and selecting Catalog
from the API Connect Dashboard.


5. Type a name for the catalog in Display Name and if necessary, edit the
generated Name. Then click Add to create the catalog.

6. Click on the Navigate to button (the two chevrons), and click on Drafts from the
navigation menu. This will take you to the Drafts page for creating new API
products and importing/creating new APIs.

7. To create an API Product that will be used for all Transact APIs, click Add from
the Products page and select New Product. Then, on the New Product window,
enter a name in the Title field and click Create product.

10.3 Configuring the API gateway to be exposed through the secured public domain

In order to expose and route Transact API services through the API gateway (API
Connect) with a custom domain, you must configure IBM Cloud SRE2 through a
support case. If necessary, the same has to be done for the API Developer Portal in
API Connect.

Procedure

1. Gather the endpoint URL for the API gateway by navigating to the Dashboard,
clicking the catalog created for Transact APIs, navigating to the Settings tab and
navigating to the Gateways item on the side navigation panel (as shown below).
Copy the URL listed in the ENDPOINT field.

2. Raise a support case, following the guidelines in the support document linked
below. This must reference the URL that was copied in the previous step. Please
ignore the instruction for CNAME entries as this is covered in the next step.

The TLS/SSL certificates will need to be sent over after they have been ordered in
the next section of this runbook.

https://www.ibm.com/support/pages/how-do-you-use-custom-domain-api-connect-apis-and-portal-branding

3. Create a CNAME DNS entry in Internet Services for the API gateway.

a. Navigate to the Reliability page of your Internet Services instance.

b. Click Add on the DNS records section to open the Add record panel. Select
a Type of CNAME. Enter the name of your chosen subdomain for the
Transact web service in the Name field and enter the API Gateway
Endpoint address (just the domain name with no path) from the previous
step into the Alias Domain Name field. Click Add to complete adding the DNS
entry for the Transact API services.

c. (Optional) Click Add on the DNS records section to open the Add record
panel. Select Type CNAME, enter the name of your chosen subdomain for
your API portal in the Name field and enter the API Portal address from the
previous step into the Alias Domain Name field. Click Add to complete adding
the DNS entry for the API portal.

d. Click the Proxy switch next to each added DNS record to enable Cloud
Internet Services to proxy traffic for those subdomains.

e. Once the support case has been closed/fulfilled, navigate to the Dashboard,
click the catalog created for Transact APIs, navigate to the Settings tab and
navigate to the Gateways item on the side navigation panel. Enter the custom
domain for the API gateway in the ENDPOINT field (as shown below).

11 Configuring TLS/SSL encryption to Transact services with managed CA certificates

11.1 Ordering TLS/SSL root and subdomain certificates through Certificate Manager for Transact

Procedure

1. Configure your existing Certificate Manager instance to have authorization to
your Internet Services instance, so that automatic verification can occur with
the Certificate Authority through DNS.

a. Navigate to Access (IAM) through the Manage dropdown on the top
navigation bar in the IBM Cloud console.

b. Select Authorizations from the side navigation bar and click Create on the
Manage authorizations page.

c. Select Source service as Certificate Manager and from the Source
service instance select the name of the Certificate Manager instance
previously created.

d. Select the Target service as Internet Services and the Service instance as
the corresponding instance configured for Transact.


e. Select the Reader and Manager access from the Service access list in
order to fully automate the certificate ordering process.

It is advised that only read access is granted. This will change the certificate
ordering process.

2. Order a root TLS/SSL certificate from the Certificate Manager service for the
Top Level Domain for our Transact services. For testing we used
transact-ic-test.com as the Top Level Domain.

a. Navigate to the Certificate Manager instance, by searching and selecting
the service instance from the Resource Results section.

b. Click Order from the Your certificates page and click Continue from the
IBM Cloud Internet Services (CIS) section.

c. In the Certificate details tab enter a name for the certificate under the Name
field and click the switch to enable Automatic certificate renewal.


d. In the Domains tab select the Internet Services instance used for the
Transact domain in the IBM Cloud Internet Services (CIS) instance
dropdown. Then in the Certificate domains table, select Add Domain and
Add Wildcard for the Top Level Domain that is listed.

e. Click Order on the Order summary section and then wait for Status on the
Your certificates page to change from Order Pending to Valid.


3. Order a TLS/SSL certificate from the Certificate Manager service for a specific
subdomain that will be used for Transact APIs and the API gateway. For testing
we used api.transact-ic-test.com as the API subdomain.

a. Click Order from the Your certificates page and click Continue from the
IBM Cloud Internet Services (CIS) section.

b. In the Certificate details tab enter a name for the certificate under the Name
field and click the switch to enable Automatic certificate renewal.

c. In the Domains tab select the Internet Services instance used for the
Transact domain in the IBM Cloud Internet Services (CIS) instance
dropdown. Then in the Certificate domains table, click Subdomains next to
the target domain name. From the Select Subdomains panel, click the Add
Domain box next to the subdomain for Transact API services (for testing this
was api.transact-ic-test.com) and click Apply.


d. Click Order on the Order summary section and then wait for Status on the
Your certificates page to change from Order Pending to Valid.

11.2 Configuring the TLS/SSL certificates on the origin endpoint for the Transact APIs

Procedure

1. Navigate to the Your certificates page, click the Options button on the line for
the API certificate and click Download Certificate.

2. Send the certificate bundle as requested in the support case previously raised
for the API gateway custom domain. This is so that it is configured for TLS
termination on the API Connect gateway. This is documented in the support
page below.

https://www.ibm.com/support/pages/how-do-you-use-custom-domain-api-connect-apis-and-portal-branding

11.3 Configuring the TLS/SSL certificates on the origin endpoints for the Transact web service

Procedure

1. Navigate to the Your certificates page and click on the line item for the
Transact root certificate.

2. Copy the string from the Certificate CRN field.

3. Create a secret in the Kubernetes cluster, which will be used by the ingress
definition in the Transact deployment. Run the following command, replacing the
cert-crn option value with the Certificate CRN value from the previous step. Specify a
name with the name option, the target Kubernetes cluster name with the
cluster option and the target namespace with the namespace option.

$ ibmcloud ks ingress secret create --name transact-root-cert --cluster temenos-iks --cert-crn crn:v1:bluemix:public:cloudcerts:eu-de:a/15d4684d10e44e0ab8292eff215095ce:e97ae7b6-d403-4f92-8ffb-e9991c22e415:certificate:8419e8250e99fb1a46d142048cb4a646 --namespace default
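A guard worth having around step 3, as an added example that is not part of the runbook or of the IBM Cloud CLI: the Certificate Manager instance CRN and the certificate CRN share the same prefix, and pasting the instance CRN into --cert-crn is an easy mistake. The script below checks that the copied value really is a certificate CRN (public IBM Cloud CRN layout: crn:v1:bluemix:public:<service>:<region>:a/<account>:<instance>:<resource-type>:<resource>) and only then builds the exact command from step 3. The default name, cluster and namespace values are the ones used in the runbook's command.

```python
"""Validate a Certificate Manager certificate CRN and build the ingress secret command (added example)."""
import shlex
import subprocess
import sys
from typing import List, NamedTuple


class CertificateCRN(NamedTuple):
    region: str
    account_id: str
    instance_id: str
    certificate_id: str


def parse_certificate_crn(crn: str) -> CertificateCRN:
    """Split the CRN into its 10 segments and check each one we depend on."""
    parts = crn.strip().split(":")
    if len(parts) != 10:
        raise ValueError(f"expected 10 colon-separated CRN segments, got {len(parts)}")
    prefix, version, cname, ctype, service, region, scope, instance, rtype, resource = parts
    if (prefix, version, cname, ctype) != ("crn", "v1", "bluemix", "public"):
        raise ValueError("not a public IBM Cloud CRN")
    if service != "cloudcerts":
        raise ValueError(f"service segment is {service!r}; a Certificate Manager CRN uses 'cloudcerts'")
    if not scope.startswith("a/") or len(scope) <= 2:
        raise ValueError("scope segment must name an account, a/<account-id>")
    if not instance:
        raise ValueError("missing Certificate Manager instance id")
    if rtype != "certificate" or not resource:
        # The instance CRN ends in '::' - the two trailing segments are empty.
        raise ValueError("this is the instance CRN, not a certificate CRN: copy the Certificate CRN field of the certificate")
    return CertificateCRN(region, scope[2:], instance, resource)


def ingress_secret_command(name: str, cluster: str, cert_crn: str,
                           namespace: str = "default") -> List[str]:
    """argv for 'ibmcloud ks ingress secret create', built only after the CRN passes validation."""
    parse_certificate_crn(cert_crn)
    return ["ibmcloud", "ks", "ingress", "secret", "create",
            "--name", name, "--cluster", cluster,
            "--cert-crn", cert_crn, "--namespace", namespace]


if __name__ == "__main__":
    # Usage: python make_ingress_secret.py <certificate-crn> [--run]
    argv = ingress_secret_command("transact-root-cert", "temenos-iks", sys.argv[1])
    print(shlex.join(argv))
    if "--run" in sys.argv:
        subprocess.run(argv, check=True)
```

Without --run the script only prints the command it would execute, so the CRN check can be used as a dry run before touching the cluster.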

12 Configuring encryption of Transact application secrets and Kubernetes cluster data

12.1 Encrypting IKS secrets in the etcd key-value store, using Hyper Protect Crypto Services

Procedure

1. Navigate to your Hyper Protect Crypto Services instance from the IBM Cloud
web console.

2. From the Key management service keys page, create a root key for IKS
secrets and etcd key-value store by clicking Add key, typing the key name and
clicking Create key.

3. Run the following commands to gather the ID of your Hyper Protect Crypto
Service instance and the ID of the previously created root key. This will be used
for the key management integration in to IKS.

$ ibmcloud ks kms instance ls


$ ibmcloud ks kms crk ls --instance-id <KMS_instance_ID>

4. Enable the key management integration in the IKS cluster by running the
following command with the IKS cluster name, the Hyper Protect Crypto
Services instance ID as the instance-id value, and the root key ID as the crk value.

$ ibmcloud ks kms enable -c <cluster_name_or_ID> --instance-id <kms_instance_ID> --crk <root_key_ID>

Be aware that there will be disruption to the management of the IKS cluster during
this operation, so please plan carefully.

5. Monitor the status of enabling the key management integration by running the
following command and checking the Status value under Master. Once
completed the Status value will show Ready and a new parameter called Key
Protect will be set with a value of enabled (as shown in the screenshots below).

$ ibmcloud ks cluster get -c <cluster_name_or_ID>


13 Creating the Transact database

In this chapter we will create a managed, encrypted PostgreSQL database, with no
admin access. Three nodes will be created across the three Availability Zones in the
MZR.

Procedure

1. Log into IBM Cloud. Search for Hyper Protect using the top search bar, selecting
Hyper Protect DBaaS for PostgreSQL in the Catalog Results.

2. Choose a multi zone region matching the rest of the environment configuration.
For deployment of the database: we chose Frankfurt.

3. Choose the Flexible plan.

4. Configure the database.


a. Define the Service name. The default name can be accepted (this will only
be present in the catalog page).

b. Define a Cluster name, e.g. temenos.

c. Define an Admin name, e.g. admin.

d. Define an Admin password.

e. Choose the per node RAM configuration. During testing we chose 16 GB
RAM per node. This can be scaled up and down at any time.

f. Select an initial disk allocation, per node. This can only be scaled up. During
testing we chose 24 GB.

g. Select an initial vCPU allocation appropriate for the environment. During
testing we chose 2 vCPU per node. This can be scaled up or down at any
time.

h. Under Endpoints, choose Private network. Only compute infrastructure
within this IBM Cloud account will be able to access the database, so later we
will need to create a bastion server to enable access.

5. Click Create to create the instance.

Once the database is created you should be able to check the properties as well as
information on the connection string and details about the certificate from the IBM
Cloud Web UI.

Later resizing of its resource allocation is performed in the Resources section.

13.1 Restoring the Transact database

The user can request the T24 Version of the PostgreSQL database from Temenos and
restore the database using psql client from a Linux machine or using PostgreSQL tools
like pgAdmin.

The connection string to connect to the instance, as well as the certificate for the
connection, can be obtained from the Manage pane view as shown in the illustration above.

The steps below were followed when restoring the Transact Database on to the
PostgreSQL database instance. For testing we installed psql on an Ubuntu Linux box in the
Temenos Data Centre to establish connectivity to the PostgreSQL instance on IBM
Cloud via a bastion host, which is configured next.

Procedure

1. From the IBM Cloud top-left menu, choose VPC Infrastructure, then Virtual
server instances.


2. Click Create to create a new instance.

3. Name the instance, and choose a location that matches the location of the rest
of the infrastructure. Which subnet is selected is not important.

4. Choose a public multi-tenant instance, unless a dedicated tenant is specifically
required. Here we choose an Ubuntu base image, and the minimal specification
instance, with no storage.


5. Click New key to add a new SSH key.

6. On a Mac or Linux terminal, generate an SSH key to be used by this jump
server, e.g.

ssh-keygen -b 4096

7. Name the key and paste the public key generated into the IBM Cloud interface.


8. Click Add SSH key.

9. Ensure this SSH key is selected, and click Create virtual server instance.

10. Click Floating IPs on the left-hand side menu.


11. Click Create.

12. Select a name for the floating IP, and select the jump server resource to bind it
to.


13. Verify you can connect to the jump server via SSH, with root@floating_ip.

14. Install and use Teleport on the bastion host to connect through the bastion jump
server to backend private network systems (such as the Postgres instance).

Now, we may continue by connecting to the Postgres instance, via the bastion jump
host. In the example strings below the initial part of the instance hostname is masked
for security reasons.

Procedure

1. Use the following connection string, giving the username as admin, the
password provided and the path to the certificate. The connection string is
double-quoted so that the shell expands $CAFilePath and $Username.

psql "host=xxxxxx.hyperp-dbaas.cloud.ibm.com port=29313 sslmode=verify-full sslrootcert=$CAFilePath user=$Username"

2. Once the above command is successfully executed the user will be logged into
the admin prompt. From there execute the following steps.

admin=> CREATE USER t24 WITH PASSWORD 't24';

admin=> ALTER ROLE t24 CREATEDB CREATEROLE;

admin=> CREATE DATABASE t24db WITH OWNER = t24 TEMPLATE = template0 ENCODING = 'UTF8' CONNECTION LIMIT = -1;

admin=> GRANT ALL ON DATABASE "t24db" TO t24;

admin=> ALTER TYPE numeric OWNER TO t24;

admin=> CREATE CAST (varchar AS numeric) WITH INOUT AS IMPLICIT;

3. The database backup received from Temenos Distribution will have a format like
the example illustrated below.

MB.202009.PostgreSQL_11.8.TAFJ202009.30-SEP-2021.sql.tar

In this example, MB stands for Model Bank. Normally the database backup will
be for either Model Bank (MB) or Initial System Build (ISB).

4. You need to make sure to have plsqlfunctions_postgresql.sql, which is part of
the TAFJ Runtime pack.

5. From the admin prompt the user can issue \c t24db to change to t24db and
execute the following steps. In the example below the
plsqlfunctions_postgresql.sql resides in the same directory from which the
psql command was executed to log in to the database instance. If
plsqlfunctions_postgresql.sql is under a different directory, please provide the
full path. The following SQL file will install the required TAFJ functions on to the
database instance.

t24db=> \i 'plsqlfunctions_postgresql.sql'

6. You can check whether the functions were installed properly using the following
SQL command

SELECT proname FROM pg_catalog.pg_namespace n JOIN pg_catalog.pg_proc p ON pronamespace = n.oid WHERE nspname = 'public';

7. Once the above steps are successfully completed, exit back to the shell prompt
and issue the following command to restore the database.

psql -h xxxxx.hyperp-dbaas.cloud.ibm.com -p 29422 -U t24 -d t24db -f MB.202009.PostgreSQL_11.8.TAFJ202009.30-SEP-2021.sql -L Restore-Log

The restoration process may run for some time depending on the size of the
database. You are advised to check the Restore-Log file for any errors and correct
accordingly.
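The error check recommended above can be automated. The following is an added example, not part of the runbook or of the Temenos tooling: it runs the same psql command as step 7, then scans both the -L log file and psql's stderr for ERROR/FATAL/PANIC lines so that errors are caught wherever psql writes them. It assumes psql's message format for errors raised while running a -f script (psql:<file>:<line>: ERROR:  <message>); the sample output embedded below is constructed, and the password is expected from PGPASSWORD or ~/.pgpass rather than the command line.

```python
"""Scan a Transact restore run for PostgreSQL errors (added example)."""
import re
import subprocess
import sys
from typing import List, NamedTuple

# psql reports script errors as  psql:<file>:<line>: ERROR:  <message>
PSQL_ERROR_RE = re.compile(
    r"^psql:(?P<file>.+?):(?P<line>\d+): (?P<level>ERROR|FATAL|PANIC):\s+(?P<msg>.*)$")
# Server messages that reach the output without the psql:file:line prefix
BARE_ERROR_RE = re.compile(r"^(?P<level>ERROR|FATAL|PANIC):\s+(?P<msg>.*)$")

# Constructed sample of restore output; the dump file name is the one used in the runbook.
SAMPLE_OUTPUT = """CREATE TABLE
INSERT 0 250
psql:MB.202009.PostgreSQL_11.8.TAFJ202009.30-SEP-2021.sql:4821: ERROR:  relation "f_account" already exists
INSERT 0 250
psql:MB.202009.PostgreSQL_11.8.TAFJ202009.30-SEP-2021.sql:9950: ERROR:  permission denied for schema public
COPY 12
"""


class RestoreError(NamedTuple):
    file: str
    line: int        # line in the SQL dump; 0 when psql gave no location
    level: str
    message: str


def scan_restore_output(text: str) -> List[RestoreError]:
    """Return every error line found, with the dump line that caused it where known."""
    found: List[RestoreError] = []
    for raw in text.splitlines():
        m = PSQL_ERROR_RE.match(raw)
        if m:
            found.append(RestoreError(m["file"], int(m["line"]), m["level"], m["msg"]))
            continue
        m = BARE_ERROR_RE.match(raw)
        if m:
            found.append(RestoreError("", 0, m["level"], m["msg"]))
    return found


def run_restore(host: str, port: int, user: str, db: str, sql_file: str,
                log_file: str = "Restore-Log") -> List[RestoreError]:
    """Run the runbook's restore command and scan the log file plus psql's stderr."""
    argv = ["psql", "-h", host, "-p", str(port), "-U", user, "-d", db,
            "-f", sql_file, "-L", log_file]
    proc = subprocess.run(argv, capture_output=True, text=True)
    with open(log_file, encoding="utf-8", errors="replace") as fh:
        log_text = fh.read()
    return scan_restore_output(log_text + "\n" + proc.stderr)


if __name__ == "__main__":
    # Usage: python check_restore.py <host> <port> <user> <db> <dump.sql>
    if len(sys.argv) == 6:
        errors = run_restore(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], sys.argv[5])
    else:
        errors = scan_restore_output(SAMPLE_OUTPUT)   # offline demonstration
    for e in errors:
        where = f"{e.file}:{e.line}" if e.line else "(no location)"
        print(f"{e.level} at {where}: {e.message}")
    sys.exit(1 if errors else 0)
```

A "relation already exists" error usually means the restore was run twice against the same database; a permission error points back to the GRANT and ownership statements of step 2.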

13.2 Accessing the Transact database

Once restored, the database can be accessed using the psql client or pgAdmin.

14 Creating and configuring the container registry for Transact container images

14.1 Creating the container registry

Procedure

1. You need to complete the container registry setup before images can be pushed
to it. This involves creating a namespace and a repository. To create the
namespace, log in and use the Web UI or install the IBM Cloud CLI tools. The
information will be available in the Quick start tab under Kubernetes and
Registry in IBM Cloud.

2. Click the Namespaces tab and click Create.

You can create the repo using Web UI or CLI.

- If using Web UI then follow the instructions in the Quick Start page to set the
access to push the docker images.

- If using CLI, see the illustrations below for details of the steps required to
push the images to the IBM Cloud registry from a Linux box.

14.2 Configuring storage space for the container registry

You can change the Quota for the Registry from the Web UI by clicking the Settings
tab.

14.3 Pushing images to the container registry

Procedure

1. Once the namespace and repo are available you can build the docker image and
push it to the IBM Cloud CR. You need to make sure to set the required region
and then login to the CR. The illustration below shows how to set the region and
login. In this example, since the artefacts need to be in the Frankfurt region, we
have set the region to eu-central.

2. Ensure the image is tagged in the required format. The region should be included in the
tag (e.g. de.icr.io).

docker tag hello-world de.icr.io/<my_namespace>/<my_repository>:<my_tag>

For example, you can build first and tag later:

docker tag 2e27598b1368 de.icr.io/temenostest/temenosrepo:202009postT24

Or specify the tag at build time (the trailing dot is the build context directory):

docker build -t de.icr.io/temenostest/temenosrepo:202009postT24 .

To upload, issue a docker push:

docker push de.icr.io/temenostest/temenosrepo:202009postT24

14.4 Verifying the images

After pushing the images to the registry, check for the image using the CLI tool or
the web UI.


15 Deploying Transact
15.1 Creating the Transact image
You need to request the pre-image kit for Transact App and Web for the PostgreSQL
database from Temenos distribution. The pre-image kits will be in zip format. Unzip
the kits on a machine from which you have connectivity to the IBM Container
Registry. Follow "Steps to build Transact Web container image from Preimage
kit" in the README.txt in the kits.

15.2 Modifying Tafj.properties

Procedure

1. In the preimage kit there will be a tar file named preimage.tar which holds the
tafj.properties file. Set the properties as illustrated below.

temn.tafj.locking.mode=DATABASE

temn.tafj.runtime.use.df.cache=true

temn.tafj.runtime.port.database=true
temn.tafj.jdbc.fail.immediate.on.db.error=true

2. Once the required modifications are done, run the following commands to
build the docker images and push them to the Container registry.

To build:

docker build -t repository:tag ./preimage-transact-web-<version>

docker build -t repository:tag ./preimage-transact-app-<version>

For example:

docker build -t de.icr.io/temenostest/temenosrepo:202009postT24 ./preimage-transact-app-pos-202009.1

docker build -t de.icr.io/temenostest/temenosrepo:202009postBW ./preimage-transact-web-pos-202009.1

To push:

docker push repository:tag

docker push repository:tag

For example:

docker push de.icr.io/temenostest/temenosrepo:202009postT24

docker push de.icr.io/temenostest/temenosrepo:202009postBW

15.3 Transact Ingress

To enable sticky sessions for the Temenos BrowserWeb component, the ingress.yaml
given below needs to be updated in the helm chart's templates folder. In the values.yaml
file, define the values as specified.

15.4 Transact Deployment

To deploy Temenos Transact App and Web components, along with Active MQ on
IBM Cloud, Helm charts were used.

Procedure

1. Modify values.yaml as required. The illustrations below show example
configurations of this file.


2. Ensure that the *.yaml files used for deployment are defined and present in the
templates folder.

3. Ensure that the associated service is present and defined in the templates folder.

4. Once the definitions and the values have been updated, install the chart as
illustrated below.

5. To check whether the services and pods are up and running, use the kubectl
command to list the pods.

15.5 Transact UI Access

Once the pods and services are up and running, configure the access end points
and then access Transact. See the illustrations below. These cover the old browser
(BrowserWeb) and the new UXPB browser.

16 Deploying Data Event Streaming (DES)

DES is installed using Helm charts, which are described in a later part of this document.
Before building and deploying DES you need to create the following resources on the
IBM Cloud account.

16.1 Creating IBM Event Streams

Procedure

1. Log in to the IBM Cloud console.

2. Select the Event Streams service in the Catalog.

3. Select the Lite plan (or select as per user requirement) on the Service Instance
page.

4. Enter a Name for your service.

5. Choose the Data Centre where you want the Event streams.

6. Select the Resource Group.

Now the Event Stream has been created, you can view it from the Resource List
panel, as illustrated below.

16.2 Creating Service Credentials

In the IBM Event Streams Landing page you should be able to see Service Credentials
on the left pane. You need to define service credentials which will be later used in DES
configuration.

Procedure

1. Click New Credential. Set Role to Manager.


2. Click Add and a new service credential will be created.

3. You can view the details of the Service Credentials by clicking the dropdown
arrow next to the Key Name (as illustrated below). Do this, and then note down
the password and user values from the property. These will be used later in the
DES configuration.

16.3 Creating Topics on IBM Event Streams

Procedure

1. On the Event Stream main page left panel, click Manage and then click the
Topics tab.

You need to create the following topics for DES. These topics can sometimes be
slightly different depending on the release of DES being used. So please confirm
with the DES product team the topics that need to be created for the DES
release chosen for the implementation, before proceeding.

- pull-event
- pull-event-multipart
- pull-metadata
- eot
- error
- multi-part
- des-schema
- des-install
- if
- if-raw
- table-update
- assembled-event

2. Click Create topic for each of the above topics. Enter the Topic name,
Partition and Message Retention. During testing we chose the default
values for Partition and Message Retention.

16.4 Obtaining the bootstrap server details


Procedure

1. After creating the required topics, click Connect to this Service on the Manage
panel.

This will provide you with the details of bootstrap server, which are required
during DES configuration.

16.5 Configuring the DES properties


1. Download the required DES package from the repository and extract it. You
should be able to see the following elements in the des-docker directory.

2. Change to the src/main/resources/des-config directory and edit the
des-kafka-sasl-ssl.properties file.

3. Set the values for:

temn.des.stream.kafka.bootstrap.servers

temn.des.stream.security.kafka.sasl.jaas.config

4. Set the bootstrap server connection details, mentioned in the previous sections.

temn.des.stream.kafka.bootstrap.servers = broker-4-rfbgmj76njbnhc67.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093,broker-2-rfbgmj76njbnhc67.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093,broker-0-rfbgmj76njbnhc67.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093,broker-1-rfbgmj76njbnhc67.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093,broker-5-rfbgmj76njbnhc67.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093,broker-3-rfbgmj76njbnhc67.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093

temn.des.stream.security.kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="token" password="tJnK13lf5C_0kGEBunmYReXUCuGwNfcygLnAFCXcALvf";

5. Comment out the following properties in the same file:

temn.des.stream.security.kafka.ssl.truststore.location

temn.des.stream.security.kafka.ssl.truststore.password

temn.des.security.schema.registry.ssl.truststore.location

temn.des.security.schema.registry.ssl.truststore.password

temn.des.security.schema.registry.ssl.keystore.location

temn.des.security.schema.registry.ssl.keystore.password

temn.des.security.schema.registry.ssl.key.password

6. In the same file make sure the schema registry URL is set correctly. For this
testing the schema registry was running on port 8081 under the service name
kafka-cp-schema-registry.

temn.des.schema.registry.url = http://kafka-cp-schema-registry:8081

7. In the same file, set the name of the data event table. If the database
used is PostgreSQL, put the table name in double quotes.

temn.des.epa.data-event.tables = "F_DATA_EVENTS"

8. Change to /src/main/resources/keystore/postgresql and edit the
t24.keystore.template file. Enter the JDBC connection strings for the
PostgreSQL database and the username and password.

For the stream database the jdbc URL can be the same, unless a different
database is used for the stream.

DES had an issue when the tcpKeepAlive=true&cleanupSavepoints=true
parameter was added to the JDBC connection string. This was confirmed with
the product team and it is not required for DES configuration and installation.

9. Generate the keystore file using the below command as a template. You can
change this according to the path and password used for implementation.

des-tool.sh create-keystore -keystoretype JCEKS -keystorepassword '3jyh?=%_baT' -file des.keystore -sourcefile src/main/resources/keystore/postgresql/t24.keystore.template

10. The output of the above command will be similar to the illustration below. Verify
the output and make sure the database URLs are correct.

11. If the database URL is not picked up correctly, set the environment
variables below and run create-keystore again. If create-keystore was run
previously, delete the keystore file it created before running it again. In the
above example the filename is des.keystore.
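The edits in steps 3 to 7 are easy to get subtly wrong (a broker left on the plaintext port, a truststore property that was not commented out, an unquoted PostgreSQL table name), and des-tool.sh install will write whatever is in the file into F_EB_DES_CONFIG. The following is an added example, not part of the DES package, that parses a des-kafka-sasl-ssl.properties file and reports those mistakes before the build. The property names are the ones shown above; the sample file, its hostnames and the placeholder API key are constructed for the example.

```python
import re

BOOTSTRAP_KEY = "temn.des.stream.kafka.bootstrap.servers"
JAAS_KEY = "temn.des.stream.security.kafka.sasl.jaas.config"
REGISTRY_KEY = "temn.des.schema.registry.url"
TABLES_KEY = "temn.des.epa.data-event.tables"
# Keys the runbook says to comment out when connecting to IBM Event Streams.
STORE_KEYS = (
    "temn.des.stream.security.kafka.ssl.truststore.location",
    "temn.des.stream.security.kafka.ssl.truststore.password",
    "temn.des.security.schema.registry.ssl.truststore.location",
    "temn.des.security.schema.registry.ssl.truststore.password",
    "temn.des.security.schema.registry.ssl.keystore.location",
    "temn.des.security.schema.registry.ssl.keystore.password",
    "temn.des.security.schema.registry.ssl.key.password",
)
JAAS_RE = re.compile(
    r'^org\.apache\.kafka\.common\.security\.plain\.PlainLoginModule required'
    r'\s+username="([^"]*)"\s+password="([^"]*)";$'
)

# Constructed sample: placeholder hostnames and key, bootstrap list continued
# with a trailing backslash as Java .properties files allow.
SAMPLE_PROPERTIES = r"""
temn.des.stream.kafka.bootstrap.servers = broker-0-example.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093,\
    broker-1-example.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093
temn.des.stream.security.kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="token" password="<EVENT_STREAMS_API_KEY>";
#temn.des.stream.security.kafka.ssl.truststore.location=/tmp/truststore.jks
#temn.des.stream.security.kafka.ssl.truststore.password=changeit
temn.des.schema.registry.url = http://kafka-cp-schema-registry:8081
temn.des.epa.data-event.tables = "F_DATA_EVENTS"
"""

# Constructed sample containing the mistakes the checks are meant to catch.
BAD_PROPERTIES = """
temn.des.stream.kafka.bootstrap.servers = broker-0-example.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9092
temn.des.stream.security.kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="token" password="not-a-real-key";
temn.des.stream.security.kafka.ssl.truststore.location=/tmp/truststore.jks
temn.des.schema.registry.url = kafka-cp-schema-registry:8081
temn.des.epa.data-event.tables = F_DATA_EVENTS
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    trailing backslash continues the value on the next line."""
    logical, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            line, pending = pending + line, None
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        logical.append(line)
    if pending is not None:
        logical.append(pending)
    props = {}
    for line in logical:
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_des_properties(text, postgresql=True):
    """Return a list of findings; an empty list means the file passes."""
    props = parse_properties(text)
    findings = []
    servers = [s.strip() for s in props.get(BOOTSTRAP_KEY, "").split(",") if s.strip()]
    if not servers:
        findings.append(f"{BOOTSTRAP_KEY} is empty")
    for server in servers:
        host, _, port = server.rpartition(":")
        if not host or port != "9093":  # 9093 is the SASL_SSL listener used above
            findings.append(f"bootstrap server {server!r} is not on the TLS port 9093")
    m = JAAS_RE.match(props.get(JAAS_KEY, ""))
    if not m:
        findings.append(f"{JAAS_KEY} is not a well-formed PlainLoginModule entry")
    else:
        user, pwd = m.groups()
        if user != "token":
            findings.append(f"JAAS username should be 'token', got {user!r}")
        if not pwd or pwd.startswith("<"):
            findings.append("JAAS password is empty or still a placeholder")
    for key in STORE_KEYS:
        if key in props:
            findings.append(f"{key} must be commented out")
    if not props.get(REGISTRY_KEY, "").startswith(("http://", "https://")):
        findings.append(f"{REGISTRY_KEY} is missing or not a URL")
    tables = props.get(TABLES_KEY, "")
    if not tables:
        findings.append(f"{TABLES_KEY} is not set")
    elif postgresql and not (tables.startswith('"') and tables.endswith('"')):
        findings.append(f"{TABLES_KEY} must be double-quoted for PostgreSQL")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    problems = check_des_properties(text)
    print("\n".join(problems) if problems else "OK")
```

Run it as `python check_des_props.py src/main/resources/des-config/des-kafka-sasl-ssl.properties` from the des-docker directory. The JAAS line carries the Event Streams service credential in clear text, which is why the check treats a placeholder as a finding rather than silently accepting it, and why the file should be handled as a secret rather than committed alongside the rest of the package.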

16.6 Building the DES component


Procedure

1. Once the properties have been updated set the environment variables specified
below.

2. Execute the tools build and tools install using the commands given below.

From the ~des-docker directory

To build:

./des-tool.sh build

To deploy (this is a one-time activity on the database):

./des-tool.sh install

3. After successfully installing the tool, check that the database table
F_EB_DES_CONFIG has the correct entries for the specified
DES_STEAM_VENDOR. For this test, the vendor specification was kafka.

In the F_EB_DES_CONFIG database table you should now see that a record is
created with all the correct values as defined in the file
des-docker/src/main/resources/des-config/des-kafka-sasl-ssl.properties.

4. To build DES, issue the command below from the ~des-docker/ directory.

./des-docker.sh build

Once the build is complete you should be able to see that the images listed
below have been created. You will not be using the des-grafana, des-
prometheus or des-demo-webapp-kafka images. These are used when running
DES locally in a demo environment.

5. Tag each of the images separately to point to the IBM Container Registry (CR).

docker tag 91a514bc5b5e de.icr.io/temenostest/temenosrepo:des-event-pull-adapter

6. Push the image to CR.

docker push de.icr.io/temenostest/temenosrepo:des-event-pull-adapter

16.7 Enabling Event capture in Transact


Before deploying DES, you must enable event capture. To find out how to do this, refer
to the relevant section in the DES user guide (located in the docs directory of the DES
package).

16.8 Deploying DES


DES installation on IBM IKS was done using Helm charts. Follow the README
included in the Helm chart for details of how to do specific configurations.

17 Deploying the Holdings microservice


Once DES is installed and configured and is streaming events into Event Streams,
you can deploy the Holdings microservice. Holdings is comprised of two parts – the
Ingester and the API. The Ingester receives event data from the streaming platform and
writes it to the microservice database. The API then responds to user queries by
reading from the Holdings database. The database used to test the Holdings
microservice is Hyper Protect Mongo in IBM Cloud.

17.1 Creating a Mongo Database


Procedure

1. In the IBM Cloud catalog, search for Hyper Protect Mongo (as done for the
PostgreSQL database earlier). Select the Flexible plan.

2. Configure the database.

3. Choose appropriate sizes for the resources. vCPU and RAM can be scaled up
and down. Disk allocation size can only be scaled up. For testing we used 2 GB
RAM, 16 GB disk, and 2 vCPUs.

4. For the KMS instance, choose your Hyper Protect Crypto Services instance from
the dropdown list.

5. Select the root key for this database from the dropdown list.

17.2 Connecting to the Mongo database


There are multiple ways you can connect to the Mongo Database created in IBM
Cloud.

17.2.1 Selecting the database


Log in to the IBM Cloud dashboard and select the Hyper Protect Mongo database.
The right pane of the screen lists the options for connecting to this
database. Note that a certificate is required to connect to the database; it
can also be downloaded from the same page.

17.2.2 Connecting with Shell


Use the command given below.

mongo 'mongodb://dbaas250.hyperp-dbaas.cloud.ibm.com:29137,dbaas251.hyperp-dbaas.cloud.ibm.com:29294,dbaas252.hyperp-dbaas.cloud.ibm.com:29344/admin?replicaSet=temenos' --ssl --username $userID --sslCAFile $caFilePath

Once connected you can use the show dbs command to display details of the
database.

17.2.3 Connecting with the Mongo Compass tool


This tool must be downloaded and configured before it can be used to connect to
the database.

Procedure

1. Download the tool.

2. Execute the exe in the zip package. The following screen is displayed.

3. Click Connect. The database should now be displayed.

17.3 Creating a Mongo database


Connect to the Mongo shell and run the following commands to create the required
collections and insert the sample data.

mongodb:PRIMARY> use ms_holdings
switched to db ms_holdings

db.ms_holdings_balance.insert({
  "_id" : "GB0010001-123456-1555459200",
  "accountId" : "GB0010001-123456",
  "availableBalance" : NumberDecimal("89470"),
  "balanceDate" : NumberLong(1555459200),
  "currencyId" : "USD",
  "customerId" : "100410",
  "extensionData" : {},
  "externalIndicator" : false,
  "objectId" : "GB0010001-123456-1555459200",
  "onlineActualBalance" : NumberDecimal("89470"),
  "openingDate" : ISODate("2019-04-17T00:00:00Z"),
  "processingTime" : ISODate("2020-05-18T12:23:25.759Z"),
  "productName" : "AC",
  "workingBalance" : NumberDecimal("89470")
});

db.ms_holdings_transaction.insert({
  "_id" : "GB0010001-123456-15554592000000",
  "accountId" : "GB0010001-123456",
  "accountOfficerId" : NumberLong(79),
  "amountInAccountCurrency" : NumberDecimal("12851.61"),
  "amountInEventCurrency" : NumberDecimal("10000.00"),
  "bookingDate" : ISODate("2019-04-17T00:00:00Z"),
  "categorisactionId" : NumberLong(895),
  "currency" : "GBP",
  "customerId" : "100386",
  "customerReference" : "FT191070MC9L",
  "exchangeRate" : NumberDecimal("1.285161000"),
  "extensionData" : {},
  "externalIndicator" : false,
  "externalReference" : "",
  "narrative" : "DEMO TRANSACTION",
  "objectId" : "GB0010001-123456-15554592000000",
  "processingDate" : ISODate("2019-04-17T00:00:00Z"),
  "recordId" : "191345526039874.000002",
  "runningBalance" : NumberDecimal("10000"),
  "sortKey" : NumberLong("15554592000000"),
  "transactionAmount" : NumberDecimal("12851.61"),
  "transactionReference" : "FT191070MC9L",
  "valueDate" : ISODate("2019-04-17T00:00:00Z")
});

You can also use MongoDB Compass to connect to the instance.

17.4 Building the Holdings package


This section explains how to build the Holdings container images.

Procedure

1. In your Holdings package directory, open holdings.sh for editing.

2. Remove the highlighted section shown below and save the file.

3. Make sure the holdings.sh script is executable.

chmod +x holdings.sh

4. Run the script as follows.

./holdings.sh up --build --no-start

5. Once the build is finished you will see the images shown below. Tag them
according to your container registry and push them to the registry.

17.5 Deploying Holdings


Once the images are pushed to the registry, the Holdings API and Ingester are
deployed using Helm charts. Details of the configuration are in the README file
for the Holdings Helm charts.

For Holdings to connect to the Mongo database instance, the certificate must be
used. At present the certificate the user downloads from IBM Cloud has two
parts.

Procedure

1. Before modifying it, take a copy of cert.pem.

2. Open cert.pem using a text editor.

3. Remove the first certificate and save the file. After the change, the example
given above will look as illustrated below.

4. Convert the cert.pem file to cert.jks using keytool, as illustrated below. In this
example we have executed keytool from the directory where cert.pem file is
located, so we have used ./ . If the path is different then give the full path.

keytool -importcert -trustcacerts -file ./cert.pem -keystore ./cert.jks -storepass <UserChoicePassword>

5. After converting to cert.jks, create a configmap in Kubernetes using the syntax
below.

kubectl create configmap truststore --from-file=cert.jks=./cert.jks

You can verify this using the commands given below.

6. Holdings also requires a Mongo database user. Below is an example of the
commands to create a user and grant permissions.

use ms_holdings

db.createUser({
  user: "testUser",
  pwd: "test",  // or passwordPrompt() to avoid a cleartext password in the shell history
  roles: [
    { role: "readWrite", db: "ms_holdings" }
  ]
})

7. In values.yaml update the following details for the API and the Ingester.

MONGODB_USER:

MONGODB_PASS:

temn.ms.mongo.ssl.enabled

temn.ms.mongo.ssl.truststore.file.path

temn.ms.mongo.ssl.truststore.auth

8. Configure the following parameters for the Ingester. They are required because we are
connecting to IBM Event Streams. The JAAS configuration can be obtained from
the IBM Event Streams configuration (also mentioned in the DES deployment
section of this document).

temn.msf.stream.security.kafka.security.protocol: SASL_SSL

temn.msf.stream.kafka.sasl.mechanism: PLAIN

temn.msf.stream.kafka.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="token" password="tJnK13lf5C_0kGEBunmYReXUCuGwNfcygLnAFCXcALvf";

temn.msf.stream.kafka.ssl.enabled: "true"

9. Also for the Ingester, make sure the following property in the values.yaml file for
the Helm installation is set correctly and points to the relevant schema registry
for the installation. In the example below the schema registry service name is
kafka-cp-schema-registry and the port is 8081.

schemaregistryurl: http://kafka-cp-schema-registry:8081

10. Ensure that the connection string contains the db instance name. In the below
example it is ms_holdings.

mongodb://dbaas250.hyperp-dbaas.cloud.ibm.com:29137/ms_holdings?replicaSet=temenos&ssl=true

11. In the service deployment yaml files (under the templates folder in Helm for both
API and Ingester), define a volume mount that places cert.jks from the configmap
into the containers when they start.

For API the path is /usr/local/tomcat/conf/cert.jks

For Ingester the path is /app/cert.jks

Examples of VolumeMounts and volumes are illustrated below.

12. Use a URL of the following form to access the API.

http://<EntryPoint>/ms-holdings-api/api/v1.0.0/holdings/accounts/GB0010001-100137/balances
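Steps 1 to 3 (trimming the two-part cert.pem) and step 10 (the connection string) of the procedure above are both done by hand in the runbook, and a mistake in either only shows up when the Ingester pod fails to connect. The following is an added example, not part of the Holdings package, that removes the first certificate block from a PEM bundle exactly as step 3 describes, confirms the remaining block decodes, and checks that a Mongo connection string names the database, asks for TLS and names the replica set. The PEM bodies are constructed base64 filler rather than real certificates; the URIs are the ones shown in the runbook and a constructed broken variant.

```python
import base64
import re
from urllib.parse import parse_qs

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----\r?\n?", re.S
)


def _pem_block(label):
    """Constructed PEM block with base64 filler; not a real X.509 certificate."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed stand-in for the two-part cert.pem downloaded from IBM Cloud.
SAMPLE_BUNDLE = _pem_block("constructed certificate one") + _pem_block("constructed certificate two")

# Connection string from step 10, and a constructed variant missing the
# database name and the ssl flag.
SAMPLE_URI = "mongodb://dbaas250.hyperp-dbaas.cloud.ibm.com:29137/ms_holdings?replicaSet=temenos&ssl=true"
BAD_URI = "mongodb://dbaas250.hyperp-dbaas.cloud.ibm.com:29137/?replicaSet=temenos"


def split_pem(text):
    """Return the individual CERTIFICATE blocks of a PEM bundle, in order."""
    return PEM_BLOCK.findall(text)


def drop_first_certificate(text):
    """Step 3 of the runbook: remove the first certificate, keep the rest.
    Refuses to act on anything that is not a multi-part bundle, and checks that
    every kept block still base64-decodes so a truncated edit is caught here."""
    blocks = split_pem(text)
    if len(blocks) < 2:
        raise ValueError(f"expected a bundle with at least two certificates, found {len(blocks)}")
    kept = blocks[1:]
    for block in kept:
        body = "".join(block.splitlines()[1:-1])
        base64.b64decode(body, validate=True)
    return "".join(kept)


def check_mongo_uri(uri, expected_db="ms_holdings"):
    """Return findings for a values.yaml connection string; empty list means OK."""
    findings = []
    if not uri.startswith("mongodb://"):
        return ["connection string must start with mongodb://"]
    hostpart, _, tail = uri[len("mongodb://"):].partition("/")
    dbname, _, query = tail.partition("?")
    if "@" in hostpart:
        # The runbook passes the user via MONGODB_USER / MONGODB_PASS, not the URI.
        findings.append("credentials are embedded in the URI; use MONGODB_USER and MONGODB_PASS instead")
        hostpart = hostpart.rpartition("@")[2]
    for entry in hostpart.split(","):
        host, _, port = entry.rpartition(":")
        if not host or not port.isdigit():
            findings.append(f"host entry {entry!r} is not host:port")
    if dbname != expected_db:
        findings.append(f"database name missing or unexpected: {dbname!r} (expected {expected_db!r})")
    params = parse_qs(query)
    if params.get("ssl") != ["true"]:
        findings.append("ssl=true is missing; the runbook connects to Hyper Protect Mongo over TLS")
    if "replicaSet" not in params:
        findings.append("replicaSet parameter is missing")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python holdings_prep.py cert.pem cert.trimmed.pem
        with open(sys.argv[1]) as src, open(sys.argv[2], "w") as dst:
            dst.write(drop_first_certificate(src.read()))
    print(check_mongo_uri(SAMPLE_URI) or "connection string OK")
```

Run it on the copy of cert.pem taken in step 1 and feed the trimmed output to the keytool command in step 4; keep the untouched copy so the edit can be redone if the wrong block was removed. The URI check is deliberately strict about `ssl=true` and the database name because the Ingester reads both from values.yaml and fails late, after the pod has already started, if either is absent.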

18 Deploying and exposing APIs


18.1 Testing Transact API service deployments inside the Kubernetes cluster

Temenos APIs are installed along with the Transact app and web images. The API pod
runs as a separate pod within the same cluster. Temenos APIs are installed using
the Transact Helm chart. Once installed you should be able to see the API pods and
services.

The list of APIs and the Swagger definition can be accessed using the URLs
below.

http://host:port/irf-provider-container/api/v1.0.0/meta/apis

http://host:port/

You can invoke a required API using any REST tool, or call the API as part
of any UI development for a specific implementation. An example of creating a
CUSTOMER record in Temenos Transact using an API POST method is illustrated below.

18.2 Importing Transact OpenAPI definitions into API Connect and managing them as API products

Procedure

1. Obtain the OpenAPI and Swagger files for the Transact APIs from a Temenos
SME.

2. You need to obtain the hostname of the Kubernetes Ingress definition for your
deployed Transact APIs and any Temenos microservices APIs. This can be
done by running the following command against the namespace that Transact
was deployed to, and copying the information from the HOSTS field for the api
ingress object.

$ kubectl get ingress -n <transact_namespace>

3. Navigate to your API Connect instance from the IBM Cloud web console.

4. Click the Navigate to button and click Drafts from the navigation menu, which
will take you to the Drafts page for managing APIs and products.

5. For each API definition, repeat the following to create the API from the
OpenAPI/Swagger file and configure it to invoke the backend API service
(Ingress) running in the Kubernetes cluster.

a. Click the APIs tab. Click Add and click Import API from a file or URL.

b. From the Import OpenAPI (Swagger) window click Select File. Navigate to
and open one of the Temenos-provided OpenAPI/Swagger files, and click
Import. This creates an API named with the title from the
OpenAPI/Swagger file.

c. From the opened API page, click the Schemes section on the left hand side
of the page and deselect http (by default only HTTPS based APIs can be
published to the catalog).

d. Click the Source tab and search or scroll to the x-ibm-configuration line in
the source code window. Add the following assembly code as part of the
x-ibm-configuration object, modifying the target-url to match the
hostname captured in step 2.

assembly:
  execute:
    - invoke:
        title: invoke
        timeout: 60
        verb: keep
        cache-response: protocol
        cache-ttl: 900
        version: 1.0.0
        target-url: 'https://temenos-iks-aab383d72572813949d6108ae3e31375-0000.eu-de.containers.appdomain.cloud/irf-provider-container/$(request.path)'

e. Click the save icon above the source code panel and wait for the message
API saved to be displayed. Then click the More Actions button and select
Add to existing products.

f. On the Add to existing products window, select the API product that was
previously created (for testing we used Transact APIs) and click Add.

6. Once all the desired APIs have been added, navigate back to the Drafts page,
click on the Products tab and click the product name which the APIs were
added to.

7. To stage the API product to the catalog, click on the Stage the Product to a
chosen Catalog icon and select the catalog previously created (for testing we
used Transact APIs).

8. Navigate back to the Dashboard. Click the catalog that the API product was
staged to (for testing we used Transact APIs). From the Products tab click
Publish for the API product that was staged.

9. From the Edit visibility window select your desired visibility for the API portal
and click Publish. Once complete you should see the state changed to
Published.

10. Test the APIs through the public domain, which was previously configured for
the API gateway, to validate the APIs are exposed. This can be done through
your preferred method, for example through Postman using an API collection
provided by Temenos.

19 Technical approval

Once Transact/TAFJ had been deployed and configured on IBM Cloud, a full technical
approval process was executed for the stack. The technical approval process involves
loading transactions and executing Transact enquiries using JMeter scripts. In the example
below, a set of transactions was loaded and enquiries were executed for the following:

CUSTOMER

LOCAL & FOREIGN ACCOUNTS

LOCAL & FOREIGN DEPOSITS

FUNDS TRANSFER

BALANCE ENQUIRY

STATEMENT ENQUIRY

An example of a data injection screen is shown below.
