Stack14 IBM Cloud Runbook
Contents
1 About this Runbook
1.1 Scope
1.2 Audience
1.3 Skills and knowledge
1.4 Legal
1.5 History
2 Introduction
2.1 Architecture overview
2.2 Architecture diagram
2.3 Terminology
Stack 14 IBM Cloud Runbook 1.0
This runbook also covers connecting Temenos Transact to IBM Cloud Hyper Protect DBaaS for PostgreSQL, and connecting Holdings Microservices to IBM Cloud Hyper Protect DBaaS for MongoDB.
This runbook does not tell you how to install third-party software. For more information, see the relevant vendor's documentation.
1.1 Scope
This runbook covers:
Creating the required infrastructure and databases on IBM Cloud (IKS, VNet, Hyper Protect DBaaS for PostgreSQL/MongoDB).
1.2 Audience
This document is aimed at those who are deploying Temenos Transact App and Web, Temenos DES, Temenos APIs and Temenos Holdings Microservices on IBM Cloud, connecting to DBaaS services defined on IBM Cloud for Transact (PostgreSQL) and Holdings (MongoDB).
Kubernetes
Transact
DES
Holdings Microservices
PostgreSQL
MongoDB
Helm charts
1.4 Legal
© Copyright 2021 Temenos Headquarters SA. All rights reserved.
While all reasonable attempts have been made to ensure accuracy, currency, and
reliability of the content in this guide, all information is provided "as is".
In no event will TEMENOS be liable to you or anyone else for any decision made or
action taken in reliance on the information in this document or for any consequential,
special or similar damages, even if advised of the possibility of such damages.
TEMENOS does not accept any responsibility for any errors or omissions, or for the
results obtained from the use of this information. Information obtained from this guide
should not be used as a substitute for consultation with TEMENOS.
References and links to external sites and documentation are provided as a service.
TEMENOS is not endorsing any provider of products or services by facilitating access
to these sites or documentation from this guide.
The content of this guide is protected by copyright and trademark law. Apart from fair
dealing for the purposes of private study, research, criticism, or review, as permitted
under copyright law, no part may be reproduced or reused for any commercial
purposes whatsoever without the prior written permission of the copyright owner. All
trademarks, logos and other marks shown in this guide are the property of their
respective owners.
1.5 History
Version | Date | Change
1.2 | Feb 2021 | Updated infra related screen shots, Ingress definition, ROKS infra, details. Removed/updated screen shots for Temenos products. Updated details on pre-image kits and TAFJ specific variables required for Transact.
1.3 | Mar 2021 | Added sections to cover infrastructure setup for API gateway, key management and certificate management. Added sections to cover configuration of encryption for Transact application secrets, Kubernetes data, and persistent volumes. Updated section to include configuring and exposing Transact APIs through API gateway.
1.4 | April 2021 | Updated VPC and Kubernetes cluster sections, and added a section for IBM Financial Services Cloud considerations.
2 Introduction
2.1 Architecture overview
In this runbook we explain the benefits of using the managed services hosted in IBM Cloud, which range from Kubernetes to Hyper Protect databases for Transact and the microservices. We also detail the security elements available in IBM Cloud that can be used when accessing the hosted applications.
The resources used in this exercise are all managed services. The IBM Cloud web UI allows the user to create and manage the resources. IBM Cloud also provides logging and monitoring solutions to monitor the installed resources through different dashboards.
2.3 Terminology
WildFly 20.0.0.Final
Helm V3.2.4
BrowserWeb 202009
TAFJ 202009
browser-iris.war
Authenticator.war
UXP-Browser.zip
3.2 Assumptions
At the time of writing this guide, the available release of Transact and TAFJ was
202009 and these artefacts were used for installation and configuration. Most of the
Temenos software was for release 202009, except the UXPB Browser for which the
202101 version was used.
This runbook assumes that all third-party software has been installed, and that all required Temenos artefacts have been obtained from Distribution before the stack is installed and configured.
https://cloud.ibm.com/docs/account?topic=account-account-getting-started
https://cloud.ibm.com/docs/cli?topic=cli-install-ibmcloud-cli
For Linux™, copy and paste the following command into a terminal and run it.
We will do this initial configuration in two parts: create access groups for specific user
roles, and then add users to specific groups.
3. Click Create.
Account administrators
Kubernetes administrators
1. While still in the IAM section, click Users on the left-hand side.
4. Click the Add button next to each group to add these users.
5. Click Invite.
6. Repeat the above steps for different sets of users, to be added to different
groups. Specific service access for each group will be added as services are
instantiated later.
Procedure
2. Click Account settings from the left menu (see the above illustration).
3. Under Virtual Routing and Forwarding, click the button to create a case.
4. Create and submit the support case, asking for VRF to be enabled, and specify
for it to happen ASAP.
In the example used, we are choosing to deploy into the Frankfurt Multi-Zone Region
(MZR). This region has three Availability Zones (AZ) to allow for regional failures. The
VPC we create will consist of three subnets, one per AZ.
Procedure
1. From the IBM Cloud hamburger menu top-left, choose VPC Infrastructure.
4. Click Create.
5. Name the VPC, e.g., temenos-vpc. Leave most of the fields on this page as
default.
10. Click Subnets, from the left-hand menu, on the VPC Infrastructure page.
13. Leave the other fields as default. The prior-created VPC will be named in the
dropdown.
17. Repeat steps 11 to 16, creating a third subnet fra3 in location Frankfurt 3.
4. Under Infrastructure, choose VPC, then choose the VPC instance previously
created (temenos-vpc).
5. Ensure all subnets are chosen. Workers will be spread across the subnets, and
thus the regional datacentres.
6. Define the number of worker nodes per zone, depending on the environment you
are creating.
9. Click Create.
10. Once taken to the cluster page, follow the access steps in the Access tab to
install the ibmcloud CLI, if not already done. Then use it to pull the kubeconfig
file, and then use kubectl as with any other Kubernetes cluster.
11. Finally, connect the cluster to the logging and monitoring services. Click the
Overview item on the left of the page, then click Connect to connect the cluster
to the logging and monitoring systems (LogDNA and Sysdig respectively).
Either connect the cluster to existing systems, or define new ones if the account
has not been used before.
12. Click the Worker nodes menu item on the left to see the workers created in the
prior steps.
Procedure
An instance of the Cloud Object Storage service is all that’s required, so we can now
move on to creating a ROKS cluster.
Procedure
1. Click the IBM Cloud menu at the top left, and then Kubernetes and then
Cluster.
5. Choose the Virtual Private Cloud previously defined, and ensure all three zones,
with three subnets, are selected. Also choose the Cloud Object Storage instance
previously created.
6. Select one worker node per zone, and change the flavour to one suitable for the
environment being created. Here we chose b2.8x32, i.e., 8 vCPU, 32 GB RAM,
16 GiB network speed.
9. Wait while the cluster is created for you. While this is being done, follow the
getting started instructions to download the IBM Cloud CLI (if not already done),
and the oc CLI to interact with the cluster.
10. Once the local tooling is installed and the cluster is ready, click the oauth token
request page link to generate a command to log in to the cluster.
11. Copy and paste the oc login command to log in to the cluster.
12. Finally, connect the cluster to the logging and monitoring services. Click the
connect item on the left of the page, then click Connect to connect the cluster to
the Logging and Monitoring systems (LogDNA and Sysdig respectively).
13. For each cluster, if there is an instance available select it. Alternatively, define a
new one.
https://cloud.ibm.com/docs/cis?topic=cis-about-ibm-cloud-internet-services-cis
https://cloud.ibm.com/docs/dns?topic=dns-getting-started
1. From the IBM Cloud catalog select Domain Name Registration and click
Create.
3. From the IBM Cloud catalog select Internet Services, select the required plan
(Standard was used for testing) and click Create.
5. Click Skip on the DNS records page. On the Delegate domain management page, copy the name server hostnames from the New NS records field and click Create.
7. On the target domain listed, select Unlocked from the Lock Domain field, click
the dropdown and click Add / Edit NS from the Custom Name Servers section.
8. On the panel provided, paste the two name server hostnames previously copied
from Internet Services and click Associate to finish.
a. Obtain the Ingress Subdomain from the Kubernetes Service (IKS) cluster.
This is the hostname for the default public Ingress Application Load
Balancer (ALB) that is used by the Transact Web and API services. Run the
following command using the IBM Cloud CLI with your cluster name
specified:
2. Create a CNAME DNS entry in Internet Services for the Transact web service.
b. Click Add on the DNS records section to open the Add record panel. Select Type CNAME, enter the name of your chosen subdomain for the Transact web service in the Name field and enter the Ingress Subdomain address from the previous step into the Alias Domain Name. Click Add to complete adding the DNS entry for the Transact web service.
c. Click the Proxy switch next to each added DNS record to enable Cloud
Internet Services to proxy traffic for those subdomains.
3. Add a page rule to enforce HTTPS traffic for all resources under the domain
managed by Cloud Internet Services, including the Transact Web and Transact
API subdomains.
b. Click Create rule, leave the URL match to the default wildcard entry to
cover the whole domain, select Always use HTTPS from the Setting
dropdown, and click Create.
Specifically in this runbook, this is used for encryption of Transact application secrets,
TLS/SSL certificates, Kubernetes persistent volumes for Transact application data, and
Transact database data.
https://cloud.ibm.com/docs/hs-crypto?topic=hs-crypto-overview
Specifically, in this runbook, certificates are encrypted at rest with customer managed
keys in Hyper Protect Crypto Services.
https://cloud.ibm.com/docs/certificate-manager?topic=certificate-manager-about-
certificate-manager
1. From the IBM Cloud catalog select Hyper Protect Crypto Services, select a
location (Frankfurt eu-de was used for testing), select the number of crypto units
(2 were used for testing) and select Public and private (default) as the allowed
network. Click Create to create the Hyper Protect Crypto Services service
instance.
2. From your local machine, install the TKE (Trusted Key Entry) plugin for the IBM
Cloud CLI and set a directory to use for TKE files. This will be used for master
key part files and your signature key.
$ export CLOUDTKEFILES="$HOME/Testing/hpcs"
3. Select the crypto units to manage from the previously created Hyper Protect
Crypto Services instance, by running the following command and entering the
crypto unit numbers in the prompt (as illustrated below).
4. Create a signature key by running the following command, specifying your name
as an administrator and entering a password (as illustrated below).
6. Add an administrator for the target crypto unit by running the following command
and entering the KEYNUM value for your signature key and the corresponding
password.
7. You must now set the quorum authentication threshold for the target crypto units
(i.e. the required number of admin signatures to authorize and perform
operations). Run the following command, and enter the value for new signature
threshold and revocation signature threshold (for testing purposes these were
set to 1).
4. Create 2 or more randomly generated master key parts by running the following
command twice and entering a password for the key part. These will form the
master encryption key that will be used to wrap root encryption keys for Transact
and related infrastructure.
5. You must now load the master key parts and create a new master key register
on the crypto units. Run the following command, entering the KEYNUM values
for the master key parts and the associated passwords. Note that all master key
parts files and signature key files need to be on a common workstation to
perform this operation.
6. Commit the new master key register to the crypto units by running the following command, and entering your password for the signature key file.
1. Navigate to your Hyper Protect Crypto Service instance from the IBM Cloud
console. This will be used to create/manage a root key for encrypting all
certificates stored in a Certificate Manager instance.
2. From the Manage keys page click Add Key and select Root key. Enter a name
for the key (e.g. Certificate Manager Root Key) in the Key name field and click
Create key.
3. Select the Certificate Manager service from the IBM Cloud catalog and select a
location (Frankfurt eu-de was used for testing). From the Select a key
management service field select the Hyper Protect Crypto Services instance
previously used, and then select the root key from the Select a root key field.
Choose the Public and private (default) option from the Endpoints field and
click Create.
https://cloud.ibm.com/docs/apiconnect?topic=apiconnect-about_apic_overview
There are multiple plan and deployment options available, which could support a
Transact deployment. For the purpose of testing we have used the Enterprise plan
detailed below for cost effectiveness and support for a custom domain. The following
table shows a subset of plans available at the time of writing, with comments:
1. Create a Cloud Foundry space inside your org for the API Connect service
instance.
3. From the Create page select a location (Frankfurt eu-de was used for testing).
Select a pricing plan (the Enterprise plan was used for testing), select an
organization and space, then click Create.
4. Create a catalog for all Transact APIs by clicking Add and selecting Catalog
from the API Connect Dashboard.
5. Type a name for the catalog in Display Name and if necessary, edit the
generated Name. Then click Add to create the catalog.
6. Click on the Navigate to button (the two chevrons), and click on Drafts from the
navigation menu. This will take you to the Drafts page for creating new API
products and importing/creating new APIs.
7. To create an API Product that will be used for all Transact APIs, click Add from
the Products page and select New Product. Then, on the New Product window,
enter a name in the Title field and click Create product.
Procedure
1. Gather the endpoint URL for the API gateway by navigating to the Dashboard,
clicking the catalog created for Transact APIs, navigating to the Settings tab and
navigating to the Gateways item on the side navigation panel (as shown below).
Copy the URL listed in the ENDPOINT field.
2. Raise a support case, following the guidelines in the support document linked
below. This must reference the URL that was copied in the previous step. Please
ignore the instruction for CNAME entries as this is covered in the next step.
The TLS/SSL certificates will need to be sent over after they have been ordered in
the next section of this runbook.
https://www.ibm.com/support/pages/how-do-you-use-custom-domain-api-
connect-apis-and-portal-branding
3. Create a CNAME DNS entry in Internet Services for the API gateway.
b. Click Add on the DNS records section to open the Add record panel. Select a Type of CNAME. Enter the name of your chosen subdomain for the Transact web service in the Name field and enter the API Gateway Endpoint address (just the domain name with no path) from the previous step into the Alias Domain Name. Click Add to complete adding the DNS entry for the Transact API services.
c. (Optional) Click Add on the DNS records section to open the Add record panel. Select Type CNAME, enter the name of your chosen subdomain for your API portal in the Name field and enter the API Portal address from the previous step into the Alias Domain Name. Click Add to complete adding the DNS entry for the API portal.
d. Click the Proxy switch next to each added DNS record to enable Cloud
Internet Services to proxy traffic for those subdomains.
e. Once the support case has been closed/fulfilled, navigate to the Dashboard,
click the catalog created for Transact APIs, navigate to the Settings tab and
navigate to the Gateways item on the side navigation panel. Enter the custom
domain for the API gateway in the ENDPOINT field (as shown below).
b. Select Authorizations from the side navigation bar and click Create on the
Manage authorizations page.
d. Select the Target service as Internet Services and the Service instance as
the corresponding instance configured for Transact.
e. Select the Reader and Manager access from the Service access list in
order to fully automate the certificate ordering process.
It is advised that only read access is granted. This will change the certificate
ordering process.
2. Order a root TLS/SSL certificate from the Certificate Manager service for the
Top Level Domain for our Transact services. For testing we used transact-ic-
test.com as the Top Level Domain.
b. Click Order from the Your certificates page and click Continue from the
IBM Cloud Internet Services (CIS) section.
c. In the Certificate details tab enter a name for the certificate under the Name
field and click the switch to enable Automatic certificate renewal.
d. In the Domains tab select the Internet Services instance used for the
Transact domain in the IBM Cloud Internet Services (CIS) instance
dropdown. Then in the Certificate domains table, select Add Domain and
Add Wildcard for the Top Level Domain that is listed.
e. Click Order on the Order summary section and then wait for Status on the
Your certificates page to change from Order Pending to Valid.
3. Order a TLS/SSL certificate from the Certificate Manager service for a specific
subdomain that will be used for Transact APIs and the API gateway. For testing
we used api.transact-ic-test.com as the API subdomain.
a. Click Order from the Your certificates page and click Continue from the
IBM Cloud Internet Services (CIS) section.
b. In the Certificate details tab enter a name for the certificate under the Name
field and click the switch to enable Automatic certificate renewal.
c. In the Domains tab select the Internet Services instance used for the
Transact domain in the IBM Cloud Internet Services (CIS) instance
dropdown. Then in the Certificate domains table, click Subdomains next to
the target domain name. From the Select Subdomains panel, click the Add
Domain box next to the subdomain for Transact API services (for testing this
was api.transact-ic-test.com) and click Apply.
d. Click Order on the Order summary section and then wait for Status on the
Your certificates page to change from Order Pending to Valid.
1. Navigate to the Your certificates page, click the Options button on the line for
the API certificate and click Download Certificate.
2. Send the certificate bundle as requested in the support case previously raised
for the API gateway custom domain. This is so that it is configured for TLS
termination on the API Connect gateway. This is documented in the support
page below.
https://www.ibm.com/support/pages/how-do-you-use-custom-domain-api-
connect-apis-and-portal-branding
1. Navigate to the Your certificates page and click on the line item for the
Transact root certificate.
3. Create a secret in the Kubernetes cluster, which will be used by the ingress definition in the Transact deployment. Run the following command, replacing the cert-crn option with the Certificate CRN value from the previous step. Specify a name with the name option, the target Kubernetes cluster name with the cluster option, and the target namespace with the namespace option.
1. Navigate to your Hyper Protect Crypto Services instance from the IBM Cloud
web console.
2. From the Key management service keys page, create a root key for IKS
secrets and etcd key-value store by clicking Add key, typing the key name and
clicking Create key.
3. Run the following commands to gather the ID of your Hyper Protect Crypto
Service instance and the ID of the previously created root key. This will be used
for the key management integration in to IKS.
4. Enable the key management integration in the IKS cluster by running the following command, giving the IKS cluster name, the Hyper Protect Crypto Services instance ID as the instance-id value, and the root key ID as the crk value.
Be aware that there will be disruption to the management of the IKS cluster during
this operation, so please plan carefully.
5. Monitor the status of enabling the key management integration by running the
following command and checking the Status value under Master. Once
completed the Status value will show Ready and a new parameter called Key
Protect will be set with a value of enabled (as shown in the screenshots below).
Procedure
1. Log into IBM Cloud. Search for Hyper Protect using the top search bar and select Hyper Protect DBaaS for PostgreSQL in the Catalog Results.
2. Choose a multi-zone region matching the rest of the environment configuration. For deployment of the database we chose Frankfurt.
a. Define the Service name. The default name can be accepted (this will only be present in the catalog page).
f. Select an initial disk allocation, per node. This can only be scaled up. During testing we chose 24 GB.
Once the database is created you should be able to check the properties as well as
information on the connection string and details about the certificate from the IBM
Cloud Web UI.
The connection string to connect to the instance, as well as the certificate for the connection, can be obtained from the Manage pane as shown in the illustration above.
The steps below were followed when restoring the Transact database on to the PostgreSQL database instance. For testing we installed psql on an Ubuntu Linux box in the Temenos data centre, and established connectivity to the PostgreSQL instance on IBM Cloud via a bastion host, which is configured next.
Procedure
1. From the IBM Cloud top-left menu, choose VPC Infrastructure, then Virtual
server instances.
3. Name the instance, and choose a location that matches the location of the rest
of the infrastructure. Which subnet is selected is not important.
ssh-keygen -b 4096
7. Name the key and paste the public key generated into the IBM Cloud interface.
9. Ensure this SSH key is selected, and click Create virtual server instance.
12. Select a name for the floating IP, and select the jump server resource to bind it
to.
13. Verify you can connect to the jump server via SSH, with root@floating_ip.
14. Install and use Teleport on the bastion host to connect through the bastion jump
server to backend private network systems (such as the Postgres instance).
Now, we may continue by connecting to the Postgres instance, via the bastion jump
host. In the below example strings the initial part of the instance is masked for security
reasons.
Procedure
1. Use the following connection string, giving the username as admin, the password provided, and the path to the certificate.
2. Once the above command has executed successfully, the user is logged into the admin prompt. From there execute the following steps.
3. The database backup received from Temenos Distribution will have a format like the example illustrated below.
MB.202009.PostgreSQL_11.8.TAFJ202009.30-SEP-2021.sql.tar
In this example, MB stands for Model Bank. Normally the database backup will be for either Model Bank (MB) or Initial System Build (ISB).
5. From the admin prompt the user can issue \c t24db to change to t24db and execute the following steps. In the below example the plsqlfunctions_postgresql.sql resides in the same directory from where the
t24db=> \i 'plsqlfunctions_postgresql.sql'
6. You can check whether the functions were installed properly using the following SQL command.
7. Once the above steps are successfully completed, exit back to the shell prompt and issue the following command to restore the database.
The restoration process can run for some time depending on the size of the database. You are advised to check the Restore-Log file for any errors and correct accordingly.
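As an added example (not a Temenos tool or part of this runbook), the Python script below parses the backup file name format shown in step 3 into its fields (build type, Transact release, database engine and version, TAFJ release, build date) and checks that a received backup matches the release of the Transact/TAFJ kits being installed, so a Model Bank or ISB backup for the wrong release is caught before the restore is started. The field layout is taken from the single example name in the runbook and is otherwise an assumption; the file names used in the self-test are constructed.

```python
"""Parse and validate Temenos database backup file names.

Added example for this runbook (not Temenos tooling). The format is inferred
from the runbook's single example:
    MB.202009.PostgreSQL_11.8.TAFJ202009.30-SEP-2021.sql.tar
"""
import re
from datetime import datetime

# Build types named in the runbook; anything else is rejected.
BUILD_TYPES = {"MB": "Model Bank", "ISB": "Initial System Build"}

# <build>.<release>.<engine>_<engine_version>.TAFJ<tafj_release>.<DD-MON-YYYY>.sql.tar
_NAME = re.compile(
    r"^(?P<build>[A-Z]+)\.(?P<release>\d{6})\.(?P<engine>[A-Za-z]+)_(?P<engine_version>[\d.]+)"
    r"\.TAFJ(?P<tafj>\d{6})\.(?P<date>\d{2}-[A-Z]{3}-\d{4})\.sql\.tar$"
)


def parse_backup_name(name):
    """Return the fields of a backup name; raise ValueError if it does not fit the format."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"not a Temenos backup name: {name!r}")
    fields = m.groupdict()
    if fields["build"] not in BUILD_TYPES:
        raise ValueError(
            f"unknown build type {fields['build']!r}; expected one of {sorted(BUILD_TYPES)}"
        )
    fields["build_name"] = BUILD_TYPES[fields["build"]]
    # strptime's %b is case-insensitive, so the upper-case month (SEP) parses.
    fields["date"] = datetime.strptime(fields["date"], "%d-%b-%Y").date()
    return fields


def backup_matches_release(name, release, engine="PostgreSQL"):
    """True if the backup is for the given Transact release, the same TAFJ release, and engine."""
    fields = parse_backup_name(name)
    return (
        fields["release"] == release
        and fields["tafj"] == release
        and fields["engine"] == engine
    )


if __name__ == "__main__":
    # Constructed file names, modelled on the runbook's example.
    for name in (
        "MB.202009.PostgreSQL_11.8.TAFJ202009.30-SEP-2021.sql.tar",
        "ISB.202101.PostgreSQL_11.8.TAFJ202101.15-JAN-2021.sql.tar",
    ):
        fields = parse_backup_name(name)
        print(name, "->", fields["build_name"], fields["release"], fields["date"],
              "matches 202009:", backup_matches_release(name, "202009"))
```

The release check compares both the Transact release and the TAFJ release against the kit release (202009 in the assumptions section of this runbook), which is the pairing the file name encodes.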
1. You need to complete the container registry setup before images can be pushed to it. This involves creating a namespace and a repository. To create the namespace, the user can use the Web UI or install the IBM Cloud CLI tools. The information is available in the Quick start tab under Kubernetes and Registry in IBM Cloud.
If using the Web UI, follow the instructions on the Quick Start page to set up access to push the Docker images.
If using the CLI, see the illustrations below for details of the steps required to push the images to the IBM Cloud registry from a Linux box.
1. Once the namespace and repo are available you can build the Docker image and push it to the IBM Cloud Container Registry (CR). You need to make sure to set the required region and then log in to the CR. The illustration below shows how to set the region and log in. In this example, since the artefacts need to be in the Frankfurt region, we have set the region to eu-central.
2. Ensure the image is tagged in the required format. The region should be included in the tag (e.g. de.icr.io).
For example.
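As an added example (not IBM tooling and not part of this runbook), the Python helper below parses an image reference into registry, namespace, repository and tag, and reports whether it is in the form the regional IBM Cloud Container Registry expects before a push is attempted: the registry must be the regional domain (de.icr.io for the eu-central region used in this runbook), a namespace must be present, and the reference should carry an explicit tag or digest. The REGIONAL_DOMAINS table contains only the region and domain the runbook names; the reference strings in the self-test are constructed.

```python
"""Check an image reference against the IBM Cloud Container Registry form.

Added example for this runbook (not IBM code). Only the registry domain the
runbook uses is listed; add others from IBM's documentation as needed.
"""
import re

# Registry domain used in the runbook for the eu-central (Frankfurt) region.
REGIONAL_DOMAINS = {"eu-central": "de.icr.io"}

# <registry>/<namespace>/<repository>[:<tag>][@sha256:<digest>]
# Repository names must be lower-case, so an upper-case reference does not parse.
_REF = re.compile(
    r"^(?P<registry>[a-z0-9.-]+)/(?P<namespace>[a-z0-9_-]+)/(?P<repo>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>[A-Za-z0-9._-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_image_ref(ref):
    """Return a dict with registry/namespace/repo/tag/digest, or None if unparseable."""
    m = _REF.match(ref)
    return m.groupdict() if m else None


def check_image_ref(ref, region="eu-central"):
    """Return a list of problems; an empty list means the reference is fit to push."""
    expected = REGIONAL_DOMAINS.get(region)
    if expected is None:
        return [f"no registry domain known for region {region!r}"]
    if ref.count("/") < 2:
        # A bare 'name:tag' would be pushed to the default registry, not IBM CR.
        return [f"missing registry/namespace prefix: expected {expected}/<namespace>/<repository>:<tag>"]
    parts = parse_image_ref(ref)
    if parts is None:
        return [f"cannot parse image reference: {ref!r}"]
    problems = []
    if parts["registry"] != expected:
        problems.append(f"registry is {parts['registry']}, expected {expected} for {region}")
    if not parts["tag"] and not parts["digest"]:
        problems.append("no tag or digest: the push would go to the 'latest' tag")
    return problems


if __name__ == "__main__":
    # Constructed references: namespace and repository names are placeholders.
    for ref in (
        "de.icr.io/temenos/transact-web:202009",
        "us.icr.io/temenos/transact-web:202009",
        "de.icr.io/temenos/transact-web",
        "transact-web:202009",
    ):
        print(ref, "->", check_image_ref(ref) or "ok")
```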
15 Deploying Transact
15.1 Creating the Transact image
You need to request the pre-image kit for Transact App and Web for the PostgreSQL database from Temenos Distribution. The pre-image kits are in zip format. Unzip the kits on a machine from which you have connectivity to the IBM Container Registry. Follow the "Steps to build Transact Web container image from Preimage kit" section in the README.txt in the kits.
1. In the pre-image kit there is a tar file named preimage.tar which holds the tafj.properties file. Set the properties as illustrated below.
temn.tafj.locking.mode=DATABASE
temn.tafj.runtime.use.df.cache=true
temn.tafj.runtime.port.database=true
temn.tafj.jdbc.fail.immediate.on.db.error=true
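As an added example (not part of the Temenos kit or of this runbook), the Python script below opens a preimage.tar, reads the tafj.properties inside it and reports any of the four settings above that are missing or set to a different value, so the check can run before the image is built rather than after a failed deployment. The sample tarballs are constructed in memory; the member path preimage/tafj.properties used in them is an assumption, which is why the lookup matches on the file name only.

```python
"""Verify the required TAFJ settings inside a Transact preimage.tar.

Added example for this runbook (not Temenos code). Builds constructed sample
kits in memory and checks them against the settings the runbook requires.
"""
import io
import tarfile

# Settings the runbook requires for the PostgreSQL-backed Transact image.
REQUIRED_TAFJ_PROPERTIES = {
    "temn.tafj.locking.mode": "DATABASE",
    "temn.tafj.runtime.use.df.cache": "true",
    "temn.tafj.runtime.port.database": "true",
    "temn.tafj.jdbc.fail.immediate.on.db.error": "true",
}


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_preimage_tafj(tar_bytes, member="tafj.properties"):
    """Check the tafj.properties member of a preimage.tar given as bytes.

    Returns {"missing": [keys], "wrong": {key: actual_value}, "ok": bool}.
    Raises KeyError if the tarball has no member with that file name.
    """
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        names = [m.name for m in tar.getmembers()]
        # Match on the file name only: the directory inside the kit is not fixed here.
        match = next((n for n in names if n.split("/")[-1] == member), None)
        if match is None:
            raise KeyError(f"{member} not found in tarball; members: {names}")
        text = tar.extractfile(match).read().decode("utf-8")
    props = parse_properties(text)
    missing = [k for k in REQUIRED_TAFJ_PROPERTIES if k not in props]
    wrong = {k: props[k] for k, v in REQUIRED_TAFJ_PROPERTIES.items()
             if k in props and props[k].lower() != v.lower()}
    return {"missing": missing, "wrong": wrong, "ok": not missing and not wrong}


def build_tar(files):
    """Build an in-memory tar from {path: text}; used only to construct sample kits."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample kits (not real Temenos artefacts).
GOOD_KIT = build_tar({"preimage/tafj.properties": """
# constructed sample: all four runbook settings present
temn.tafj.locking.mode=DATABASE
temn.tafj.runtime.use.df.cache=true
temn.tafj.runtime.port.database=true
temn.tafj.jdbc.fail.immediate.on.db.error=true
"""})

BAD_KIT = build_tar({"preimage/tafj.properties": """
# constructed sample: wrong locking mode, two settings missing
temn.tafj.locking.mode=JVM
temn.tafj.runtime.use.df.cache=true
"""})

if __name__ == "__main__":
    for name, kit in (("good", GOOD_KIT), ("bad", BAD_KIT)):
        print(name, check_preimage_tafj(kit))
```

To use it on a real kit, pass the bytes of preimage.tar (for example `open("preimage.tar", "rb").read()`) to `check_preimage_tafj` and refuse to build the image unless the result's `ok` field is true.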
2. Once the required modification is done, run the commands below to build the Docker image and push it to the Container Registry.
To build:
For example:
To push:
For example:
Procedure
2. Ensure that the *.yaml files used for deployment are defined and present in the
templates folder.
3. Ensure that the associated service is present and defined in the templates folder.
4. Once the definitions and the values have been updated, install the chart as
illustrated below.
5. To check whether the services and pods are up and running, use the kubectl
command to list the pods.
2. Click the Event Streams service External link icon in the Catalog.
3. Select the Lite plan (or select as per user requirement) on the Service Instance
page.
5. Choose the Data Centre where you want the Event streams.
Now the Event Stream has been created, you can view it from the Resource List panel, as illustrated below.
Procedure
3. You can view the details of the Service Credentials by clicking the dropdown
arrow next to the Key Name (as illustrated below). Do this, and then note down
the password and user values from the property. These will be used later in the
DES configuration.
1. On the Event Stream main page left panel, click Manage and then click the
Topics tab.
You need to create the following topics for DES. These topics can sometimes be
slightly different depending on the release of DES being used. So please confirm
with the DES product team the topics that need to be created for the DES
release chosen for the implementation, before proceeding.
pull-event
pull-event-multipart
pull-metadata
eot
error
multi-part
des-schema
des-install
if
if-raw
table-update
assembled-event
2. Click Create topic for each of the above topics. Enter the Topic name, Partition and Message Retention. During testing we chose the default values for Partition and Message Retention.
1. After creating the required topics, click Connect to this Service on the Manage
panel.
This will provide you with the details of bootstrap server, which are required
during DES configuration.
temn.des.stream.kafka.bootstrap.servers
temn.des.stream.security.kafka.sasl.jaas.config
4. Set the bootstrap server connection details, mentioned in the previous sections.
temn.des.stream.kafka.bootstrap.servers = broker-4-rfbgmj76njbnhc67.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093,broker-2-rfbgmj76njbnhc67.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093,broker-0-rfbgmj76njbnhc67.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093,broker-1-rfbgmj76njbnhc67.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093,broker-5-rfbgmj76njbnhc67.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093,broker-3-rfbgmj76njbnhc67.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093
temn.des.stream.security.kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="token" password="tJnK13lf5C_0kGEBunmYReXUCuGwNfcygLnAFCXcALvf";
temn.des.stream.security.kafka.ssl.truststore.location
temn.des.stream.security.kafka.ssl.truststore.password
temn.des.security.schema.registry.ssl.truststore.location
temn.des.security.schema.registry.ssl.truststore.password
temn.des.security.schema.registry.ssl.keystore.location
temn.des.security.schema.registry.ssl.keystore.password
temn.des.security.schema.registry.ssl.key.password
6. In the same file make sure the schema registry URL is set correctly. For this
testing the schema registry was running on port 8081 under the service name
kafka-cp-schema-registry.
temn.des.schema.registry.url = http://kafka-cp-schema-registry:8081
7. In the same file enter the name of the property value event table. If the database used is PostgreSQL, put double quotes around the table name.
temn.des.epa.data-event.tables = "F_DATA_EVENTS"
For the stream database the jdbc URL can be the same, unless a different
database is used for the stream.
9. Generate the keystore file using the below command as a template. You can
change this according to the path and password used for implementation.
10. The output of the above command will be similar to the illustration below. Verify
the output and make sure the database URLs are correct.
11. If the database URL is not picked up correctly, set the environment variables below and run create-keystore again. If a previous execution of create-keystore was performed, delete the keystore file it created before executing again. In the above example the filename is des.keystore.
1. Once the properties have been updated set the environment variables specified
below.
2. Execute the tools build and tools install using the commands given below.
To build:
./des-tool.sh build
./des-tool.sh install
In the F_EB_DES_CONFIG database table you should now see that a record is created with all the correct values as defined in file des-docker/src/main/resources/des-config/des-kafka-sasl-ssl.properties.
4. To build the DES issue the below command from the ~des-docker/ directory.
./des-docker.sh build
Once the build is complete you should be able to see that the images listed below have been created. You will not be using the des-grafana, des-prometheus or des-demo-webapp-kafka images. These are used when running DES locally in a demo environment.
1. In the IBM Cloud catalog, search for Hyper Protect Mongo (as done for the
PostgreSQL database earlier). Select the Flexible plan.
3. Choose appropriate sizes for the resources. vCPU and RAM can be scaled up
and down. Disk allocation size can only be scaled up. For testing we used 2 GB
RAM, 16 GB disk, and 2 vCPUs.
4. For the KMS instance, choose your Hyper Protect Crypto Services instance from
the dropdown list.
5. Select the root key for this database from the dropdown list.
mongo 'mongodb://dbaas250.hyperp-dbaas.cloud.ibm.com:29137,dbaas251.hyperp-dbaas.cloud.ibm.com:29294,dbaas252.hyperp-dbaas.cloud.ibm.com:29344/admin?replicaSet=temenos' --ssl --username $userID --sslCAFile $caFilePath
Once connected you can use the show dbs command to display details of the
database.
Procedure
2. Execute the exe in the zip package. The following screen is displayed.
switched to db ms_holdings
Procedure
2. Remove the highlighted section shown below and save the file.
chmod +x holdings.sh
5. Once the build is finished you will see the images shown below. Tag them according to your container registry and push them to the registry.
For Holdings to connect to the Mongo database instance, the CA certificate needs to be used. At present the certificate the user downloads from IBM Cloud has two parts.
Procedure
3. Remove the first certificate and save the file. After the change, the example
given above will look as illustrated below.
4. Convert the cert.pem file to cert.jks using keytool, as illustrated below. In this
example we have executed keytool from the directory where cert.pem file is
located, so we have used ./ . If the path is different then give the full path.
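As an added example (not the runbook's, IBM's or Temenos' own code), the following Python automates steps 3 and 4 above: it keeps only the second certificate of the downloaded two-part bundle and builds the keytool command that imports it into cert.jks. The PEM bodies, the truststore alias and the keytool options other than -importcert are assumptions.

```python
"""Added example (not from the runbook, IBM or Temenos): clean the two-part CA
bundle downloaded from IBM Cloud as the steps above describe, keeping only the
second certificate, and import it into cert.jks with keytool."""
import re
import subprocess
from pathlib import Path

# Constructed stand-in for the downloaded bundle; the bodies are placeholders,
# not real certificates.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBfirstPARTplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsecondPARTplaceholder
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.S)


def split_pem(bundle: str) -> list:
    """Return every PEM certificate block in the bundle, in file order."""
    return _PEM_BLOCK.findall(bundle)


def keep_second_cert(bundle: str) -> str:
    """Step 3: drop the first certificate of a two-part bundle and keep the second.
    Refuses anything other than exactly two parts so a changed download is noticed."""
    certs = split_pem(bundle)
    if len(certs) != 2:
        raise ValueError(f"expected a two-part bundle, found {len(certs)} certificate(s)")
    return certs[1] + "\n"


def keytool_argv(pem: Path, jks: Path, storepass: str, alias: str = "hyperp-dbaas-ca") -> list:
    """Step 4: the keytool command that imports the cleaned PEM into a JKS truststore.
    Give the full path to the PEM if it is not in the current directory (alias is assumed)."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts", "-alias", alias,
            "-file", str(pem), "-keystore", str(jks), "-storepass", storepass]


def build_truststore(bundle_path: Path, jks_path: Path, storepass: str) -> Path:
    """Write the cleaned cert.pem next to the bundle and run keytool (must be on PATH)."""
    pem_path = bundle_path.with_name("cert.pem")
    pem_path.write_text(keep_second_cert(bundle_path.read_text()))
    subprocess.run(keytool_argv(pem_path, jks_path, storepass), check=True)
    return jks_path
```

The store password should come from the same secret that later feeds the truststore setting in values.yaml, not from a literal in the script.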
use ms_holdings
db.createUser({
  user: "testUser",
  pwd: passwordPrompt(),   // prompts for the password so it is not stored in the script
  roles: [ /* roles for ms_holdings as required by the implementation */ ]
})
7. In values.yaml update the following details for the API and the Ingester.
MONGODB_USER:
MONGODB_PASS:
temn.ms.mongo.ssl.enabled
temn.ms.mongo.ssl.truststore.file.path
temn.ms.mongo.ssl.truststore.auth
8. Configure the following parameters for the Ingester. They are required because we are connecting to IBM Event Streams. The JAAS configuration can be obtained from the IBM Event Streams configuration (also mentioned in the DES deployment section of this document).
temn.msf.stream.security.kafka.security.protocol: SASL_SSL
temn.msf.stream.kafka.sasl.mechanism: PLAIN
temn.msf.stream.kafka.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="token" password="tJnK13lf5C_0kGEBunmYReXUCuGwNfcygLnAFCXcALvf";
temn.msf.stream.kafka.ssl.enabled: "true"
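The DES properties (step 4 of the DES section) and the Ingester parameters above carry the same Event Streams client settings under different key prefixes. As an added example, not code from the runbook, DES or Holdings, the following Python lints such a file (one setting per line) before it is deployed: it checks that every broker is on the TLS port, that the JAAS entry is the PlainLoginModule form with username "token", that truststore location and password are set together, and it flags the clear-text API key. The sample settings, hostnames and placeholder values are constructed.

```python
"""Added example, not code from the runbook, DES or Holdings: lint the IBM Event
Streams client settings in the DES properties file (temn.des.stream.*) or the
Ingester values.yaml (temn.msf.stream.*) before deploying them."""
import re
# Constructed DES-style settings; hosts, API key and passwords are placeholders,
# and broker-1 is deliberately on 9092 so the lint has something to catch.
SAMPLE_DES = """
temn.des.stream.kafka.bootstrap.servers = broker-0-example.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9093,broker-1-example.kafka.svc03.eu-de.eventstreams.cloud.ibm.com:9092
temn.des.stream.security.kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="token" password="API-KEY-PLACEHOLDER";
temn.des.stream.security.kafka.ssl.truststore.location = /opt/des/des.truststore
temn.des.stream.security.kafka.ssl.truststore.password = TRUSTSTORE-PASSWORD-PLACEHOLDER
"""
_JAAS = re.compile(r'org\.apache\.kafka\.common\.security\.plain\.PlainLoginModule\s+required'
                   r'\s+username="([^"]*)"\s+password="([^"]*)";?$')


def parse_settings(text: str) -> dict:
    """Read key=value (properties) or key: value (values.yaml) lines into a dict."""
    settings = {}
    for line in text.splitlines():
        parts = re.split(r"\s*[=:]\s*", line.strip(), maxsplit=1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings[parts[0]] = parts[1]
    return settings


def _find(settings: dict, suffix: str):
    # DES and the Ingester spell the key prefix differently, so match on the suffix.
    return next((v for k, v in settings.items() if k.endswith(suffix)), None)


def lint_kafka_settings(settings: dict, tls_port: int = 9093) -> list:
    """Return ERROR/WARN findings; 9093 is the Event Streams TLS port the runbook shows."""
    findings = []
    servers = _find(settings, ".kafka.bootstrap.servers") or ""
    if not servers:
        findings.append("ERROR: bootstrap.servers is not set")
    for entry in filter(None, (e.strip() for e in servers.split(","))):
        host, _, port = entry.rpartition(":")
        if not host or port != str(tls_port):
            findings.append(f"ERROR: broker {entry} is not on TLS port {tls_port}")
    match = _JAAS.match(_find(settings, ".sasl.jaas.config") or "")
    if not match or match.group(1) != "token" or not match.group(2):
        findings.append('ERROR: sasl.jaas.config must be PlainLoginModule with username="token" and the API key')
    else:
        findings.append("WARN: API key is in clear text in this file; handle the file as a secret")
    loc, pwd = _find(settings, ".ssl.truststore.location"), _find(settings, ".ssl.truststore.password")
    if bool(loc) != bool(pwd):
        findings.append("ERROR: truststore location and password must be set together")
    return findings
```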
9. Also for the Ingester, make sure the following property in the values.yaml file for the Helm installation is set correctly and points to the schema registry for the installation. In the example below the schema registry service name is kafka-cp-schema-registry and the port is 8081.
schemaregistryurl: http://kafka-cp-schema-registry:8081
10. Ensure that the connection string contains the database instance name. In the example below it is ms_holdings.
mongodb://dbaas250.hyperp-dbaas.cloud.ibm.com:29137/ms_holdings?replicaSet=temenos&ssl=true
11. In the service deployment YAML files (under the templates folder in Helm, for both API and Ingester) define a volume mount that pushes cert.jks from the ConfigMap into the containers when they start.
http://<EntryPoint>/ms-holdings-api/api/v1.0.0/holdings/accounts/GB0010001-100137/balances
The list of APIs and the Swagger definition can be accessed using the URLs below.
http://host:port/irf-provider-container/api/v1.0.0/meta/apis
http://host:port/
You can invoke a required API using any REST tool, or call the API as part of any UI development for a specific implementation. Below is an example of creating a CUSTOMER record in Temenos Transact using an API POST method.
1. From a Temenos SME obtain the OpenAPI and Swagger files for the Transact
APIs.
2. You need to obtain the hostname of the Kubernetes Ingress definition for your
deployed Transact APIs and any Temenos microservices APIs. This can be
done by running the following command against the namespace that Transact
was deployed to, and copying the information from the HOSTS field for the api
ingress object.
3. Navigate to your API Connect instance from the IBM Cloud web console.
4. Click the Navigate to button and click Drafts from the navigation menu, which
will take you to the Drafts page for managing APIs and products.
5. For each API definition, repeat the following to create the API from the
OpenAPI/Swagger file and configure it to invoke the backend API service
(Ingress) running in the Kubernetes cluster.
a. Click the APIs tab. Click Add and click Import API from a file or URL.
b. From the Import OpenAPI (Swagger) window click Select File. Navigate to and open one of the Temenos-provided OpenAPI/Swagger files, and click Import. This creates an API named with the title from the OpenAPI/Swagger file.
c. From the opened API page, click the Schemes section on the left hand side
of the page and deselect http (by default only HTTPS based APIs can be
published to the catalog).
d. Click the Source tab and search or scroll to the x-ibm-configuration line in the source code window. Add the following assembly code to the x-ibm-configuration object, modifying the target-url to match the hostname captured in step 2.
assembly:
  execute:
    - invoke:
        title: invoke
        timeout: 60
        verb: keep
        cache-response: protocol
        cache-ttl: 900
        version: 1.0.0
        target-url: 'https://temenos-iks-aab383d72572813949d6108ae3e31375-0000.eu-de.containers.appdomain.cloud/irf-provider-container/$(request.path)'
e. Click the save icon above the source code panel and wait for the message
API saved to be displayed. Then click the More Actions button and select
Add to existing products.
f. On the Add to existing products window, select the API product that was
previously created (for testing we used Transact APIs) and click Add.
6. Once all the desired APIs have been added, navigate back to the Drafts page,
click on the Products tab and click the product name which the APIs were
added to.
7. To stage the API product to the catalog, click on the Stage the Product to a
chosen Catalog icon and select the catalog previously created (for testing we
used Transact APIs).
8. Navigate back to the Dashboard. Click the catalog that the API product was
staged to (for testing we used Transact APIs). From the Products tab click
Publish for the API product that was staged.
9. From the Edit visibility window select your desired visibility for the API portal
and click Publish. Once complete you should see the state changed to
Published.
10. Test the APIs through the public domain, which was previously configured for
the API gateway, to validate the APIs are exposed. This can be done through
your preferred method, for example through Postman using an API collection
provided by Temenos.
19 Technical approval
Once Transact/TAFJ had been deployed and configured on IBM Cloud, a full technical approval process was executed for the stack. The technical approval process involves loading transactions and executing Transact enquiries using JMeter scripts. In the example below a set of transactions was loaded and enquiries were executed.
CUSTOMER
FUNDS TRANSFER
BALANCE ENQUIRY
STATEMENT ENQUIRY