Data Tier Part 1 – Software Installation
In this post we are going to lay the groundwork for the data tier software installation for IBM Security software products. Generally there are two dependencies: a database (usually DB2) and a directory (LDAP) server (usually IBM Security Directory Server – ISDS).
To give you a bit of background, before Ansible I would have done the installation and configuration of the software using shell scripts on Linux/Unix or batch files on Microsoft Windows platforms. While Ansible supports automation of tasks on Windows platforms with PowerShell modules, I will only cover Linux (specifically the minimal CentOS installation described in my CentOS 7 Minimal Install article) in this post.
The roles, modules and playbooks described in this article can be downloaded from the companion GitHub repository. The GSKit, JavaSDK, DB2 and TDS roles automate the tasks involved in performing their respective software installations while the DB2Instance, DB2Database, and TDSInstance modules simplify the process of configuring those components. I will cover the configuration of DB2 and ISDS in my next post.
Roles
- setup – a role that lays down the directory structure and creates required users and groups on the target server.
- gskit – a role that deploys and installs the IBM Global Security Kit.
- javasdk – a role that deploys the latest IBM Security Java SDK for ISDS and DB2.
- db2 – a role that deploys and installs IBM DB2 software and licenses.
- tds – a role that deploys and installs IBM Security Directory Server (formerly known as Tivoli Directory Server).
Modules
The DB2 and ISDS (TDS) modules are based on ideas that Bernado Vale contributed to Ansible Galaxy a couple of years ago. I have deconstructed the module into installation and configuration, then added additional functionality to enable idempotent settings for the configuration parameters of the components. The default settings follow the ISAM tuning guide and ISDS tuning guide for the most part.
- db2instance.py – Ansible module that provides an interface to the DB2 instance commands and configuration parameters.
- db2database.py – Ansible module that provides an interface to the DB2 database commands and configuration parameters.
- tdsinstance.py – Ansible module that provides an interface to the ISDS server commands and configuration parameters.
Playbooks
I built the first playbook in my lab environment, which was running a newer version of Ansible than my customer at the time. This meant that the last task in the playbook, rebooting the server, failed in their Ansible 2.6 environment because the module was not available. Fortunately Jeff Geerling had an elegantly simple solution on his blog.
- isds_installation.yml – Ansible playbook to install the ISDS software and dependencies for Ansible 2.7 or newer. This playbook uses the Ansible reboot module.
- isds_software.yml – Ansible playbook to install the ISDS software and dependencies for Ansible 2.6 or older. This playbook uses an asynchronous shell command and the Ansible wait_for module to reboot the server.
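The two reboot approaches, sketched as an added example (these are not the tasks from the companion repository). The host pattern, timeouts, delays and SSH port are assumed values, and each YAML document below is meant to be saved as its own playbook.

```yaml
---
# Added example, not from the companion repository.
# Variant 1: Ansible 2.7 or newer. The reboot module restarts the host and
# blocks until it accepts connections again.
- name: Restart server with the reboot module
  hosts: all                  # assumed host pattern
  become: true
  tasks:
    - name: Restart server
      reboot:
        reboot_timeout: 600   # assumed value, in seconds

---
# Variant 2: Ansible 2.6 or older, where the reboot module is not available.
- name: Restart server with an asynchronous shell command
  hosts: all                  # assumed host pattern
  become: true
  tasks:
    - name: Schedule the restart and return before the SSH session drops
      shell: "sleep 2 && shutdown -r now"
      async: 30               # let the job outlive the task
      poll: 0                 # do not wait for the job to finish

    - name: Wait from the control server until sshd answers again
      wait_for:
        host: "{{ inventory_hostname }}"  # assumes inventory names resolve
        port: 22
        search_regex: OpenSSH # require the SSH banner, not just an open port
        delay: 30             # give the host time to go down first
        timeout: 600
      delegate_to: localhost
      become: false
```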
The software installation roles can stage the software from the Ansible control server (default), from any web server that the target host can reach, or from files pre-staged on the target host. If you are using Artifactory to store your software binaries, be sure to define the optional <component_name>_download_headers variables with the API Key to access the repository.
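One way to supply the Artifactory API key without exposing it, shown as an added example rather than the role's own tasks. The db2_ prefix, db2_download_url, db2_archive_sha256, vault_artifactory_api_key and the example.com URL are assumed names and placeholders. The key itself is expected to be an ansible-vault encrypted inventory value.

```yaml
---
# Added example, not the role's own tasks. All variable names except the
# <component_name>_download_headers pattern are assumptions.
- name: Fetch an installer from Artifactory without exposing the API key
  hosts: all                  # assumed host pattern
  become: true
  vars:
    db2_download_headers:
      # Artifactory API key header; value comes from a vaulted variable.
      X-JFrog-Art-Api: "{{ vault_artifactory_api_key }}"
    # Placeholder URL and checksum: replace with your repository's values.
    db2_download_url: "https://artifactory.example.com/artifactory/ibm/db2-server.tar.gz"
    db2_archive_sha256: "REPLACE_WITH_SHA256_OF_THE_ARCHIVE"
  tasks:
    - name: Refuse to run with a placeholder checksum or a non-HTTPS URL
      assert:
        that:
          - db2_archive_sha256 is match('^[0-9a-f]{64}$')
          - db2_download_url is match('^https://')

    - name: Download the archive and verify it before it is unpacked
      get_url:
        url: "{{ db2_download_url }}"
        dest: /appdata/software/
        headers: "{{ db2_download_headers }}"
        checksum: "sha256:{{ db2_archive_sha256 }}"
        owner: root
        group: root
        mode: "0640"
      no_log: true            # keeps the header value out of output and logs
```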
ISDS v6.4.0.16 or later supports DB2 v11.1.3.3 or later. Using this version of DB2 requires a modified installation procedure which these playbooks automate.
Templates
I use templates to build response, configuration and service files for the software installation and component configuration. The templates will work with DB2 v10.5 and v11.1, ISDS v6.4 and the service releases in 2019 on RHEL 7 or CentOS 7. I have not tested on any other platforms.
- db2server.rsp.j2 – Template response file for the DB2 software installation. Reasonable defaults are provided by the db2 role for DB2 v10.5.0.9 which ships with ISDS v6.4. Override the defaults for your environment and version.
- db2fmcd.service.j2 – Template service file for the DB2 Fault Monitor Daemon on RHEL 7 or CentOS 7.
- ldapdb.properties.j2 – Template properties file for the DB2 version used with ISDS v6.4. This file ensures that the version of DB2 installed can be found by the ISDS 6.4 server and is required when using DB2 v11.1 with ISDS v6.4.
- isamdiradmin.service.j2 – Template service file for the ISDS Administration server of the ISAM LDAP instance.
- isamldap.service.j2 – Template service file for the ISDS ISAM LDAP instance.
Installing
On the Ansible host, clone the companion GitHub repository to the /ansible directory. If you have already done this, pull the updated content from the repository.
git clone https://github.com/kevinjeffery/isam-automation.git
Create the .vault_pass file in the /ansible directory. This file contains the password you want to use to encrypt your inventory passwords.
echo 'vault_password' > /ansible/.vault_pass
Use the ansible-vault command to encrypt your inventory passwords:
[ansible@ansible ansible]$ ansible-vault encrypt_string 'Passw0rd' -n ansible_ssh_pass
ansible_ssh_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
31613466316331393539396135643965613331613530353734613863346536656633336336333430
3037653539643861323237353963663630653832383632320a653262363964613337346564616666
36303034376135633033616366326530313335323863363335303738633332653862393465333733
6334353238346432330a636664383437343938656461656432303564336332646634353932303865
3662
Encryption successful
Copy the sample inventory file to a new name (so it won’t get overwritten by future pulls) and update the passwords with the output of the ansible-vault command.
You can also source your binaries from a Web server if you prefer that method over staging from the Ansible control server.
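The .vault_pass file written by the echo command above gets the default umask permissions and sits inside the cloned repository. This pre-flight play is an added example, not part of the companion repository, and checks both points before the playbook is run. The control user name ansible is an assumption taken from the shell prompt shown earlier.

```yaml
---
# Added example, not part of the companion repository.
- name: Pre-flight checks for the vault password file
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    vault_pass_file: /ansible/.vault_pass
    control_user: ansible     # assumed, from the shell prompt shown above
  tasks:
    - name: Read the file metadata
      stat:
        path: "{{ vault_pass_file }}"
      register: vp

    - name: File must exist, belong to the control user and be mode 0600
      assert:
        that:
          - vp.stat.exists
          - vp.stat.pw_name == control_user
          - vp.stat.mode == '0600'

    - name: Ask git whether the file is ignored in the cloned repository
      command: git check-ignore -q .vault_pass
      args:
        chdir: /ansible
      register: ignored
      changed_when: false
      # rc 0 = ignored, rc 1 = not ignored, anything else is a git error
      failed_when: ignored.rc not in [0, 1]

    - name: File must not be committable by accident
      assert:
        that:
          - ignored.rc == 0
```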
Run the playbook:
ansible-playbook -i inventory/sample.yml playbooks/isds_installation.yml
PLAY [Install TDS] **
TASK [Gathering Facts]
ok: [datatier.sample.com]
TASK [setup : Install epel-release - RedHat] ****
changed: [datatier.sample.com]
TASK [setup : Install some useful packages - RedHat] **
changed: [datatier.sample.com]
TASK [setup : Install some useful packages - Debian] **
skipping: [datatier.sample.com]
TASK [setup : Create ibm Directory] *
changed: [datatier.sample.com]
TASK [setup : Create IBM Symlink] *
changed: [datatier.sample.com]
TASK [setup : Create the Software repository] ***
changed: [datatier.sample.com]
TASK [setup : Creating DB2 Fenced Groups] *
skipping: [datatier.sample.com]
TASK [setup : Creating DB2 Instance Groups] *
skipping: [datatier.sample.com]
TASK [setup : Creating TDS Instance Groups] *
changed: [datatier.sample.com] => (item=idsldap)
TASK [setup : Create the ISAM LDAP Data Directory]
skipping: [datatier.sample.com]
TASK [setup : Create the ISIM LDAP Data Directory]
skipping: [datatier.sample.com]
TASK [setup : Create the ISAM DB2 Data Directory] *
skipping: [datatier.sample.com]
TASK [setup : Create the ISIM DB2 Data Directory] *
skipping: [datatier.sample.com]
TASK [setup : Create the IGI DB2 Data Directory]
skipping: [datatier.sample.com]
TASK [gskit : Download the GSKit archive] *
skipping: [datatier.sample.com]
TASK [gskit : Stage the GSKit archive] **
changed: [datatier.sample.com]
TASK [gskit : Decompressing GSKit Package]
changed: [datatier.sample.com]
TASK [gskit : Install 32 bit packages] **
changed: [datatier.sample.com] => (item=gskcrypt32-8.0.55.4.linux.x86.rpm)
changed: [datatier.sample.com] => (item=gskssl32-8.0.55.4.linux.x86.rpm)
TASK [gskit : Install 64 bit packages] **
changed: [datatier.sample.com] => (item=gskcrypt64-8.0.55.4.linux.x86_64.rpm)
changed: [datatier.sample.com] => (item=gskssl64-8.0.55.4.linux.x86_64.rpm)
TASK [javasdk : Download the JAVA SDK Archive] **
skipping: [datatier.sample.com]
TASK [javasdk : Stage the JAVA SDK Archive] *
changed: [datatier.sample.com]
TASK [javasdk : Decompressing Java SDK Package] *
changed: [datatier.sample.com]
TASK [db2 : Download DB2 Binary] **
skipping: [datatier.sample.com]
TASK [db2 : Stage DB2 Binary] *
changed: [datatier.sample.com]
TASK [db2 : Download DB2 License] *
skipping: [datatier.sample.com]
TASK [db2 : Stage DB2 License] ****
changed: [datatier.sample.com]
TASK [db2 : Download DB2 High volume] ***
skipping: [datatier.sample.com]
TASK [db2 : Stage DB2 High volume]
changed: [datatier.sample.com]
TASK [db2 : Decompressing DB2 Server] ***
changed: [datatier.sample.com]
TASK [db2 : Decompress DB2 License] *
changed: [datatier.sample.com]
TASK [db2 : Decompress DB2 High Volume] *
changed: [datatier.sample.com]
TASK [db2 : Installing DB2 pre requisites packages - RedHat] **
changed: [datatier.sample.com]
TASK [db2 : Adding i386 packages on Apt]
skipping: [datatier.sample.com]
TASK [db2 : Installing DB2 pre requisites packages - Debian] **
skipping: [datatier.sample.com]
TASK [db2 : Fixing Libpam]
skipping: [datatier.sample.com]
TASK [db2 : Creating DB2 Instance Users]
skipping: [datatier.sample.com]
TASK [db2 : Creating DB2 Fenced Users] **
skipping: [datatier.sample.com]
TASK [db2 : Disabling SELinux] ****
[WARNING]: SELinux state temporarily changed from 'enforcing' to 'permissive'. State change will take effect next reboot.
changed: [datatier.sample.com]
TASK [db2 : Adding entry to /etc/hosts] *
changed: [datatier.sample.com]
TASK [db2 : Running DB2 Pre Requisits Check] ****
ok: [datatier.sample.com]
TASK [db2 : Parse response file] **
changed: [datatier.sample.com]
TASK [db2 : Installing DB2] *
changed: [datatier.sample.com]
TASK [db2 : Setup results]
ok: [datatier.sample.com] => {
    "db2_setup.stdout_lines": [
        "DBI1191I db2setup is installing and configuring DB2 according to the",
        " response file provided. Please wait.",
        "",
        "",
        "The execution completed successfully.",
        "",
        "For more information see the DB2 installation log at \"/tmp/db2setup.14095.log\"."
    ]
}
TASK [db2 : Validating the current installation]
ok: [datatier.sample.com]
TASK [db2 : Installation results] *
skipping: [datatier.sample.com]
TASK [db2 : Get License infomation] *
ok: [datatier.sample.com]
TASK [db2 : Add DB2 License]
changed: [datatier.sample.com]
TASK [db2 : Add DB2 High Capacity]
changed: [datatier.sample.com]
TASK [db2 : Deploy DB2 Service file]
changed: [datatier.sample.com]
TASK [db2 : Enable DB2 FMC Service] *
changed: [datatier.sample.com]
TASK [tds : include_tasks]
included: /ansible/roles/tds/tasks/tds_instance_users.yml for datatier.sample.com
TASK [tds : Add root to idsldap group] **
changed: [datatier.sample.com]
TASK [tds : Creating TDS Instance Users]
changed: [datatier.sample.com] => (item=idsldap)
TASK [tds : Create TDS Install directory] *
changed: [datatier.sample.com]
TASK [tds : Disable DB2 Prerequisite check] *
changed: [datatier.sample.com]
TASK [tds : Download the ISO Image]
skipping: [datatier.sample.com]
TASK [tds : Stage the ISO Image] **
changed: [datatier.sample.com]
TASK [tds : Download the Fixpack]
skipping: [datatier.sample.com]
TASK [tds : Stage the Fixpack] ****
changed: [datatier.sample.com]
TASK [tds : Unarchive fixpack] ****
changed: [datatier.sample.com]
TASK [tds : Mount the ISO Image /appdata/software/sds64-linux-x86-64.iso] ***
ok: [datatier.sample.com]
TASK [tds : TDS License] **
changed: [datatier.sample.com]
TASK [tds : TDS Install] **
changed: [datatier.sample.com]
TASK [tds : Get TDS Version]
changed: [datatier.sample.com]
TASK [tds : TDS Installed Version]
skipping: [datatier.sample.com]
TASK [tds : Update the TDS license] *
changed: [datatier.sample.com]
TASK [tds : Install the TDS Fixpack]
changed: [datatier.sample.com]
TASK [tds : Configure ldapdb.properties]
changed: [datatier.sample.com]
TASK [tds : Un-mount the ISO Image] *
ok: [datatier.sample.com]
TASK [set_fact] *
skipping: [datatier.sample.com]
TASK [Sync DB2 GSKit32] ***
changed: [datatier.sample.com]
TASK [Sync DB2 GSKit64] ***
changed: [datatier.sample.com]
TASK [Sync DB2 Java SDK] **
changed: [datatier.sample.com]
TASK [Sync TDS Java SDK] **
changed: [datatier.sample.com]
TASK [Restart server if DB2 installed] **
[WARNING]: Failed to reset connection:Control socket connect(/home/ansible/.ansible/cp/d96f20b7d9): Connection refused
changed: [datatier.sample.com]
PLAY RECAP **
datatier.sample.com : ok=7 changed=47 unreachable=0 failed=0 skipped=23 rescued=0 ignored=0
That completes the software installation. In part 2 we will configure the ISDS LDAP server and ISAM DB2 databases. Check back in January 2020 for the details.