Cloud Proof of Concept
Making use of the Cloud, a PoC example
Recently Chilli IT has conducted a Proof of Concept for PowerSC on AIX using the IBM Cloud offering. The AIX VM set up effort required was minimal and it is much cheaper and faster to deploy than a traditional on-prem solution.
Something like this makes an ideal candidate for a short term fixed use project, so why not try Cloud for yourself? We think it’s a very useful option for businesses to test new OS features and functions, develop in the latest code base, perform application upgrade tests or as in our case for a Proof of Concept.
So firstly, what is PowerSC?
It’s IBM’s answer to security policy enforcement and monitoring across your Power infrastructure. For more information see here.
After signing up to the IBM Cloud we first used the Cost Estimator to determine the charge for a small AIX VM for our PowerSC PoC, at the time of writing a very reasonable £38.91 per month for the example here.
It should be noted that although an IBM i VM is more expensive it comes with almost the entire software stack, excluding the four exceptions here.
From the Resource list we first created an AIX Workspace, search for Power and choose Workspace for Power Systems Virtual Server.
Click on Create Workspace and give it a name. Then we proceeded to the build AIX VM’s by clicking on Create Instance, in each case choosing the options in the estimator screenshot above with OS versions needed.
So back to our PoC, after creating the PowerSC server two further VM’s were created on different OS versions to act as PowerSC end points. As part of the VM creation you need to choose whether you require a public or private IP address, because this was a technical exercise and there was no sensitive data involved we chose public IP on all VM’s for ease of set up. Then using ssh-keygen we created an ssh key pair and via secure copy (scp) uploaded the public key to the VM’s and made the necessary changes to allow passwordless login using ssh.
Installing PowerSC Software
On the Server, install the following:
installp -agXYd <directory location> powerscStd.ice powerscStd.license powerscStd.uiServer
On the Agent, install the following:
installp -agXYd <directory location> powerscStd.ice powerscStd.license powerscStd.uiAgent
Adding AIX Admin Groups
On the PowerSC GUI server, change the directory to /opt/powersc/uiServer/bin/
Run the pscuiserverctl command to specify one or more UNIX groups in which a user must be a member to log in to the PowerSC GUI. The user needs only to be a member of one of the groups.
The groups that are written to the /etc/security/powersc/uiServer/uiServer.conf.properties file. The following example command specifies group1 and group2 as the UNIX groups:
pscuiserverctl set logonGroupList <group1>,<group2>
Run the pscuiserverctl command to specify the UNIX groups that are allowed to perform administrator functions by using the PowerSC GUI:
pscuiserverctl set administratorGroupList <group1>,<group2>
Adding User Endpoint Managers
On the PowerSC GUI server, change the directory to /opt/powersc/uiServer/bin/
Run the following command to specify the UNIX groups in which a user must be a member to run commands on specific endpoints. You must provide host names of the endpoints or a wildcard . The groups that you specify are written to the /etc/security/powersc/uiServer/groups.txt file.
pscuiserverctl setgroup <group> “*”
Manually Copy the Truststore File to Endpoints
Copy the endpoint truststore /etc/security/powersc/uiServer/endpointTruststore.jks file to the /etc/security/powersc/uiAgent/endpointTruststore.jks file on each endpoint.
scp endpointTruststore.jks <user>@<hostname>:/etc/security/powersc/uiAgent
Restart the endpoint agents after installing the security certificate:
stopsrc -s pscuiagent
startsrc -s pscuiagent
Add Endpoints to PowerSC
Log in via the PowerSC server URL
Click the “Settings” icon in the menu bar of the main page.
Click Endpoint Admin and the Endpoint – All Systems administration page opens. Each known endpoint is listed in the System Name column.
Click Keystore Requests to verify if any keystore requests are pending. The Endpoint Admin Keystore Requests page opens.
All endpoints waiting for keystore verification are displayed in the endpoint table. To extend a keystore to the endpoint, select the check box for the endpoint and click Verify. (Currently not working as not using PowerVC).
Click Generate Keystore to generate the keystore. After completion, the value in the Keystore generated column changes from no to yes. Note: If you have not verified the endpoint using PowerVC, a message asking whether to proceed with the verification is displayed. Click Proceed if you recognize the endpoint and if you want to generate the keystore.
It may take a few minutes for the PowerSC agent to discover that the keystore has been generated. After the agent installs the keystore, the new endpoint is listed as a fully managed endpoint in the Endpoint Admin – all systems, Compliance, Security, and Reports pages of the PowerSC GUI.
If you do not want to generate a keystore for the endpoint, you can remove the request. Select the check box for the endpoint that you want to remove and click the Delete icon.
Summary
As demonstrated above it’s a straightforward process to build VM’s and install and configure whatever software you want to test. The Cloud specific documentation provided by IBM is very useful and should answer most questions. There is also a virtual assistant but should you need more help a support case can be opened from the Cloud Dashboard. Having opened a couple of support cases we found IBM to be very responsive so you should be able to resolve any issues quickly.
Something else worth noting is that once you finish your testing you can reduce your monthly charge by deleting the VM only but not the storage volume. This is useful if you are unsure whether the environment will be needed again as the VM can be quickly rebuilt using the original storage.
For our example the costs of compute vs storage are, £0.05/hr vs £0.01/hr. In our case keeping the storage only would cost around £7.44 a month instead of £38.91, so it’s certainly worth considering.
Using the IBM Cloud for our PoC was ideal for us, it allowed for a very fast deployment with the base AIX VM environments being built and configured in less than a day. This gave us more time to configure and test the PowerSC product on a number of AIX versions, gather useful information for future deployments and to create baseline documentation.
So with reasonable prices Cloud offerings for specific use cases such as this should definitely be explored, it’s a good fit for many scenarios and avoids any on-prem capacity provisioning issues you may have. It also eliminates the need for the traditional infrastructure design and build phases of projects saving both time and money. So before committing to potentially costly on-prem solution for an upcoming project why not first use the Cloud for your own proof of concept to ensure it can satisfy the business needs?
As the above is AIX we thought a similar example for IBM i would be useful. Just recently we decided to move a test/dev IBM i system into the cloud, to do this was very similar to the example above except in this instance we intend to keep the VM active instead of for a finite time period.
From the resource list we first created a separate IBM i Workspace to keep the two architectures apart in the Web UI view.
The build proceeded in much the same way as for the AIX VM’s, once this completed and we could boot the system it was a case of going through the process to secure the 5250 sessions via the IBM i Digital Certificate Manager, see the IBM Cloud documentation on how to achieve this.
Here at our offices we saved our IBM i libraries to a save file and uploaded it to the new Cloud VM and restored the data we wanted, after creating a few user profiles we were done and the technical staff could test and develop in the cloud.