Note
To upgrade your on-premises instance, please contact your account executive to request a new installer package to ensure full compatibility of the latest available services.
- In the installer package, navigate to the folder …/admin-portal/k8s-deployment/inventory_template.
- Open and edit the .envs file.
- Enter the preferred namespace name and the host selected for installation:
export OT_NAMESPACE_MAIN=""
export OT_MAIN_HOST=""
- Update the Docker registry configuration. The registry address and user are provided by OneTrust:
export OT_DOCKER_REGISTRY=""
export DOCKER_USER=""
- In the Self Managed section, update the values as below (CLUSTER_NAME is left blank):
export CLUSTER_NAME=""
export EXTERNAL_LOADBALANCER="false"
- In the LOCAL CLUSTER section, set LOCAL_CLUSTER to false:
export LOCAL_CLUSTER="false"
- Complete the cloud-specific configuration below (AWS or Azure) for the platform the application is being installed on, then return to Step 8 (the Password Encryption values that follow).
- Give the values for the Password Encryption:
export IS_ENCRYPTION="false"
Note
- If encryption has been set up, set the placeholder above to "true".
- If true, copy the encryptKeyStore.jks file from ...admin-portal\k8s-deployment\tools\admin-portal-keystore\keystore and place it in the folder ...admin-portal\k8s-deployment\encryption_dependencies.
- Save the changes once the above steps are completed.
- The replica count is set to '1' by default. Update it to '2' for the deployment:
export OT_REPLICAS="2"
AWS Configurations
- Make the below set of configurations specific to the AWS cloud. There must be no space after the "=" sign: a line such as export OT_CERT_ARN= "" is rejected by the shell when the file is sourced.
export CLOUD_AWS="true"
export AWS_REGION=""
export EKS_CLUSTER=""
export OT_CERT_ARN=""
- Update the AWS Elastic File System configuration:
export OT_AWS_EFS_ID=""
export OT_AWS_EFS_REGION=""
export OT_AWS_EFS_DNS=""
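Mistakes in .envs (a required value left empty, a space after "=", CLUSTER_NAME filled in) otherwise surface only after install_admin_portal.sh is already running. The script below is an added example and is not part of the OneTrust installer package. It assumes the variable names listed in this section, the folder layout described on this page (inventory/ and encryption_dependencies/ both under k8s-deployment/), and that every setting is written as export NAME="value" on a single line; it deliberately does not source the file, because sourcing would execute whatever the file contains.

```shell
#!/usr/bin/env bash
# Added example (not from the OneTrust installer): sanity-check an edited
# .envs file before running install_admin_portal.sh. The file is parsed with
# awk/grep instead of being sourced, so a malformed line is reported rather
# than executed. Usage: check_envs inventory/.envs

# Print the value of NAME from FILE (empty if absent). Only lines of the form
# export NAME="value" or export NAME=value are honoured; the last one wins.
envs_get() {
  file=$1; name=$2
  awk -v n="$name" '
    $0 ~ ("^export " n "=") {
      v = substr($0, length("export " n "=") + 1)
      sub(/^[[:space:]]*"?/, "", v); sub(/"?[[:space:]]*$/, "", v)
      print v
    }' "$file" | tail -n 1
}

# Return 0 if FILE matches the settings on this page, 1 otherwise. Every
# problem is printed on its own line so the operator can fix them in one go.
check_envs() {
  file=$1; rc=0
  [ -r "$file" ] || { echo "cannot read $file"; return 1; }

  # Anything that is not blank, a comment, or export NAME=value is malformed.
  # This catches `export OT_CERT_ARN= ""`, which the shell rejects on sourcing.
  bad=$(grep -nEv '^[[:space:]]*(#|$)|^export [A-Za-z_][A-Za-z0-9_]*=("[^"]*"|[^[:space:]"]*)$' "$file" || true)
  if [ -n "$bad" ]; then
    echo "malformed line(s):"; echo "$bad"; rc=1
  fi

  # Values that must be filled in for every install.
  for n in OT_NAMESPACE_MAIN OT_MAIN_HOST OT_DOCKER_REGISTRY DOCKER_USER; do
    [ -n "$(envs_get "$file" "$n")" ] || { echo "$n is empty"; rc=1; }
  done

  # Fixed settings for a self-managed, non-local cluster.
  [ -z "$(envs_get "$file" CLUSTER_NAME)" ] || { echo "CLUSTER_NAME must be blank"; rc=1; }
  [ "$(envs_get "$file" EXTERNAL_LOADBALANCER)" = false ] || { echo "EXTERNAL_LOADBALANCER must be false"; rc=1; }
  [ "$(envs_get "$file" LOCAL_CLUSTER)" = false ] || { echo "LOCAL_CLUSTER must be false"; rc=1; }
  [ "$(envs_get "$file" OT_REPLICAS)" = 2 ] || { echo "OT_REPLICAS should be 2 for the deployment"; rc=1; }

  # IS_ENCRYPTION=true requires the keystore to have been copied into place
  # (inventory/ and encryption_dependencies/ are siblings under k8s-deployment/).
  if [ "$(envs_get "$file" IS_ENCRYPTION)" = true ]; then
    ks=$(dirname "$file")/../encryption_dependencies/encryptKeyStore.jks
    [ -f "$ks" ] || { echo "IS_ENCRYPTION=true but $ks is missing"; rc=1; }
  fi

  # An AWS install needs every AWS and EFS value.
  if [ "$(envs_get "$file" CLOUD_AWS)" = true ]; then
    for n in AWS_REGION EKS_CLUSTER OT_CERT_ARN OT_AWS_EFS_ID OT_AWS_EFS_REGION OT_AWS_EFS_DNS; do
      [ -n "$(envs_get "$file" "$n")" ] || { echo "$n is required when CLOUD_AWS=true"; rc=1; }
    done
  fi
  return $rc
}

# Constructed demo input (not a real customer file): one well-formed .envs
# and one with the mistakes this check exists to catch. Returns 0 when the
# good file passes and the bad file is rejected with all three findings.
check_envs_demo() {
  d=$(mktemp -d); ok=0
  cat > "$d/good.envs" <<'EOF'
export OT_NAMESPACE_MAIN="onetrust"
export OT_MAIN_HOST="adminportal.example.internal"
export OT_DOCKER_REGISTRY="registry.example.internal"
export DOCKER_USER="otpull"
export CLUSTER_NAME=""
export EXTERNAL_LOADBALANCER="false"
export LOCAL_CLUSTER="false"
export IS_ENCRYPTION="false"
export OT_REPLICAS="2"
export CLOUD_AWS="false"
EOF
  cat > "$d/bad.envs" <<'EOF'
export OT_NAMESPACE_MAIN="onetrust"
export OT_MAIN_HOST=""
export CLUSTER_NAME="mycluster"
export CLOUD_AWS="true"
export OT_CERT_ARN= ""
EOF
  check_envs "$d/good.envs" >/dev/null || ok=1
  check_envs "$d/bad.envs" >"$d/bad.out" && ok=1
  grep -q 'malformed' "$d/bad.out" || ok=1
  grep -q 'OT_MAIN_HOST is empty' "$d/bad.out" || ok=1
  grep -q 'CLUSTER_NAME must be blank' "$d/bad.out" || ok=1
  rm -rf "$d"
  return $ok
}
```

Run it against the copied file (check_envs inventory/.envs) before starting the installer; a non-zero exit with the findings printed means the file needs another edit.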
Azure Configurations
Admin Portal: Setup for Encryption of Passwords & Secrets
This is an optional configuration.
- Navigate to the …/k8s-deployment/tools/admin-portal-keystore/keystore folder, copy the encryptKeyStore.jks file and paste it into the encryption dependencies folder /k8s-deployment/encryption_dependencies.
Note
Keep this file safe; it is the master key used to encrypt and decrypt passwords. Anyone holding it together with its password can recover every value encrypted with it, so keep it out of source control and back it up with the same care as the database credentials.
- Navigate to /k8s-deployment/_templates/secrets, open the config.properties file and add the following properties:
encrypt.key-store.location=file:/config/encryption_dependencies/encryptKeyStore.jks
encrypt.keystore.password= (the value of encrypt.keyStore.password in application-onprem.properties)
encrypt.key-store.alias=configKey
encrypt.key-store.secret= (same as encrypt.keystore.password)
encrypt.key-store.type=JCEKS
- Open the command line terminal (WSL or bash) from which the shell scripts are executed.
- Execute the installation script with ./install_admin_portal.sh encrypt.
- Enter the docker registry password.
- Confirm the printed parameters are accurate:
Do these values look good? (y/n): (enter "y" if the values shown are correct)
- Once the deployment is done, list the pods:
kubectl get pods -n {namespace}
- Get the config pod name and run the below command to encrypt a value; the ciphertext it returns replaces the plaintext value in the properties file:
kubectl -n {namespace} exec -it {config pod name} -- sh -c "curl http://localhost:8100/encrypt -d {password/secret key to encrypt}"
Note
The value is typed on the command line, so it lands in the shell history of the workstation and is visible in the pod's process list while the command runs; clear the history afterwards or read the value from a file. If the value contains characters such as "+", "&" or "%", pass it with curl --data-urlencode or add -H "Content-Type: text/plain" so the body reaches the endpoint verbatim instead of being form-decoded.
- Encrypt the passwords below in the …\admin-portal\k8s-deployment\properties\services\application-onprem.properties file using the encrypt command in step 8 above:
SQL:
db.password
MongoDB:
spring.data.mongodb.password
spring.data.mongodb.admin.password
Encryption values:
encryption.masterKeyStorePassword
encryption.masterKeyPassword
consentmanager.jwt.key.password
encrypt.keyStore.password
Note
If an external Redis connection is used, the Redis password should be encrypted as well.
- Encrypt the SMTP password below in the …\admin-portal\k8s-deployment\properties\services\notification-onprem.properties file using the same command:
spring.mail.password=
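The exec command above has to be repeated for every key listed, with each secret typed on the command line. The script below is an added example and not code from the OneTrust installer; it serves both the application-onprem.properties and the notification-onprem.properties steps. It assumes properties are written as key=value on one line, uses OT_NS and OT_CONFIG_POD as example variable names for the namespace and config pod, sends the value to the pod over stdin with a text/plain body (a choice made here, not something the page states), and ships a constructed stand-in encryptor (hex encoding, which is not encryption) so the demo runs without a cluster.

```shell
#!/usr/bin/env bash
# Added example, not part of the OneTrust installer package. Replaces the
# plaintext values of selected keys in a .properties file with the ciphertext
# returned by the config pod's /encrypt endpoint, so no secret is typed on the
# command line. Assumes lines are written exactly as key=value.

# Real encryptor: pipes the value over stdin into curl inside the config pod
# (kubectl exec -i), so the secret appears neither in local shell history nor
# in the pod's process list. OT_NS and OT_CONFIG_POD are names chosen for this
# example: set them to the namespace and config pod from `kubectl get pods`.
# text/plain is used so characters such as '+' are not form-decoded.
encrypt_via_pod() {
  printf '%s' "$1" | kubectl -n "$OT_NS" exec -i "$OT_CONFIG_POD" -- \
    sh -c 'curl -sf -H "Content-Type: text/plain" --data-binary @- http://localhost:8100/encrypt'
}

# Constructed stand-in for running this script without a cluster: hex-encodes
# the value. It is NOT encryption and exists only for the demo and tests.
encrypt_fake() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# encrypt_properties ENCRYPTOR FILE KEY...
# For each KEY whose line starts with KEY=, replace the value with ENCRYPTOR's
# output. The original is kept as FILE.bak (it holds the plaintext: delete it
# once the deployment is verified). Running this twice encrypts the ciphertext
# again, so keep the .bak until you are sure the rewritten file is right.
encrypt_properties() {
  encryptor=$1; file=$2; shift 2
  cp "$file" "$file.bak" || return 1
  for key in "$@"; do
    plain=$(awk -v k="$key" 'BEGIN { p = k "=" } index($0, p) == 1 { print substr($0, length(p) + 1) }' "$file" | tail -n 1)
    if [ -z "$plain" ]; then
      echo "skip $key: not set in $file" >&2
      continue
    fi
    cipher=$("$encryptor" "$plain") || { echo "encryption failed for $key" >&2; return 1; }
    # ENVIRON avoids awk -v escape processing on the ciphertext.
    CIPHER=$cipher awk -v k="$key" 'BEGIN { p = k "=" } index($0, p) == 1 { print p ENVIRON["CIPHER"]; next } { print }' \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
  done
}

# Demo on a constructed application-onprem.properties (sample values, not real
# credentials) using the keys this page lists; prints the rewritten file.
encrypt_properties_demo() {
  d=$(mktemp -d)
  cat > "$d/application-onprem.properties" <<'EOF'
db.host=sql.example.internal
db.password=Sql+Pa55&word
spring.data.mongodb.password=mongo-user-pw
spring.data.mongodb.admin.password=mongo-admin-pw
encryption.masterKeyStorePassword=ks-pw
EOF
  encrypt_properties encrypt_fake "$d/application-onprem.properties" \
    db.password spring.data.mongodb.password spring.data.mongodb.admin.password \
    encryption.masterKeyStorePassword encryption.masterKeyPassword \
    consentmanager.jwt.key.password encrypt.keyStore.password
  cat "$d/application-onprem.properties"
  rm -rf "$d"
}
```

Against the real files, export OT_NS and OT_CONFIG_POD and call encrypt_properties encrypt_via_pod with the file and the keys from the lists above (for notification-onprem.properties the single key spring.mail.password). Check that the services start and authenticate with the rewritten values before deleting the .bak copies, which still contain the plaintext.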
Installing Admin Portal Pod
- Navigate to …/admin-portal/k8s-deployment and create a new folder called inventory.
- Copy the updated .envs file from the inventory_template folder to the newly created inventory folder.
- Open the command line terminal (WSL or bash) from which the shell scripts are executed.
- Change directory to .../k8s-deployment/.
- Execute the installation script with ./install_admin_portal.sh install. You will be prompted to install any required dependencies that are not already present.
- Enter the docker registry password.
- The values set in the .envs file for the selected cloud are displayed.
- Confirm the printed parameters are accurate:
Do these values look good? (y/n): (enter "y" if the values shown are correct)
- Next, the installer prints the components to be installed:
Do these values look good? (y/n): (enter "y" if the list is correct)
- The installer creates the namespaces, services and deployments in the cluster based on the input values provided.
- Check the running pods in the namespace:
kubectl get pods -n {namespace}
- After all the services are healthy, update the DNS domain name with the selected cloud provider.
- Execute the below command to get the public address of the ingress:
kubectl get ingress -n {namespace}
- Copy the external IP address (or hostname) shown in the ADDRESS column for the load balancer.
- Add a DNS entry in the DNS manager for the address obtained, using the host name configured as OT_MAIN_HOST in .envs.
- Navigate to the …/admin-portal/k8s-deployment/tools/sql-server path.
- Execute the below command:
Note
To run the below command, Java 11.0.11 SE must be installed. The -dp value is passed on the command line and is recorded in shell history; clear the history entry afterwards.
./run-translations-prod.sh -r <package-version> -dh <host> -du <username> -dp <password> -jn delta-translation-6.35.0-1 -jp "<translation file path>" -ft true
- Navigate back to the terminal and execute the below command to restart the globalization service:
kubectl rollout restart deployment/globalization -n {namespace}
Tenant Namespace Migration (applicable from the 6.22.0 build; run once)
Note
The following migration steps should be run if:
- Deploying 6.22.0+ for the first time.
- Upgrading from a lower version to 6.22.0+.
- Run the below command to get the globalization pod name:
kubectl get pods -n {namespace}
- Copy the globalization pod name and run the below command to open a shell in the pod (kubectl exec, not ssh):
kubectl --namespace {namespace} exec -it pod/{globalization MS pod name} -- /bin/sh
- Run the below curl command; a 202 status line is shown on completion:
curl -vi -X POST http://localhost:8080/globalization/v1/tenants/{tenantId}/migrate/namespaces -H "x-onetrust-local: true"
- Log in to SQL Server and execute the below query in the ZenDB to check that an entry exists for the tenantId used above:
select * from [Globalization].[TenantMigrationHistory]
Note
To get the tenantId, run the below SQL query:
select * from [IDENTITY].[Tenant] where name='{TenantOrganizationName}';
- Execute the below command and get the account microservice pod name:
kubectl get pods -n <namespace>
- Run the below command to open a shell in the account microservice pod:
kubectl --namespace <namespace> exec -it pod/<Account microservice pod name> -- /bin/sh
- Navigate to the folder ../ot-onprem-installer-main-app-lkgba/admin-portal/k8s-deployment/tools.
- Open the create-tenant text file, copy its content and paste it into the terminal where the account microservice shell is open. This may take a few seconds to complete; on completion the created Tenant GUID is displayed.
- The user receives an email with a link to complete the tenant registration. After the account has been created, connect to SQL Server, remove the dbcreator role from the DB user that was created, so the application login keeps only the permissions it needs, and restart the SQL Server (MSSQLSERVER) service.
Set SQL Compatibility Level
- To check the SQL compatibility level of the ZenDB and the tenant DB, run the below query from the master database:
SELECT name, compatibility_level
FROM sys.databases;
- If the compatibility level is less than 160 (the SQL Server 2022 level, so the instance must be 2022 or later), run the below statement from the master database for each such database:
ALTER DATABASE <DB NAME> SET COMPATIBILITY_LEVEL = 160;
Open the registration email and launch the application using the URL in the email. You will be prompted to create a password to complete your registration and log in to the application.
Configure SAML Signing Certificate (optional)
- Edit access-mgmt-onprem.properties in the folder ..k8s-deployment\properties\services and add the following values:
onetrust.access.saml.keystore-base64=<base64 string of the keystore>
onetrust.access.saml.keystore-secret=<enter the cert password>
onetrust.access.saml.keystore-alias=<cert alias name>
- For the "onetrust.access.saml.keystore-base64=" value, navigate to the path where the pfx file is present (..\admin-portal\k8s-deployment) and run the below command in the terminal (the tr removes the line breaks base64 inserts, so the output is a single line):
cat {pfxname}.pfx | base64 | tr -d " \t\n\r"
- Copy the output of the above command into "onetrust.access.saml.keystore-base64=" in the access-mgmt-onprem property file.
- For the "onetrust.access.saml.keystore-alias=" value, run the below command in the terminal (it prompts for the keystore password) and take the value shown on the "Alias name:" line:
keytool -v -list -storetype pkcs12 -keystore <pfx file name>.pfx
- Copy that value into "onetrust.access.saml.keystore-alias=" in the access-mgmt-onprem property file.
Note
The property file now holds the signing private key (base64) and its password; restrict the file's permissions and keep it out of source control.
- Execute the below query in ZenDB:
select * from [Branding].[ContentResource]
- If the table already contains a row, execute the update query:
update [Branding].[ContentResource]
set value='https://cdn.1trust.app/images/app/20210810-OneTrust-EnvironmentLogin-Box.png'
where [Key] = 'panelImage'
- If the table is empty, execute the below query:
INSERT INTO [Branding].[ContentResource] ([Guid], [Key], [Value], [createdBy], [CreateDt])
VALUES ('B5699599-15B9-466A-8923-462C70A52A8B','panelImage',
'https://www.onetrust.com/img/BrandingResource/onetrust_login-graphic_background.png',
'00000000-0000-0000-0000-000000000000', getUTCDATE());
You can now begin to customize the logo and branding from the application.