Post-installation tasks

Consider the following tasks after installing Event Endpoint Management.

Verifying an installation

To verify that your Event Endpoint Management installation deployed successfully, you can check the status of your instance either by using the command line (CLI), or if running on OpenShift Container Platform, by using the web console (UI).

Using the OpenShift Container Platform UI

  1. Log in to the OpenShift Container Platform web console using your login credentials.
  2. Expand the Operators dropdown and select Installed Operators to open the Installed Operators page.
  3. Expand the Project dropdown and select the project the instance is installed in. Click the operator called IBM Event Endpoint Management.
  4. Select the Event Endpoint Management tab.
  5. The Status column will display the current state of the EventEndpointManagement custom resource. When the Event Manager instance is ready, the status will display Phase: Running.

Using the CLI

After all the components of an Event Manager instance are active and ready, the EventEndPointManagement custom resource will have a Running phase in the status.

To verify the status:

  1. Run the kubectl get command as follows:

    kubectl get eventendpointmanagement <instance-name> -n <namespace> -o jsonpath='{.status.phase}'
    

    An example output for a successful deployment:

    $ kubectl get eventendpointmanagement development -n eem -o jsonpath='{.status.phase}'
    Running
    

Note: It might take several minutes for all the resources to be created and the instance to become ready.

Setting up access

After the Event Manager instance is successfully created, set up user authentication and authorization for your chosen implementation. Event Endpoint Management supports locally defined authentication for testing purposes and OpenID Connect (OIDC) authentication for production purposes.

  • If you have selected LOCAL authentication, ensure you create user credentials before you access the Event Manager instance. For more information, see managing access.
  • After setting up LOCAL or OIDC authentication, assign users to roles. For more information, see managing roles.

Verifying the Event Gateway configuration

To verify the gateway configuration:

  1. Login to your Event Manager instance with your configured credentials
  2. Navigate to the Gateways page on the toolbar on the left side of the page.
  3. The Gateways page displays all the Event Gateway instances registered with the Event Manager instance and their configuration status. Verify that the Event Gateway you have configured is present in the table.

Backup the data encryption key

The secret <instance-name>-ibm-eem-mek contains an important key for decrypting the data stored by Event Endpoint Management. Ensure you back up and store the key safely outside your cluster.

To save the key to a file, complete the following steps.

  1. Run the following command to retrieve the encryption secret.

    kubectl get secret <instance-name>-ibm-eem-mek -n <namespace>
    
  2. Create a backup of the encryption secret with the command:

    kubectl get secret <instance-name>-ibm-eem-mek -n <namespace> -o yaml > encryption-secret.yaml
    

    This command retrieves the encryption secret in YAML format and redirects the output to a file named encryption-secret.yaml.

  3. Ensure that the backup file (encryption-secret.yaml) is stored in a secure location outside the cluster.

Validating a usage-based deployment

You can confirm if a usage-based deployment is operating as expected by checking the logs and the /ready endpoint of a running Event Manager instance.

When starting, verify the Event Manager logs if it is operating in usage-based mode. If it is, the Manager will perform an initial test of the provided configuration settings. The following is an example of a successful check:

...
<DATETIME> INFO  com.ibm.ei.eim.ubp.UBPCollector (UBP Collector) - [configReceived:181] Usage Based Pricing enabled : License Service reporting usage to: <ENDPOINT>
...
<DATETIME> INFO  com.ibm.ei.eim.ubp.UBPCollector (UBP Collector) - [lambda$configReceived$8:188] Usage Based Pricing configuration test successful..
...

If at any time an issue occurs when reporting metrics, including the initial test, a message is written to the logs, detailing the cause of the error, and the payload which was being sent. The following is an example of an error message:

...
<DATETIME> WARN  com.ibm.ei.eim.ubp.UBPCollector (UBP Collector) - [lambda$sendMetrics$18:295] Failed to send data to the license service : <ENDPOINT> : <ERROR> : <PAYLOAD>

Note: If an error occurs when submitting the number of API calls to the Licensing Service, the actual number of API calls made is not lost. They will be reported, in addition to any new API calls, in the next submission.

This message and status is also available in the Event Manager instance /ready endpoint on port 8081, under the UBP.Reporting.Status ID. This endpoint can be queried at any time. The following is an example query:

kubectl exec $(kubectl get pod -l app.kubernetes.io/instance=<INSTANCE_NAME> -n <NAMESPACE> -o name) -n <NAMESPACE> curl http://localhost:8081/ready

The result will return the current status of the gateway. The following is an example result of a healthy system with usage-based licensing configured:

{
  "code" : 200,
  "body" : {
    "components" : [ {
      "id" : "GatewayServices",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "FileStorageProvider",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "UBP.Reporting.Status",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "EEMUI",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "OperatorServices",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    } ],
    "readyComponentCount" : 5,
    "notReadyComponentCount" : 0,
    "code" : 200,
    "status" : "ok"
  }
}

The following is an example result of a system that has usage-based licensing configured, but is running with errors:

{
  "code" : 503,
  "body" : {
    "components" : [ {
      "id" : "GatewayServices",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "FileStorageProvider",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "UBP.Reporting.Status",
      "description" : "Failed to send data to the license service : https://ibm-licensing-service-instance.ibm-common-services.svc.cluster.local:8089/v2/metric_upload?token=cEDdqE9sodSl8n87Vz82Im39 : No route to host: ibm-licensing-service-instance.ibm-common-services.svc.cluster.local/172.30.42.210:8089 : {\"cloudpakId\":\"279abae6bfe647eca1f0efcbf136099c\",\"cloudpakName\":\"IBM Cloud Pak for Integration - API Calls\",\"productId\":\"3af7dda8ce3e4369b1c461c2982719c8\",\"productName\":\"IBM Event Endpoint Management Non Production\",\"productMetric\":\"MONTHLY_API_CALL\",\"productCloudpakRatio\":\"2:1\",\"cloudpakMetric\":\"RESOURCE_VALUE_UNIT\",\"aggregationPolicy\":\"ADD\",\"metricValue\":0}",
      "code" : 500,
      "conditions" : [ ]
    }, {
      "id" : "EEMUI",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "OperatorServices",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    } ],
    "readyComponentCount" : 4,
    "notReadyComponentCount" : 1,
    "code" : 503,
    "status" : "Not ready"
  }
}

Renewing certificates

After installing Event Endpoint Management, you can manage your certificates with the Cert Manager operator.

Important: When renewing certificates, it is important to also update the spec.tls.caSecretName configuration (or ca.pem if deployed as a stand-alone gateway) of any Event Gateway in step with updates made to the Event Manager instance they are registered with. Communication between the Event Gateway and Manager will fail until the certificate configuration is updated.

Using the OpenShift Container Platform web console

If running on the OpenShift Container Platform, you can renew a certificate by deleting the existing secret in the OpenShift web console as follows:

  1. Log in to the OpenShift Container Platform web console using your login credentials.
  2. Expand the Operators dropdown and select Installed Operators to open the Installed Operators page.
  3. Expand the Project dropdown and select the project the instance is installed in. Click the operator called IBM Event Endpoint Management.
  4. Click the Event Endpoint Management tab and search the Name column for the installed instance and click the name.
  5. In the EventEndpointManagement details dashboard, scroll down and locate the Ca Secret Name field, and then click the linked secret.
  6. Click the Actions menu, and select Delete secret.

Note: Following deleting the secret, you will be navigated back to the Secrets page. Your deleted secret will have been regenerated with a new value, which will be used for your certificate in your chosen certificate manager.

Using the CLI

You can renew a certificate by deleting the existing secret in the CLI. You can do this by using the kubectl command as follows:

  1. Log in to your Kubernetes cluster as a cluster administrator by setting your kubectl context.
  2. Ensure you are in the namespace where your Event Manager instance is installed:

    kubectl config set-context --current --namespace=<namespace>
    
  3. Run the following command to display the Event Manager instances:

    kubectl get eventendpointmanagement
    
  4. Run the following command to display the name of the secret representing the certificate for Event Endpoint Management:

    kubectl get eventendpointmanagement <instance_name> --template '{ {.spec.manager.tls.caSecretName} }'
    
  5. Run the following command to delete and regenerate the value of the certificate:

    kubectl delete secret <secret_name>