Post-installation tasks

Consider the following tasks after installing Event Endpoint Management.

Verifying an installation

To verify that your Event Endpoint Management installation deployed successfully, you can check the status of your instance either by using the command line (CLI), or if you are running on OpenShift Container Platform, by using the web console (UI).

Using the OpenShift Container Platform UI

1. Log in to the OpenShift Container Platform web console using your login credentials.
2. Expand the Operators dropdown and select Installed Operators to open the Installed Operators page.
3. Expand the Project dropdown and select the project the instance is installed in. Click the operator called IBM Event Endpoint Management.
4. Select the Event Endpoint Management tab.
5. The Status column displays the current state of the EventEndpointManagement custom resource. When the Event Manager instance is ready, the status displays Phase: Running.

Using the CLI

After all the components of an Event Manager instance are active and ready, the EventEndPointManagement custom resource will have a Running phase in the status.

To verify the status:

1. Run the kubectl get command as follows:

    Copy Copykubectl get eventendpointmanagement <instance-name> -n <namespace> -o jsonpath='{.status.phase}'
   

   An example output for a successful deployment:

    Copy Copy$ kubectl get eventendpointmanagement development -n eem -o jsonpath='{.status.phase}'
   Running
   

Note: It might take several minutes for all the resources to be created and the instance to become ready.

Setting up access

After the Event Manager instance is successfully created, set up user authentication and authorization for your chosen implementation. Event Endpoint Management supports locally defined authentication for testing purposes and OpenID Connect (OIDC) authentication for production purposes.

• If you selected LOCAL authentication, ensure that you create user credentials before you access the Event Manager instance. For more information, see managing access.
• After you set up LOCAL or OIDC authentication, assign users to roles. For more information, see managing roles.

Backup the data encryption key

The secret <instance-name>-ibm-eem-mek contains an important key for decrypting the data that is stored by Event Endpoint Management. Ensure you back up and store the key safely outside your cluster.

To save the key to a file, complete the following steps.

1. Run the following command to retrieve the encryption secret.

    Copy Copykubectl get secret <instance-name>-ibm-eem-mek -n <namespace>
   

2. Create a backup of the encryption secret with the command:

    Copy Copykubectl get secret <instance-name>-ibm-eem-mek -n <namespace> -o yaml > encryption-secret.yaml
   

   This command retrieves the encryption secret in YAML format and redirects the output to a file named encryption-secret.yaml.

3. Ensure that the backup file (encryption-secret.yaml) is stored in a secure location outside the cluster.

Validating a usage-based deployment

You can confirm if a usage-based deployment is operating as expected by checking the logs and the /ready endpoint of a running Event Manager instance.

When you start the Event Manager instance, verify in the Event Manager logs if it is operating in usage-based mode. If it is, the Manager performs an initial test of the provided configuration settings. The following example shows a successful check:

 Copy Copy...
<DATETIME> INFO  com.ibm.ei.eim.ubp.UBPCollector (UBP Collector) - [configReceived:181] Usage Based Pricing enabled : License Service reporting usage to: <ENDPOINT>
...
<DATETIME> INFO  com.ibm.ei.eim.ubp.UBPCollector (UBP Collector) - [lambda$configReceived$8:188] Usage Based Pricing configuration test successful..
...

If at any time an issue occurs when reporting metrics, including the initial test, a message is written to the logs, detailing the cause of the error, and the payload that was being sent. The following example shows an error message:

 Copy Copy...
<DATETIME> WARN  com.ibm.ei.eim.ubp.UBPCollector (UBP Collector) - [lambda$sendMetrics$18:295] Failed to send data to the license service : <ENDPOINT> : <ERROR> : <PAYLOAD>

Note: If an error occurs when submitting the number of API calls to the Licensing Service, the actual number of API calls made is not lost. They will be reported, in addition to any new API calls, in the next submission.

This message and status is also available in the Event Manager instance /ready endpoint on port 8081, under the UBP.Reporting.Status ID. This endpoint can be queried at any time. The following example shows a query:

 Copy Copykubectl exec $(kubectl get pod -l app.kubernetes.io/instance=<INSTANCE_NAME> -n <NAMESPACE> -o name) -n <NAMESPACE> curl http://localhost:8081/ready

The result returns the current status of the gateway. The following example shows the result from a healthy system with usage-based licensing configured:

 Copy Copy{
  "code" : 200,
  "body" : {
    "components" : [ {
      "id" : "GatewayServices",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "FileStorageProvider",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "UBP.Reporting.Status",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "EEMUI",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "OperatorServices",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    } ],
    "readyComponentCount" : 5,
    "notReadyComponentCount" : 0,
    "code" : 200,
    "status" : "ok"
  }
}

The following example shows the result of a system that has usage-based licensing configured, but is running with errors:

 Copy Copy{
  "code" : 503,
  "body" : {
    "components" : [ {
      "id" : "GatewayServices",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "FileStorageProvider",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "UBP.Reporting.Status",
      "description" : "Failed to send data to the license service : https://ibm-licensing-service-instance.ibm-common-services.svc.cluster.local:8089/v2/metric_upload?token=cEDdqE9sodSl8n87Vz82Im39 : No route to host: ibm-licensing-service-instance.ibm-common-services.svc.cluster.local/172.30.42.210:8089 : {\"cloudpakId\":\"279abae6bfe647eca1f0efcbf136099c\",\"cloudpakName\":\"IBM Cloud Pak for Integration - API Calls\",\"productId\":\"3af7dda8ce3e4369b1c461c2982719c8\",\"productName\":\"IBM Event Endpoint Management Non Production\",\"productMetric\":\"MONTHLY_API_CALL\",\"productCloudpakRatio\":\"2:1\",\"cloudpakMetric\":\"RESOURCE_VALUE_UNIT\",\"aggregationPolicy\":\"ADD\",\"metricValue\":0}",
      "code" : 500,
      "conditions" : [ ]
    }, {
      "id" : "EEMUI",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    }, {
      "id" : "OperatorServices",
      "description" : "ok",
      "code" : 200,
      "conditions" : [ ]
    } ],
    "readyComponentCount" : 4,
    "notReadyComponentCount" : 1,
    "code" : 503,
    "status" : "Not ready"
  }
}

Renewing certificates

After Event Endpoint Management is installed, you can manage your certificates with the Cert Manager operator.

Important: When you renew certificates, it is important to also update the Event Gateway certificates in step with updates that are made to the Event Manager instance that they are registered with. Communication between the Event Gateway and Manager fails if the certificates are mismatched.

Using the OpenShift Container Platform web console

If you are running on the OpenShift Container Platform, you can renew a certificate by deleting the existing secret in the OpenShift web console as follows:

1. Log in to the OpenShift Container Platform web console using your login credentials.
2. Expand the Operators dropdown and select Installed Operators to open the Installed Operators page.
3. Expand the Project dropdown and select the project the instance is installed in. Click the operator called IBM Event Endpoint Management.
4. Click the Event Endpoint Management tab and search the Name column for the installed instance and click the name.
5. In the EventEndpointManagement details dashboard, scroll down and locate the Ca Secret Name field, and then click the linked secret.
6. Click the Actions menu, and select Delete secret.

Note: Following deleting the secret, you are returned to the Secrets page. Your deleted secret is regenerated with a new value, which is used for your certificate in your chosen certificate manager.

Using the CLI

You can renew a certificate by deleting the existing secret in the CLI with the kubectl command as follows:

1. Log in to your Kubernetes cluster as a cluster administrator by setting your kubectl context.

2. Ensure that you are in the namespace where your Event Manager instance is installed:

    Copy Copykubectl config set-context --current --namespace=<namespace>
   

3. Run the following command to display the Event Manager instances:

    Copy Copykubectl get eventendpointmanagement
   

4. Run the following command to display the name of the secret that contains the certificate for Event Endpoint Management:

    Copy Copykubectl get eventendpointmanagement <instance_name> --template '{ {.spec.manager.tls.caSecretName} }'
   

5. Run the following command to delete and regenerate the value of the certificate:

    Copy Copykubectl delete secret <secret_name>
   

Renewing Event Gateway certificates

Renewing operator-managed and Kubernetes Deployment Event Gateway certificates

If your Event Manager and Event Gateway use the same certificate manager instance then the Event Gateway picks up the updated certificate automatically.

If your Event Manager and Event Gateway use different certificate manager instances, then you must copy the updated certificate to the Event Gateway environment. Copy the contents of the updated secret that contains your new certificate:

1. In the Event Manager environment, export the secret that contains the certificate to a YAML file:

    Copy Copykubectl -n <namespace> get secret <secret-name> -o yaml > <secret-name>.yaml
   

2. Edit the <secret-name>.yaml file to remove all labels, annotations, creationTimestamp, resourceVersion, uid, and selfLink.
3. Copy the <secret-name>.yaml file to your Event Gateway environment.

4. Apply the <secret-name>.yaml on your Event Gateway environment:

    Copy Copykubectl -n <namespace> apply -f <secret-name>.yaml
   

If you changed the secret names, then you must update the EventGateway custom resource or Kubernetes Deployment with the new names in the spec.tls section.

Renewing Docker Event Gateway certificates

For each secret that you updated, you must update the corresponding certificate PEM files in your Docker environment.

If you change the file name or path of your PEM files, then you must restart the Docker gateway with the updated file name in the Docker run arguments, for example: docker run -v "path:/certs/certname.pem" -v "path:/certs/keyname.key"