IBM Cloud Pak Playbook

Red Hat CloudForms Installation Guide

This section covers installing Red Hat CloudForms 5.0 for Cloud Pak for Multicloud Management.

Required files

The files from the Passport Advantage site for Red Hat CloudForms 5 are:

  • Red Hat CloudForms 5 for IBM Cloud App Management 20.0.1 Multiplatform English eAssembly (CJ78FEN)

It contains the disk image for the Red Hat CloudForms 5 appliance for various platforms and the integration with IBM Cloud Pak for MultiCloud Management 1.3. Other formats, such as AWS and Azure disk images, are available from Red Hat at https://access.redhat.com/products/red-hat-cloudforms/.

    Initialize CloudForms server

    Follow the instructions for restoring Red Hat CloudForms 5 appliance from: https://access.redhat.com/documentation/en-US/Red_Hat_CloudForms/5.0/.

    The following summary steps demonstrate configuring Red Hat CloudForms 5 appliance on Amazon AWS.

    1. Extract the VHD file from the image archive cfme-ec2-5.11.4.2-1.x86_64.zip:

      unzip cfme-ec2-5.11.4.2-1.x86_64.zip

      Store the VHD file in an S3 bucket (such as rh-cloudforms5).

      aws s3 cp cfme-ec2-5.11.4.2-1.x86_64.vhd s3://rh-cloudforms5
    2. Create the vmimport role for loading a disk snapshot into AWS. Create trust-policy.json and role-policy.json as outlined below.

      trust-policy.json

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "Service": "vmie.amazonaws.com" },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals":{

      role-policy.json (change the S3 bucket name to the name you used before).

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:ListAllMyBuckets"
            ],
            "Resource": "*"

      Create the vmimport role:

      aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json
      aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json
    3. Load the snapshot using the file container.json:

      {
        "Description": "RedHat CloudForms 5",
        "Format": "vhd",
        "UserBucket": {
          "S3Bucket": "BUCKET WITH UPLOADED .VHD IMAGE",
          "S3Key": "cfme-ec2-5.11.4.2-1.x86_64.vhd"
        }
      }

      Run the load:

      aws ec2 import-snapshot --disk-container file://container.json
    4. Check that the load has completed.

      aws ec2 describe-import-snapshot-tasks --import-task-ids <task-id>

      Use the Web UI to create a new AMI from the Snapshot that you uploaded, or run the following command.

      aws ec2 register-image
    5. Create a security group that allows access to port 22 (SSH) and port 443 (HTTPS). Use this security group when launching an instance of Red Hat CloudForms 5. Make sure you allocate an additional disk for the PostgreSQL database.

    6. Use a terminal window to SSH into the CloudForms instance. Initialize the server. The process below uses an embedded PostgreSQL database for a standalone CloudForms server.

      • Log in to the appliance
      • Run the appliance_console command
      • Select the options [5] Configure Database > [1] Create key > [1] Create Internal Database > [1] /dev/xvdb
      • Answer N for Should this appliance run as a standalone database server?
      • Assign a PostgreSQL password and verify it
      • Answer 0 for the database region number
      • Wait until the database is initialized
      • Back in the main menu, select [14] Start CFME server and then [19] Exit
    7. Try logging in to the CloudForms server on port 443. Log in as admin with the appliance's default password, smartvm.
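
Added example (not part of the original guide): the two policy files in step 2 are cut off on this page, so this sketch writes a vmimport trust policy and role policy along the lines of the AWS VM Import/Export service-role documentation, with S3 access limited to the import bucket. The function name write_vmimport_policies and the bucket-name check are assumptions of this example.

```shell
#!/bin/sh
# Added example; write_vmimport_policies is a hypothetical helper, not an AWS tool.
# write_vmimport_policies BUCKET DIR
# Writes DIR/trust-policy.json and DIR/role-policy.json for the vmimport role,
# with S3 read access limited to BUCKET (the bucket holding the uploaded .vhd).
write_vmimport_policies() {
    bucket=$1 dir=$2
    # Accept only S3-style names so the value cannot break out of the JSON string.
    case $bucket in
        ''|*[!a-z0-9.-]*) echo "invalid bucket name: $bucket" >&2; return 1 ;;
    esac
    [ "${#bucket}" -ge 3 ] && [ "${#bucket}" -le 63 ] || {
        echo "bucket name must be 3-63 characters" >&2; return 1; }
    cat > "$dir/trust-policy.json" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "vmie.amazonaws.com" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:Externalid": "vmimport" } }
  }]
}
EOF
    cat > "$dir/role-policy.json" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::$bucket", "arn:aws:s3:::$bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                 "ec2:RegisterImage", "ec2:Describe*"],
      "Resource": "*"
    }
  ]
}
EOF
}
```

Call write_vmimport_policies rh-cloudforms5 . in the working directory before running the two aws iam commands from step 2.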

    Configure LDAP Authentication in MCM Console

      Integrate CloudForms server with Cloud Pak for MultiCloud Management

      For this configuration we will use the following variables. Replace them with yours.

      • CLOUDFORMS_CLIENT_ID: a string with your CloudForms client ID. Any randomly generated value works.
      • CLOUDFORMS_CLIENT_SECRET: a string with your CloudForms client secret. Any randomly generated value works.
      • ICP_CONSOLE: FQDN of the MCM icp-console.
      • CLOUDFORMS_HOST: IP address or FQDN of your CloudForms server.
      • CLOUDFORMS_PASSPHRASE: a string with a CloudForms passphrase. Any randomly generated value works.
        1. Create a file registration.json:

          {
            "token_endpoint_auth_method":"client_secret_basic",
            "client_id": "$CLOUDFORMS_CLIENT_ID",
            "client_secret": "$CLOUDFORMS_CLIENT_SECRET",
            "scope":"openid profile email",
            "grant_types":[
              "authorization_code",
              "client_credentials",
              "password",

          Then run this command.

          cloudctl iam oauth-client-register -f registration.json

          Collect the client secret that is generated.

        2. Extract the MCM certificate and save it as a TRUSTED certificate.

          kubectl get secret -n kube-public ibmcloud-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 --decode | sed 's/CERTIFICATE/TRUSTED CERTIFICATE/' > ibm-mcm-ca.crt
        3. Copy the ibm-mcm-ca.crt file to /etc/pki/ca-trust/source/anchors on the CloudForms machine. Then run the following command.

          update-ca-trust
        4. Restart the CloudForms engine.

          systemctl restart evmserverd
        5. Run the following commands to copy the OIDC configuration files:

          TEMPLATE_DIR="/opt/rh/cfme-appliance/TEMPLATE"
          cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-remote-user-openidc.conf /etc/httpd/conf.d/
          cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-external-auth-openidc.conf.erb /etc/httpd/conf.d/manageiq-external-auth-openidc.conf
        6. Update the /etc/httpd/conf.d/manageiq-external-auth-openidc.conf file as follows.

          LoadModule auth_openidc_module modules/mod_auth_openidc.so
          ServerName https://$CLOUDFORMS_HOST
          OIDCClientID $CLOUDFORMS_CLIENT_ID
          OIDCClientSecret $CLOUDFORMS_CLIENT_SECRET
          OIDCRedirectURI https://$CLOUDFORMS_HOST/oidc_login/redirect_uri
          OIDCCryptoPassphrase $CLOUDFORMS_PASSPHRASE
          OIDCOAuthRemoteUserClaim sub
          OIDCRemoteUserClaim name
        7. Restart httpd.

          systemctl restart httpd
        8. Open the CloudForms Web UI and log in as admin, then open Configuration by clicking the gear icon.

        9. Select Settings, then select the Authentication tab.

        10. In the Authentication section, set the Mode to External (httpd).

        11. In the External Authentication (httpd) Settings section, set the Provider Type to Enable OpenID-Connect.

        12. In the Role Settings section, select the Get User Groups from External Authentication (httpd) setting.

        13. Select Access Control. Make sure the user’s groups are created on the Appliance and appropriate roles are assigned to those groups.

        14. Click Save.

        15. Log out from CloudForms, and refresh your browser. If you enabled SSO, it will redirect you to the ICP Console logon screen. If not, click on Log in to Corporate System.
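
Added example (not part of the original guide): one way to generate the random values for CLOUDFORMS_CLIENT_ID, CLOUDFORMS_CLIENT_SECRET and CLOUDFORMS_PASSPHRASE and to check the file from step 6. The function names are hypothetical; render_oidc_conf writes only the directives shown in step 6, and check_oidc_conf rejects a file that still holds a literal $CLOUDFORMS_ placeholder or that group or others can access.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of CloudForms.

# gen_secret N: print N bytes from /dev/urandom as 2N lowercase hex characters.
gen_secret() {
    head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# render_oidc_conf OUT: write the step 6 directives to OUT with mode 0600.
# Reads CLOUDFORMS_HOST, CLOUDFORMS_CLIENT_ID, CLOUDFORMS_CLIENT_SECRET and
# CLOUDFORMS_PASSPHRASE from the environment and refuses to run if one is empty.
render_oidc_conf() {
    out=$1
    for v in "$CLOUDFORMS_HOST" "$CLOUDFORMS_CLIENT_ID" \
             "$CLOUDFORMS_CLIENT_SECRET" "$CLOUDFORMS_PASSPHRASE"; do
        [ -n "$v" ] || { echo "missing CLOUDFORMS_* value" >&2; return 1; }
    done
    # Create the file owner-only before any secret is written into it.
    ( umask 077; : > "$out" ) && chmod 600 "$out" || return 1
    cat > "$out" <<EOF
LoadModule auth_openidc_module modules/mod_auth_openidc.so
ServerName https://$CLOUDFORMS_HOST
OIDCClientID $CLOUDFORMS_CLIENT_ID
OIDCClientSecret $CLOUDFORMS_CLIENT_SECRET
OIDCRedirectURI https://$CLOUDFORMS_HOST/oidc_login/redirect_uri
OIDCCryptoPassphrase $CLOUDFORMS_PASSPHRASE
OIDCOAuthRemoteUserClaim sub
OIDCRemoteUserClaim name
EOF
}

# check_oidc_conf FILE: fail if a $CLOUDFORMS_ placeholder was left as literal
# text (httpd does not expand $NAME) or if group/other have any access.
check_oidc_conf() {
    if grep -q '\$CLOUDFORMS_' "$1"; then
        echo "$1: literal \$CLOUDFORMS_ placeholder left in file" >&2
        return 1
    fi
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || {
        echo "$1: accessible by group or others" >&2; return 1; }
}
```

Generate the three values once, for example CLOUDFORMS_CLIENT_SECRET=$(gen_secret 32), and use the same values in registration.json and in the httpd configuration.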