Deploying a PostgreSQL Database on an IBM Z Virtual Server Instance (zVSI) in order to move to IBM Hyper Protect

Dr. Clemen Chiang

CTO’s Notes: In our inaugural blog, we ventured into deploying a PostgreSQL database on an IBM Z Virtual Server Instance, aiming to leverage its robust capabilities. This journey, albeit insightful, led us to a crucial realization – our approach of running PostgreSQL directly on the zVSI without Docker was not the most effective path. This article unfolds our initial steps, the challenges we faced, and the valuable lessons we learned about database deployment in a virtualized environment.

Datasets are crucial for fine-tuning and training AI models. Storing the dataset in a secure environment is equally important. Today, I will show you how to host a PostgreSQL database on an IBM Z Virtual Server Instance (zVSI), before eventually hosting the same on an IBM Hyper Protect Virtual Server.

LinuxONE zVSI and Hyper Protect Virtual Server for VPC are two different service offerings available in IBM Cloud. The former provides a simple virtual-server-as-a-service capability on zSystems that is easy and quick to try out, while the latter provides container support on a Confidential Computing capable virtual server (on zSystems) using IBM Secure Execution (hardware-level security), thus providing pervasive encryption and protection for data in use along with data at rest and in motion.

This blog demonstrates how you can get started with bringing up workloads on an IBM LinuxONE zVSI instance, before exploring Hyper Protect Virtual Server for VPC (in another blog post).

Step 1: Launch an IBM Z Virtual Server Instance (zVSI) on IBM Cloud

Go to the IBM Cloud catalog and select "Virtual Server for VPC."

Under the Architecture section, select "IBM Z, LinuxONE."

Choose your preferred location. For example, if you are in Singapore, select "Asia Pacific," and then choose the "Tokyo" region.

Give your instance a name.

Select your preferred OS and instance profile.

Choose an SSH key to use for accessing the instance. If you don't have an SSH key, you can follow the instructions to generate one.

Optionally, add data volumes on top of the boot volume.

Configure your VPC (Virtual Private Cloud).

Click the "Create virtual server" button. Your new virtual server will be provisioned and available for use shortly.

Step 2: Access Your Virtual Server Instance

Once your instance is provisioned, you can access it by SSH using the public IP address and the SSH key you selected during the setup.

ssh -i your-ssh-key.pem root@your-public-ip-address

Step 3: Set Up a PostgreSQL Database on Your Virtual Server

After accessing your virtual server, you can proceed to set up the PostgreSQL database. Here are the commands to install and start PostgreSQL on a Linux server:

sudo apt-get update
sudo apt-get install postgresql postgresql-contrib
sudo systemctl start postgresql
sudo systemctl enable postgresql

Step 4: Secure Your PostgreSQL Database

Next, you should secure your PostgreSQL database by setting a password for the default PostgreSQL user and creating a new database user with limited privileges.

sudo -u postgres psql
postgres=# \password
Enter new password: your-password
postgres=# \q
sudo -u postgres createuser --interactive --pwprompt
Enter name of role to add: your-database-user
Enter password for new role: your-database-password
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

Step 5: Create a New Database

Now, create a new database and grant privileges to your new database user.

sudo -u postgres createdb your-database-name
sudo -u postgres psql
postgres=# GRANT ALL PRIVILEGES ON DATABASE your-database-name TO your-database-user;
postgres=# \q

Step 6: Connect to Your PostgreSQL Database

Now, you can connect to your PostgreSQL database using the following command:

psql -U your-database-user -d your-database-name -h localhost -W
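Steps 4 and 5 above are interactive. The script below is an added example (not part of the original post) that emits the equivalent non-interactive SQL for a login role with the three prompts answered "n", and audits `pg_roles` output so you can confirm no login role other than `postgres` still holds an elevated attribute. The role and database names are placeholders, and the sample `pg_roles` output is constructed; feed real `psql -At` output to `audit_roles` on the server.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of the Step 4/5 prompts,
# plus a privilege audit. Names below are placeholders.

# Emit SQL matching the interactive answers n/n/n, plus the Step 5 grant.
# $1 = role name, $2 = database name. Pipe into: sudo -u postgres psql
limited_role_sql() {
  printf 'CREATE ROLE "%s" LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;\n' "$1"
  printf 'CREATE DATABASE "%s";\n' "$2"
  # Extra hardening beyond the post: stop every other role connecting by default.
  printf 'REVOKE ALL ON DATABASE "%s" FROM PUBLIC;\n' "$2"
  printf 'GRANT ALL PRIVILEGES ON DATABASE "%s" TO "%s";\n' "$2" "$1"
}

# Read "rolname|rolsuper|rolcreaterole|rolcreatedb|rolcanlogin" lines
# (psql -At format) from stdin; print each login role other than postgres
# that still has an elevated attribute. Exit status 1 if any were found.
audit_roles() {
  found=0
  while IFS='|' read -r name super createrole createdb canlogin; do
    [ -z "$name" ] && continue
    [ "$name" = postgres ] && continue
    [ "$canlogin" = t ] || continue        # non-login roles cannot be abused directly
    if [ "$super" = t ] || [ "$createrole" = t ] || [ "$createdb" = t ]; then
      printf '%s: super=%s createrole=%s createdb=%s\n' \
        "$name" "$super" "$createrole" "$createdb"
      found=1
    fi
  done
  return $found
}

# Constructed sample output of:
#   sudo -u postgres psql -At -c \
#     "SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolcanlogin FROM pg_roles"
SAMPLE_ROLES='postgres|t|t|t|t
your-database-user|f|f|f|t
legacy_admin|t|f|f|t
pg_monitor|f|f|f|f'

limited_role_sql your-database-user your-database-name
printf '%s\n' "$SAMPLE_ROLES" | audit_roles || echo "elevated login roles found"
```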

Currently, we've successfully set up a Postgres instance running on a zVSI. This environment serves as a testing ground for our product development before the actual deployment. Our next step is to convert this into a Contract for deploying as an IBM Hyper Protect Virtual Server. Stay tuned for detailed coverage in our next post.

Why IBM Hyper Protect Ensures Enhanced Security

IBM Hyper Protect is renowned for its advanced security measures, providing a robust shield for data and applications. With its unique hardware-level security features, IBM Hyper Protect ensures the utmost privacy and protection against both internal and external threats. It provides comprehensive protection for data at rest, in transit, and in use. Let's delve deeper into why IBM Hyper Protect Virtual Server is an ideal choice for hosting a PostgreSQL database:

Encryption at Rest, in Transit and in Use

IBM Hyper Protect offers protection for data at rest, in transit and in use. Data at rest is encrypted using industry-standard algorithms, ensuring that even if an attacker gains physical access to the storage media, they cannot decipher the data. Data in transit is encrypted using secure protocols like TLS, protecting data from eavesdropping and man-in-the-middle attacks. Protection for data in use is achieved by deploying the service as a contract that is immutable (not changeable), preventing alterations to the production execution code by restricting SSH access and data modifications. It's essential to avoid developing directly against contracts, to minimize extensive teardowns and reinstallations.

Isolation Techniques

One of the key features of IBM Hyper Protect Virtual Server is its isolation techniques. Each virtual server instance runs in an isolated environment, preventing one instance from affecting another. This isolation is achieved through the use of secure containers and microservices architecture. This ensures that even if one instance is compromised, the attacker cannot access other instances or the underlying infrastructure.

Hardware-Level Security

IBM Hyper Protect Virtual Server leverages the security features of IBM Z and LinuxONE, which are designed with security as a core principle. These systems provide hardware-level security features such as secure boot, cryptographic acceleration, and tamper-resistant hardware. These features ensure that the integrity of the system is maintained, and any attempts to tamper with the hardware are detected and prevented.

Compliance and Regulatory Requirements

IBM Hyper Protect helps organizations meet their compliance and regulatory requirements by providing a secure and auditable environment. The hardware-level security features, combined with the encryption and isolation techniques, ensure that data is protected from unauthorized access and tampering.

Resources on IBM Hyper Protect and PostgreSQL

IBM provides a wealth of resources to help organizations understand how IBM Hyper Protect Virtual Server complements and strengthens the security measures for PostgreSQL. Some of the resources include:

These resources provide detailed information on the security features of IBM Hyper Protect Virtual Server, how it integrates with PostgreSQL, and how organizations can leverage these features to meet their security and compliance requirements.

In conclusion, IBM Hyper Protect Virtual Server offers a comprehensive suite of security features that make it an ideal choice for hosting a PostgreSQL database. With its hardware-level security, encryption, and isolation techniques, IBM Hyper Protect Virtual Server ensures the privacy and protection of data, making it a trusted choice for organizations looking to secure their datasets in the cloud.

Discover how we refined our approach in the next article, where we delve into deploying PostgreSQL on IBM Hyper Protect Virtual Servers using Docker.