How to Access the IBM Cloud Pak for Multicloud Management Console Using a Customized Domain

Use your own custom domain in-line with your organization certificates to securely access the resources that are provisioned through IBM Cloud Pak® for Multicloud Management.

You can complete these easy steps to configure your domain to access the IBM Cloud Pak for Multicloud Management URL after the Cloud Pak is installed. You can choose your own domain and configure it quickly.

The IBM Cloud Pak for Multicloud Management enables the organization to securely manage applications, no matter how they are designed or where they are deployed. It is a set of open, pluggable tools built around a core application and governance model. This core architecture helps organizations model applications and application dependencies, manage the lifecycles of both applications and infrastructure, consistently govern and secure applications and their deployment models, and deliver observability for the application's full stack.

Prerequisites

  1. Choose a custom domain to access IBM Cloud Pak for Multicloud Management using a custom URL.
  2. This custom domain must be registered in DNS.
  3. Some knowledge of IBM Cloud Pak for Multicloud Management. For more information, refer to the IBM Cloud Pak for Multicloud Management overview.

The solution

To customize the URL to access IBM Cloud Pak for Multicloud Management with a user-specific host — for example: mcm.cp4mcm.com (*.domain.com) — complete the following steps:

Step 1: Create the self-signed certificate/use a CA-signed certificate

To create the route for your custom URL, you need a certificate. If you already have a CA-signed certificate, skip this step and use the existing certificate to create a route for the custom URL/host of your choice. If you do not have one, complete this step to create a self-signed certificate.

Run the following commands to create a self-signed certificate:

$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
$ openssl rsa -passin pass:x -in server.pass.key -out server.key
$ openssl req -new -key server.key -out server.csr

Note: When you run the third command above, it requests a common name. Enter the same custom URL/host that you used previously as a value. For example, if a user chooses a custom host mcm.cp4mcm.com, where cp4mcm.com is a domain, then you can provide the domain with a wildcard *.cp4mcm.com as the common name or use the complete host mcm.cp4mcm.com itself.

Next, run the following command to generate an SSL certificate:

$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

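An added example, not part of the original article: the same key and self-signed certificate produced non-interactively with a subjectAltName entry, which current browsers and TLS clients check instead of the common name, followed by two checks worth running before the certificate is used in Step 2. The function names are this example's own, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: self-signed certificate with a SAN, plus pre-flight checks.
# File names (server.key, server.crt) follow the article; function names are
# hypothetical helpers introduced here.

# make_cert NAME DIR: write server.key and server.crt for NAME into DIR.
# NAME may be a single host (mcm.cp4mcm.com) or a wildcard (*.cp4mcm.com).
make_cert() {
    name=$1 dir=$2
    # -nodes leaves the key unencrypted, the same end state as the
    # "genrsa -des3" + "openssl rsa" pair in the article.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"   # the private key should not be world-readable
}

# cert_matches_host CRT HOST: succeed only if CRT is valid for HOST.
# openssl prints the verdict rather than setting an exit code, so grep for it.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q 'does match certificate'
}

# key_matches_cert KEY CRT: succeed only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# preflight HOST DIR: run both checks on DIR/server.key and DIR/server.crt.
preflight() {
    cert_matches_host "$2/server.crt" "$1" &&
        key_matches_cert "$2/server.key" "$2/server.crt"
}

# Demo in a scratch directory (constructed input: the article's example host).
tmp=$(mktemp -d)
make_cert 'mcm.cp4mcm.com' "$tmp" && preflight 'mcm.cp4mcm.com' "$tmp" &&
    echo "server.crt covers the host and matches server.key"
rm -rf "$tmp"
```
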

Step 2: Create a route using the certificate created in Step 1

A self-signed certificate has been generated, and you can use it to create a route for IBM Cloud Pak for Multicloud Management:

$ oc create route reencrypt --service=icp-management-ingress --cert=server.crt --key=server.key --dest-ca-cert=destca.crt --hostname=mcm.cp4mcm.com
  • icp-management-ingress is the service name created for the management-ingress pod in the ibm-common-services project
  • destca.crt is the destination CA certificate of the cp-console route (for the service icp-management-ingress) that was created in ibm-common-services during the initial IBM Cloud Pak for Multicloud Management deployment
  • mcm.cp4mcm.com is the user-chosen custom host for the Cloud Pak

Step 3: Update the OIDC registration

After completing the previous steps, the custom URL to access the IBM Cloud Pak for Multicloud Management is registered for OIDC.

Next, complete the instructions at the Knowledge Center to configure the custom URL for OIDC.

Alternatively, you can complete the following steps to configure the custom URL for OIDC:

  • Copy the content in the registration-json configmap into the registration.yaml file:
    $ kubectl get cm registration-json -n ibm-common-services -o yaml > registration.yaml
  • Create a platform-oidc-registration.json file. Copy the contents of the data section in the registration.yaml file into the platform-oidc-registration.json file.
  • Add the following piece of configuration into the platform-oidc-registration.json file to allow regex with your custom URL for IBM Cloud Pak for Multicloud Management:
    "allow_regexp_redirects":"true",
    Add/append your custom URIs in the "redirect_uris" and "post_logout_redirect_uris" parameters of the platform-oidc-registration.json file and then save it:
  • Define the following variables on the command line to run the command for OIDC registration:
    • Save the client secret:
      $ OAUTH2_CLIENT_REGISTRATION_SECRET=$(kubectl -n ibm-common-services get secret platform-oidc-credentials -o yaml | grep OAUTH2_CLIENT_REGISTRATION_SECRET | awk '{ print $2}' | base64 --decode)
    • Save the client ID:
      $ WLP_CLIENT_ID=$(kubectl -n ibm-common-services get secret platform-oidc-credentials -o yaml | grep WLP_CLIENT_ID | awk '{ print $2}' | base64 --decode)
    • Save the access IP:
      $ FIP=<master-node IP address>
      Note: FIP is the host name for the cp-console route (e.g., cp-console.*****************************.cloud).
  • Apply the changes that you made to the platform-oidc-registration.json file by running the following command:
    $ curl -kvv -X PUT -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET -H "Content-Type: application/json" -d @<installation directory>/platform-oidc-registration.json https://$FIP/idauth/oidc/endpoint/OP/registration/$WLP_CLIENT_ID
    Note: <installation directory> stands for the absolute path for the platform-oidc-registration.json file. The -k option makes curl skip TLS certificate verification for this request, which carries the client registration secret.

Step 4: Run the following command to set the allowedHostHeader parameter to your chosen custom URL

$ oc -n ibm-common-services edit managementingress

Update the following key-value pair:

allowedHostHeader: mcm.cp4mcm.com

Conclusion

The configuration to create your own specific custom URL/host to access the IBM Cloud Pak for Multicloud Management console is now complete. You can now use this URL to access the IBM Cloud Pak for Multicloud Management console: https://mcm.cp4mcm.com
