If you want to enable the IBM® Software Hub platform to use your company's CA
certificate to validate certificates from your internal servers, you must create a secret that
contains the CA certificate. Additionally, if your internal servers use an SSL certificate that is
signed using your company's CA certificate, you must create this secret to enable the platform to
connect to the servers.
After you create the secret, the CA certificate is used in the following connections:
- Platform connections
- Connections created in a project
- Connections created in a catalog
- Connections created in DataStage
- Connections created in Data Virtualization
- Connections created in Db2 Big SQL
- Connections to an external instance of IBM OpenPages from AI Factsheets
Before you begin
Best practice: You can run many of the commands in this task exactly as written if you set up
environment variables for your installation. For instructions, see Setting up installation
environment variables. Ensure that you source the environment variables before you run the
commands in this task.
Required permissions
To complete this task, you must have one of the following roles:
- Cluster administrator
- Instance administrator
To complete this task, you must have your own certificate file in PEM format.
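The procedure that follows copies a `.crt` file into the secret under a `.pem` key, and `oc create secret generic` accepts any file content, so a DER-encoded file or one that also holds a private key would be stored as-is. The following added example (not part of IBM's documentation; `check_ca_pem` is a hypothetical helper name, and `base64 -d`, `od` and `awk` are assumed to be available) checks the file's encoding before you create the secret:

```shell
#!/bin/sh
# Added example, not IBM's code. check_ca_pem is a hypothetical helper name.
# Exit codes: 0 ok, 2 unreadable, 3 private key present,
# 4 not PEM or unbalanced blocks, 5 block body is not base64-encoded DER.
check_ca_pem() (
  f=$1
  { [ -f "$f" ] && [ -r "$f" ]; } || { echo "$f: not a readable file" >&2; exit 2; }

  # A CA bundle is public data; key material must never go into the secret.
  if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
    echo "$f: contains a private key; export the certificate only" >&2
    exit 3
  fi

  # A DER-encoded .crt has no PEM armor; the procedure requires PEM.
  begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
  ends=$(grep -c -e '^-----END CERTIFICATE-----' "$f" || true)
  if [ "${begins:-0}" -lt 1 ] || [ "${begins:-0}" -ne "${ends:-0}" ]; then
    echo "$f: no balanced CERTIFICATE blocks (DER-encoded file?)" >&2
    exit 4
  fi

  # Each block body must be valid base64 that decodes to an ASN.1 SEQUENCE
  # (first byte 0x30), which is how every X.509 certificate starts.
  awk '/^-----BEGIN CERTIFICATE-----/ { body = ""; inblock = 1; next }
       /^-----END CERTIFICATE-----/   { print body; inblock = 0; next }
       inblock { gsub(/[ \t\r]/, ""); body = body $0 }' "$f" |
  while IFS= read -r body; do
    first=$(printf '%s' "$body" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
    if ! printf '%s' "$body" | base64 -d >/dev/null 2>&1 || [ "$first" != 30 ]; then
      echo "$f: a CERTIFICATE block is not base64-encoded DER" >&2
      exit 5
    fi
  done || exit 5

  echo "$f: $begins certificate block(s), PEM armor and encoding OK"
)

# Check every file named on the command line before running oc create secret.
for f in "$@"; do check_ca_pem "$f" || exit 1; done
```

This checks encoding only; expiry and whether the certificate is actually a CA still need a look at the output of `openssl x509 -in <file> -noout -text`.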
Procedure
To add a CA certificate to the platform:
- Place the PEM file on your local file system.
- Change to the directory where the files are located.
- Log in to Red Hat® OpenShift® Container Platform as a user with sufficient permissions to
complete the task.
- Set the context to the project where IBM Software Hub is deployed:
oc project ${PROJECT_CPD_INST_OPERANDS}
- Create a secret named connection-ca-certs to store the CA certificate.
Important: The secret must be named connection-ca-certs. If you use a
different name, the platform will not be able to locate the secret.
oc create secret generic connection-ca-certs \
--from-file=<my-cert>.pem=./<my-cert>.crt
If you have more than one CA certificate, you can add multiple --from-file
entries. For example:
oc create secret generic connection-ca-certs \
--from-file=<my-cert>.pem=./<my-cert>.crt \
--from-file=<my-cert2>.pem=./<my-cert2>.crt
Wait for the command to return a message that the secret was created:
secret/connection-ca-certs created
- If the following pods are running on your cluster, restart them so that they can use the
connection-ca-certs secret:
wdp-connect pods
- Run the following command to restart any wdp-connect pods in the project:
for i in `oc get pods | grep wdp-connect- | cut -f1 -d\ `; do oc delete po ${i}; done
If there are any wdp-connect pods in the project, the command should return output with the
following format:
pod "wdp-connect-connector-6f968c97ff-4lcxc" deleted
pod "wdp-connect-connection-77879f485d-f7cfl" deleted
pod "wdp-connect-flight-6b75df645b-ts4rg" deleted
- AI Factsheets
wkc-factsheet-service pods
- Run the following command to restart any wkc-factsheet-service pods in the project:
for i in `oc get pods | grep wkc-factsheet-service | cut -f1 -d\ `; do oc delete po ${i}; done
If there are any wkc-factsheet-service pods in the project, the command should return output
with the following format:
pod "wkc-factsheet-service-5f6685bcbb-g8dx7" deleted
- DataStage
ibm-datastage-px-runtime and ibm-datastage-px-compute pods
- Run the following commands to restart any ibm-datastage-px-runtime and
ibm-datastage-px-compute pods in the project:
oc delete pod -l icpdsupport/module=px-runtime
oc delete pod -l icpdsupport/module=px-compute
If there are any ibm-datastage-px-runtime and ibm-datastage-px-compute pods, the commands
should return output with the following format:
pod "ds-px-default-ibm-datastage-px-runtime-854d4999f9-c9dm4" deleted
pod "ds-px-default-ibm-datastage-px-compute-0" deleted
pod "ds-px-default-ibm-datastage-px-compute-1" deleted
pod "ds-px-default-ibm-datastage-px-compute-2" deleted
The preceding pods are associated with the default DataStage service instance. If you have more
than one DataStage service instance, the command will return additional pods.