If you want to enable the IBM Cloud Pak® for Data platform to use your company's CA
certificate to validate certificates from your internal servers, you must create a secret that
contains the CA certificate. Additionally, if your internal servers use an SSL certificate that is
signed using your company's CA certificate, you must create this secret to enable the platform to
connect to the servers.
After you create the secret, the CA certificate is used in the following connections:
- Platform connections
- Connections created in a project
- Connections created in a catalog
- Connections created in Watson™ Query
- Connections created in Db2® Big SQL
- Connections to an external instance of IBM® OpenPages® from AI Factsheets
- Connections created in Analytics Engine powered by Apache Spark
- Connections created in DataStage®
Before you begin
Best practice: You can run many of the commands in this task exactly as written if you set up environment variables for your installation. For instructions, see Setting up installation environment variables. Ensure that you source the environment variables before you run the commands in this task.
- Required permissions
  - To complete this task, you must have one of the following roles:
    - Cluster administrator
    - Instance administrator
- To complete this task, you must have your own certificate file in PEM format.
Procedure
To add a CA certificate to the platform:
- Place the PEM file on your local file system.
- Change to the directory where the files are located.
- Log in to Red Hat® OpenShift® Container Platform as a
user with sufficient permissions to complete the task.
- Set the context to the project where Cloud Pak for Data is deployed:
oc project ${PROJECT_CPD_INST_OPERANDS}
- Create a secret named connection-ca-certs to store the CA certificate.
Important: The secret must be named connection-ca-certs. If you use a different name, the platform will not be able to locate the secret.
oc create secret generic connection-ca-certs \
--from-file=<my-cert>.pem=./<my-cert>.crt
If you have more than one CA certificate, you can add multiple --from-file
entries. For example:
oc create secret generic connection-ca-certs \
--from-file=<my-cert>.pem=./<my-cert>.crt \
--from-file=<my-cert2>.pem=./<my-cert2>.crt
Wait for the command to return a message that the secret was created:
secret/connection-ca-certs created
- If the following pods are running on your cluster, restart them so that they can use the connection-ca-certs secret:
wdp-connect pods
- Run the following command to restart any wdp-connect pods in the project:
for i in `oc get pods | grep wdp-connect- | cut -f1 -d ' '`; do oc delete po ${i}; done
If there are any wdp-connect pods in the project, the command should return output with the following format:
pod "wdp-connect-connector-6f968c97ff-4lcxc" deleted
pod "wdp-connect-connection-77879f485d-f7cfl" deleted
pod "wdp-connect-flight-6b75df645b-ts4rg" deleted
wkc-factsheet-service pods
- Run the following command to restart any wkc-factsheet-service pods in the project:
for i in `oc get pods | grep wkc-factsheet-service | cut -f1 -d ' '`; do oc delete po ${i}; done
If there are any wkc-factsheet-service pods in the project, the command should return output with the following format:
pod "wkc-factsheet-service-5f6685bcbb-g8dx7" deleted
spark-hb-create-trust-store pods
- Run the following command to restart any spark-hb-create-trust-store pods in the project:
for i in `oc get pods | grep spark-hb-create-trust-store | cut -f1 -d ' '`; do oc delete po ${i}; done
If there are any spark-hb-create-trust-store pods in the project, the command should return output with the following format:
pod "spark-hb-create-trust-store-58fc95f9cf-946m8" deleted
px-runtime pods
- Run the following commands to restart any DataStage px-runtime pods in the project:
oc delete pods -l icpdsupport/module=px-runtime
oc delete pods -l icpdsupport/module=px-compute
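As an added example (not part of the IBM documentation), the following script wraps the secret creation above: it checks that each file actually contains a PEM certificate block before it is stored, builds the --from-file arguments in the <my-cert>.pem=./<my-cert>.crt form, applies the secret so the command can be re-run when a certificate is added, and reads the stored certificates back to show their subject and expiry. The function names are the example's own; it assumes oc is logged in and PROJECT_CPD_INST_OPERANDS is set as described under Before you begin.

```shell
#!/usr/bin/env bash
# Added example, not from the IBM documentation. Creates or updates the
# connection-ca-certs secret from PEM files, refusing files with no certificate
# block, and reads the stored certificates back to show subject and expiry.
# Assumes oc is logged in and PROJECT_CPD_INST_OPERANDS is set (see above).
set -u

# Print the number of PEM certificate blocks in the file; return 1 if none.
pem_cert_count() {
  [ -r "$1" ] || { echo 0; return 1; }
  n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
  echo "$n"
  [ "$n" -gt 0 ]
}

# Print one --from-file argument per file. The secret key is the file name
# with a .pem suffix, matching <my-cert>.pem=./<my-cert>.crt above.
build_from_file_args() {
  for f in "$@"; do
    printf '%s%s.pem=%s\n' '--from-file=' "$(basename "${f%.*}")" "$f"
  done
}

# Build the secret with a client-side dry run and apply it, so re-running
# after adding a certificate replaces the secret instead of failing with
# "already exists". The plain "oc create secret" above is fine for a first run.
create_connection_ca_secret() {
  for f in "$@"; do
    pem_cert_count "$f" >/dev/null || { echo "no certificate in: $f" >&2; return 1; }
  done
  count=$#
  for f in "$@"; do set -- "$@" "$(build_from_file_args "$f")"; done
  shift "$count"   # positional parameters are now only the --from-file arguments
  oc -n "${PROJECT_CPD_INST_OPERANDS}" create secret generic connection-ca-certs \
      "$@" --dry-run=client -o yaml \
    | oc -n "${PROJECT_CPD_INST_OPERANDS}" apply -f -
}

# Decode each stored certificate and show subject and expiry (first block
# only when a key holds a chain), so an expired or wrong CA is caught early.
verify_connection_ca_secret() {
  oc -n "${PROJECT_CPD_INST_OPERANDS}" get secret connection-ca-certs \
      -o go-template='{{range $k, $v := .data}}{{$k}} {{$v}}{{"\n"}}{{end}}' \
  | while read -r key b64; do
      printf '%s: ' "$key"
      printf '%s' "$b64" | base64 -d | openssl x509 -noout -subject -enddate | tr '\n' ' '
      echo
    done
}
```

Run as `create_connection_ca_secret ./<my-cert>.crt ./<my-cert2>.crt` followed by `verify_connection_ca_secret`, then restart the pods listed above.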