Extracting the root CA for external services
About this task
For more information about getting the endpoint secret of the foundational services, see Configuring Cloud Pak foundational services.
Procedure
- For external services that use the IM route (cp-console), get the full certificate chain.
  Option 1: Using OpenSSL
  - The cp-console route is signed with the default OpenShift CA certificate. To get the full certificate chain, run the following command.
      openssl s_client -connect cp-console-<namespace>.<hostname>:443 \
        -showcerts < /dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > cp-cert-chain.pem
    The certificate chain might contain more than one certificate. To determine which certificate is the CA certificate, run the following command.
      awk '/-----BEGIN CERTIFICATE-----/{cert++} cert==2' cp-cert-chain.pem | openssl x509 \
        -text -noout | grep -E '(CA:TRUE)'
    Where "cert==2" is the second certificate in the cp-cert-chain.pem file that you want to inspect. Check all the certificates in the file by repeating the command with a different number.
  - After you identify the CA certificate, split the combined certificate by running the following command.
      awk '/-----BEGIN CERTIFICATE-----/{cert++} cert==2' cp-cert-chain.pem > cp-ca-cert.pem
    Where "cert==2" is the second certificate, which represents the CA.
  Option 2: Using the OC CLI
  - Go to the CP4BA deployment namespace.
      oc project <your project>
  - Extract the OpenShift ingress certificates by running the following command to get the secret.
      oc get cm -n openshift-config-managed default-ingress-cert -o template \
        --template='{{ index .data "ca-bundle.crt"}}' > cp-cert-chain.pem
  - The certificate chain might contain more than one certificate. To determine which certificate is the CA that signed the leaf certificate, run the following command.
      awk '/-----BEGIN CERTIFICATE-----/{cert++} cert==2' cp-cert-chain.pem | openssl x509 \
        -text -noout | grep -E '(CA:TRUE)'
    Where "cert==2" is the second certificate in the cp-cert-chain.pem file that you want to inspect. Check all the certificates in the file by repeating the command with a different number.
  - After you identify the CA certificate, split the combined certificate by running the following command.
      awk '/-----BEGIN CERTIFICATE-----/{cert++} cert==2' cp-cert-chain.pem > cp-ca-cert.pem
    Where "cert==2" is the second certificate, which represents the CA.
- For external services that use the Zen route (https://cpd-<namespace>-<hostname>/zen), get the certificate chain.
  Option 1: Using OpenSSL
  - To get the full certificate chain for the Zen route, run the following command.
      openssl s_client -connect cpd-<namespace>.<hostname>:443 \
        -showcerts < /dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > zen-cert-chain.pem
  - The certificate chain might contain more than one certificate. To determine which certificate is the CA, run the following command.
      awk '/-----BEGIN CERTIFICATE-----/{cert++} cert==2' zen-cert-chain.pem | openssl x509 \
        -text -noout | grep -E '(CA:TRUE)'
    Where "cert==2" is the second certificate in the zen-cert-chain.pem file that you want to inspect. Check all the certificates in the file by repeating the command with a different number.
  - After you identify the CA certificate, split the combined certificate by running the following command.
      awk '/-----BEGIN CERTIFICATE-----/{cert++} cert==2' zen-cert-chain.pem > zen-ca-cert.pem
    Where "cert==2" is the second certificate, which represents the CA.
  Option 2: Using the OC CLI
  - Go to the CP4BA deployment namespace.
      oc project <your project>
  - Extract the Zen CA by running the following command to get the secret.
      oc get secret iaf-system-automationui-aui-zen-ca -o template \
        --template='{{ index .data "tls.crt" }}' | base64 --decode > zenRootCA.cert
- For external services that use neither a Zen nor an IM route (routes that do not start with cpd or cp-console), get the certificate chain. For example, the route for ACCE is https://cpe-<namespace>-<hostname>/acce.
  Using OpenSSL and the OC CLI
  - Determine the host for the non-Zen route that you want to use and retrieve the hostname. For example, if you want to retrieve the CA certificates of the Content Platform Engine (CPE) route, run the following command.
      oc get routes | grep cpe
  - To get the leaf certificate chain for a non-Zen route, run the following command.
      openssl s_client -connect cpe-<namespace>.<hostname>:443 \
        -showcerts < /dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > cpe-cert.pem
  - To determine which certificate is the CA that signed the leaf certificate, run the following command.
      awk '/-----BEGIN CERTIFICATE-----/{cert++} cert==1' cpe-cert.pem | openssl x509 \
        -text -noout | grep -E '(CA:TRUE)'
    Where "cert==1" is the first certificate in the cpe-cert.pem file that you want to inspect. Check all the certificates in the file by repeating the command with a different number.
  - After you identify the CA certificate, split the combined certificate by running the following command.
      awk '/-----BEGIN CERTIFICATE-----/{cert++} cert==1' cpe-cert.pem > cpe-ca-cert.pem
    Where "cert==1" is the first certificate, which represents the CA.
    Note: If there is no CA certificate in the cpe-cert.pem file, the leaf certificate is signed by the CP4A CA root certificate. Extract the CP4BA root CA by running the following commands.
      oc project <your project>
      oc get secret -lapp.kubernetes.io/component=rootCA --no-headers | awk '{print $1}' | xargs oc get secret -o template \
        --template='{{ index .data "tls.crt" }}' | base64 -d > CP4ARootCA.cert
    If you have a custom CA for Content Platform Engine (CPE), the secret that contains the custom CA must be specified in the custom resource parameter ecm_configuration.fncm_auth_ca_secret_name. For more information, see FileNet Content Manager common parameters.
- Import these secrets into the external services that need secure communication with your CP4BA deployment.
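The CA-identification step in each section above hard-codes cert==1 or cert==2 and asks you to check every certificate by hand. The following POSIX shell script, added here as an example and not part of the IBM documentation, walks every certificate in a chain saved with openssl s_client -showcerts, picks the one whose basicConstraints says CA:TRUE and whose subject matches the leaf certificate's issuer, and exits non-zero when the chain contains no such CA (the case the Note describes, where the root CA must be read from the rootCA secret instead). The function names are my own.

```shell
#!/bin/sh
# Example added to this page (not IBM's code): loop over every certificate in a
# chain saved with `openssl s_client -showcerts`, instead of hard-coding cert==N.
# Needs only sh, awk, sed, grep and the openssl CLI. Function names are my own.

# count_certs CHAIN -> number of PEM certificates in the file (0 on an empty file)
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# nth_cert CHAIN N -> prints the Nth certificate (1-based); same awk idiom as the page
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{cert++} cert==n' "$1"
}

# is_ca PEM -> exit status 0 when basicConstraints carries CA:TRUE
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# subject_of / issuer_of PEM -> DN with the "subject=" / "issuer=" prefix removed
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }

# extract_ca CHAIN OUT -> copies the CA that signed the leaf (certificate 1) to OUT
# and returns 0. Returns 1 when no such CA is in the chain (the page's Note: the
# leaf was signed by the CP4BA root CA, which must be read from its secret instead).
extract_ca() {
    chain=$1; out=$2
    total=$(count_certs "$chain")
    [ "$total" -ge 1 ] || { echo "no certificates found in $chain" >&2; return 1; }
    leaf=$(mktemp); nth_cert "$chain" 1 > "$leaf"
    want=$(issuer_of "$leaf")          # the DN the signing CA must carry as subject
    rm -f "$leaf"
    i=1
    while [ "$i" -le "$total" ]; do
        cand=$(mktemp); nth_cert "$chain" "$i" > "$cand"
        if is_ca "$cand" && [ "$(subject_of "$cand")" = "$want" ]; then
            mv "$cand" "$out"
            echo "certificate $i of $total is the CA that signed the leaf: $want"
            return 0
        fi
        rm -f "$cand"
        i=$((i + 1))
    done
    echo "no CA matching the leaf issuer '$want' among $total certificates" >&2
    return 1
}
```

Run it as `extract_ca cpe-cert.pem cpe-ca-cert.pem`; a non-zero exit tells you to fall back to the rootCA secret rather than importing an empty file.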