Extracting the root CA for external services

To secure the connection to an external service, extract the Cloud Pak foundational services certificate authority (CA) TLS key and certificate and import it into the external service.

About this task

In a namespace-scoped CP4BA deployment, the Identity Management (IM) route cp-console is unified with the Cloud Pak Platform UI (Zen Service) cpd route, which starts with https://cpd-<namespace>.<hostname>. For more information about getting the endpoint secret, see Configuring Cloud Pak foundational services. Then follow the instructions for the specific changes that are related to a service. For more information about the IM service, for example, see hostname and certificate.

Procedure

  1. For external services that use the Zen route, get the full certificate chain.
    Option 1: Using OpenSSL
    1. Run the following command:
      openssl s_client -connect cpd-<namespace>.<hostname>:443 \
      -showcerts < /dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
      > zen-cert-chain.pem

      The certificate chain might contain more than one certificate. To determine which certificate in the chain is the CA certificate (the one whose basicConstraints extension is CA:TRUE), run the following command.

      awk '/-----BEGIN CERTIFICATE-----/{cert++} cert==2' zen-cert-chain.pem | openssl x509 \
      -text -noout | grep -E '(CA:TRUE)'

      Where "cert==2" selects the second certificate in the zen-cert-chain.pem file for inspection. If the command prints nothing, that certificate is not a CA; change the index and check the other certificates in the file.

    2. After you identify the CA certificate, split the combined certificate by running the following command.
      awk '/-----BEGIN CERTIFICATE-----/{cert++} cert==2' zen-cert-chain.pem > zen-ca-cert.pem

      Where "cert==2" is the second certificate that represents the CA.

    Option 2: Using OC CLI
    1. Go to the CP4BA deployment namespace.
      oc project <your project>
    2. Extract the Zen CA by running the following command to get the secret.
      oc get secret iaf-system-automationui-aui-zen-ca -o template \
      --template='{{ index .data "tls.crt" }}' | base64 --decode > zenRootCA.cert
  2. For external services that use a non-Zen route (routes that do not start with "cpd"), get the certificate chain.

    For example, the route for ACCE is https://cpe-<namespace>-<hostname>/acce.

    Using OpenSSL and OC CLI
    1. Determine the host for the non-Zen route that you want to use and retrieve the hostname. For example, if you want to retrieve the CA certificates of the Content Platform Engine (CPE) route, run the following command.
      oc get routes | grep cpe
    2. To get the leaf certificate chain for a non-Zen route, run the following command.
      openssl s_client -connect cpe-<namespace>.<hostname>:443 \
      -showcerts < /dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
      > cpe-cert.pem
    3. To determine which certificate is the CA that signed the leaf certificate, run the following command.
      awk '/-----BEGIN CERTIFICATE-----/{cert++} cert==1' cpe-cert.pem | openssl x509 \
      -text -noout | grep -E '(CA:TRUE)'

      Where "cert==1" is the first certificate in the cpe-cert.pem file that you want to inspect. Check all the certificates in the file.

    4. After you have identified the CA certificate, split the combined certificate by running the following command.
      awk '/-----BEGIN CERTIFICATE-----/{cert++} cert==1' cpe-cert.pem > cpe-ca-cert.pem

      Where "cert==1" is the first certificate that represents the CA.

      Note: If there is no CA certificate in the cpe-cert.pem file, the leaf certificate is signed by the CP4A root CA certificate. Extract the CP4BA root CA by running the following commands. The secret is located by its app.kubernetes.io/component=rootCA label, and its tls.crt entry is decoded into a single output file.
      oc project <your project>
      oc get secret -lapp.kubernetes.io/component=rootCA --no-headers | awk '{print $1}' | xargs oc get secret -o template \
      --template='{{ index .data "tls.crt" }}' | base64 -d > CP4ARootCA.cert

      If you have a custom CA for Content Platform Engine (CPE), the secret that contains the custom CA must be specified in the custom resource parameter ecm_configuration.fncm_auth_ca_secret_name. For more information, see FileNet Content Manager common parameters.

  3. Import these secrets into the external services that need secure communication with your CP4BA deployment.
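The awk steps in the procedure inspect one certificate at a time by index ("cert==2", "cert==1") and ask you to check every certificate by hand. The following script, an added example that is not part of the IBM documentation, automates that check for a whole chain file produced by the openssl s_client command in the procedure; the function names are our own, and it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): generalizes the "cert==N"
# awk step to every certificate in a chain file. It splits the PEM chain into
# one file per certificate and reports which ones carry basicConstraints
# CA:TRUE, so no index has to be guessed by hand.
# Assumes openssl is on PATH and the chain file came from
# "openssl s_client -showcerts" as shown in the procedure.

# split_pem_chain CHAIN.pem PREFIX
# Writes PREFIX-1.pem, PREFIX-2.pem, ... (one certificate each) and prints
# the number of certificates found.
split_pem_chain() {
    chain="$1"; prefix="$2"
    awk -v p="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "-" n ".pem" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }
    ' "$chain"
}

# is_ca_cert CERT.pem
# Returns 0 when the certificate asserts basicConstraints CA:TRUE, 1 otherwise
# (also 1 when the file is not a parseable certificate).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# find_ca_certs CHAIN.pem PREFIX
# Prints the index of every CA certificate in the chain, one per line.
# A chain with no CA certificate prints nothing; that is the case covered by
# the note in step 2, where the leaf was signed by the CP4BA root CA held in
# the rootCA secret instead.
find_ca_certs() {
    count=$(split_pem_chain "$1" "$2")
    i=1
    while [ "$i" -le "$count" ]; do
        if is_ca_cert "$2-$i.pem"; then
            echo "$i"
        fi
        i=$((i + 1))
    done
}
```

Running find_ca_certs zen-cert-chain.pem zen prints, for example, 2, and zen-2.pem is then the file to import into the external service.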