Configuring TLS encryption with a custom certificate on IBM Cloud Private

The proxy requires a public certificate and private key pair to be supplied through a Kubernetes secret called {{ .Release.Name }}-proxy-tls-secret. If you want to use a custom certificate, for example, one signed by your own public key infrastructure Certificate Authority (CA), create your own proxy secret, containing the public certificate and private key pair, before deployment. To enable a successful Transport Layer Security (TLS) handshake, import the CA signer certificate into the keystore of any client application as a trusted source.

Note: If you deployed IBM® Netcool® Operations Insight® on IBM Cloud® Private V3.2.1, configure TLS encryption with the default certificate. For more information, see Configuring TLS encryption with the default certificate on IBM Cloud Private.

Before deploying Operations Management on IBM Cloud Private, you can create your own certificate key pair and create the proxy TLS secret by completing the following steps:

Follow this procedure when the public certificate and private key have already been created and signed by an external CA. When you create the certificate, ensure that the subject Common Name (CN) field matches the following format:

proxy.{{ .Release.Name }}.{{global.cluster.fqdn}}
Where {{ .Release.Name }} is the name of the Helm release and {{global.cluster.fqdn}} is the fully qualified domain name (FQDN) of the cluster's master node. For more information about the FQDN, see Master node.
  1. Set the global.tls.certificate.useExistingSecret global property in the Helm chart so that the chart uses the secret that you create in the next step instead of generating its own certificate.
  2. Create the proxy TLS secret by running the following command:
    kubectl create secret tls {{ .Release.Name }}-proxy-tls-secret --cert=certificate.pem --key=key.pem [--namespace namespace]
    Where:
    • {{ .Release.Name }} is the unique name that is assigned to the deployment, for example, noi.
    • certificate.pem is the signed certificate returned by the CA.
    • key.pem is the private key corresponding to the signed certificate.
  3. To establish a successful TLS connection, import the public certificate of the CA that signed the certificate used in step 2 into the client's keystore as a trusted signer. Complete the following steps:
    1. If necessary, create the keystore using one of the following commands:
      $NCHOME/bin/nc_ikeyman
      or
      $NCHOME/bin/nc_gskcmd -keydb -create -db "$NCHOME/etc/security/keys/omni.kdb" -pw password -stash -expire 366
      For more information about creating a keystore, see https://www.ibm.com/support/knowledgecenter/en/SSSHTQ_8.1.0/com.ibm.netcool_OMNIbus.doc_8.1.0/omnibus/wip/install/task/omn_con_ssl_creatingkeydbase.html.
    2. Import a privacy enhanced mail (PEM) encoded signer certificate by running one of the following commands:
      $NCHOME/bin/nc_ikeyman
      or
      $NCHOME/bin/nc_gskcmd -cert -add -file mycert.pem -db $NCHOME/etc/security/keys/omni.kdb -stashed
      For more information about adding certificates from CAs, see https://www.ibm.com/support/knowledgecenter/en/SSSHTQ_8.1.0/com.ibm.netcool_OMNIbus.doc_8.1.0/omnibus/wip/install/task/omn_con_ssl_addingcerts.html.
  4. Note: To successfully complete the TLS handshake and establish a secure TLS connection, the ObjectServer address that is specified in the client's omni.dat file must exactly match the certificate subject Common Name (CN) value; a hostname mismatch causes the client to reject the certificate. Manually created certificates must have a subject CN value in the following format:
    proxy.{{ .Release.Name }}.{{global.cluster.fqdn}}
    Edit the client's omni.dat file to configure a Secure Sockets Layer (SSL) connection. Add the ssl keyword to each ObjectServer entry, and specify the proxy address and port number, as displayed in the following example:
    [AGG_P]
    {
    Primary: proxy.{{ .Release.Name }}.{{global.cluster.fqdn}} ssl 3XXXX
    }
    [AGG_B]
    {
    Primary: proxy.{{ .Release.Name }}.{{global.cluster.fqdn}} ssl 3XXXX
    }
    
    For more information, see Identifying the proxy listening port.
  5. Run the following command to generate the interfaces file:
    $NCHOME/bin/nco_igen
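The following pre-flight script is an added example and is not part of the IBM documentation or the Netcool Operations Insight chart. Before creating the secret in step 2 it checks, with openssl, that the certificate's subject CN has the proxy.<release>.<cluster FQDN> form, that the private key belongs to the certificate, and that the CA certificate you will import into the client keystore actually verifies it; it then renders the secret with a kubectl client-side dry run and prints the matching omni.dat entries for step 4. The names RELEASE, CLUSTER_FQDN, PROXY_PORT, ca.pem and the function names are assumptions for this example; certificate.pem and key.pem are the files named in step 2.

```shell
#!/bin/sh
# Added example (not from the IBM page): pre-flight checks for the proxy TLS secret.
# Assumed inputs: RELEASE (Helm release name), CLUSTER_FQDN (master node FQDN),
# PROXY_PORT (proxy listening port), certificate.pem, key.pem and ca.pem in the
# working directory. Requires openssl; kubectl only for the final dry run.

# Subject CN the proxy certificate must carry: proxy.<release>.<cluster fqdn>
expected_cn() {
    printf 'proxy.%s.%s\n' "$1" "$2"
}

# Pull the CN out of an "openssl x509 -subject -nameopt RFC2253" line, e.g.
#   subject=CN=proxy.noi.master.example.com,O=Example
cn_from_subject() {
    sed -n 's/^subject=//; s/.*CN=\([^,]*\).*/\1/p'
}

# Returns 0 if the certificate's CN equals the expected value, 1 otherwise.
check_cert_cn() {   # $1=cert file  $2=release  $3=cluster fqdn
    actual=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | cn_from_subject)
    want=$(expected_cn "$2" "$3")
    if [ "$actual" = "$want" ]; then
        echo "OK   CN=$actual"
    else
        echo "FAIL CN is '$actual', expected '$want'" >&2
        return 1
    fi
}

# Returns 0 if the private key matches the certificate (same public key), 1 otherwise.
check_key_matches_cert() {   # $1=cert file  $2=key file
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   key matches certificate"
    else
        echo "FAIL key does not match certificate" >&2
        return 1
    fi
}

# Returns 0 if the CA certificate (the signer you import into omni.kdb) verifies the cert.
check_chain() {   # $1=cert file  $2=CA file
    openssl verify -CAfile "$2" "$1" >/dev/null && echo "OK   $1 chains to $2"
}

# omni.dat entries for a client: the address must be exactly the certificate CN.
gen_omni_dat() {   # $1=release  $2=cluster fqdn  $3=proxy port
    host=$(expected_cn "$1" "$2")
    for name in AGG_P AGG_B; do
        printf '[%s]\n{\n\tPrimary: %s ssl %s\n}\n' "$name" "$host" "$3"
    done
}

RELEASE=${RELEASE:-noi}
CLUSTER_FQDN=${CLUSTER_FQDN:-master.example.com}
PROXY_PORT=${PROXY_PORT:-31234}   # assumed value; use the port from "Identifying the proxy listening port"

# The file-based checks only run when the inputs and tools are actually present.
if [ -f certificate.pem ] && [ -f key.pem ] && command -v openssl >/dev/null 2>&1; then
    check_cert_cn certificate.pem "$RELEASE" "$CLUSTER_FQDN"
    check_key_matches_cert certificate.pem key.pem
    [ -f ca.pem ] && check_chain certificate.pem ca.pem
    # Render the secret locally first; drop --dry-run=client -o yaml to create it for real.
    if command -v kubectl >/dev/null 2>&1; then
        kubectl create secret tls "${RELEASE}-proxy-tls-secret" \
            --cert=certificate.pem --key=key.pem --dry-run=client -o yaml
    fi
else
    echo "certificate.pem/key.pem or openssl not found; skipping file checks" >&2
fi

# omni.dat stanza to paste into the client before running nco_igen.
gen_omni_dat "$RELEASE" "$CLUSTER_FQDN" "$PROXY_PORT"
```

Run it in the directory that holds the PEM files, for example RELEASE=noi CLUSTER_FQDN=master.example.com sh check-proxy-tls.sh; a FAIL from the CN check means the handshake in step 4 will be refused by the client even though the secret itself is accepted by Kubernetes, so fix the certificate before deploying rather than after.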
For more information, see Preparing secrets for TLS encryption.