List of intra-subsystem certificates

A summary of certificates used for communications within subsystems in an API Connect deployment.

Note: On Cloud Pak for Integration and OpenShift top-level CR deployments, some certificate names are contracted and prefixed with the APIConnectCluster instance name. For example, the certificate management-ca is called <apic instance name>-mgmt-ca.

Table 1 presents a list of certificates used for communications between pods in the same subsystem. The certificates are managed by cert-manager. For details of all the API Connect certificates, see API Connect certificates.

Table 1. Intra-subsystem certificates

Certificate name: management-ca or mgmt-ca
Issuer: selfsigning-issuer
Description: The issuer for the management subsystem's intra-subsystem certificates: the management-client, management-server, postgres, and nats certificates. Communication between management subsystem pods fails if there is a problem with this certificate.
This certificate is also used as the CA for REST API calls to the management subsystem from the other subsystems when in-cluster communication is used. See In-cluster service communication between subsystems.

Certificate name: management-client or mgmt-client
Issuer: management-ca
Description: Client certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate.

Certificate name: management-server or mgmt-server
Issuer: management-ca
Description: Server certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate.
Required DNS names in the certificate:
  *.<namespace>
  *.<namespace>.svc
  *.<instance name>-server.<namespace>.svc
  <instance name>-server

Certificate names: db-client-apicuser, db-client-pgbouncer, db-client-postgres, db-client-primaryuser, postgres, postgres-pgbouncer, postgres-operator
Issuer: management-ca
Description: Intra-subsystem certificates for the management database subsystem.

Certificate name: natscluster-mgmt
Issuer: management-ca
Description: Intra-subsystem certificate for the nats pods.

Certificate name: db-client-replicator
Issuer: management-ca
Description: 2DCDR deployments only. Client certificate used by the <management_CR>-tunnel pod to connect to the other data center's <management_CR>-tunnel pod.

Certificate name: analytics-ca or a7s-ca
Issuer: selfsigning-issuer
Description: The issuer for the analytics-client and analytics-server certificates. Communication between analytics subsystem pods fails if there is a problem with this certificate.
If this certificate is updated, restart the storage and ingestion pods for the update to take effect.

Certificate name: analytics-client or a7s-client
Issuer: analytics-ca
Description: Client certificate used in communication between analytics subsystem pods. Communication between analytics subsystem pods fails if there is a problem with this certificate.
If this certificate is updated, restart the storage and ingestion pods for the update to take effect.

Certificate name: analytics-server or a7s-server
Issuer: analytics-ca
Description: Server certificate used in communication between analytics subsystem pods. Communication between analytics subsystem pods fails if there is a problem with this certificate.
Required DNS names in the certificate:
  *.<namespace>
  *.<namespace>.svc
  *.<instance name>-server.<namespace>.svc
  <instance name>-server
  <instance name>-storage
If this certificate is updated, restart the storage and ingestion pods for the update to take effect.

Certificate name: portal-ca or ptl-ca
Issuer: selfsigning-issuer
Description: The issuer for the portal-client and portal-server certificates. Communication between portal subsystem pods fails if there is a problem with this certificate.
V10.0.5.3 and previous releases: If this certificate is updated, then all portal pods must be manually restarted. In later releases, the restart is automatic.

Certificate name: portal-client or ptl-client
Issuer: portal-ca
Description: Client certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate.
V10.0.5.3 and previous releases: If this certificate is updated, then all portal pods must be manually restarted. In later releases, the restart is automatic.

Certificate name: portal-server or ptl-server
Issuer: portal-ca
Description: Server certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate.
Required DNS names in the certificate:
  *.<namespace>
  *.<namespace>.svc
  *.<instance name>-server.<namespace>.svc
  <instance name>-server
  *.<instance name>-<site name>-db-all.<namespace>.svc
  *.<instance name>-<site name>-www-all.<namespace>.svc
  *.<instance name>-<site name>-db-all.<namespace>.svc.cluster.local
  *.<instance name>-<site name>-www-all.<namespace>.svc.cluster.local
  *.<namespace>.svc.cluster.local
  <instance name>-db
  <remote portal CR name>-db (2DCDR deployments only)
<instance name> and <remote portal CR name> are truncated if more than 15 characters.
V10.0.5.3 and previous releases: If this certificate is updated, then all portal pods must be manually restarted. In later releases, the restart is automatic.
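The "Required DNS names" lists above are templates; a certificate that cert-manager issued from a mis-edited Certificate resource can silently lack one of them, and the symptom is the pod-to-pod TLS failure the table describes. The following is an added example, not code from the API Connect documentation or product: it expands the management, analytics and portal server templates for a given instance name, namespace and site, then reports which names a certificate's subjectAltName entries fail to cover. The subsystem names, the sample instance and namespace values, and the SAN lists are constructed for the example; the page says names over 15 characters are truncated but not how, so truncation to the first 15 characters is an assumption made here.

```python
"""Expand API Connect intra-subsystem server-certificate DNS-name templates and
check a certificate's SAN list against them (added example, not product code)."""

from typing import List, Optional

# Names shared by the management, analytics and portal server certificates (Table 1).
SERVER_NAME_TEMPLATES = [
    "*.{ns}",
    "*.{ns}.svc",
    "*.{inst}-server.{ns}.svc",
    "{inst}-server",
]


def truncate_name(name: str, limit: int = 15) -> str:
    """ASSUMPTION: the page states that portal instance and remote CR names longer
    than 15 characters are truncated, but not the rule; keep the first 15 here."""
    return name[:limit]


def required_dns_names(subsystem: str, instance: str, namespace: str,
                       site: Optional[str] = None,
                       remote_portal: Optional[str] = None) -> List[str]:
    """Return the DNS names the subsystem's server certificate must carry."""
    inst = truncate_name(instance) if subsystem == "portal" else instance
    names = [t.format(inst=inst, ns=namespace) for t in SERVER_NAME_TEMPLATES]
    if subsystem == "management":
        return names
    if subsystem == "analytics":
        return names + [f"{inst}-storage"]
    if subsystem == "portal":
        if site is None:
            raise ValueError("portal certificates require the site name")
        for suffix in ("svc", "svc.cluster.local"):
            for svc in ("db-all", "www-all"):
                names.append(f"*.{inst}-{site}-{svc}.{namespace}.{suffix}")
        names.append(f"*.{namespace}.svc.cluster.local")
        names.append(f"{inst}-db")
        if remote_portal:  # 2DCDR deployments only
            names.append(f"{truncate_name(remote_portal)}-db")
        return names
    raise ValueError(f"unknown subsystem: {subsystem}")


def san_covers(san: str, name: str) -> bool:
    """True if one subjectAltName dNSName entry covers a required name.

    A required wildcard must appear verbatim; a literal required name is
    covered by an identical entry or by a wildcard that matches exactly one
    leading label (the usual single-label wildcard rule)."""
    san, name = san.lower(), name.lower()
    if san == name:
        return True
    if name.startswith("*.") or not san.startswith("*."):
        return False
    label, sep, rest = name.partition(".")
    return sep == "." and label != "" and rest == san[2:]


def missing_names(sans: List[str], required: List[str]) -> List[str]:
    """Required names that no SAN entry covers, in template order."""
    return [n for n in required if not any(san_covers(s, n) for s in sans)]


if __name__ == "__main__":
    # Constructed sample: a management-server certificate whose SAN list was
    # issued without the bare service name.
    required = required_dns_names("management", "apic", "apic-ns")
    issued_sans = ["*.apic-ns", "*.apic-ns.svc", "*.apic-server.apic-ns.svc"]
    for name in missing_names(issued_sans, required):
        print(f"missing SAN: {name}")
```

Feed `missing_names` the dNSName entries from the issued certificate (for example, parsed out of the secret that cert-manager writes) and compare against the template for the subsystem; an empty result means every required name is present.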