Renew the analytics CA certificate, and all end-entity certificates that the analytics CA
signs.
About this task
The pods that comprise the analytics subsystem communicate with each other using certificates
that are signed by the analytics CA certificate. If you renew the analytics CA certificate, you must
also renew the analytics end-entity certificates that the analytics CA signs.
For more information about API Connect certificates,
see API Connect TLS certificates.
Procedure
- Run the following command to renew the analytics CA certificate:
  kubectl -n <analytics namespace> get certificate <analytics CA name> -o=jsonpath='{.spec.secretName}' | xargs kubectl -n <analytics namespace> delete secret
  where <analytics CA name> is the name of the analytics CA certificate. On Kubernetes and OpenShift individual subsystem installations, this name is analytics-ca. On Cloud Pak for Integration and OpenShift top-level CR installations, this name is <apic instance name>-a7s-ca.
  Verify that a new <analytics CA name> secret is created:
  kubectl -n <analytics namespace> get secret
  Output should show a new <analytics CA name> secret:
  NAME                  TYPE                DATA   AGE
  ...
  <analytics CA name>   kubernetes.io/tls   4      28s
  Check that the AGE column shows the secret was recently created.
- Renew the end-entity certificates signed by the analytics CA. Run the following command for each certificate:
  kubectl get certificate <analytics certificate> -o=jsonpath='{.spec.secretName}' | xargs kubectl delete secret
  where <analytics certificate> is the name of the end-entity certificate. The analytics end-entity certificates are:
  - analytics-client or a7s-client.
  - analytics-server or a7s-server.
  On Cloud Pak for Integration and OpenShift top-level CR installations, the certificate name is prefixed with <apic instance name>-.
- Restart the analytics pods so that they use the renewed certificates. See Restarting Analytics pods and data collection.
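
The procedure above as one script, added here as an example and not part of the original documentation: it deletes the CA secret first, then each end-entity secret, and after each deletion waits until the replacement secret's creationTimestamp is not older than the start of the run, which extends the AGE check from the first step to every certificate. The namespace default apic, the environment variable names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: renew the analytics CA first, then the end-entity certificates,
# and confirm each secret was re-created after the run started.
NS="${NS:-apic}"                      # assumed placeholder for <analytics namespace>
CA_CERT="${CA_CERT:-analytics-ca}"    # <apic instance name>-a7s-ca on top-level CR installs
EE_CERTS="${EE_CERTS:-analytics-client analytics-server}"

# Name of the secret that backs a certificate (same jsonpath as the procedure).
secret_of() {
  kubectl -n "$NS" get certificate "$1" -o=jsonpath='{.spec.secretName}'
}

# creationTimestamp of a secret; empty while the secret does not exist.
created_at() {
  kubectl -n "$NS" get secret "$1" -o=jsonpath='{.metadata.creationTimestamp}' 2>/dev/null
}

# True when timestamp $1 is not older than $2. Both are UTC in the form
# YYYY-MM-DDTHH:MM:SSZ, so string order equals time order.
is_fresh() {
  [ -n "$1" ] && expr "$1" \>= "$2" >/dev/null
}

# Delete the secret behind certificate $1 and wait until a replacement appears.
renew_one() {
  cert=$1; since=$2
  secret=$(secret_of "$cert") || return 1
  [ -n "$secret" ] || { echo "no secretName for $cert" >&2; return 1; }
  kubectl -n "$NS" delete secret "$secret" || return 1
  tries=0
  while [ "$tries" -lt "${MAX_TRIES:-30}" ]; do
    if is_fresh "$(created_at "$secret")" "$since"; then
      echo "renewed $cert (secret $secret)"; return 0
    fi
    tries=$((tries + 1)); sleep "${POLL_SECONDS:-2}"
  done
  echo "secret $secret was not re-created" >&2; return 1
}

# CA first, then everything it signs; stop at the first failure.
renew_all() {
  since=$(date -u +%Y-%m-%dT%H:%M:%SZ)   # assumes workstation and cluster clocks agree
  for c in "$CA_CERT" $EE_CERTS; do renew_one "$c" "$since" || return 1; done
}

if [ "${1:-}" = "--run" ]; then renew_all; fi
```

Run it with --run after setting NS, CA_CERT and EE_CERTS for your installation; the analytics pods must still be restarted afterwards as described in the last step.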