Renewing the analytics CA

Renew the analytics CA certificate, and all end-entity certificates that the analytics CA signs.

About this task

The pods that comprise the analytics subsystem communicate with each other using certificates that are signed by the analytics CA certificate. If you renew the analytics CA certificate, you must also renew the analytics end-entity certificates that the analytics CA signs.

For more information about API Connect certificates, see API Connect TLS certificates.

Procedure

  1. Run the following command to renew the analytics CA certificate:
    kubectl -n <analytics namespace> get certificate <analytics CA name> -o=jsonpath='{.spec.secretName}' | xargs kubectl -n <analytics namespace> delete secret
    where <analytics CA name> is the name of the analytics CA certificate. On Kubernetes and OpenShift individual subsystem installations, this name is analytics-ca. On Cloud Pak for Integration and OpenShift top-level CR installations, this name is <apic instance name>-a7s-ca.
    Verify that a new <analytics CA name> secret is created:
    kubectl -n <analytics namespace> get secret
    Output should show a new <analytics CA name> secret:
    NAME                   TYPE                DATA   AGE
    ...
    <analytics CA name>    kubernetes.io/tls   4      28s
    Check that the AGE column shows the secret was recently created.
  2. Renew the end-entity certificates signed by the analytics CA. Run the following command for each certificate:
    kubectl -n <analytics namespace> get certificate <analytics certificate> -o=jsonpath='{.spec.secretName}' | xargs kubectl -n <analytics namespace> delete secret
    where <analytics certificate> is the name of the end-entity certificate. The analytics end-entity certificates are:
    • analytics-client or a7s-client.
    • analytics-server or a7s-server.
    On Cloud Pak for Integration and OpenShift top-level CR installations, the certificate name is prefixed with <apic instance name>-.
  3. Restart the analytics pods so that they use the renewed certificates: Restarting Analytics pods and data collection.
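
One way to confirm, before the restart in step 3, that each reissued end-entity certificate chains to the renewed analytics CA. This is an added example, not part of the product documentation. It assumes kubectl, openssl and base64 are available and that each secret stores its certificate under the standard tls.crt key; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the product documentation): check that the reissued
# analytics end-entity certificates chain to the renewed analytics CA.

# verify_chain CA_PEM LEAF_PEM: succeed only if LEAF was signed by CA's key.
# -partial_chain lets the CA act as trust anchor even if it is not self-signed.
verify_chain() {
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_pem NAMESPACE CERTIFICATE: print the PEM stored under tls.crt in the
# secret that backs the named certificate resource.
cert_pem() {
    secret=$(kubectl -n "$1" get certificate "$2" \
        -o=jsonpath='{.spec.secretName}') || return 1
    kubectl -n "$1" get secret "$secret" \
        -o=jsonpath='{.data.tls\.crt}' | base64 -d
}

# check_renewed NAMESPACE CA_CERTIFICATE END_ENTITY_CERTIFICATE...
# Returns non-zero if any end-entity certificate fails to verify.
check_renewed() {
    ns=$1; ca=$2; shift 2
    tmp=$(mktemp -d) || return 1
    rc=0
    cert_pem "$ns" "$ca" > "$tmp/ca.pem" || rc=1
    for cert in "$@"; do
        cert_pem "$ns" "$cert" > "$tmp/leaf.pem" || rc=1
        if verify_chain "$tmp/ca.pem" "$tmp/leaf.pem"; then
            echo "OK    $cert chains to the current $ca"
        else
            echo "FAIL  $cert does not verify against the current $ca"
            rc=1
        fi
    done
    rm -rf "$tmp"
    return "$rc"
}

# Example: sh check.sh <analytics namespace> analytics-ca analytics-client analytics-server
if [ "$#" -ge 3 ]; then
    check_renewed "$@"
fi
```

A FAIL line means the secret for that certificate has not been reissued yet or still holds a certificate signed by the previous CA key; repeat step 2 for it before restarting the pods.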