Providing a custom certificate for Analytics offload

Prepare a private or self-signed certificate for use when offloading data, and then re-install IBM® API Connect Analytics deployment on VMware to apply the certificate.

Before you begin

Install the Analytics subsystem on VMware as explained in Deploying the Analytics subsystem. Analytics must be deployed before you attempt to use the certificate.

When you re-install Analytics after applying the certificate, you can upload the analytics-extra-values.yaml file to include additional configuration options.

Procedure

  1. Use SSH to log into the virtual machine on a server that has kubectl access to the Kubernetes cluster where API Connect Analytics is deployed.
    1. Run the following command to connect as the API Connect administrator.
      ssh ip_address -l apicadm
    2. When prompted, select Yes to continue connecting.
  2. Encode the certificate file in base64.

    You can use either JKS files or text-based files such as PEM files:

    • If you use a JKS file for the certificate, you must encode the file now, before proceeding to the next step.
    • If you use a text-based file such as PEM, then you can choose between encoding the file now or skipping this step and adding the keys to the secret in the next step.
    There are several ways to encode the file. If cat and base64 are available, then you can run the following command to encode the file:
    cat keystore.jks | base64

    Copy the output so that you can paste it into the secret in the next step.

  3. Create a Kubernetes secret to contain the certificate.
    1. Create a YAML file to contain the secret; for example, you can call the file analytics_certs.yaml.

      The secret's name that you specify in the file does not have to match the file name. In this example, the secret's name is offload-certificates. Do not use the underscore character ( _ ) in the secret name.

      Add as many keys as you want, using any field names that you want. For each key, a file based on the corresponding field name is created in the container at /etc/velox/external_certs/offload. For example, if you paste a certificate in the cacert field as shown in the following example, then a file named cacert.pem is stored in the /etc/velox/external_certs/offload location.

      apiVersion: v1
      kind: Secret
      metadata:
        # Change value of name to be whatever you wish secret to be called
        name: offload-certificates
      # Only base64 encoded data should be placed in data section; JKS keys would go here
      data:
        keystore.jks: "output_of_base64_encoded_jks"
      stringData:
        cacert: |-
          -----BEGIN CERTIFICATE-----
          MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEQMA4GA1UE
          ChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
          MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoT
          B0VxdWlmYXgxLTArBgNVBAsTJEVxdWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCB
          nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPR
          fM6fBeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+AcJkVV5MW
          8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kCAwEAAaOCAQkwggEFMHAG
          A1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UE
          CxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoG
          A1UdEAQTMBGBDzIwMTgwODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvS
          spXXR9gjIBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQFMAMB
          Af8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUAA4GBAFjOKer89961
          zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y7qj/WsjTVbJmcVfewCHrPSqnI0kB
          BIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee95
          70+sB3c4
          -----END CERTIFICATE-----
    2. Paste the certificate into the file.

      The method for adding the certificate to the secret depends on whether you encoded the file in the previous step:

      • Base64-encoded file: In the data section of the secret, type a name for the field (you can choose the name). Paste the encoded output from the previous step (enclosed in "") as the value.
      • Plain text file: In the stringData section of the secret, type a name for the key or certificate (you can choose the name), and paste the value.
    3. Save the file.
  4. Apply the Kubernetes secret to the cluster where the Analytics subsystem is deployed.
    Run the following command to update the cluster:
    kubectl apply -f file_name_of_secret.yaml -n namespace
    where:
    • file_name_of_secret.yaml is the secret's file name.
    • namespace is the name of the namespace where Analytics is deployed.
  5. Edit the Analytics CR and add a reference to the secret in the offload section; for example:
       offload:
          enabled: true
          output: |
            kafka {
            ...
            }
          secretName: offload-certificates
  6. If you want to reference the certificate in an offload plugin, configure the plugin now.

    Step 3 of that procedure shows how you can include the certificate information in the plugin.

  7. Install the Analytics subsystem again as explained in Deploying the Analytics subsystem, making sure to upload the analytics-extra-values.yaml file that contains your offload configuration.
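The following script is an added example, not part of the IBM documentation, that carries out steps 2 through 4 above in one place: it base64-encodes a JKS keystore as a single line (the value of a data: field must not contain line breaks, which a plain `base64` run inserts every 76 characters), writes the PEM certificate under stringData: as a block scalar, generates the analytics_certs.yaml manifest, and checks that the encoded keystore decodes back to the original bytes before anything is applied. The secret-name check enforces the page's "no underscore" rule through the general Kubernetes naming rule for Secrets (lowercase DNS subdomain names). The keystore bytes and PEM text in demo() are constructed placeholders, not real key material; the namespace and the KUBECTL_APPLY switch are assumptions for this example, and kubectl is only invoked when that switch is set.

```shell
#!/bin/sh
# Added example (not IBM's code): build and verify the offload-certificates Secret.
# Requires a POSIX sh with base64, tr, sed and cmp; kubectl only when KUBECTL_APPLY=1.
set -eu

# Kubernetes Secret names must be DNS-1123 subdomains: lowercase letters, digits,
# '-' and '.', starting and ending with an alphanumeric. This rejects '_' and
# uppercase, which is why the documentation says not to use underscores.
valid_secret_name() {
  case "$1" in
    ''|*[!a-z0-9.-]*|-*|*-|.*|*.) return 1 ;;
    *) return 0 ;;
  esac
}

# Encode a binary file (the JKS keystore) as one base64 line for the data: section.
b64_one_line() {
  base64 < "$1" | tr -d '\n'
}

# Cheap structural check that the text file really is a PEM certificate.
pem_looks_valid() {
  grep -q '^-----BEGIN CERTIFICATE-----$' "$1" && grep -q '^-----END CERTIFICATE-----$' "$1"
}

# Write the Secret manifest: binary material under data: (base64), text under stringData:.
# Usage: write_secret_manifest NAME OUTFILE JKS_PATH PEM_PATH
write_secret_manifest() {
  name=$1; out=$2; jks=$3; pem=$4
  valid_secret_name "$name" || { echo "invalid secret name: $name" >&2; return 1; }
  pem_looks_valid "$pem" || { echo "not a PEM certificate: $pem" >&2; return 1; }
  {
    printf '%s\n' 'apiVersion: v1' 'kind: Secret' 'metadata:'
    printf '  name: %s\n' "$name"
    printf '%s\n' 'data:'
    printf '  keystore.jks: "%s"\n' "$(b64_one_line "$jks")"
    printf '%s\n' 'stringData:' '  cacert: |-'
    sed 's/^/    /' "$pem"          # indent the PEM body under the block scalar
  } > "$out"
}

# Round-trip check: decode the data: value from the manifest and compare it byte for
# byte with the original keystore, so a truncated or wrapped value is caught early.
verify_manifest() {
  manifest=$1; jks=$2
  encoded=$(sed -n 's/^  keystore\.jks: "\(.*\)"$/\1/p' "$manifest")
  printf '%s' "$encoded" | base64 -d | cmp -s - "$jks"
}

# Demo with constructed inputs (not real key material) so the script runs offline.
demo() {
  tmp=$(mktemp -d)
  printf 'not-a-real-keystore\001\002\377' > "$tmp/keystore.jks"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderNotARealCert' \
    '-----END CERTIFICATE-----' > "$tmp/ca.pem"
  write_secret_manifest offload-certificates "$tmp/analytics_certs.yaml" \
    "$tmp/keystore.jks" "$tmp/ca.pem"
  verify_manifest "$tmp/analytics_certs.yaml" "$tmp/keystore.jks"
  if [ "${KUBECTL_APPLY:-0}" = 1 ]; then
    # ANALYTICS_NAMESPACE is an assumed placeholder for the Analytics namespace.
    kubectl apply -f "$tmp/analytics_certs.yaml" -n "${ANALYTICS_NAMESPACE:-analytics}"
  fi
  echo "$tmp/analytics_certs.yaml"
}
```

Run `demo` to produce a manifest you can inspect before applying; set `KUBECTL_APPLY=1` and `ANALYTICS_NAMESPACE` to apply it in the same run. Keep in mind that base64 is an encoding, not encryption: the generated file contains the keystore and must be handled with the same care as the keystore itself.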