Providing a custom certificate for Analytics offload
Prepare a private or self-signed certificate for offloading data.
Before you begin
Install the Analytics subsystem on VMware as explained in Deploying the Analytics subsystem. Analytics must be deployed before you attempt to use the certificate.
When you re-install Analytics after applying the certificate, you can upload the analytics-extra-values.yaml file to include additional configuration options.
- Base64 encoded PEM file format.
- JKS file.
Procedure
- Login to your analytics VM.
- SSH to your analytics VM, or one of the VMs if you have a three replica deployment.
ssh apicadm@<analytics VM FQDN>
- Switch to root user:
sudo -i
- If you are using a JKS file, create a file to contain your certificate.
echo "<certificate>" > <certificate filename>
- If you are using a JKS file, encode the contents in base64.
cat <certificate filename> | base64
Copy the output so that you can paste it into the secret in the next step.
- Create a Kubernetes secret to contain the certificate.
- Create a file called analytics_certs.yaml.
The method for defining the certificate in the secret depends on whether you are using a PEM file or JKS file.
- JKS file: In the data section of the secret, paste the encoded output from step 2 as shown:
apiVersion: v1
kind: Secret
metadata:
  name: offload-certificates
data:
  keystore.jks: "<encoded JKS string>"
- PEM file: In the stringData section of the secret, type a name for the key or certificate (you can choose the name), and paste the contents of the PEM file.
apiVersion: v1
kind: Secret
metadata:
  name: offload-certificates
stringData:
  cacert.pem: |-
    -----BEGIN CERTIFICATE-----
    MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEQMA4GA1UE
    ChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
    MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoT
    B0VxdWlmYXgxLTArBgNVBAsTJEVxdWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCB
    nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPR
    fM6fBeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+AcJkVV5MW
    8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kCAwEAAaOCAQkwggEFMHAG
    A1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UE
    CxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoG
    A1UdEAQTMBGBDzIwMTgwODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvS
    spXXR9gjIBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQFMAMB
    Af8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUAA4GBAFjOKer89961
    zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y7qj/WsjTVbJmcVfewCHrPSqnI0kB
    BIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee95
    70+sB3c4
    -----END CERTIFICATE-----
You can add multiple certificates, and can set the names to what you want.
Note: Kubernetes, OpenShift, and Cloud Pak for Integration users: For each key included in analytics_certs.yaml, a file based on the corresponding key name is created in the ingestion pod container at /etc/velox/external_certs/offload. The examples here would result in the files keystore.jks and cacert.pem.
- Save the file.
- Optional: Create a password secret.
If you have sensitive data such as a certificate password that must be available in text format, you can store it in another secret.
If your password is not sensitive (such as the JKS default password), then you can supply it directly in the Logstash configuration, and skip this step.
- Create a file called offload_env_var.yaml.
- In the stringData section, set the property jks_password.txt to your password (in plain text):
apiVersion: v1
kind: Secret
metadata:
  name: offload-jks-password
stringData:
  jks_password.txt: <password>
- Run the following command:
kubectl apply -f offload_env_var.yaml -n <namespace>
VMware users can omit the -n <namespace>.
- Apply the secret to the cluster where the analytics subsystem is installed. Run the following command to update the cluster:
kubectl apply -f analytics_certs.yaml -n <namespace>
VMware users can omit the -n <namespace>.
- Add the secret (and password secret if you created one) to the offload section in your analytics-extra-values.yaml file.
- Edit the analytics-extra-values.yaml file, and add the secrets:
offload:
  enabled: true
  output: |
    kafka {
      ...
    }
  secretName: offload-certificates
  passwordSecretName: offload-jks-password
- Ensure that your extra-values-file property is set to point to your analytics-extra-values.yaml file:
apicup subsys set <analytics subsystem> extra-values-file analytics-extra-values.yaml
- Apply the analytics-extra-values.yaml to your analytics subsystem:
apicup subsys install <analytics subsystem>
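The encode-and-paste steps above (base64 for a JKS keystore under data, raw PEM text under stringData) are easy to get wrong by hand, most often because GNU base64 wraps its output every 76 characters and a wrapped value pasted into a quoted YAML scalar no longer decodes. The script below is an added example, not part of the product documentation or of API Connect itself: it generates the offload-certificates Secret manifest from one or more certificate files, using the file's base name as the Secret key (which is also the file name that appears under /etc/velox/external_certs/offload). The sample files it creates at the end are constructed placeholders, not real certificates or keystores.

```sh
#!/bin/sh
# Build the offload-certificates Secret manifest from certificate files.
# A JKS keystore is binary, so it goes under `data` base64-encoded on one
# line; a PEM file is text and goes under `stringData` verbatim.
set -eu

# Emit the manifest entry for one file. The Secret key is the file's base
# name, so the same name is created in the ingestion pod container.
secret_entry() {
  key=$(basename "$1")
  case "$key" in
    *.jks)
      # tr strips the newlines GNU base64 inserts every 76 characters; a
      # wrapped value inside a quoted YAML scalar is folded with spaces and
      # then fails to decode on the cluster.
      printf '  %s: "%s"\n' "$key" "$(base64 < "$1" | tr -d '\n')" ;;
    *.pem)
      printf '  %s: |-\n' "$key"
      sed 's/^/    /' "$1" ;;      # indent PEM lines under the block scalar
    *)
      echo "unsupported certificate format: $key" >&2; return 1 ;;
  esac
}

# Print "<header>:" followed by the entries for files ending in <suffix>;
# prints nothing when no file matches, so no empty section is emitted.
emit_section() {
  header=$1; suffix=$2; shift 2; printed=0
  for f in "$@"; do
    case "$f" in
      *"$suffix")
        if [ "$printed" = 0 ]; then echo "$header:"; printed=1; fi
        secret_entry "$f" ;;
    esac
  done
}

# usage: build_secret_manifest <secret name> <certificate file>...
build_secret_manifest() {
  name=$1; shift
  for f in "$@"; do   # reject unsupported files before printing anything
    case "$f" in *.jks|*.pem) ;; *) secret_entry "$f" || return 1 ;; esac
  done
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
  emit_section data .jks "$@"
  emit_section stringData .pem "$@"
}

# Demo with constructed placeholder files (not real credentials).
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$demo_dir/cacert.pem"
printf 'not-a-real-keystore' > "$demo_dir/keystore.jks"
build_secret_manifest offload-certificates "$demo_dir/keystore.jks" "$demo_dir/cacert.pem"
rm -r "$demo_dir"
```

Redirect the output to analytics_certs.yaml and apply it with kubectl exactly as in the procedure; a PEM-only or JKS-only run produces only the section it needs.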