Providing a custom certificate for Analytics offload

Prepare a private or self-signed certificate for offloading data.

Before you begin

Install the Analytics subsystem on VMware as explained in Deploying the Analytics subsystem. Analytics must be deployed before you attempt to use the certificate.

The certificate is picked up when you re-install Analytics with an analytics-extra-values.yaml file that references the secret; that file can also carry any additional configuration options you need.

You must have the certificate in one of these formats:
  • Base64-encoded PEM file.
  • JKS keystore file.

Procedure

  1. Log in to your analytics VM.
    1. SSH to your analytics VM, or to one of the VMs if you have a three-replica deployment:
      ssh apicadm@<analytics VM FQDN>
    2. Switch to the root user:
      sudo -i
    3. If you are using a JKS file, copy the keystore to the VM so that you can encode it in the next step, for example from your workstation:
      scp <certificate filename> apicadm@<analytics VM FQDN>:
      A JKS keystore is a binary file: do not try to recreate it on the VM by pasting its contents with echo, because that corrupts it.
  2. If you are using a JKS file, encode the contents in base64 as a single line:
    base64 -w 0 <certificate filename>

    The -w 0 option disables the default 76-column line wrapping; embedded newlines would break the quoted value in the secret. Copy the output so that you can paste it into the secret in the next step.

  3. Create a Kubernetes secret to contain the certificate.
    1. Create a file called analytics_certs.yaml.

      The method for defining the certificate in the secret depends on whether you are using a PEM file or JKS file.

      • JKS file: In the data section of the secret, paste the encoded output from step 2 as shown:
        apiVersion: v1
        kind: Secret
        metadata:
          name: offload-certificates
        data:
          keystore.jks: "<encoded JKS string>"
        
      • PEM file: In the stringData section of the secret, type a name for the key or certificate (you can choose the name), and paste the contents of the PEM file.
        apiVersion: v1
        kind: Secret
        metadata:
          name: offload-certificates
        stringData:
          cacert.pem: |-
            -----BEGIN CERTIFICATE-----
            MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEQMA4GA1UE
            ChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
            MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoT
            B0VxdWlmYXgxLTArBgNVBAsTJEVxdWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCB
            nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPR
            fM6fBeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+AcJkVV5MW
            8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kCAwEAAaOCAQkwggEFMHAG
            A1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UE
            CxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoG
            A1UdEAQTMBGBDzIwMTgwODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvS
            spXXR9gjIBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQFMAMB
            Af8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUAA4GBAFjOKer89961
            zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y7qj/WsjTVbJmcVfewCHrPSqnI0kB
            BIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee95
            70+sB3c4
            -----END CERTIFICATE-----
      You can add multiple entries and choose their key names.
      Note: Kubernetes, OpenShift, and Cloud Pak for Integration users: for each key included in analytics_certs.yaml, a file named after the key is created in the ingestion pod container under /etc/velox/external_certs/offload. The examples here result in the files keystore.jks and cacert.pem.
    2. Save the file.
  4. Optional: Create a password secret.

    If you have sensitive data such as a certificate password that must be available in text format, you can store it in another secret.

    If your password is not sensitive (such as the JKS default password), then you can supply it directly in the Logstash configuration, and skip this step.

    1. Create a file called offload_env_var.yaml.
    2. In the stringData section, set the property jks_password.txt to your password (in plain text):
      apiVersion: v1
      kind: Secret
      metadata:
        name: offload-jks-password
      stringData:
        jks_password.txt: <password>
    3. Run the following command:
      kubectl apply -f offload_env_var.yaml -n <namespace>
      VMware users can omit the -n <namespace>.
  5. Apply the secret to the cluster where the analytics subsystem is installed.
    Run the following command to update the cluster:
    kubectl apply -f analytics_certs.yaml -n <namespace>
    VMware users can omit the -n <namespace>.
  6. Add the secret (and the password secret, if you created one) to the offload section of your analytics-extra-values.yaml file.
    1. Edit the analytics-extra-values.yaml file, and add the secrets:
      offload:
        enabled: true
        output: |
          kafka {
          ...
          }
        secretName: offload-certificates
        passwordSecretName: offload-jks-password
    2. Ensure that your extra-values-file property is set to point to your analytics-extra-values.yaml file:
      apicup subsys set <analytics subsystem> extra-values-file analytics-extra-values.yaml
    3. Apply the analytics-extra-values.yaml to your analytics subsystem:
      apicup subsys install <analytics subsystem>