List of ingress certificates

A summary of certificates that are used for communications between subsystems and clients in an API Connect deployment.

Note: On Cloud Pak for Integration, and OpenShift top-level CR deployments, some certificate names are contracted and prefixed with the APIConnectCluster instance name. For example, the certificate managment-ca is called <apic instance name>-mgmt-ca.

User-facing certificates

Table 1 presents a list of user-facing certificates. The corresponding secrets use the same names. If you customized your certificates, the certificates in Table 1 use the custom-certs-external.yaml template.
Table 1. User-facing certificates
Certificate name Issuer Description
api-endpoint or mgmt-platform-api ingress-issuer Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI.
consumer-endpoint or mgmt-consumer-api ingress-issuer Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI.
apim-endpoint or mgmt-api-manager ingress-issuer API Manager UI server certificate.
cm-endpoint or mgmt-admin ingress-issuer Cloud Manager UI server certificate.
portal-web ingress-issuer

The server certificate used on the portalUIEndpoint. It is the server certificate that is presented to portal site users, and which their browser authenticates. If there is a problem with this certificate, then users see an error message about an invalid or insecure certificate in their browser when they access a portal site.

The default portal-web certificate is issued by the ingress-issuer, which has a self-signed root certificate. Portal users might see a browser warning about use of a self-signed certificate.
hub-endpoint ingress-issuer Used by the Automated API behavior testing application. User-facing server certificate for the hub-endpoint. If there is a problem with this certificate, then the user's browser shows a warning or error message.
turnstile-endpoint ingress-issuer Used by the Automated API behavior testing application. User-facing server certificate for the turnstile-endpoint. If there is a problem with this certificate, then the user's browser shows a warning or error message.

Inter-subsystem certificates

Table 2 lists all of the common subsystem communication certificates. The corresponding secrets use the same names. If you have customized your certificates, the certificates in Table 2 use the custom-certs-external.yaml template.

Table 2. Inter-subsystem certificates
Certificate name Issuer Description
-ingress-ca selfsigning-issuer The CA and issuer of all API Connect inter-subsystem and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are inaccessible and unable to sync with each other.

Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal.

The ingress-ca certificate is also stored in the management subsystem database. It is visible from the Cloud Manager UI, in the truststores of the analytics, gateway, event gateway, and portal default TLS client profiles. When the management subsystem apim pod is restarted the certificate is reloaded into the database from the Kubernetes ingress-ca certificate. Do not attempt to update this certificate from the Cloud Manager UI.

In 2DCDR deployments, and when you have subsystems in different namespaces, it is necessary to manually copy the ingress-ca certificate from the management subsystem to the other subsystems. Steps are provided in the 2DCDR and multi-namespace install sections of this documentation.

If this certificate is updated, and you have a portal deployed, then restart the portal-www pods for the update to take effect.
analytics-ingestion-client or a7s-ing-client ingress-issuer Client certificate used for communication with the analytics subsystem on the ingestion endpoint. This certificate must have:
  • The same CA as the server certificate analytics-ai-endpoint on the analytics subsystem.
  • The common name must match the spec.clientSubjectDN in the analytics CR:
    kubectl describe cert analytics-admin-client

Spec:
  Common Name:  a7s-ing-client
    kubectl get a7s -o yaml

  spec:
    clientSubjectDN: CN=a7s-ing-client

For a two data center disaster recovery deployment, both data centers must have an identical subject name. For example, both data centers subject name could be CN=a7s-ingestion-client, or they could both be CN=a7s-ingestion-client, O=cert-manager, but they must be identical.

To update this certificate, use kubectl. Restart the apim, taskmanager, and analytics-proxy pods after the update. This certificate is also used by the gateways for sending API events to the analytics subsystem. The updated certificate is sent by the management subsystem to the gateways, it is not necessary to restart any gateway pods.
portal-admin-client or ptl-adm-client ingress-issuer Client certificate used for communication with the portal subsystem on the portalAdminEndpoint. This certificate must have:
  • The same CA as the server certificate portal-admin or ptl-director on the portal subsystem.
  • The common name must match the spec.adminClientSubjectDN in the portal CR:
    kubectl describe cert portal-admin-client

Spec:
  Common Name:  ptl-adm-client
    kubectl get ptl -o yaml

  spec:
    adminClientSubjectDN: CN=ptl-adm-client
For a two data center disaster recovery deployment, both data centers must have an identical subject name. For example, both data centers subject name could be CN=portal-admin-client, or they could both be CN=ptl-adm-client, O=cert-manager, but they must be identical.
gateway-client-client or gw-dr-client ingress-issuer Client certificate for communications with the gateway service. Restart the apim, and taskmanager pods after update. This certificate must have the same CA as the gwv6-manager-endpoint or gw-gateway-manager certificate on the gateway.
api-endpoint or mgmt-platform-api ingress-issuer Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI.
consumer-endpoint or mgmt-consumer-api ingress-issuer Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI.
apim-endpoint or mgmt-api-manager ingress-issuer API Manager UI server certificate.
cm-endpoint or mgmt-admin ingress-issuer Cloud Manager UI server certificate.
mgmt-replication-client ingress-issuer 2DCDR deployments only. Client certificate used in the warm-standby data center's <remote-sitename>-postgres pod to connect to the active data center.
mgmt-replication-server ingress-issuer 2DCDR deployments only. Server certificate used in the active data center's <management_CR>-tunnel pod.

This certificate must contain the DNS Subject Alternative Name of this data center's hostname and must be valid for the spec.multiSiteHA.replicationEndpoint defined in the management CR.
hub-endpoint ingress-issuer Used by the Automated API behavior testing application. User-facing server certificate for the hub-endpoint. If there is a problem with this certificate, then the user's browser shows a warning or error message.
turnstile-endpoint ingress-issuer Used by the Automated API behavior testing application. User-facing server certificate for the turnstile-endpoint. If there is a problem with this certificate, then the user's browser shows a warning or error message.
analytics-ai-endpoint or a7s-ai-endpoint ingress-issuer

Server certificate used on the analytics ingestion endpoint, in the mtls-gw pod. Management and gateway subsystems communicate with the analytics subsystem on this endpoint. The client certificates that are used by the management and gateway subsystems must use the same CA certificate as the analytics-ai-endpoint certificate.
portal-admin or ptl-director ingress-issuer

Server certificate used on the portalAdminEndpoint. The management subsystem communicates with the portal subsystem on this endpoint. The corresponding client certificate used in the management to portal communication is the portal-admin-client certificate.

This certificate must have the same CA as the portal-admin-client certificate on the management subsystem.
portal-web ingress-issuer

The server certificate used on the portalUIEndpoint. It is the server certificate that is presented to portal site users, and which their browser authenticates. If there is a problem with this certificate, then users see an error message about an invalid or insecure certificate in their browser when they access a portal site.

The default portal-web certificate is issued by the ingress-issuer, which has a self-signed root certificate. Portal users might see a browser warning about use of a self-signed certificate.
ptl-replication-client ingress-issuer 2DCDR deployments only. Client certificate that is used in the warm-standby data center's <remote-sitename>-www and <remote-sitename>-db pods to connect to the active data center.
ptl-replication-server ingress-issuer 2DCDR deployments only. Server certificate used in the active data center's <portal_CR>-tunnel pod, the counterpart to the ptl-replication-client certificate.

This certificate must contain the DNS Subject Alternative Name of this data center's hostname and must be valid for the spec.multiSiteHA.replicationEndpoint defined in the portal CR.
gateway-peering or gw-peer ingress-issuer

This certificate secures the communication between gateways in your gateway cluster.
gwv6-endpoint or gw-gateway ingress-issuer Legacy certificate that is not used.
gwv6-manager-endpoint or gw-gateway-manager ingress-issuer The gatewayManager endpoint certificate. This is the server certificate on the gateway director endpoint, which the management subsystem communicates with.

This certificate must be signed by the same CA as the gateway-client-client certificate on management subsystem
event-gateway-management-client ingress-issuer The event-gateway-management-client certificate exists only on Cloud Pak for Integration deployments.