API Connect supports custom certificates for each subsystem, and for internal communications.

Note: The API invocation certificate that callers to the published APIs on your gateways see is configured in the Cloud Manager UI when you register your gateway services. For more information about API invocation certificates, see Registering a gateway service and TLS profiles overview.
Table 1. Certificates for the Management subsystem

| Certificate | Type | Notes |
|---|---|---|
| analytics-ingestion-client | Common Subsystem Communication | Must be signed by the same CA as the analytics-ai-endpoint certificate of the Analytics subsystem. For a two data center deployment, both data centers must have an identical subject name. For example, both data centers' subject name could be CN=a7s-ingestion-client, or they could both be CN=a7s-ingestion-client, O=cert-manager, but they must be identical. |
| portal-admin-client | Common Subsystem Communication | Must be signed by the same CA as the portal-admin certificate of the Portal subsystem. For a two data center deployment, both data centers must have an identical subject name. For example, both data centers' subject name could be CN=portal-admin-client, or they could both be CN=ptl-adm-client, O=cert-manager, but they must be identical. |
| gateway-client-client | Common Subsystem Communication | Must be signed by the same CA as gwv5-management-endpoint and/or gwv6-management-endpoint of the Gateway subsystem. |
| cm-endpoint | External Frontend/Ingress | |
| apim-endpoint | External Frontend/Ingress | |
| api-endpoint | External Frontend/Ingress | |
| consumer-endpoint | External Frontend/Ingress | |
| hub-endpoint | External Frontend/Ingress | |
| turnstile-endpoint | External Frontend/Ingress | |
Note: To generate the certificates for the Automated testing behavior endpoints (hub-endpoint and turnstile-endpoint), add the following statements to custom-certs-external.yaml:

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: hub-endpoint
  labels: {
    app.kubernetes.io/instance: "management",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "hub-endpoint"
  }
spec:
  commonName: hub-endpoint
  secretName: hub-endpoint
  dnsNames:
  - hub.example.com
  issuerRef:
    name: ingress-issuer
  usages:
  - "server auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 720h # 30 days
  privateKey:
    rotationPolicy: Always
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: turnstile-endpoint
  labels: {
    app.kubernetes.io/instance: "management",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "turnstile-endpoint"
  }
spec:
  commonName: turnstile-endpoint
  secretName: turnstile-endpoint
  dnsNames:
  - turnstile.example.com
  issuerRef:
    name: ingress-issuer
  usages:
  - "server auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 720h # 30 days
  privateKey:
    rotationPolicy: Always
```
Table 2. Certificates for the Analytics subsystem

| Certificate | Type | Notes |
|---|---|---|
| analytics-ai-endpoint | External Frontend/Ingress | Must be signed by the same CA as the analytics-ingestion-client certificate of the Management subsystem. |
Table 3. Certificates for the Gateway subsystem

| Certificate | Type | Notes |
|---|---|---|
| gwv5-endpoint | External Frontend/Ingress | |
| gwv5-management-endpoint | External Frontend/Ingress | Must be signed by the same CA as the gateway-client-client certificate of the Management subsystem. |
| gwv6-endpoint | External Frontend/Ingress | |
| gwv6-management-endpoint | External Frontend/Ingress | Must be signed by the same CA as the gateway-client-client certificate of the Management subsystem. |
Table 4. Certificates for the Portal subsystem

| Certificate | Type | Notes |
|---|---|---|
| portal-admin | External Frontend/Ingress | Must be signed by the same CA as the portal-admin-client certificate of the Management subsystem. |
| portal-web | External Frontend/Ingress | |
Table 5. Internal certificates

| Certificate | Type (CA/Server/Client) | Subsystem | Notes |
|---|---|---|---|
| caCertificate | CA | Management, Analytics, Portal | |
| clientCertificate | Client | Management, Analytics, Portal | |
| serverCertificate | Server | Management, Analytics, Portal | Portal: the DNS names listed below this table are required. |
| dbServerCertificate | Server | Management | |
| pgBouncerServerCertificate | Server | Management | |
| PGOTLSCertificate | Server | Management | |
| NATSTLSCertificate | Server | Management | |
| dbClientPostgres | Client | Management | |
| dbClientReplicator | Client | Management | |
| dbClientPgbouncer | Client | Management | |
| dbClientApicuser | Client | Management | |
| dbClientPrimaryuser | Client | Management | |

DNS names required in the Portal serverCertificate:

- *.<namespace>
- *.<namespace>.svc
- *.<instance name>-server.<namespace>.svc
- <instance name>-server
- *.<instance name>-<site name>-db-all.<namespace>.svc
- *.<instance name>-<site name>-www-all.<namespace>.svc
- *.<instance name>-<site name>-db-all.<namespace>.svc.cluster.local
- *.<instance name>-<site name>-www-all.<namespace>.svc.cluster.local
- *.<namespace>.svc.cluster.local
- <instance name>-db
Several certificates, as noted in the tables above, must be signed by the same CA as another certificate: for example, portal-admin-client and portal-admin. This means that if the portal-admin-client certificate is customized, then the portal-admin certificate must also be customized and signed by the same CA as portal-admin-client. To ensure that pairs of certificates like these are signed by the same CA, the Issuer for each certificate in the pair must be the same.
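The following script is an added example, not part of the API Connect documentation or product: it encodes the same-CA pairings from the tables above and the two data center subject rule, and checks a set of cert-manager Certificate manifests (already loaded as Python dicts) for pairs that use different Issuers, pairs where only one side has been customized, and client certificates whose subject differs between data centers. It assumes all certificates are in one namespace, so an issuerRef with the same kind and name refers to the same Issuer; the `cert()` helper and the sample manifests it builds are constructed for the example.

```python
# Same-CA pairs from the tables: (Management-side client cert, the server
# cert it authenticates to). gateway-client-client pairs with v5 and/or v6.
SAME_CA_PAIRS = [
    ("analytics-ingestion-client", "analytics-ai-endpoint"),
    ("portal-admin-client", "portal-admin"),
    ("gateway-client-client", "gwv5-management-endpoint"),
    ("gateway-client-client", "gwv6-management-endpoint"),
]
# Client certs whose subject must be identical in a two data center deployment.
TWO_DC_IDENTICAL_SUBJECT = ["analytics-ingestion-client", "portal-admin-client"]

def issuer_of(cert):
    """(kind, name) of the issuerRef; assumes all certs live in one namespace."""
    ref = cert["spec"]["issuerRef"]
    return ref.get("kind", "Issuer"), ref["name"]

def subject_of(cert):
    """Comparable subject: commonName plus any subject.organizations."""
    spec = cert["spec"]
    return spec.get("commonName"), tuple(spec.get("subject", {}).get("organizations", []))

def check_pairing(certs):
    """Return problems for a dict of certificate name -> Certificate manifest."""
    problems = []
    for client, server in SAME_CA_PAIRS:
        if client in certs and server in certs:
            if issuer_of(certs[client]) != issuer_of(certs[server]):
                problems.append(f"{client} and {server} use different issuers")
        elif server in certs:  # customizing one half of a pair breaks mutual trust
            problems.append(f"{server} is customized but its peer {client} is not")
    for client in dict.fromkeys(c for c, _ in SAME_CA_PAIRS):
        servers = [s for c, s in SAME_CA_PAIRS if c == client]
        if client in certs and not any(s in certs for s in servers):
            problems.append(f"{client} is customized but none of {', '.join(servers)} is")
    return problems

def check_two_dc(dc_a, dc_b):
    """Return client certs whose subject differs between two data centers."""
    return [f"{n}: subject differs between data centers" for n in TWO_DC_IDENTICAL_SUBJECT
            if n in dc_a and n in dc_b and subject_of(dc_a[n]) != subject_of(dc_b[n])]

def cert(name, issuer, cn=None, orgs=()):
    """Constructed minimal Certificate manifest in the shape shown on this page (hypothetical helper)."""
    spec = {"commonName": cn or name, "secretName": name, "issuerRef": {"name": issuer}}
    if orgs:
        spec["subject"] = {"organizations": list(orgs)}
    return {"apiVersion": "cert-manager.io/v1alpha2", "kind": "Certificate",
            "metadata": {"name": name}, "spec": spec}
```

Run it over the manifests from custom-certs-external.yaml of each data center before applying them; an empty result from both checks means the pairing and subject rules above are satisfied.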