API Connect TLS certificates
Details of all Kubernetes TLS certificate objects that are created and used in a default installation of API Connect.
Overview
TLS is used to secure communications between API Connect pods, subsystems, external services, and users. The TLS certificates that are used by API Connect are created automatically during the installation of API Connect. The certificates are managed by an open source product called cert-manager.
The certificates that are described in this topic all exist as Kubernetes certificate objects in
the API Connect namespace
where the subsystem that uses the certificate is installed. Run kubectl get certs -n
<namespace>
to see the certificates in your environment. Some of the API Connect Kubernetes
certificates are also stored in the management subsystem database. These certificates can be seen in
the Cloud
Manager UI, in the truststores
and keystores of the subsystem default TLS profiles. When the management subsystem
apim
pod is restarted, the certificates in the management database are reloaded
from the Kubernetes certificates.
The certificates that are created and used by API Connect are categorized as follows:
- CA certificates - API Connect creates self-signed CA certificates
to sign all the API Connect
end-entity certificates. The CA certificates are:
ingress-ca
- used by the ingress-issuer. The ingress-ca signs all user-facing and inter-subsystem certificates.management-ca
- signs all the management intra-subsystem certificates.portal-ca
- signs all the portal intra-subsystem certificates.analytics-ca
- signs all the analytics intra-subsystem certificates.
- Ingress certificates - API Connect creates a self-signed
issuer that is called the ingress-issuer. Ingress certificates are the API Connect certificates that are
issued by the ingress-issuer. Ingress certificates are divided into two types:
- Inter-subsystem certificates - certificates that are used for communication between API Connect subsystems, for example between the management subsystem and gateway. By default, communication between most subsystems uses mTLS. From v10.0.5.3, it is possible to use JWT instead of mTLS: Using JWT instead of mTLS on Kubernetes and OpenShift, Using JWT instead of mTLS on OVA.
- User-facing certificates - certificates that API Connect users see when they interact with the API Connect UIs and REST API.
- Intra-subsystem certificates - certificates that are used between pods in the same subsystem.
Intra-subsystem certificates are signed by a subsystem specific CA certificate:
management-ca
,portal-ca
,analytics-ca
. The gateway subsystem is a single pod, and has no intra-subsystem certificates.
On OVA deployments, certificate management is done with the apicup
command, see
API Connect TLS certificate best practices. Do not login to your VMs by ssh
and attempt to modify certificates directly, unless advised by IBM.
APIConnectCluster
instance name. For example, the certificate
managment-ca
is called <apic instance
name>-mgmt-ca
.Customizing certificates
It is possible to customize certificates with ones from your own organization. However it is recommended to customize only the user-facing certificates, which are the certificates that your users see when they access the API Connect UIs, CLI, and the REST API.
Renewing certificates
For most of the certificates, when they are renewed, the pods that use those certificates are automatically restarted so that they pick up the updated certificate. The minority of certificates that require manual pod restarts after renewal are identified in the reference tables.
ingress-ca
in the specified namespace:
kubectl get secrets -n <namespace> -o custom-columns='NAME:.metadata.name,ISSUER:.metadata.annotations.cert-manager\.io/issuer-name' --no-headers=true | grep ingress-issuer | awk '{ print $1 }' | xargs kubectl delete secret -n <namespace>
ingress-ca
30 days before it expires. The automatic renewal of
ingress-ca
does not trigger the renewal of the end-entity certificates that are
signed by ingress-ca
. When ingress-ca
is automatically renewed,
you must manually renew all end-entity certificates.Reference tables
The tables show all the API Connect certificates that are created in all possible deployment configurations.
management-ca or mgmt-ca
.Certificate name | Issuer | Description |
---|---|---|
-ingress-ca |
selfsigning-issuer |
The CA and issuer of all API Connect inter-subsystem and user-facing certificates. If there
is a problem with this certificate, then all API Connect subsystems are inaccessible and unable to
sync with each other. Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal. The ingress-ca
certificate is also stored in the management subsystem database. It is visible from the Cloud
Manager UI, in the truststores of the
analytics, gateway, event gateway, and portal default TLS client profiles. When the management
subsystem In 2DCDR deployments, and when you have subsystems in different namespaces, it is necessary to manually copy the ingress-ca certificate from the management subsystem to the other subsystems. Steps are provided in the 2DCDR and multi-namespace install sections of this documentation. If this certificate is updated, and you have a portal
deployed, then restart the |
management-ca or mgmt-ca |
selfsigning-issuer |
The issuer for the management subsystems intra-subsystem certificates:
management-client, management-server, postgres, and nats certificates. Communication between
management subsystem pods fails if there is a problem with this certificate. This certificate is
also used as the CA for REST API calls to the management subsystem from the other subsystems, when
using |
management-client or mgmt-client |
management-ca |
Client certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate. |
management-server or mgmt-server |
management-ca |
Server certificate used in communication between management subsystem
pods. Communication between management subsystem pods fails if there is a problem with this
certificate. Required DNS names in the certificate:
|
analytics-client-client or a7s-cl-client |
ingress-issuer |
Legacy certificate from pre-v10.0.5 releases. Not used for anything and safe to delete. In
v10.0.5, communication with the analytics subsystem uses the
analytics-ingestion-client certificate. |
analytics-ingestion-client or a7s-ing-client |
ingress-issuer |
Client certificate used for communication with the analytics subsystem on the ingestion
endpoint. This certificate must have:
For a two data center disaster recovery
deployment, both data centers must have an identical subject name. For example, both data centers
subject name could be To
update this certificate, use kubectl. Restart the This certificate is loaded by the management subsystem into the
|
portal-admin-client or ptl-adm-client |
ingress-issuer |
Client certificate used for communication with the portal subsystem on the
portalAdminEndpoint . This certificate must have:
For a two data center disaster recovery deployment,
both data centers must have an identical subject name. For example, both data centers subject name
could be This certificate is loaded by the management subsystem into the |
gateway-client-client or gw-dr-client |
ingress-issuer |
Client certificate for communications with the gateway service. Restart the This certificate is loaded by the management subsystem into the |
api-endpoint or mgmt-platform-api |
ingress-issuer |
Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI. |
consumer-endpoint or mgmt-consumer-api |
ingress-issuer |
Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI. |
consumer-catalog |
ingress-issuer |
Consumer catalog endpoint server certificate. |
apim-endpoint or mgmt-api-manager |
ingress-issuer |
API Manager UI server certificate. |
cm-endpoint or mgmt-admin |
ingress-issuer |
Cloud Manager UI server certificate. |
db-client-apicuser |
management-ca |
Intra-subsystem certificate for the management database subsystem. |
db-client-postgres |
management-ca |
Intra-subsystem certificate for the management database subsystem. |
postgres |
management-ca |
Intra-subsystem certificate for the management database subsystem. |
natscluster-mgmt |
management-ca |
Intra-subsystem certificate for the nats
pods. |
mgmt-replication-client |
ingress-issuer |
2DCDR deployments
only. Client certificate used in the warm-standby data center's
<remote-sitename>-postgres pod to connect to the active data
center. |
mgmt-replication-server |
ingress-issuer |
2DCDR deployments
only. Server certificate used in the active data center's <management_CR>-tunnel
pod.This certificate must contain the DNS Subject Alternative Name of this data center's hostname
and must be valid for the |
hub-endpoint |
ingress-issuer |
Used by the Automated API behavior testing
application. User-facing server certificate for the hub-endpoint . If there is a
problem with this certificate, then the user's browser shows a warning or error message. |
Certificate name | Issuer | Description |
---|---|---|
analytics-ai-endpoint or a7s-ai-endpoint |
ingress-issuer |
Server certificate used on the analytics ingestion endpoint, in the If this certificate is updated, restart the |
analytics-ca or a7s-ca |
selfsigning-issuer |
The issuer for the analytics-client and
analytics-server certificates. Communication between analytics subsystem pods fails
if there is a problem with this certificate.If you update this certificate, you must then update
the
analytics-client and analytics-server server certificates, and
then ensure that the following pods are restarted:
|
analytics-client or a7s-client |
analytics-ca |
Client certificate used in communication between analytics subsystem
pods. Communication between analytics subsystem pods fails if there is a problem with this
certificate. If this certificate is updated, then the |
analytics-server or a7s-server |
analytics-ca |
Server certificate used in communication between analytics subsystem
pods. Communication between analytics subsystem pods fails if there is a problem with this
certificate. Required DNS names in the certificate:
If this certificate is updated, then the
|
Certificate name | Issuer | Description |
---|---|---|
portal-ca or ptl-ca |
selfsigning-issuer |
The issuer for the portal-client and portal-server certificates. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods. |
portal-client or ptl-client |
portal-ca |
Client certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods. |
portal-server or ptl-server |
portal-ca |
Server certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. Required DNS names in the certificate:
<instance name>
and <remote portal CR name> are truncated if more than 15 characters.This certificate is used by all portal pods. |
portal-admin or ptl-director or portal-director |
ingress-issuer |
Server certificate used on the This certificate must have the same CA as the This certificate is used by the |
portal-web |
ingress-issuer |
The server certificate used on the The default This certificate is used by the |
ptl-replication-client |
ingress-issuer |
2DCDR deployments only.
Client certificate that is used in the warm-standby data center's
This certificate is used by all the portal pods related to 2DCDR replication:
|
ptl-replication-server |
ingress-issuer |
2DCDR deployments only.
Server certificate used in the active data center's This certificate must contain the DNS Subject Alternative Name of this data center's hostname and
must be valid for the This certificate is used by all the portal pods related to 2DCDR replication:
|
Certificate name | Issuer | Description |
---|---|---|
gateway-peering or gw-peer |
ingress-issuer |
This certificate secures the communication between gateways in your gateway cluster. If you update this certificate, then restart your gateway pods. See Changing the secret for gateway peering. |
gateway-service or gw-svc |
ingress-issuer |
Legacy certificate that is not used. |
gwv6-endpoint or gw-gateway |
ingress-issuer |
Legacy certificate that is not used. |
gwv6-manager-endpoint or gw-gateway-manager |
ingress-issuer |
The This certificate must be signed by the same CA as the If you update this certificate, then all gateway pods are restarted automatically. |
Certificate name | Issuer | Description |
---|---|---|
event-gateway-management-client |
ingress-issuer |
The event-gateway-management-client certificate exists only on Cloud Pak for Integration deployments. |