API Connect TLS certificates

Details of all Kubernetes TLS certificate objects that are created and used in a default installation of API Connect.

Overview

TLS is used to secure communications between API Connect pods, subsystems, external services, and users. The TLS certificates that are used by API Connect are created automatically during the installation of API Connect. The certificates are managed by an open source product called cert-manager.

The certificates that are described in this topic all exist as Kubernetes certificate objects in the API Connect namespace where the subsystem that uses the certificate is installed. Run kubectl get certs -n <namespace> to see the certificates in your environment. Some of the API Connect Kubernetes certificates are also stored in the management subsystem database. These certificates can be seen in the Cloud Manager UI, in the truststores and keystores of the subsystem default TLS profiles. When the management subsystem apim pod is restarted, the certificates in the management database are reloaded from the Kubernetes certificates.

Note: The API invocation certificate that callers to the published APIs on your gateways see is configured in the Cloud Manager UI when you register your gateway services. For more information about API invocation certificates, see Registering a gateway service and TLS profiles overview.

The certificates that are created and used by API Connect are categorized as follows:

  • CA certificates - API Connect creates self-signed CA certificates to sign all the API Connect end-entity certificates. The CA certificates are:
    • ingress-ca - used by the ingress-issuer. The ingress-ca signs all user-facing and inter-subsystem certificates.
    • management-ca - signs all the management intra-subsystem certificates.
    • portal-ca - signs all the portal intra-subsystem certificates.
    • analytics-ca - signs all the analytics intra-subsystem certificates.
    CA certificates have a default duration of 10 years. All the end-entity certificates have a default duration of 2 years.
  • Ingress certificates - API Connect creates a self-signed issuer that is called the ingress-issuer. Ingress certificates are the API Connect certificates that are issued by the ingress-issuer. Ingress certificates are divided into two types:
    • Inter-subsystem certificates - certificates that are used for communication between API Connect subsystems, for example between the management subsystem and gateway. By default, communication between most subsystems uses mTLS. From v10.0.5.3, it is possible to use JWT instead of mTLS: Using JWT instead of mTLS on Kubernetes and OpenShift, Using JWT instead of mTLS on OVA.
    • User-facing certificates - certificates that API Connect users see when they interact with the API Connect UIs and REST API.
  • Intra-subsystem certificates - certificates that are used between pods in the same subsystem. Intra-subsystem certificates are signed by a subsystem specific CA certificate: management-ca, portal-ca, analytics-ca. The gateway subsystem is a single pod, and has no intra-subsystem certificates.

On OVA deployments, certificate management is done with the apicup command, see API Connect TLS certificate best practices. Do not login to your VMs by ssh and attempt to modify certificates directly, unless advised by IBM.

Note: On Cloud Pak for Integration, and OpenShift top-level CR deployments, some certificate names are contracted and prefixed with the APIConnectCluster instance name. For example, the certificate managment-ca is called <apic instance name>-mgmt-ca.

Customizing certificates

It is possible to customize certificates with ones from your own organization. However it is recommended to customize only the user-facing certificates, which are the certificates that your users see when they access the API Connect UIs, CLI, and the REST API.

All other certificates are used internally between API Connect microservices.
Note: The inter and intra-subsystem certificates use of a self-signed root CA presents no security risk. For internal communications with a limited number of predefined endpoints, use of locally generated self-signed CA certificates can be more secure than external CA certificates, as certificates are only ever issued for the known components and the domain of trust is kept as small as possible.

Renewing certificates

Cert-manager handles the renewal of expired certificates so that the user does not need to monitor or manually renew any of the certificates. However, there are scenarios where the renewal of certificates must be triggered manually. Every API Connect certificate has a corresponding Kubernetes secret object of the same name, deleting this secret triggers cert-manager to re-create the secret with a new TLS certificate. For more information about certificate renewal, see Renewing TLS certificates.
Remember: The Kubernetes certificate objects do not contain the TLS certificates themselves, they are pointers to Kubernetes secrets that contain the TLS certificate. See Key Concepts: Cert-manager, Issuers, and Secrets.

For most of the certificates, when they are renewed, the pods that use those certificates are automatically restarted so that they pick up the updated certificate. The minority of certificates that require manual pod restarts after renewal are identified in the reference tables.

If you renew a CA certificate, any end-entity certificates that use this CA certificate must also be renewed. The following command identifies and renews all certificates that are signed by ingress-ca in the specified namespace:
kubectl get secrets -n <namespace> -o custom-columns='NAME:.metadata.name,ISSUER:.metadata.annotations.cert-manager\.io/issuer-name' --no-headers=true | grep ingress-issuer | awk '{ print $1 }' | xargs kubectl delete secret -n <namespace>
Warning: Cert-manager automatically renews the ingress-ca 30 days before it expires. The automatic renewal of ingress-ca does not trigger the renewal of the end-entity certificates that are signed by ingress-ca. When ingress-ca is automatically renewed, you must manually renew all end-entity certificates.

Reference tables

The tables show all the API Connect certificates that are created in all possible deployment configurations.

Each table corresponds to a subsystem, and shows the certificates that are used by that subsystem.
Note: On Cloud Pak for Integration or top-level CR deployments, some of the certificates have a shortened name. Where two names for a certificate are shown in the tables, the second name is the name that is used on Cloud Pak for Integration or top-level CR deployments. For example, management-ca or mgmt-ca.
Table 1. Management certificates
Certificate name Issuer Description
-ingress-ca selfsigning-issuer The CA and issuer of all API Connect inter-subsystem and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are inaccessible and unable to sync with each other.

Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal.

The ingress-ca certificate is also stored in the management subsystem database. It is visible from the Cloud Manager UI, in the truststores of the analytics, gateway, event gateway, and portal default TLS client profiles. When the management subsystem apim pod is restarted the certificate is reloaded into the database from the Kubernetes ingress-ca certificate. Do not attempt to update this certificate from the Cloud Manager UI.

In 2DCDR deployments, and when you have subsystems in different namespaces, it is necessary to manually copy the ingress-ca certificate from the management subsystem to the other subsystems. Steps are provided in the 2DCDR and multi-namespace install sections of this documentation.

If this certificate is updated, and you have a portal deployed, then restart the portal-www pods for the update to take effect.

management-ca or mgmt-ca selfsigning-issuer The issuer for the management subsystems intra-subsystem certificates: management-client, management-server, postgres, and nats certificates. Communication between management subsystem pods fails if there is a problem with this certificate.

This certificate is also used as the CA for REST API calls to the management subsystem from the other subsystems, when using in-cluster communication. See In-cluster service communication between subsystems

management-client or mgmt-client management-ca Client certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate.
management-server or mgmt-server management-ca Server certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate.
Required DNS names in the certificate:
*.<namespace>
*.<namespace>.svc
*.<instance name>-server.<namespace>.svc
<instance name>-server
analytics-client-client or a7s-cl-client ingress-issuer Legacy certificate from pre-v10.0.5 releases. Not used for anything and safe to delete. In v10.0.5, communication with the analytics subsystem uses the analytics-ingestion-client certificate.
analytics-ingestion-client or a7s-ing-client ingress-issuer Client certificate used for communication with the analytics subsystem on the ingestion endpoint. This certificate must have:
  • The same CA as the server certificate analytics-ai-endpoint on the analytics subsystem.
  • The common name must match the spec.clientSubjectDN in the analytics CR:
    kubectl describe cert analytics-admin-client
    
    Spec:
      Common Name:  a7s-ing-client
    kubectl get a7s -o yaml
    
      spec:
        clientSubjectDN: CN=a7s-ing-client

For a two data center disaster recovery deployment, both data centers must have an identical subject name. For example, both data centers subject name could be CN=a7s-ingestion-client, or they could both be CN=a7s-ingestion-client, O=cert-manager, but they must be identical.

To update this certificate, use kubectl. Restart the apim, taskmanager, and analytics-proxy pods after the update. This certificate is also used by the gateways for sending API events to the analytics subsystem. The updated certificate is sent by the management subsystem to the gateways, it is not necessary to restart any gateway pods.

This certificate is loaded by the management subsystem into the Analytics ingestion TLS client profile that you can see in the Cloud Manager UI (see TLS profiles). If you want the management subsystem to present a different client certificate to the analytics subsystem, then create a new profile and specify it when you register the analytics service.

portal-admin-client or ptl-adm-client ingress-issuer
Client certificate used for communication with the portal subsystem on the portalAdminEndpoint. This certificate must have:
  • The same CA as the server certificate portal-admin or ptl-director on the portal subsystem.
  • The common name must match the spec.adminClientSubjectDN in the portal CR:
    kubectl describe cert portal-admin-client
    
    Spec:
      Common Name:  ptl-adm-client
    kubectl get ptl -o yaml
    
      spec:
        adminClientSubjectDN: CN=ptl-adm-client

For a two data center disaster recovery deployment, both data centers must have an identical subject name. For example, both data centers subject name could be CN=portal-admin-client, or they could both be CN=ptl-adm-client, O=cert-manager, but they must be identical.

This certificate is loaded by the management subsystem into the Portal Director TLS client profile that you can see in the Cloud Manager UI (see TLS profiles). If you want the management subsystem to present a different client certificate to the portal, then create a new profile and specify it when you register the portal service.

gateway-client-client or gw-dr-client ingress-issuer

Client certificate for communications with the gateway service. Restart the apim and taskmanager pods after update. This certificate must have the same CA as the gwv6-manager-endpoint or gw-gateway-manager certificate on the gateway.

This certificate is loaded by the management subsystem into the Gateway management client TLS client profile that you can see in the Cloud Manager UI (see TLS profiles). If you want the management subsystem to present a different client certificate to the gateway, then create a new profile and specify it when you register the gateway service.

api-endpoint or mgmt-platform-api ingress-issuer Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI.
consumer-endpoint or mgmt-consumer-api ingress-issuer Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI.
consumer-catalog ingress-issuer Consumer catalog endpoint server certificate.
apim-endpoint or mgmt-api-manager ingress-issuer API Manager UI server certificate.
cm-endpoint or mgmt-admin ingress-issuer Cloud Manager UI server certificate.
db-client-apicuser management-ca Intra-subsystem certificate for the management database subsystem.
db-client-postgres management-ca Intra-subsystem certificate for the management database subsystem.
postgres management-ca Intra-subsystem certificate for the management database subsystem.
natscluster-mgmt management-ca Intra-subsystem certificate for the nats pods.
mgmt-replication-client ingress-issuer 2DCDR deployments only. Client certificate used in the warm-standby data center's <remote-sitename>-postgres pod to connect to the active data center.
mgmt-replication-server ingress-issuer 2DCDR deployments only. Server certificate used in the active data center's <management_CR>-tunnel pod.

This certificate must contain the DNS Subject Alternative Name of this data center's hostname and must be valid for the spec.multiSiteHA.replicationEndpoint defined in the management CR.

hub-endpoint ingress-issuer Used by the Automated API behavior testing application. User-facing server certificate for the hub-endpoint. If there is a problem with this certificate, then the user's browser shows a warning or error message.
Table 2. Analytics certificates
Certificate name Issuer Description
analytics-ai-endpoint or a7s-ai-endpoint ingress-issuer

Server certificate used on the analytics ingestion endpoint, in the mtls-gw pod. Management and gateway subsystems communicate with the analytics subsystem on this endpoint. The client certificates that are used by the management and gateway subsystems must use the same CA certificate as the analytics-ai-endpoint certificate.

If this certificate is updated, restart the mtls-gw pod for the update to take effect.

analytics-ca or a7s-ca selfsigning-issuer The issuer for the analytics-client and analytics-server certificates. Communication between analytics subsystem pods fails if there is a problem with this certificate.
If you update this certificate, you must then update the analytics-client and analytics-server server certificates, and then ensure that the following pods are restarted:
  • storage: Restarts automatically.
  • warehouse: Restarts automatically.
  • ingestion: Restart manually.
  • director: Restart manually.
analytics-client or a7s-client analytics-ca Client certificate used in communication between analytics subsystem pods. Communication between analytics subsystem pods fails if there is a problem with this certificate.

If this certificate is updated, then the storage and warehouse pods restart automatically. You must manually restart the director and ingestion pods.

analytics-server or a7s-server analytics-ca Server certificate used in communication between analytics subsystem pods. Communication between analytics subsystem pods fails if there is a problem with this certificate.
Required DNS names in the certificate:
*.<namespace>
*.<namespace>.svc
*.<instance name>-server.<namespace>.svc
<instance name>-server
<instance name>-storage

If this certificate is updated, then the storage and warehouse pods restart automatically. You must manually restart the director and ingestion pods.

Table 3. Portal certificates
Certificate name Issuer Description
portal-ca or ptl-ca selfsigning-issuer

The issuer for the portal-client and portal-server certificates. Communication between portal subsystem pods fails if there is a problem with this certificate.

This certificate is used by all portal pods.

portal-client or ptl-client portal-ca

Client certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate.

This certificate is used by all portal pods.

portal-server or ptl-server portal-ca

Server certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate.

Required DNS names in the certificate:
*.<namespace>
*.<namespace>.svc
*.<instance name>-server.<namespace>.svc
<instance name>-server
*.<instance name>-<site name>-db-all.<namespace>.svc
*.<instance name>-<site name>-www-all.<namespace>.svc
*.<instance name>-<site name>-db-all.<namespace>.svc.cluster.local
*.<instance name>-<site name>-www-all.<namespace>.svc.cluster.local
*.<namespace>.svc.cluster.local
<instance name>-db
#<remote portal CR name>-db # For 2DCDR only.
<instance name> and <remote portal CR name> are truncated if more than 15 characters.

This certificate is used by all portal pods.

portal-admin or ptl-director or portal-director ingress-issuer

Server certificate used on the portalAdminEndpoint. The management subsystem communicates with the portal subsystem on this endpoint. The corresponding client certificate used in the management to portal communication is the portal-admin-client certificate.

This certificate must have the same CA as the portal-admin-client certificate on the management subsystem.

This certificate is used by the portal-nginx pod.

portal-web ingress-issuer

The server certificate used on the portalUIEndpoint. It is the server certificate that is presented to portal site users, and which their browser authenticates. If there is a problem with this certificate, then users see an error message about an invalid or insecure certificate in their browser when they access a portal site.

The default portal-web certificate is issued by the ingress-issuer, which has a self-signed root certificate. Portal users might see a browser warning about use of a self-signed certificate.

This certificate is used by the portal-web ingress (portal-web route on OpenShift).

ptl-replication-client ingress-issuer

2DCDR deployments only. Client certificate that is used in the warm-standby data center's <remote-sitename>-www and <remote-sitename>-db pods to connect to the active data center.

This certificate is used by all the portal pods related to 2DCDR replication: portal-db-remote, portal-www-remote, and portal-tunnel.

ptl-replication-server ingress-issuer

2DCDR deployments only. Server certificate used in the active data center's <portal_CR>-tunnel pod, the counterpart to the ptl-replication-client certificate.

This certificate must contain the DNS Subject Alternative Name of this data center's hostname and must be valid for the spec.multiSiteHA.replicationEndpoint defined in the portal CR.

This certificate is used by all the portal pods related to 2DCDR replication: portal-db-remote, portal-www-remote, and portal-tunnel.

Table 4. Gateway certificates
Certificate name Issuer Description
gateway-peering or gw-peer ingress-issuer

This certificate secures the communication between gateways in your gateway cluster.

If you update this certificate, then restart your gateway pods. See Changing the secret for gateway peering.

gateway-service or gw-svc ingress-issuer Legacy certificate that is not used.
gwv6-endpoint or gw-gateway ingress-issuer Legacy certificate that is not used.
gwv6-manager-endpoint or gw-gateway-manager ingress-issuer

The gatewayManager endpoint certificate. This is the server certificate on the gateway director endpoint, which the management subsystem communicates with.

This certificate must be signed by the same CA as the gateway-client-client certificate on management subsystem

If you update this certificate, then all gateway pods are restarted automatically.

Note: The API invocation certificate that callers to the published APIs on your gateways see is configured in the Cloud Manager UI when you register your gateway services. For more information about API invocation certificates, see Registering a gateway service and TLS profiles overview.
Table 5. Event gateway certificates -Cloud Pak for Integration only
Certificate name Issuer Description
event-gateway-management-client ingress-issuer The event-gateway-management-client certificate exists only on Cloud Pak for Integration deployments.