List of ingress certificates
A summary of certificates that are used for communications between subsystems and clients in an API Connect deployment.
APIConnectCluster
instance name. For example, the certificate
managment-ca
is called <apic instance
name>-mgmt-ca
.User-facing certificates
Certificate name | Issuer | Description |
---|---|---|
api-endpoint or mgmt-platform-api |
ingress-issuer |
Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI. |
consumer-endpoint or mgmt-consumer-api |
ingress-issuer |
Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI. |
consumer-catalog-endpoint |
ingress-issuer |
Consumer catalog endpoint server certificate. |
apim-endpoint or mgmt-api-manager |
ingress-issuer |
API Manager UI server certificate. |
cm-endpoint or mgmt-admin |
ingress-issuer |
Cloud Manager UI server certificate. |
portal-web |
ingress-issuer |
The server certificate used on the The default This certificate is used by the |
hub-endpoint |
ingress-issuer |
Used by the Automated API behavior testing
application. User-facing server certificate for the hub-endpoint . If there is a
problem with this certificate, then the user's browser shows a warning or error message. |
Inter-subsystem certificates
Table 2 lists all of the common subsystem communication certificates. The corresponding secrets use the same names. If you have customized your certificates, the certificates in Table 2 use the custom-certs-external.yaml template.
Certificate name | Issuer | Description |
---|---|---|
-ingress-ca |
selfsigning-issuer |
The CA and issuer of all API Connect inter-subsystem
and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are
inaccessible and unable to sync with each other. Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal. The ingress-ca certificate is also stored in the management subsystem
database. It is visible from the Cloud
Manager UI, in the truststores of the
analytics, gateway, event gateway, and portal default TLS client profiles. When the management
subsystem In 2DCDR deployments, and when you have subsystems in different namespaces, it is necessary to manually copy the ingress-ca certificate from the management subsystem to the other subsystems. Steps are provided in the 2DCDR and multi-namespace install sections of this documentation. If this certificate is updated, and you have a portal
deployed, then restart the |
analytics-ingestion-client or a7s-ing-client |
ingress-issuer |
Client certificate used for communication with the analytics subsystem on the ingestion
endpoint. This certificate must have:
For a two data center disaster recovery
deployment, both data centers must have an identical subject name. For example, both data centers
subject name could be To
update this certificate, use kubectl. Restart the This certificate is loaded by the management subsystem into the
|
portal-admin-client or ptl-adm-client |
ingress-issuer |
Client certificate used for communication with the portal subsystem on the
portalAdminEndpoint . This certificate must have:
For a two data center disaster recovery deployment,
both data centers must have an identical subject name. For example, both data centers subject name
could be This certificate is loaded by the management subsystem into the |
gateway-client-client or gw-dr-client |
ingress-issuer |
Client certificate for communications with the gateway service. Restart the This certificate is loaded by the management subsystem into the |
api-endpoint or mgmt-platform-api |
ingress-issuer |
Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI. |
consumer-endpoint or mgmt-consumer-api |
ingress-issuer |
Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI. |
apim-endpoint or mgmt-api-manager |
ingress-issuer |
API Manager UI server certificate. |
cm-endpoint or mgmt-admin |
ingress-issuer |
Cloud Manager UI server certificate. |
mgmt-replication-client |
ingress-issuer |
2DCDR deployments
only. Client certificate used in the warm-standby data center's
<remote-sitename>-postgres pod to connect to the active data
center. |
mgmt-replication-server |
ingress-issuer |
2DCDR deployments
only. Server certificate used in the active data center's <management_CR>-tunnel
pod.This certificate must contain the DNS Subject Alternative Name of this data center's hostname
and must be valid for the |
hub-endpoint |
ingress-issuer |
Used by the Automated API behavior testing
application. User-facing server certificate for the hub-endpoint . If there is a
problem with this certificate, then the user's browser shows a warning or error message. |
management-s3proxy-all |
ingress-issuer |
Inter-subsystem certificate for communication between management subsystem and s3proxy pods. Used for management database local and SFTP backups. |
analytics-ai-endpoint or a7s-ai-endpoint |
ingress-issuer |
Server certificate used on the analytics ingestion endpoint, in the If this certificate is updated, restart the |
portal-admin or ptl-director or portal-director |
ingress-issuer |
Server certificate used on the This certificate must have the same CA as the This certificate is used by the |
portal-web |
ingress-issuer |
The server certificate used on the The default This certificate is used by the |
ptl-replication-client |
ingress-issuer |
2DCDR deployments only.
Client certificate that is used in the warm-standby data center's
This certificate is used by all the portal pods related to 2DCDR replication:
|
ptl-replication-server |
ingress-issuer |
2DCDR deployments only.
Server certificate used in the active data center's This certificate must contain the DNS Subject Alternative Name of this data center's hostname and
must be valid for the This certificate is used by all the portal pods related to 2DCDR replication:
|
gateway-peering or gw-peer |
ingress-issuer |
This certificate secures the communication between gateways in your gateway cluster. If you update this certificate, then restart your gateway pods. See Changing the secret for gateway peering. |
gwv6-endpoint or gw-gateway |
ingress-issuer |
Legacy certificate that is not used. |
gateway-service or gw-svc |
ingress-issuer |
Legacy certificate that is not used. |
gwv6-manager-endpoint or gw-gateway-manager |
ingress-issuer |
The This certificate must be signed by the same CA as the If you update this certificate, then all gateway pods are restarted automatically. |
event-gateway-management-client |
ingress-issuer |
The event-gateway-management-client certificate exists only on Cloud Pak for Integration deployments. |