List of intra-subsystem certificates

A summary of certificates used for communications within subsystems in an API Connect deployment.

Note: On Cloud Pak for Integration and OpenShift top-level CR deployments, some certificate names are contracted and prefixed with the APIConnectCluster instance name. For example, the certificate management-ca is called <apic instance name>-mgmt-ca.

Table 1 presents a list of certificates used for communications between pods in the same subsystem. The certificates are managed by cert-manager. For details of all the API Connect certificates, see API Connect certificates.

Table 1. Intra-subsystem certificates
Certificate name: management-ca or mgmt-ca
Issuer: selfsigning-issuer
Description: The issuer for the management subsystem's intra-subsystem certificates: management-client, management-server, the database client certificates (db-client-apicuser, db-client-postgres), and the nats certificate (natscluster-mgmt). Communication between management subsystem pods fails if there is a problem with this certificate.
This certificate is also used as the CA for REST API calls to the management subsystem from the other subsystems when in-cluster communication is used. See In-cluster service communication between subsystems.

Certificate name: management-client or mgmt-client
Issuer: management-ca
Description: Client certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate.

Certificate name: management-server or mgmt-server
Issuer: management-ca
Description: Server certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate.
Required DNS names in the SAN extension:
  • *.<namespace>
  • *.<namespace>.svc
  • *.<namespace>.svc.cluster.local
  • *.<instance name>-server.<namespace>.svc
  • *.<instance name>-server.<namespace>.svc.cluster.local
  • <instance name>-server

Certificate name: db-client-apicuser
Issuer: management-ca
Description: Intra-subsystem client certificate for the management subsystem database.

Certificate name: db-client-postgres
Issuer: management-ca
Description: Intra-subsystem client certificate for the management subsystem database.

Certificate name: natscluster-mgmt
Issuer: management-ca
Description: Intra-subsystem certificate for the nats pods.

Certificate name: analytics-ca or a7s-ca
Issuer: selfsigning-issuer
Description: The issuer for the analytics-client and analytics-server certificates. Communication between analytics subsystem pods fails if there is a problem with this certificate.
If you update this certificate, you must then update the analytics-client and analytics-server certificates, and then ensure that the following pods are restarted:
  • storage: restarts automatically.
  • warehouse: restarts automatically.
  • ingestion: restarts automatically.
  • director: restart manually.

Certificate name: analytics-client or a7s-client
Issuer: analytics-ca
Description: Client certificate used in communication between analytics subsystem pods. Communication between analytics subsystem pods fails if there is a problem with this certificate.
If this certificate is updated, the storage, warehouse, and ingestion pods restart automatically. You must restart the director pod manually.

Certificate name: analytics-server or a7s-server
Issuer: analytics-ca
Description: Server certificate used in communication between analytics subsystem pods. Communication between analytics subsystem pods fails if there is a problem with this certificate.
Required DNS names in the SAN extension:
  • *.<namespace>
  • *.<namespace>.svc
  • *.<namespace>.svc.cluster.local
  • *.<instance name>-server.<namespace>.svc
  • *.<instance name>-server.<namespace>.svc.cluster.local
  • <instance name>-server
  • <instance name>-storage
  • <instance name>-director
  • <instance name>-ingestion
  • <instance name>-mtls-gw
  • <instance name>-storage-os-master
  • <instance name>-warehouse
If this certificate is updated, the storage, warehouse, and ingestion pods restart automatically. You must restart the director pod manually.

Certificate name: portal-ca or ptl-ca
Issuer: selfsigning-issuer
Description: The issuer for the portal-client and portal-server certificates. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods.

Certificate name: portal-client or ptl-client
Issuer: portal-ca
Description: Client certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods.

Certificate name: portal-server or ptl-server
Issuer: portal-ca
Description: Server certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods.
Required DNS names in the SAN extension:
  • *.<namespace>
  • *.<namespace>.svc
  • *.<namespace>.svc.cluster.local
  • *.<instance name>-server.<namespace>.svc
  • *.<instance name>-server.<namespace>.svc.cluster.local
  • <instance name>-server
  • *.<instance name>-<site name>-db-all.<namespace>.svc
  • *.<instance name>-<site name>-www-all.<namespace>.svc
  • *.<instance name>-<site name>-db-all.<namespace>.svc.cluster.local
  • *.<instance name>-<site name>-www-all.<namespace>.svc.cluster.local
  • <instance name>-db
  • <remote portal CR name>-db (2DCDR deployments only)
In these names, <instance name> and <remote portal CR name> are truncated if they are longer than 15 characters.
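The SAN requirements in the table above are mechanical, which makes them easy to get wrong when a server certificate is replaced by hand or reissued outside cert-manager. The following is an added example, not code from API Connect or its documentation: it generates the required DNS names for the management-server, analytics-server and portal-server certificates and compares them with the names found in a certificate taken from the cluster. It assumes the RFC 6125 wildcard rule (a "*" covers exactly one leftmost label) and reads "truncated if more than 15 characters" as keeping the first 15 characters; the openssl output, the kubectl command in the comment, and the secret name are constructed for illustration.

```python
"""Check the SAN list of an API Connect intra-subsystem server certificate
against the DNS names required by the table above.

Added example, not code from API Connect or its documentation. Assumptions:
a wildcard SAN covers exactly one leftmost label (RFC 6125), and
"truncated if more than 15 characters" keeps the first 15 characters.
"""
import re

# Pod-level names the analytics-server certificate must carry (from the table).
ANALYTICS_POD_NAMES = ("storage", "director", "ingestion", "mtls-gw",
                       "storage-os-master", "warehouse")


def required_sans(subsystem, instance, namespace, site=None, remote_portal_cr=None):
    """Return the SAN DNS names the server certificate of `subsystem` needs."""
    names = [
        f"*.{namespace}",
        f"*.{namespace}.svc",
        f"*.{namespace}.svc.cluster.local",
        f"*.{instance}-server.{namespace}.svc",
        f"*.{instance}-server.{namespace}.svc.cluster.local",
        f"{instance}-server",
    ]
    if subsystem == "management":
        return names
    if subsystem == "analytics":
        return names + [f"{instance}-{pod}" for pod in ANALYTICS_POD_NAMES]
    if subsystem == "portal":
        if site is None:
            raise ValueError("portal-server SANs depend on the portal site name")
        inst = instance[:15]  # assumption: truncation keeps the first 15 characters
        for suffix in ("", ".cluster.local"):
            for kind in ("db", "www"):
                names.append(f"*.{inst}-{site}-{kind}-all.{namespace}.svc{suffix}")
        names.append(f"{inst}-db")
        if remote_portal_cr:  # 2DCDR deployments only
            names.append(f"{remote_portal_cr[:15]}-db")
        return names
    raise ValueError(f"unknown subsystem: {subsystem!r}")


def parse_openssl_san(text):
    """Pull the DNS names out of `openssl x509 -noout -ext subjectAltName` output."""
    return re.findall(r"DNS:([^,\s]+)", text)


def missing_sans(required, actual):
    """Required names that are absent from the certificate, in table order."""
    present = {name.lower() for name in actual}
    return [name for name in required if name.lower() not in present]


def hostname_matches(san, host):
    """RFC 6125-style match: '*' stands for exactly one leftmost DNS label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                       # e.g. ".apic-mgmt-server.apic.svc"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label and "*" not in label


def covered(host, sans):
    """True if any SAN on the certificate matches the given pod or service name."""
    return any(hostname_matches(san, host) for san in sans)


# Constructed sample (not real cluster output). In a real check it would come from:
#   kubectl -n apic get secret <server cert secret> -o jsonpath='{.data.tls\.crt}' \
#     | base64 -d | openssl x509 -noout -ext subjectAltName
# The secret name is assumed; the sample deliberately lacks *.apic.svc.cluster.local.
SAMPLE_OPENSSL_SAN = """X509v3 Subject Alternative Name:
    DNS:*.apic, DNS:*.apic.svc, DNS:*.apic-mgmt-server.apic.svc, DNS:*.apic-mgmt-server.apic.svc.cluster.local, DNS:apic-mgmt-server
"""


def check_sample():
    """Compare the constructed sample with the management-server requirements."""
    required = required_sans("management", "apic-mgmt", "apic")
    return missing_sans(required, parse_openssl_san(SAMPLE_OPENSSL_SAN))


if __name__ == "__main__":
    for name in check_sample():
        print("missing SAN:", name)
    sans = parse_openssl_san(SAMPLE_OPENSSL_SAN)
    pod = "apic-mgmt-server-0.apic-mgmt-server.apic.svc.cluster.local"
    print(pod, "covered:", covered(pod, sans))
```

An empty result from missing_sans means the certificate carries every name the table requires. The covered check is worth running for the actual pod names in use: the *.<namespace>.svc entries match one label only, so a pod-level name such as <pod>.<instance name>-server.<namespace>.svc is matched by the *.<instance name>-server.<namespace>.svc entry and not by *.<namespace>.svc, which is why the table lists both.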