Enable management CA verification on REST API calls

Enable the portal and gateway to validate the management subsystem's REST API server certificates.

About this task

After you install API Connect, you can configure the portal and gateway subsystems to verify the management subsystem's REST API server certificate against a trusted CA whenever they call the REST API. Until you do, those calls are made without CA verification of the server certificate. The gateway and portal subsystems call the management REST API during their normal operation: the gateway calls the platform REST API, and the portal calls both the platform REST API and the consumer REST API. To enable verification, enter the names of the Kubernetes secrets that hold the CA certificates for the REST API endpoints into the portal and gateway CRs.
Note:
If you are not sure of the secret names, follow these steps to determine their names:
  1. Check the management subsystem CR with oc describe mgmt, and identify the issuer of the platform and consumer API endpoints:
    oc describe mgmt
    
    ...
      Platform API Endpoint:
        Annotations:
          cert-manager.io/issuer:               <instance name>-ingress-issuer
    ...
      Consumer API Endpoint:
        Annotations:
          cert-manager.io/issuer:               <instance name>-ingress-issuer
  2. Describe the issuer with oc describe issuer, and identify the secret name:
    oc describe issuer <instance name>-ingress-issuer
    ...
    Spec:
      Ca:
        Secret Name:  <instance name>-ingress-ca
    ...
Note: If you are using in-cluster communication (see In-cluster service communication between subsystems), then the portal and gateway make REST calls on the service endpoints, instead of the external endpoints. In the steps documented in this topic, replace mgmtPlatformEndpointCASecret with mgmtPlatformEndpointSvcCASecret, and mgmtConsumerEndpointCASecret with mgmtConsumerEndpointSvcCASecret. For secretName, the default for the service endpoints is mgmt-ca or <apic instance name>-mgmt-ca.

Procedure

  1. Update the portal CR.
    1. Edit the portal CR
      oc edit ptl
      Note: If you are using the OpenShift top-level CR deployment, edit your APIConnectCluster CR instead. Updates should be made in the spec.portal section.
    2. Set spec.mgmtPlatformEndpointCASecret.secretName and spec.mgmtConsumerEndpointCASecret.secretName to the name of the CA secret.
      spec:
      ...
        mgmtPlatformEndpointCASecret:
          secretName: <instance name>-ingress-ca
        mgmtConsumerEndpointCASecret:
          secretName: <instance name>-ingress-ca
  2. Update the gateway CR.
    1. Edit the gateway CR
      oc edit gw
      Note: If you are using the OpenShift top-level CR deployment, edit your APIConnectCluster CR instead. Updates should be made in the spec.gateway section.
    2. Set spec.mgmtPlatformEndpointCASecret.secretName to the name of the CA secret.
      spec:
      ...
        mgmtPlatformEndpointCASecret:
          secretName: <instance name>-ingress-ca
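The whole procedure as one script, added here as an example; it is not part of the API Connect documentation or product. It assumes a POSIX shell, an oc session logged in to the namespace that holds the CRs, the ptl and gw short names used above, and that the CA secret name for the external endpoints is read from the cert-manager issuer's spec.ca.secretName (the same field the Note reads with oc describe issuer). The function names, the APPLY switch and the argument order are the example's own. It also builds the patch for the top-level APIConnectCluster CR, where the same fields sit under spec.portal and spec.gateway, and reads the field back after patching so that a dropped or misspelled value is reported rather than silently leaving verification off.

```sh
#!/bin/sh
# Added example, not part of the API Connect documentation or product.
# Assumptions: POSIX sh; `oc` is logged in to the namespace that holds the
# portal, gateway (and optionally APIConnectCluster) CRs; CR names are passed
# in by the caller. Function and variable names here are the example's own.

# Fields that go under spec (standalone PortalCluster CR) or spec.portal
# (top-level APIConnectCluster CR).
# $1 = CA secret name; $2 = "svc" for in-cluster service endpoints, otherwise external.
portal_fields() {
  case "$2" in
    svc) plat=mgmtPlatformEndpointSvcCASecret; cons=mgmtConsumerEndpointSvcCASecret ;;
    *)   plat=mgmtPlatformEndpointCASecret;    cons=mgmtConsumerEndpointCASecret ;;
  esac
  printf '{"%s":{"secretName":"%s"},"%s":{"secretName":"%s"}}' \
    "$plat" "$1" "$cons" "$1"
}

# The gateway only calls the platform API, so it gets the platform field only.
gateway_fields() {
  case "$2" in
    svc) plat=mgmtPlatformEndpointSvcCASecret ;;
    *)   plat=mgmtPlatformEndpointCASecret ;;
  esac
  printf '{"%s":{"secretName":"%s"}}' "$plat" "$1"
}

# JSON merge patch for one CR kind.
# $1 = ptl | gw | apiconnectcluster; $2 = CA secret name; $3 = external | svc.
merge_patch() {
  case "$1" in
    ptl) printf '{"spec":%s}' "$(portal_fields "$2" "$3")" ;;
    gw)  printf '{"spec":%s}' "$(gateway_fields "$2" "$3")" ;;
    apiconnectcluster)
      printf '{"spec":{"portal":%s,"gateway":%s}}' \
        "$(portal_fields "$2" "$3")" "$(gateway_fields "$2" "$3")" ;;
    *) echo "merge_patch: unknown CR kind '$1'" >&2; return 1 ;;
  esac
}

# jsonpath used to read the platform CA field back after patching
# (the portal section, for the top-level CR). $1 = CR kind; $2 = external | svc.
verify_path() {
  case "$2" in
    svc) f=mgmtPlatformEndpointSvcCASecret ;;
    *)   f=mgmtPlatformEndpointCASecret ;;
  esac
  case "$1" in
    apiconnectcluster) printf '{.spec.portal.%s.secretName}' "$f" ;;
    *)                 printf '{.spec.%s.secretName}' "$f" ;;
  esac
}

# Step 2 of the Note as a jsonpath query: the CA secret behind the ingress issuer.
# $1 = API Connect instance name.
issuer_ca_secret() {
  oc get issuer "$1-ingress-issuer" -o jsonpath='{.spec.ca.secretName}'
}

# Patch one CR and read the value back; a missing secret or a dropped field fails.
# $1 = CR kind; $2 = CR name; $3 = CA secret name; $4 = external | svc.
apply_and_verify() {
  oc get secret "$3" >/dev/null || { echo "CA secret '$3' not found" >&2; return 1; }
  patch=$(merge_patch "$1" "$3" "$4") || return 1
  oc patch "$1" "$2" --type merge -p "$patch" || return 1
  got=$(oc get "$1" "$2" -o jsonpath="$(verify_path "$1" "$4")")
  [ "$got" = "$3" ] || { echo "$1/$2: expected secretName '$3', got '$got'" >&2; return 1; }
}

# Usage: APPLY=1 sh enable-ca-verification.sh <instance> <ptl name> <gw name> [external|svc] [secret]
# For external endpoints the secret is resolved from the issuer; for svc it must be
# given explicitly (the Note gives mgmt-ca or <instance>-mgmt-ca as the default names).
if [ "${APPLY:-0}" = 1 ]; then
  mode="${4:-external}"
  secret="${5:-}"
  if [ -z "$secret" ] && [ "$mode" = external ]; then
    secret=$(issuer_ca_secret "$1")
  fi
  [ -n "$secret" ] || { echo "no CA secret name; pass it as the 5th argument" >&2; exit 1; }
  apply_and_verify ptl "$2" "$secret" "$mode" && apply_and_verify gw "$3" "$secret" "$mode"
fi
```

Run it with APPLY=1 so that sourcing the file for the helper functions does not touch the cluster. The read-back after oc patch matters: a merge patch that names a field the CR schema does not know is accepted and then discarded on reconciliation, so checking only the exit status of oc patch is not enough to know that verification was actually turned on.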