Rotating certificates and credentials in Red Hat OpenShift

In your IBM® App Connect environment, certificates and credentials are used for TLS-encrypted internal communications between services, and for encrypted client traffic originating from UI or command-line interactions. You can manually rotate these certificates and credentials to replace them if they expire or are compromised.

Before you begin

Ensure that you are logged in to the cluster as a cluster administrator.

About this task

You can rotate the certificates or credentials for the following App Connect resources:

  • IBM App Connect Operator: Certificates for validating webhooks and mutating webhooks
  • App Connect Dashboard: Certificate for the inbound traffic to the Dashboard
  • App Connect Designer: Certificates for the inbound traffic to the UI and for service-to-service (microservice) communications
  • Integration servers: Basic authentication credentials for communication between the Dashboard and an integration server's admin API
  • Integration runtimes: Basic authentication credentials for communication between the Dashboard and an integration runtime's admin API

The original certificates for the Operator, Dashboard, and Designer are issued with a 10-year expiry period. Certificate authorities (CAs) are not monitored for expiry, but because of the long life of the CAs, it is expected that certificate rotation will be required only if security is compromised. The credentials for integration servers and integration runtimes do not expire, so you might similarly need to rotate the credentials only if security is compromised.

When new certificates or credentials are generated, a rolling restart is initiated on the relevant pods to apply the certificates or credentials to all relevant services.

Note: A set of scripts is supplied for rotating certificates and credentials. These scripts are supported on Linux® and macOS only.
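An added example (not part of the IBM-supplied scripts): because certificate expiry is not monitored and a rotation is applied through a rolling restart, it is useful to confirm that a rotation actually replaced a certificate and that the new one is not close to expiry. It assumes the certificate is held in a secret under a tls.crt key; the secret name and namespace are placeholders, and the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: confirm that a rotation replaced a certificate.
# Inputs are base64-encoded PEM certificates, as stored in a secret's data field.
# Assumed capture step (secret name, namespace and the tls.crt key are placeholders):
#   before=$(oc get secret <secret-name> -n <namespace> -o jsonpath='{.data.tls\.crt}')
#   ... run the supplied rotation script, wait for the rolling restart ...
#   after=$(oc get secret <secret-name> -n <namespace> -o jsonpath='{.data.tls\.crt}')
#   rotation_check "$before" "$after" 365

# Print the SHA-256 fingerprint of the certificate on stdin (empty if unparsable).
cert_fingerprint() {
  openssl base64 -d -A | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeed if the certificate on stdin is still valid $1 days from now.
cert_valid_for_days() {
  openssl base64 -d -A | openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
}

# rotation_check BEFORE AFTER MIN_DAYS: prints one verdict, returns 0 only for ROTATED.
rotation_check() {
  local fp_before fp_after
  fp_before=$(printf '%s' "$1" | cert_fingerprint)
  fp_after=$(printf '%s' "$2" | cert_fingerprint)
  if [ -z "$fp_before" ] || [ -z "$fp_after" ]; then
    echo "UNREADABLE"; return 2
  fi
  if [ "$fp_before" = "$fp_after" ]; then
    echo "NOT_ROTATED"; return 1      # same certificate is still in place
  fi
  if ! printf '%s' "$2" | cert_valid_for_days "$3"; then
    echo "ROTATED_BUT_EXPIRING"; return 1
  fi
  echo "ROTATED"
}

# Constructed sample input: a throwaway self-signed certificate valid for $1 days.
make_constructed_cert() {
  local d; d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/k.pem" -out "$d/c.pem" \
    -days "$1" -subj "/CN=constructed-example" >/dev/null 2>&1
  openssl base64 -A -in "$d/c.pem"
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
  rotation_check "$(make_constructed_cert 30)" "$(make_constructed_cert 3650)" 365
fi
```

Running the file with the argument demo exercises the check on two constructed certificates without touching a cluster.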

Rotating the IBM App Connect Operator webhook certificates

A rotate-webhook-cert.sh script is supplied for rotating the IBM App Connect Operator certificates.

Procedure

To rotate the certificates, complete the following steps:

  1. Download the attached webhook-rotatecerts.zip file.

    This ZIP file contains a README.md file and a rotate-webhook-cert.sh script.

  2. Extract the contents of the ZIP file to a directory on your local computer.
  3. Navigate to this directory and then follow the instructions in the README.md file to rotate the certificates.

Rotating the App Connect Dashboard certificate

A rotate-dashboard-certs.sh script is supplied for rotating the certificate for an App Connect Dashboard instance.

Procedure

To rotate the certificate, complete the following steps:

  1. Download the attached dashboard-rotatecerts.zip file.

    This ZIP file contains a README.md file and a rotate-dashboard-certs.sh script.

  2. Extract the contents of the ZIP file to a directory on your local computer.
  3. Navigate to this directory and then follow the instructions in the README.md file to rotate the certificate.

Rotating the App Connect Designer certificates

A rotate-designerauthoring-certs.sh script is supplied for rotating the certificates for an App Connect Designer instance.

Procedure

To rotate the certificates, complete the following steps:

  1. Download the attached designerauthoring-rotatecerts.zip file.

    This ZIP file contains a README.md file and a rotate-designerauthoring-certs.sh script.

  2. Extract the contents of the ZIP file to a directory on your local computer.
  3. Navigate to this directory and then follow the instructions in the README.md file to rotate the certificates.

Rotating integration server credentials

A rotate-integrationserver-creds.sh script is supplied for rotating basic authentication credentials for any integration server that is deployed in an App Connect Dashboard instance.

You can also use this script to rotate the credentials for integration servers that were created by using the Red Hat OpenShift web console or CLI, but only if a spec.barURL value (rather than a custom server runtime image) was supplied for that integration server.

Procedure

To rotate the credentials, complete the following steps:

  1. Download the attached integrationserver-rotatecerts.zip file.

    This ZIP file contains a README.md file and a rotate-integrationserver-creds.sh script.

  2. Extract the contents of the ZIP file to a directory on your local computer.
  3. Navigate to this directory and then follow the instructions in the README.md file to rotate the credentials.

Rotating integration runtime credentials

A rotate-integrationruntime-creds.sh script is supplied for rotating basic authentication credentials for any integration runtime that is deployed in an App Connect Dashboard instance.

You can also use this script to rotate the credentials for integration runtimes that were created by using the Red Hat OpenShift web console or CLI, but only if a spec.barURL value (rather than a custom server runtime image) was supplied for that integration runtime.

Procedure

To rotate the credentials, complete the following steps:

  1. Download the attached integrationruntime-rotatecerts.zip file.

    This ZIP file contains a README.md file and a rotate-integrationruntime-creds.sh script.

  2. Extract the contents of the ZIP file to a directory on your local computer.
  3. Navigate to this directory and then follow the instructions in the README.md file to rotate the credentials.