Configuring the on-premises system

  1. Get the service CA that signed the ObjectServer certificates:

    Note: You must run this step on the cloud side and then copy service-ca.crt to the on-premises server.

    oc get configmap <name>-tls-ca -o jsonpath='{.data.ca\.crt}' > service-ca.crt
    

    Where <name> is the name of your installation resource.

  2. Import the CA certificate into the IBM Tivoli Netcool/OMNIbus keystore:

    $NCHOME/bin/nc_gskcmd -keydb -create -db $NCHOME/etc/security/keys/omni.kdb  -pw "$KEYSTORE_PW" -stash
    
    $NCHOME/bin/nc_gskcmd -cert -add -db $NCHOME/etc/security/keys/omni.kdb -pw "$KEYSTORE_PW" -label "CA" -file service-ca.crt
    

    Note: The default for $NCHOME is /opt/IBM/tivoli/netcool/.

  3. Add local host name resolution that maps the service names used in the CN of the certificates to the IP address of the cluster control node. The client can then validate the certificate chain against the host name that it connects to.

    /etc/hosts:
    <cluster_control_node_ip> aiops-ir-core-ncoprimary.<namespace>.svc
    <cluster_control_node_ip> aiops-ir-core-ncobackup.<namespace>.svc
    
  4. Update the omni.dat ($NCHOME/etc/omni.dat) with the necessary connection details, for example:

    [AIOPS_AGGV]
    {
    	Primary: aiops-ir-core-ncoprimary.<namespace>.svc ssl ${NCOPRIMARY_NODEPORT}
    	Backup: aiops-ir-core-ncobackup.<namespace>.svc ssl ${NCOBACKUP_NODEPORT}
    }
    

    Then, regenerate the interfaces file by running $NCHOME/bin/nco_igen.

  5. Try pinging the server by name:

    $NCHOME/omnibus/bin/nco_ping AIOPS_AGGV
    
  6. Specify the challenge credentials in the probe property files:

    AuthUsername: "aiopsprobe"
    AuthPassword: "<password from step 6 of on cloud side>"
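
The following script is an added example, not part of the original procedure or of IBM's tooling. It checks that every host named in an omni.dat section (step 4) has an /etc/hosts entry (step 3), and optionally that the certificate the server presents chains to service-ca.crt and matches the host name. The function names, the namespace "demo-ns", and the sample addresses and ports are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM code: pre-flight checks for steps 3 to 5.
# Function names are hypothetical; sample values in demo() are constructed.

# Print the host names on the Primary:/Backup: lines of one omni.dat section.
omni_dat_hosts() {   # usage: omni_dat_hosts OMNI_DAT SECTION
  awk -v sec="[$2]" '
    $1 == sec           { in_sec = 1; next }
    in_sec && $1 == "}" { exit }
    in_sec && ($1 == "Primary:" || $1 == "Backup:") { print $2 }
  ' "$1"
}

# Print each host of the section that has no entry in the hosts file.
# Returns 1 if any host is missing or the section defines no hosts at all.
missing_hosts_entries() {   # usage: missing_hosts_entries OMNI_DAT SECTION HOSTS_FILE
  _hosts=$(omni_dat_hosts "$1" "$2")
  [ -n "$_hosts" ] || { echo "no hosts found in section $2" >&2; return 1; }
  _rc=0
  for _h in $_hosts; do
    awk -v h="$_h" '
      { sub(/#.*/, "") }
      { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
      END { exit !found }' "$3" || { echo "$_h"; _rc=1; }
  done
  return "$_rc"
}

# Check that the server certificate chains to the CA file and matches HOST.
# Needs network access to the node port and OpenSSL 1.1.0 or later.
verify_tls() {   # usage: verify_tls HOST PORT CA_FILE
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
    -verify_hostname "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed sample files: the hosts file deliberately lacks the backup entry.
demo() {
  _d=$(mktemp -d)
  printf '[AIOPS_AGGV]\n{\n\tPrimary: aiops-ir-core-ncoprimary.demo-ns.svc ssl 30001\n\tBackup: aiops-ir-core-ncobackup.demo-ns.svc ssl 30002\n}\n' > "$_d/omni.dat"
  printf '192.0.2.10 aiops-ir-core-ncoprimary.demo-ns.svc\n' > "$_d/hosts"
  missing_hosts_entries "$_d/omni.dat" AIOPS_AGGV "$_d/hosts"
  _drc=$?
  rm -rf "$_d"
  return "$_drc"
}

demo || echo "(the constructed hosts file is missing the entry printed above)"
```

On a real system, call missing_hosts_entries with $NCHOME/etc/omni.dat, AIOPS_AGGV and /etc/hosts, then verify_tls with each service name, its node port and service-ca.crt before running nco_ping.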