Using a custom certificate
Learn how to add a custom certificate to a deployment of IBM Cloud Pak for AIOps or Infrastructure Automation on Red Hat OpenShift.
If you want to use your own custom certificate for IBM Cloud Pak® for AIOps or Infrastructure Automation instead of the Red Hat® OpenShift® Container Platform cluster certificate, then complete the following steps after you have installed IBM Cloud Pak® for AIOps or Infrastructure Automation.
1. Export an environment variable containing your project's name.

   export PROJECT=<project>

   Where <project> is the project (namespace) where IBM Cloud Pak for AIOps or Infrastructure Automation is deployed.

2. Ensure that you have created the following four PEM-encoded certificate files.

   cachain.pem: A certificate chain containing the root and intermediate certificates.

   carootcert.pem: The root certificate of your Certificate Authority (CA), with no intermediate or application certificates.

   aiops.key.pem: The private key file for the signed certificate in aiops.pem.

   aiops.pem: An IBM Cloud Pak for AIOps or Infrastructure Automation certificate, which includes the two fully qualified domain names (FQDNs) for cpd-${PROJECT} and cp-console-${PROJECT} in the Subject Alternative Name (SAN) list.

   You can find the FQDNs for cp-console-${PROJECT} and cpd-${PROJECT} with the following commands.

   oc get route cp-console -n ${PROJECT} -o jsonpath="{.spec.host}"
   oc get route cpd -n ${PROJECT} -o jsonpath="{.spec.host}"
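Before the four files are packed into a secret in a later step, it is worth confirming that they fit together: that the key belongs to the certificate, that the certificate chains to the root through cachain.pem, that the root file really is a single self-signed certificate, and that both FQDNs appear as DNS entries in the SAN list (a matching CN alone is not enough for the console routes). The shell function below is an added example, not part of the IBM documentation or product; it assumes openssl is on the PATH, and the FQDNs it checks are passed as arguments (in practice, the values returned by the two oc get route commands above). The host names in the usage comment are constructed examples.

```shell
#!/usr/bin/env bash
# Added example (not IBM's tooling): pre-flight checks on the four PEM files
# before they are packed into custom-tls-secret. Assumes openssl is installed.
#
# Usage: validate_custom_cert aiops.pem aiops.key.pem cachain.pem carootcert.pem FQDN...
# e.g.   validate_custom_cert aiops.pem aiops.key.pem cachain.pem carootcert.pem \
#            "$(oc get route cpd -n ${PROJECT} -o jsonpath='{.spec.host}')" \
#            "$(oc get route cp-console -n ${PROJECT} -o jsonpath='{.spec.host}')"
# Returns 0 when every check passes, 1 otherwise, printing one line per failure.
validate_custom_cert() {
  cert="$1"; key="$2"; chain="$3"; root="$4"
  shift 4
  rc=0

  # 1. Each file must parse as the expected PEM type.
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo "FAIL: $cert is not a PEM certificate"; return 1; }
  openssl x509 -in "$root" -noout >/dev/null 2>&1 || { echo "FAIL: $root is not a PEM certificate"; return 1; }
  openssl pkey -in "$key" -noout >/dev/null 2>&1 || { echo "FAIL: $key is not a PEM private key"; return 1; }

  # 2. tls.key must belong to tls.crt: compare SHA-256 digests of the DER-encoded public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $key does not match the public key in $cert"; rc=1; }

  # 3. carootcert.pem must hold exactly one certificate, and that certificate must be self-signed.
  root_count=$(grep -c 'BEGIN CERTIFICATE' "$root" || true)
  [ "$root_count" -eq 1 ] || { echo "FAIL: $root must contain exactly one certificate (found $root_count)"; rc=1; }
  openssl verify -CAfile "$root" "$root" >/dev/null 2>&1 || { echo "FAIL: $root is not a self-signed root"; rc=1; }

  # 4. The server certificate must chain to the root through the intermediates in cachain.pem.
  openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $root via $chain"; rc=1; }

  # 5. Every required FQDN must be a DNS entry in the SAN list. A trailing comma is appended
  #    so that the pattern only matches whole entries, not a longer name with the same prefix.
  san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
  san="${san},"
  for fqdn in "$@"; do
    case "$san" in
      *"DNS:${fqdn},"*) ;;
      *) echo "FAIL: SAN list of $cert lacks DNS:${fqdn}"; rc=1 ;;
    esac
  done

  # 6. Refuse a certificate that expires within 30 days (2592000 s); it would need replacing again soon.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "FAIL: $cert expires within 30 days"; rc=1; }

  [ "$rc" -eq 0 ] && echo "OK: $cert, $key, $chain and $root are consistent"
  return "$rc"
}
```

Run the function once before creating custom-tls-secret; a non-zero return means the secret would be accepted by OpenShift but the console would serve a certificate that browsers or the platform components reject. After the final step, the same SAN expectation can be checked against the live endpoint with openssl s_client -connect <host>:443 -servername <host> -showcerts.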
3. Add your root CA to the CA bundle, to ensure that it is trusted across the Red Hat OpenShift cluster.

   For more information, see the instructions in Replacing the CA Bundle certificate.

4. Create a secret called custom-tls-secret with your custom certificates.

   oc project ${PROJECT}
   oc create secret generic custom-tls-secret --from-file=ca.crt=./cachain.pem --from-file=tls.crt=./aiops.pem --from-file=tls.key=./aiops.key.pem

5. Create a file named cs-onprem-tenant-config.yaml with the following contents:

   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: cs-onprem-tenant-config
     labels:
       cs_onprem_tenant_config: "true"
   data:
     custom_host_certificate_secret: custom-tls-secret

6. Run the following command to create the ConfigMap:

   oc apply -f cs-onprem-tenant-config.yaml -n $PROJECT

7. Restart the nginx pods to pick up the new custom certificates.

   oc delete pod -l component=ibm-nginx

8. Patch ZenService with the new custom-tls-secret.

   oc patch ZenService/iaf-zen-cpdservice --type merge -p '{"spec":{"zenCustomRoute":{"route_reencrypt":true,"route_secret": "custom-tls-secret"}}}'

9. Patch the cp-console route with the new custom-tls-secret. The command reads the certificate, key and CA chain back out of the secret and embeds each PEM file, with its line breaks escaped as \n, into the route's TLS configuration (shown here on several lines with shell continuations; it is a single command):

   oc patch route cp-console -p '{"spec":{"tls":{"certificate":"'\
   "$(oc get secret custom-tls-secret -o jsonpath='{.data.tls\.crt}' | base64 -d | tr '\n' ':' | sed 's/:/\\n/g')"\
   '", "key":"'\
   "$(oc get secret custom-tls-secret -o jsonpath='{.data.tls\.key}' | base64 -d | tr '\n' ':' | sed 's/:/\\n/g')"\
   '", "caCertificate":"'\
   "$(oc get secret custom-tls-secret -o jsonpath='{.data.ca\.crt}' | base64 -d | tr '\n' ':' | sed 's/:/\\n/g')"\
   '"}}}'

10. Run the following commands:

    oc -n ${PROJECT} delete pod -l app=platform-auth-service
    oc -n ${PROJECT} delete pod -l app=platform-identity-provider
    oc -n ${PROJECT} delete pod -l name=ibm-zen-operator
    oc -n ${PROJECT} delete pod -l component=usermgmt
    oc -n ${PROJECT} delete pod -l name=operand-deployment-lifecycle-manager

11. Wait for around 15 minutes for these updates to be reconciled, and for the new configuration to be in place.

    You can check the progress of the reconciliation with the following commands:

    oc get zenservice iaf-zen-cpdservice -o jsonpath='{.status.Progress}'
    oc get zenservice iaf-zen-cpdservice -o jsonpath='{.status.ProgressMessage}'

    When Progress is shown as 100%, reconciliation is complete and you can log in to the console.