Using a custom certificate

Learn how to add a custom certificate to a deployment of IBM Cloud Pak for AIOps or Infrastructure Automation on Red Hat OpenShift.

If you want to use your own custom certificate for IBM Cloud Pak® for AIOps or Infrastructure Automation instead of the Red Hat® OpenShift® Container Platform cluster certificate, then complete the following steps after you have installed IBM Cloud Pak® for AIOps or Infrastructure Automation.

  1. Export an environment variable containing your project's name.

    export PROJECT=<project>
    

    Where <project> is the project (namespace) where IBM Cloud Pak for AIOps or Infrastructure Automation is deployed.

  2. Ensure that you have created the following four PEM-encoded certificate files.

    • cachain.pem: A certificate chain containing the root and intermediate certificates.
    • carootcert.pem: The root certificate of your Certificate Authority (CA), with no intermediate or application certificates.
    • aiops.key.pem: A key file for the signed certificate in aiops.pem.
    • aiops.pem: An IBM Cloud Pak for AIOps or Infrastructure Automation certificate, which includes the two fully qualified domain names (FQDNs) for cpd-${PROJECT} and cp-console-${PROJECT} in the Subject Alternative Name (SAN) list.

    You can find the FQDNs for cp-console-${PROJECT} and cpd-${PROJECT} with the following commands.

    oc get route cp-console -n ${PROJECT} -o jsonpath="{.spec.host}"
    oc get route cpd -n ${PROJECT} -o jsonpath="{.spec.host}"
    
  3. Add your root CA to the CA bundle, to ensure that it is trusted across the Red Hat OpenShift cluster.

    For more information, see the instructions in Replacing the CA Bundle certificate.

  4. Create a secret called custom-tls-secret with your custom certificates.

    oc project ${PROJECT}
    oc create secret generic custom-tls-secret --from-file=ca.crt=./cachain.pem --from-file=tls.crt=./aiops.pem --from-file=tls.key=./aiops.key.pem
    
  5. Create a file named cs-onprem-tenant-config.yaml with the following contents:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cs-onprem-tenant-config
      labels:
        cs_onprem_tenant_config: "true"
    data:
      custom_host_certificate_secret: custom-tls-secret
    
  6. Run the following command to create the ConfigMap:

    oc apply -f cs-onprem-tenant-config.yaml -n $PROJECT
    
  7. Restart the nginx pods to pick up the new custom certificates.

    oc delete pod -l component=ibm-nginx
    
  8. Patch ZenService with the new custom-tls-secret.

    oc patch ZenService/iaf-zen-cpdservice --type merge -p '{"spec":{"zenCustomRoute":{"route_reencrypt":true,"route_secret": "custom-tls-secret"}}}'
    
  9. Patch the cp-console route with the new custom-tls-secret.

    oc patch route cp-console -p '{"spec":{"tls":{"certificate":"'"$(oc get secret custom-tls-secret -o jsonpath='{.data.tls\.crt}' | base64 -d | tr '\n' ':' | sed 's/:/\\n/g')"'", "key":"'"$(oc get secret custom-tls-secret -o jsonpath='{.data.tls\.key}'| base64 -d | tr '\n' ':' | sed 's/:/\\n/g')"'", "caCertificate":"'"$(oc get secret custom-tls-secret -o jsonpath='{.data.ca\.crt}' | base64 -d | tr '\n' ':' | sed 's/:/\\n/g')"'"}}}'
    
  10. Run the following commands:

    oc -n ${PROJECT} delete pod -l app=platform-auth-service
    oc -n ${PROJECT} delete pod -l app=platform-identity-provider
    oc -n ${PROJECT} delete pod -l name=ibm-zen-operator
    oc -n ${PROJECT} delete pod -l component=usermgmt
    oc -n ${PROJECT} delete pod -l name=operand-deployment-lifecycle-manager
    
  11. Wait for around 15 minutes for these updates to be reconciled, and for the new configuration to be in place.

    You can check the progress of the reconciliation with the following commands:

    oc get zenservice iaf-zen-cpdservice -o jsonpath='{.status.Progress}'
    oc get zenservice iaf-zen-cpdservice -o jsonpath='{.status.ProgressMessage}'
    

    When Progress is shown as 100%, then reconciliation is complete and you can log in to the console.
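
Once the certificate files from step 2 are loaded into custom-tls-secret and the nginx pods are restarted (step 7), a key that does not match aiops.pem, a chain that does not lead to carootcert.pem, or a SAN list missing one of the two FQDNs takes the console offline until the secret is corrected. The following pre-flight script is an added example, not part of the IBM documentation; it assumes openssl is on the PATH, that the four files carry the names used in step 2, and that the FQDNs passed to it were read with the oc get route commands from step 2. Run it from the directory holding the files, between steps 2 and 4.

```sh
#!/bin/sh
# check_custom_cert: pre-flight checks on the four PEM files from step 2 before
# they are placed in custom-tls-secret. Added example, not from the IBM documentation.
# Assumes openssl is on PATH and that the FQDNs given as arguments were read with
# "oc get route cpd|cp-console -n ${PROJECT} -o jsonpath={.spec.host}" as in step 2.
#
# Usage: check_custom_cert aiops.pem aiops.key.pem cachain.pem carootcert.pem FQDN...
# Exit status 0 when every check passes; each failure is printed on its own line.
check_custom_cert() {
  cert="$1"; key="$2"; chain="$3"; root="$4"; shift 4
  rc=0

  # 1. Each file must parse as the PEM object type the procedure expects.
  openssl x509 -in "$cert" -noout 2>/dev/null || { echo "FAIL: $cert is not a PEM certificate"; rc=1; }
  openssl pkey -in "$key" -noout 2>/dev/null  || { echo "FAIL: $key is not a PEM private key"; rc=1; }
  openssl x509 -in "$root" -noout 2>/dev/null || { echo "FAIL: $root is not a PEM certificate"; rc=1; }
  [ "$rc" -eq 0 ] || return "$rc"

  # 2. carootcert.pem must hold exactly one certificate: the root and nothing else.
  n=$(grep -c 'BEGIN CERTIFICATE' "$root" || true)
  [ "$n" -eq 1 ] || { echo "FAIL: $root contains $n certificates, expected only the root"; rc=1; }

  # 3. The private key must belong to the certificate: compare the public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $key does not match the public key in $cert"; rc=1; }

  # 4. The certificate must chain to the root through the intermediates in cachain.pem.
  openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not verify against $root using $chain"; rc=1; }

  # 5. Every required FQDN must appear as a DNS entry in the Subject Alternative Name list.
  #    openssl prints the SAN values on the line after the extension header; keep that line
  #    and append a comma so each entry can be matched as "DNS:<host>,".
  san="$(openssl x509 -in "$cert" -noout -text 2>/dev/null | sed -n '/Subject Alternative Name/{n;p;}'),"
  for host in "$@"; do
    case "$san" in
      *"DNS:$host,"*) ;;
      *) echo "FAIL: SAN list of $cert does not contain DNS:$host"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Run as a script when arguments are supplied; source the file to call the function directly.
if [ "$#" -ge 5 ]; then
  check_custom_cert "$@"
fi
```

A typical call, with the hostnames taken from the routes exactly as step 2 does, is check_custom_cert aiops.pem aiops.key.pem cachain.pem carootcert.pem "$(oc get route cpd -n "$PROJECT" -o jsonpath='{.spec.host}')" "$(oc get route cp-console -n "$PROJECT" -o jsonpath='{.spec.host}')". Step 3 (adding the root to the cluster CA bundle) is still required; the script only confirms that the files are consistent with each other and with the two FQDNs before they are committed to the secret.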