Configuring a custom HTTPS certificate for Managed services Management Console

This topic describes the procedure to install a custom certificate for use by the Managed services management console. You must first install Managed services and then customize your secrets by using the instructions in Procedure to configure your custom HTTPS certificate postinstallation.

You can configure your custom HTTPS certificate either during installation of Managed services or postinstallation. Before you follow either procedure, create a secret to store the custom certificates required by the nginx server. The secret must contain the following keys:

  • A key named tls.crt whose value must be the TLS certificate.
  • A key named tls.key whose value must be the TLS key.
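
One way to build that secret from PEM files, checking first that the certificate and key belong together and that the certificate has not expired. This is an added example, not part of the original procedure; the helper names, the file paths in the usage line and the choice of the cp4aiops namespace for the secret are assumptions.

```shell
#!/bin/sh
# Added example: preflight for the PEM pair that goes into the cam-proxy secret.
# check_tls_pair and create_cam_tls_secret are hypothetical helper names.

# Returns 0 if CRT and KEY are a usable pair, otherwise:
#   2 = file missing or wrong PEM type, 3 = openssl not installed,
#   4 = certificate expired or unparsable, 5 = key unreadable or not matching.
check_tls_pair() {
    crt=$1; key=$2
    [ -r "$crt" ] && [ -r "$key" ] || { echo "missing file" >&2; return 2; }
    # Catches swapped arguments: tls.crt must be a certificate, tls.key a key.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" ||
        { echo "$crt: no certificate block" >&2; return 2; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "$key: no private key block" >&2; return 2; }
    command -v openssl >/dev/null 2>&1 ||
        { echo "openssl not found" >&2; return 3; }
    # -checkend 0 fails if the certificate is already past its notAfter date.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "$crt: expired or unparsable" >&2; return 4; }
    # Compare the public key embedded in the certificate with the one derived
    # from the private key. "-passin pass:" avoids an interactive prompt, so a
    # passphrase-protected key is reported as unreadable.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
        { echo "$key: cannot read private key" >&2; return 5; }
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate and key do not match" >&2; return 5; }
}

# Create the secret only after the pair passes the checks above.
# Assumption: the secret goes in the namespace used by the IAConfig sample.
create_cam_tls_secret() {
    name=$1; ns=$2; crt=$3; key=$4
    check_tls_pair "$crt" "$key" || return
    # "oc create secret tls" stores the files under the keys tls.crt, tls.key.
    oc create secret tls "$name" --cert="$crt" --key="$key" -n "$ns"
}

# Usage: sh create-cam-secret.sh mycert cp4aiops ./tls.crt ./tls.key
if [ "$#" -eq 4 ]; then create_cam_tls_secret "$@"; fi
```
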

After creating the secret, follow one of the following procedures:

Procedure to follow to configure your custom HTTPS certificate during installation

To set the custom HTTPS certificate during installation, use the name of a new secret that contains the custom certificates as the value for camProxy.customNginxSSLCertificate.customNginxSSLCertName in the IAConfig resource specification. For more details on how to create an IAConfig resource, see Online install of Infrastructure Automation for IBM Cloud Pak for AIOps or Online installation of Infrastructure Automation.

The following sample YAML shows an IAConfig resource specification with the custom certificate secret name as the value for camProxy.customNginxSSLCertificate.customNginxSSLCertName.

cat << EOF | oc apply -f -
kind: IAConfig
apiVersion: aiops.ibm.com/v1alpha1
metadata:
  name: ibm-ia-installer
  namespace: cp4aiops
spec:
  imagePullSecret: ibm-entitlement-key
  infraAutoComposableComponents:
    - enabled: <Set true to install Infrastructure Management component of Infrastructure Automation false otherwise>
      name: ibm-management-im-install
      spec: {}
    - enabled: <Set true to install Managed services component of Infrastructure Automation false otherwise>
      name: ibm-management-cam-install
      spec:
        manageservice:
          camProxy:
            customNginxSSLCertificate:
              customNginxSSLCertName: mycert
  license:
    accept: <Set true to accept the license>
  storageClass: <Storage Class name that supports RWO>
  storageClassLargeBlock: <Select a storage class with a large block size (for example, 64k)>
EOF

Note: If Infrastructure Automation is installed with IBM Cloud Pak for AIOps, then set storageClass and storageClassLargeBlock to the same classes that IBM Cloud Pak for AIOps uses.

To verify that cam-proxy uses your custom secret, wait for the cam-proxy pod to come up and then check the volume cam-nginx-cert: its type value must be set to your secret name. If your secret name is mycert, then the type column must display mycert.

Procedure to configure your custom HTTPS certificate postinstallation

To set the custom HTTPS certificate after installation, do the following:

  1. In the Red Hat OpenShift Container Platform console, navigate to your installed ManagedService custom resource YAML.

  2. Find the string customNginxSSLCertName in the YAML.

  3. Set the secret name of your custom certificate (tls.crt and tls.key) as the value for customNginxSSLCertName. If your secret name is mycert, then your modified YAML looks like the following:

    camProxy:
      replicaCount: 1
      resources:
        limits:
          cpu: 500m
          memory: 1500Mi
        requests:
          cpu: 100m
          memory: 256Mi
      customNginxSSLCertificate:
        customNginxSSLCertName: mycert
    
  4. Save your changes.

  5. Your cam-proxy pod will be restarted. To verify that cam-proxy uses your custom secret, wait for the cam-proxy pod to come up and then check the volume cam-nginx-cert: its type value must be set to your secret name. If your secret name is mycert, then the type column must display mycert.