Using a custom TLS certificate for HTTPS connections

The IBM® Cloud Pak for Data installation includes a self-signed TLS certificate that can be used to enable HTTPS connections. By default, this certificate is untrusted by all HTTPS clients. However, you can replace the default certificate with your own TLS certificate.

Cloud Pak for Data exposes one HTTPS port as the primary access point for the web client and for API requests. On Red Hat® OpenShift®, the port is exposed as an OpenShift route.

Before you begin

To complete this task, you must have your own certificate and private key file that meet the following requirements:

  • Both files are in PEM format.
  • The certificate is named cert.crt.

    The certificate can be a bundle that contains your server certificate, intermediate certificates, and root certificate concatenated in that order (server first, then intermediates, then root) into one file. The necessary certificates must be enabled as trusted certificates on the clients that connect to the cluster.

  • The private key is named cert.key.
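The following script is an added pre-flight check for the two files described above, not part of the IBM documentation; run it in the directory you will use in step 1 of the procedure. It verifies that both files are PEM (also when saved with Windows line endings), that cert.crt holds only certificates and cert.key holds exactly one private key, and, when openssl is installed, that the key belongs to the first (server) certificate in the bundle. The function and file names are the example's own.

```shell
#!/usr/bin/env bash
# Pre-flight check of cert.crt / cert.key before they are copied into the
# ibm-nginx pod. Added example; not part of the IBM Cloud Pak for Data docs.

# pem_blocks FILE LABEL: number of "-----BEGIN ...LABEL-----" lines in FILE.
# CRLF is stripped first: PEM files edited on Windows otherwise fail to parse.
pem_blocks() {
  tr -d '\r' < "$1" | grep -c "^-----BEGIN .*${2}-----$" || true
}

# check_pem_layout CERT KEY: structural checks that need no crypto tooling.
check_pem_layout() {
  crt=$1; key=$2
  for f in "$crt" "$key"; do
    [ -r "$f" ] || { echo "missing or unreadable file: $f" >&2; return 1; }
  done
  n_cert=$(pem_blocks "$crt" CERTIFICATE)
  [ "$n_cert" -ge 1 ] || { echo "$crt: no PEM CERTIFICATE block (DER or wrong file?)" >&2; return 1; }
  [ "$(pem_blocks "$crt" 'PRIVATE KEY')" -eq 0 ] ||
    { echo "$crt: contains a private key; the bundle must hold certificates only" >&2; return 1; }
  n_key=$(pem_blocks "$key" 'PRIVATE KEY')
  [ "$n_key" -eq 1 ] || { echo "$key: expected one PEM PRIVATE KEY block, found $n_key" >&2; return 1; }
  [ "$(pem_blocks "$key" CERTIFICATE)" -eq 0 ] || { echo "$key: contains a certificate" >&2; return 1; }
  echo "$crt: $n_cert certificate(s); order must be server, intermediates, root"
}

# check_key_matches_cert CERT KEY: the private key must belong to the first
# (server) certificate in the bundle. openssl x509 reads only the first PEM
# certificate, so comparing the two SubjectPublicKeyInfo blocks is sufficient.
check_key_matches_cert() {
  pub_crt=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  pub_key=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$pub_crt" = "$pub_key" ] || { echo "$1 and $2 do not belong together" >&2; return 1; }
  echo "private key matches the server certificate"
}

# check_cert_pair CERT KEY: layout checks, then the key match when openssl exists.
check_cert_pair() {
  check_pem_layout "$1" "$2" || return 1
  if command -v openssl >/dev/null 2>&1; then check_key_matches_cert "$1" "$2"; fi
}

# Usage: ./check_certs.sh cert.crt cert.key
if [ $# -eq 2 ]; then check_cert_pair "$1" "$2"; fi
```

A non-zero exit means the files should not be copied into the pod; the message on stderr names the file and the problem.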

Procedure

To replace the default TLS certificate with your custom TLS certificate:

  1. Place the cert.crt and cert.key files in the same directory on your local file system.
  2. Change to the directory where the files are located.
  3. Connect to your OpenShift cluster:
    oc login OpenShift_URL:port
  4. Set the context to the project where Cloud Pak for Data is deployed:
    oc project PROJECT-NAME

    The default project name is zen.

  5. Locate an ibm-nginx pod in the deployment:
    ibm_nginx_pod=$(oc get pods | grep ibm-nginx | head -1 | cut -f1 -d\ )
    echo $ibm_nginx_pod
  6. Create a directory called customer-certs inside the pod in the user-home/_global_ directory:
    oc exec ${ibm_nginx_pod} -- mkdir -p "/user-home/_global_/customer-certs"
  7. Copy the certificate and key files into the customer-certs directory:
    oc cp cert.crt ${ibm_nginx_pod}:/user-home/_global_/customer-certs/
    oc cp cert.key ${ibm_nginx_pod}:/user-home/_global_/customer-certs/
  8. Restart all of the ibm-nginx pods:
    for i in $(oc get pods | grep ibm-nginx | cut -f1 -d\ ); do oc exec ${i} -- /scripts/reload.sh; done

    The output should be similar to the following output:

    reloading nginx conf
    setting up ssl 
    using customer certs
    nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
    TIMESTAMP [notice] 132#132: signal process started
    reloading nginx conf
    setting up ssl 
    using customer certs
    nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
    TIMESTAMP [notice] 51#51: signal process started
    reloading nginx conf
    setting up ssl 
    using customer certs
    nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
    TIMESTAMP [notice] 52#52: signal process started