The IBM® Cloud Pak for Data installation includes a self-signed TLS certificate that can be used to enable HTTPS connections. By default, this certificate is untrusted by all HTTPS clients. However, you can replace the default certificate with your own TLS certificate.
Cloud Pak for Data exposes one HTTPS port as the primary access point for the web client and for API requests. On Red Hat® OpenShift®, the port is exposed as an OpenShift route.
Before you begin
To complete this task, you must have your own certificate and private key file that meet the following requirements:
- Both files are in PEM format.
- The certificate is named cert.crt. The certificate can be a bundle that contains your server, intermediate, and root certificates concatenated (in the proper order) into one file. The necessary certificates must be enabled as trusted certificates on the clients that connect to the cluster.
- The private key is named cert.key.
Procedure
To replace the default TLS certificate with your custom TLS certificate:
- Place the cert.crt and cert.key files in the same directory on your local file system.
- Change to the directory where the files are located.
- Connect to your OpenShift cluster:
oc login OpenShift_URL:port
- Set the context to the project where Cloud Pak for Data is deployed:
oc project PROJECT-NAME
The default project name is zen.
- Locate an ibm-nginx pod in the deployment:
ibm_nginx_pod=$(oc get pods | grep ibm-nginx | head -1 | cut -f1 -d\ )
echo $ibm_nginx_pod
- Create a directory called customer-certs inside the pod in the user-home/_global_ directory:
oc exec ${ibm_nginx_pod} -- mkdir -p "/user-home/_global_/customer-certs"
- Copy the certificate and key files into the customer-certs directory:
oc cp cert.crt ${ibm_nginx_pod}:/user-home/_global_/customer-certs/
oc cp cert.key ${ibm_nginx_pod}:/user-home/_global_/customer-certs/
- Restart all of the ibm-nginx pods:
for i in `oc get pods | grep ibm-nginx | cut -f1 -d\ `; do oc exec ${i} -- /scripts/reload.sh; done
The output should be similar to the following:
reloading nginx conf
setting up ssl
using customer certs
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
TIMESTAMP [notice] 132#132: signal process started
reloading nginx conf
setting up ssl
using customer certs
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
TIMESTAMP [notice] 51#51: signal process started
reloading nginx conf
setting up ssl
using customer certs
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
TIMESTAMP [notice] 52#52: signal process started
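The following script is an added example, not part of the IBM documentation: it checks the cert.crt/cert.key pair against the requirements above (PEM format, a bundle with at least one certificate, one private key, key matching the server certificate) before running the copy and reload steps of the procedure. It assumes oc is already logged in with the Cloud Pak for Data project selected, that the pair sits in the directory given as the first argument, and that the openssl CLI is available for the key check.

```shell
#!/bin/sh
# Added example (not IBM's script): preflight the cert.crt/cert.key pair, then
# run the copy-and-reload steps from the procedure. Assumes `oc` is logged in and
# the Cloud Pak for Data project is already selected.

# Print how many PEM blocks of type $2 ("CERTIFICATE" or "PRIVATE KEY") file $1 holds.
pem_block_count() {
  n=$(grep -c -- "-----BEGIN .*$2-----" "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# Return 0 when the pair in directory $1 looks usable: at least one certificate
# block (a bundle is fine), exactly one private key, balanced BEGIN/END markers.
preflight() {
  crt="${1:-.}/cert.crt"; key="${1:-.}/cert.key"
  [ -r "$crt" ] && [ -r "$key" ] || { echo "missing cert.crt or cert.key" >&2; return 1; }
  certs=$(pem_block_count "$crt" CERTIFICATE)
  keys=$(pem_block_count "$key" "PRIVATE KEY")
  [ "$certs" -ge 1 ] || { echo "cert.crt: no CERTIFICATE block" >&2; return 1; }
  [ "$keys" -eq 1 ] || { echo "cert.key: expected 1 PRIVATE KEY block, found $keys" >&2; return 1; }
  for f in "$crt" "$key"; do
    b=$(grep -c -- '-----BEGIN ' "$f" || true); e=$(grep -c -- '-----END ' "$f" || true)
    [ "$b" -eq "$e" ] || { echo "$f: unbalanced BEGIN/END markers (not valid PEM)" >&2; return 1; }
  done
  echo "cert.crt: $certs certificate block(s); cert.key: 1 private key"
}

# Return 0 when the private key belongs to the first (server) certificate in the
# bundle. Needs the openssl CLI; compares the SHA-256 of both public keys.
key_matches_cert() {
  c=$(openssl x509 -in "${1:-.}/cert.crt" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "${1:-.}/cert.key" -pubout 2>/dev/null) || return 1
  [ "$(printf '%s' "$c" | openssl sha256)" = "$(printf '%s' "$k" | openssl sha256)" ]
}

# The procedure's copy and reload steps, run against the current project.
install_certs() {
  d=${1:-.}
  preflight "$d" && key_matches_cert "$d" || return 1
  pod=$(oc get pods | grep ibm-nginx | head -1 | cut -f1 -d' ')
  [ -n "$pod" ] || { echo "no ibm-nginx pod in the current project" >&2; return 1; }
  oc exec "$pod" -- mkdir -p /user-home/_global_/customer-certs
  oc cp "$d/cert.crt" "$pod:/user-home/_global_/customer-certs/"
  oc cp "$d/cert.key" "$pod:/user-home/_global_/customer-certs/"
  for p in $(oc get pods | grep ibm-nginx | cut -f1 -d' '); do
    oc exec "$p" -- /scripts/reload.sh   # prints "using customer certs" on success
  done
}
```

Run it as install_certs /path/to/certs; a failed preflight or key mismatch stops the script before anything is copied into the pod, so the running ibm-nginx configuration is left untouched.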