To integrate with an external service, you must first import its Transport Layer Security
(TLS) certificate into the operator trust list. These certificates are added to the truststore of
each component in the Cloud Pak. The TLS certificate for the LDAP service must be specified with
ldap_ssl_secret_name
. The TLS certificate for the database service must be
specified with database_ssl_secret_name
.
Procedure
-
Get the signer certificate that is used to sign your external service and save it to a
certificate.
For example, external-service-cert.crt.
For more information, see
OpenSSL.
The following example command gets the certificate chain of
cloud.ibm.com
by using
OpenSSL.
echo | openssl s_client -showcerts -connect cloud.ibm.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > external-service-cert.crt
The
following example command gets the certificate chain of cloud.ibm.com
by using
keytool.
keytool -printcert -sslserver cloud.ibm.com:443 -rfc > external-service-cert.crt
-
To create the secret, run the following command in the OpenShift project (namespace) where you
installed the Cloud Pak operator and your CP4BA deployment:
oc project <CP4BA_namespace>
kubectl create secret generic secretName --from-file=tls.crt=your_cert_path/external-service-cert.crt -n <CP4BA_namespace>
Substitute your values for secretName
and
your_cert_path/external-service-cert.crt
. The
certificate must be in Privacy Enhanced Mail (PEM) format. When the secret is created, you can
discard the .crt file that you generated.
-
Add the secret to the component's truststore.
If you want this service to be trusted by all components installed by the operator, add the
secret to the custom resource in the shared_configuration.trusted_certificate_list
parameter.
For example, the following list includes two external services:
shared_configuration:
trusted_certificate_list:
- extenalservice1-tls-secret
- externalservice2-tls-secret