Using a custom TLS certificate for HTTPS connections to the platform
IBM® Cloud Pak for Data includes a self-signed TLS certificate that is used to enable HTTPS connections. However, this certificate is untrusted by all HTTPS clients. It is strongly recommended that you replace the self-signed certificate with your own certificate.
What permissions do you need to complete this task?
- To complete this task, you must have one of the following roles:
  - Red Hat® OpenShift® Container Platform cluster administrator
  - Red Hat OpenShift Container Platform project administrator on the project where Cloud Pak for Data is installed
When do you need to complete this task?
- This task is optional, but strongly recommended. You should complete this task before you give users access to the Cloud Pak for Data platform.
If you installed multiple instances of Cloud Pak for Data on your cluster, complete this task for each instance.
Before you begin
Make sure that the following command-line tools are installed on the client workstation:
- Cloud Pak for Data CLI: cpd-cli
- OpenShift CLI: oc
For details, see: Setting up a client workstation.
About this task
The files that you must provide depend on the type of route that you want to use for Cloud Pak for Data:
Route type | Default certificate | Custom TLS certificate and key | CA certificate |
---|---|---|---|
Passthrough (default) | Supported. However, it is recommended that you replace this certificate with a custom certificate. | Supported. If you use a passthrough route, this option is strongly recommended. The files must be PEM-encoded files. | Not used. |
Re-encrypt | Not supported. | Required. The files must be PEM-encoded files. | Required. The file must be a PEM-encoded file. |
You can provide the files in either of the following ways:
- You can place the files in the cpd-cli-workspace/olm-utils-workspace/work directory on the client workstation and specify the file names when you run the cpd-cli manage setup-route command.
- You can create a secret that you provide to the cpd-cli. To create a secret, run the appropriate command for your environment. In both commands, the ${PROJECT_CPD_INSTANCE} environment variable must be set to the project where Cloud Pak for Data is installed.
Command to create a secret with a TLS certificate and TLS key
The following example creates a secret called cpd-tls-secret. You must replace the following variables before you can run the command:
- <tls-certificate-file-name>: The name of the TLS certificate file. The example assumes that you are running the command from the directory where the file is located.
- <tls-key-file-name>: The name of the TLS key file. The example assumes that you are running the command from the directory where the file is located.

    oc create secret generic cpd-tls-secret \
      -n ${PROJECT_CPD_INSTANCE} \
      --from-file=tls.crt=./<tls-certificate-file-name> \
      --from-file=tls.key=./<tls-key-file-name>
Command to create a secret with a CA certificate, TLS certificate, and TLS key
The following example creates a secret called cpd-tls-secret. You must replace the following variables before you can run the command:
- <ca-certificate-file-name>: The name of the CA certificate file. The example assumes that you are running the command from the directory where the file is located.
- <tls-certificate-file-name>: The name of the TLS certificate file. The example assumes that you are running the command from the directory where the file is located.
- <tls-key-file-name>: The name of the TLS key file. The example assumes that you are running the command from the directory where the file is located.

    oc create secret generic cpd-tls-secret \
      -n ${PROJECT_CPD_INSTANCE} \
      --from-file=ca.cert=./<ca-certificate-file-name> \
      --from-file=tls.crt=./<tls-certificate-file-name> \
      --from-file=tls.key=./<tls-key-file-name>
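As an added example, not part of the IBM documentation or of the cpd-cli tooling, the following Python script performs the checks a practitioner would want before running either oc create secret command above: it confirms that each file is PEM-encoded (the requirement the table states for both route types), that the set of files matches the chosen route type (tls.crt and tls.key for passthrough; ca.cert, tls.crt and tls.key for re-encrypt), and that the private key is not passphrase-protected, and it then emits the same Opaque Secret manifest that the oc command would create so it can be reviewed and applied with oc apply -f -. The secret name cpd-tls-secret, the data keys tls.crt, tls.key and ca.cert, and the PROJECT_CPD_INSTANCE variable follow the commands on this page; the script name, the route type strings "passthrough" and "reencrypt", and the fake_pem placeholder (a constructed DER stub, not a real certificate) are the example's own. The checks are structural only: no signature, chain, hostname or expiry validation is done.

```python
"""Pre-flight checks and Secret manifest for the Cloud Pak for Data route certificate.
Added example (not IBM's code): validates the PEM files, matches the file set to the
route type, and emits the Secret that `oc create secret generic` above would create."""
import base64
import json
import os
import re
import sys

# Secret data keys used by the oc commands on this page, per route type.
REQUIRED_KEYS = {
    "passthrough": ("tls.crt", "tls.key"),
    "reencrypt": ("ca.cert", "tls.crt", "tls.key"),
}
# PEM block labels acceptable for each secret key.
ALLOWED_LABELS = {
    "tls.crt": {"CERTIFICATE"},
    "ca.cert": {"CERTIFICATE"},
    "tls.key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def der_total_length(der: bytes) -> int:
    """Length of the outermost DER element: tag + length octets + content."""
    if len(der) < 2:
        raise ValueError("DER element too short")
    first = der[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_blocks(text: str) -> list:
    """Return [(label, der_bytes), ...] for every PEM block in text; raise if none or malformed."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:         # binascii.Error is a ValueError
            raise ValueError(f"{label}: PEM body is not valid base64 ({exc})") from None
        # Certificates and private keys are DER SEQUENCEs (tag 0x30) whose encoded
        # length must cover exactly the decoded bytes.
        if not der or der[0] != 0x30 or der_total_length(der) != len(der):
            raise ValueError(f"{label}: PEM body is not a well-formed DER SEQUENCE")
        blocks.append((label, der))
    if not blocks:
        raise ValueError("no PEM block found; the file must be PEM-encoded, not DER or PKCS#12")
    return blocks


def validate_pem_file(key: str, text: str) -> int:
    """Validate the file that goes into secret key `key`; return its number of PEM blocks."""
    if "ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text:
        raise ValueError(f"{key}: private key is passphrase-protected; the route needs an unencrypted key")
    blocks = pem_blocks(text)
    unexpected = {label for label, _ in blocks} - ALLOWED_LABELS[key]
    if unexpected:
        raise ValueError(f"{key}: unexpected PEM block type(s) {sorted(unexpected)}")
    if key == "tls.key" and len(blocks) != 1:
        raise ValueError(f"{key}: expected exactly one private key, found {len(blocks)}")
    return len(blocks)


def build_secret_manifest(name: str, namespace: str, route_type: str, files: dict) -> dict:
    """files maps a secret key (tls.crt, tls.key, ca.cert) to the PEM text of that file."""
    if route_type not in REQUIRED_KEYS:
        raise ValueError(f"unknown route type {route_type!r}; use 'passthrough' or 'reencrypt'")
    required = REQUIRED_KEYS[route_type]
    if missing := [key for key in required if key not in files]:
        raise ValueError(f"{route_type} route requires {missing}")
    data = {}
    for key in required:                  # ca.cert is ignored for passthrough (not used there)
        validate_pem_file(key, files[key])
        data[key] = base64.b64encode(files[key].encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",                 # what `oc create secret generic` produces
        "metadata": {"name": name, "namespace": namespace},
        "data": data,
    }


def fake_pem(label: str) -> str:
    """Constructed placeholder for tests only: DER SEQUENCE { INTEGER 1 } in PEM markers.
    NOT a real certificate or key; it only exercises the structural checks."""
    body = base64.b64encode(bytes.fromhex("3003020101")).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    # Usage: build_cpd_tls_secret.py <passthrough|reencrypt> <dir> <tls-cert> <tls-key> [<ca-cert>]
    route, directory, cert_name, key_name = sys.argv[1:5]
    names = {"tls.crt": cert_name, "tls.key": key_name}
    if len(sys.argv) > 5:
        names["ca.cert"] = sys.argv[5]
    files = {key: open(os.path.join(directory, fname)).read() for key, fname in names.items()}
    manifest = build_secret_manifest("cpd-tls-secret", os.environ["PROJECT_CPD_INSTANCE"], route, files)
    print(json.dumps(manifest, indent=2))
```

Run it against the files in the cpd-cli work directory, for example `python build_cpd_tls_secret.py reencrypt cpd-cli-workspace/olm-utils-workspace/work <tls-certificate-file-name> <tls-key-file-name> <ca-certificate-file-name> | oc apply -f -`, with PROJECT_CPD_INSTANCE exported as in the commands above. A file that is DER or PKCS#12 rather than PEM, a passphrase-protected key, a key file that holds more than one private key, or a missing CA certificate for a re-encrypt route is rejected before anything reaches the cluster, which is cheaper to diagnose than a route that silently fails the TLS handshake.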