Adding a custom TLS certificate for HTTPS connections with Cognos Dashboards

Optional. The Cognos Dashboards installation includes a self-signed TLS certificate that you can use to enable HTTPS connections. You can replace this default self-signed certificate with your own custom TLS certificate.

Before you begin

Who needs to complete this task?
To complete this task, you must have one of the following roles:
  • Cluster administrator
  • Instance administrator

Procedure

  1. Disable session affinity for the Cognos Dashboards service.
    1. Open the Cognos Dashboards custom resource for editing. 
      oc edit dashboardservice dashboardservice-cr -n ${PROJECT_CPD_INST_OPERANDS}
    2. Set the enableAffinity property to false.
    3. Save the update and exit the editor.

      For example, if you are using vi, press Esc and enter :wq!

      Saving this update triggers all Cognos Dashboards services to restart, so it takes approximately 5 minutes for this change to take effect. Wait until all Cognos Dashboards services to restart before you proceed to the next step.

      Run the following command to view the status of the Cognos Dashboards services while they are restarting:

      oc get pod -o wide -lapp.kubernetes.io/managed-by=ibm-dashboard-prod -n ${PROJECT_CPD_INST_OPERANDS}

      Look for the status and age fields in the output.

  2. Set up the custom TLS certificate.
    1. Get the YAML content for the query-service route.

      The following command extracts the content into the query-service.yaml file:

      oc get route query-service -o yaml > query-service.yaml -n ${PROJECT_CPD_INST_OPERANDS}
    2. In the YAML file, go to the tls section, then set the key, certificate, and caCertificate keys for your custom TLS certificate.
    3. Delete the query-service route. 
      oc delete route query-service -n ${PROJECT_CPD_INST_OPERANDS}
    4. Re-create the query-service route with the custom TLS certificate that you added. 
      oc apply -f query-service.yaml -n ${PROJECT_CPD_INST_OPERANDS}
  3. Check that the route is set up properly with the new certificate.

    Run the following command to show a self-signed certificate error message.

    curl -v https://<site_name>/query-service

    If the following command shows a 400 error request, your custom certificate is accepted:

    curl --cacert path.to.cacertificate -v https://<site_name>/query-service
  4. Enable session affinity for the Cognos Dashboards service.
    1. Open the Cognos Dashboards custom resource for editing. 
      oc edit dashboardservice dashboardservice-cr -n ${PROJECT_CPD_INST_OPERANDS}
    2. Set the enableAffinity property to true.
    3. Save the update and exit the editor.

      For example, if you are using vi, press Esc and enter :wq! to save and exit.

      Saving this update triggers all Cognos Dashboards services to restart, so it takes approximately 5 minutes for this change to take effect.

      Run the following command to view the status of the Cognos Dashboards services while they are restarting:

      oc get pod -o wide -lapp.kubernetes.io/managed-by=ibm-dashboard-prod -n ${PROJECT_CPD_INST_OPERANDS}

      Look for the status and age fields in the output.