Refreshing expired Cloud Pak foundational services certificates

Refresh self-signed Cloud Pak foundational services CA certificates that have expired so that the capabilities in your Cloud Pak for Integration installation can use them.

Tip: To change the duration of the CA certificate and refresh IBM Cloud Pak® foundational services internal certificates, see Refreshing IBM Cloud Pak foundational services internal certificates.

IBM Event Streams

For information about refreshing certificates, see Renewing certificates in the Event Streams documentation.

IBM Automation foundation assets (Automation assets)

  1. Switch to the namespace where Operations Dashboard is installed

  2. Ensure Common Services refreshed the certificate management-ingress-ibmcloud-cluster-ca-cert. If not, delete the certificate using the following command and wait for it to be re-created by Common Services again:

    oc delete secret management-ingress-ibmcloud-cluster-ca-cert

    If the secret has not been created automatically, look for errors or delete all operand-deployment-lifecycle-manager-* pods in Common Services namespace (usually ibm-common-services).

  3. Delete the API and UI pods for the Asset Repository deployment:

    <CR name>-ibm-integration-asset-repository-ui-*
    <CR name>-ibm-integration-asset-repository-api-*

IBM API Connect (API management) and IBM DataPower (gateway)

For information about refreshing certificates, see Renewing TLS certificates in the API Connect documentation.

IBM App Connect Enterprise

IBM App Connect Enterprise does not use management-ingress-ibmcloud-cluster-ca-cert, so no action is necessary.


Begin by switching to the namespace where IBM MQ queue managers are deployed.

Next, restart the queue manager pod so that it can pick up the refreshed certificates. Follow the steps applicable to your queue manager's availability type, SingleInstance or MultiInstance.

Single-instance queue manager

Restart the queue manager pod by deleting it. As an example, a queue manager with the name quickstart-cp4i might have a corresponding pod name of quickstart-cp4i-ibm-mq-0. oc delete pod quickstart-cp4i-ibm-mq-0

Multi-instance queue manager

First, restart the standby queue manager pod by deleting it, then restart the active queue manager pod.

  1. To identify which pod is running as the standby queue manager, and which one as the active queue manager, run the dspmq command for each pod name. In this example, a queue manager with the name quickstart-cp4i has the corresponding pod names quickstart-cp4i-ibm-mq-0 and quickstart-cp4i-ibm-mq-1. :

    oc rsh <queuemanager-pod-name> dspmq

    For example:

    oc rsh quickstart-cp4i-ibm-mq-0 dspmq
    QMNAME(QUICKSTART)                         STATUS(Running as standby)

    The response confirms that the standby queue manager pod is quickstart-cp4i-ibm-mq-0.

  2. Delete the standby queue manager pod:

    oc delete pod quickstart-cp4i-ibm-mq-0
  3. Verify that the standby queue manager is restarted. For example:

    oc get pod --selector
  4. Verify that your standby queue manager pod is running:

    oc rsh quickstart-cp4i-ibm-mq-0 dspmq
  5. Restart the active queue manager pod (in this example, quickstart-cp4i-ibm-mq-1):

    oc delete pod quickstart-cp4i-ibm-mq-1