Replacing certificates

Certificates need to be replaced periodically to keep Operations Dashboard functional and secure. Perform these steps, in the order given, to replace the certificates used by Operations Dashboard.

Attention: Effective with IBM Cloud Pak® for Integration 2022.4.1, the integration tracing capability (IBM Cloud Pak for Integration Operations Dashboard) is deprecated. This capability will be removed in a future release. No further updates will be provided. No new uses of the Operations Dashboard should be implemented. Users who want to implement tracing should use Instana observability. For more information, see Enabling IBM Instana monitoring.

Replacing a ui-proxy certificate

Operations Dashboard's ui-proxy container uses a certificate for securing HTTPS traffic to the Web Console. This certificate is a service-serving certificate, which is automatically replaced when it gets close to expiration, and is stored together with its key in the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-fe-ui-int-tls secret. Once it is replaced, restart Operations Dashboard's front-end pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-fe) to start using the new key and certificate.

Note: This certificate is not presented to the end user's browser. The route certificate is the certificate that the browser should trust and use.

Replacing a registration-endpoint certificate

Operations Dashboard's registration-endpoint container uses a certificate for securing HTTPS registration requests from IBM Cloud Pak for Integration capabilities. This certificate is a service-serving certificate, which is automatically replaced when it gets close to expiration, and is stored together with its key in the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-fe-reg-int-tls secret. Once it is replaced, restart Operations Dashboard's front-end pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-fe) to start using the new key and certificate.

Replacing api-proxy certificates

Operations Dashboard's api-proxy containers use certificates for securing HTTPS API requests from the Operations Dashboard's internal components. These certificates are service-serving certificates, which are automatically replaced when they get close to expiration, and are stored together with their keys in the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-hkw-int-tls, <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-job-int-tls and <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-scd-int-tls secrets. Once they are replaced, restart Operations Dashboard's Scheduler pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-scd), Housekeeping pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-hkw) and Job pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-job) to start using the new keys and certificates.

Replacing a config-db certificate

Operations Dashboard's config-db container uses a certificate for securing communication from the Operations Dashboard's internal components. This certificate is a service-serving certificate, which is automatically replaced when it gets close to expiration, and is stored together with its key in the <OD_INSTANCE_NAME>-integration-operations-dashboard-db-int-tls secret. Once it is replaced, restart Operations Dashboard's Configuration Database pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-db) to start using the new key and certificate.

Replacing a store master node certificate

Operations Dashboard's store master node container uses a certificate for securing internal communication between the Operations Dashboard store containers. This certificate is a service-serving certificate, which is automatically replaced when it gets close to expiration, and is stored together with its key in the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-mst-int-tls secret. Once it is replaced, restart Operations Dashboard's store master node pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-mst) to start using the new key and certificate.

Replacing a store data node certificate

Operations Dashboard's store data node container uses a certificate for securing HTTPS requests from other Operations Dashboard containers and from IBM Cloud Pak for Integration capabilities. This certificate is a service-serving certificate, which is automatically replaced when it gets close to expiration, and is stored together with its key in the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-str-int-tls secret. Once it is replaced, restart Operations Dashboard's store pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-str) to start using the new key and certificate.
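The sections above all follow the same pattern: a service-serving certificate is rotated in a named secret, and the pods that consume it must be restarted. The following script is an added example, not code from the IBM page: it maps each component to its secret and pod prefix as given above, prints the notAfter date of the certificate in each secret, and optionally restarts the consuming pods. It assumes `oc` is logged in, `openssl` is available, that each secret stores the certificate under the tls.crt key, and uses OD_NS and OD_INSTANCE_NAME as placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM page: report the expiry of each service-serving certificate
# named in the sections above and, on request, restart the pods that consume it.
# Assumes `oc` is logged in and `openssl` is available. OD_NS and OD_INSTANCE_NAME are
# placeholders; that each secret stores the certificate under the tls.crt key is an assumption.

# Secret holding the key and certificate for a component (names exactly as given on the page).
od_secret_for() {            # usage: od_secret_for <instance> <component>
  case $2 in
    ui)  echo "$1-ibm-integration-operations-dashboard-fe-ui-int-tls" ;;
    reg) echo "$1-ibm-integration-operations-dashboard-fe-reg-int-tls" ;;
    hkw|job|scd|mst|str) echo "$1-ibm-integration-operations-dashboard-$2-int-tls" ;;
    db)  echo "$1-integration-operations-dashboard-db-int-tls" ;;
    *)   echo "unknown component: $2" >&2; return 1 ;;
  esac
}

# Prefix of the pods that must be restarted once that component's certificate is replaced.
od_pod_prefix_for() {        # usage: od_pod_prefix_for <instance> <component>
  case $2 in
    ui|reg) echo "$1-ibm-integration-od-fe" ;;       # both are served by the front-end pods
    hkw|job|scd|db|mst|str) echo "$1-ibm-integration-od-$2" ;;
    *) echo "unknown component: $2" >&2; return 1 ;;
  esac
}

# notAfter of the certificate in a TLS secret, decoded from its tls.crt entry.
od_cert_not_after() {        # usage: od_cert_not_after <namespace> <secret>
  oc get secret "$2" -n "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -enddate
}

# Delete (and so restart) every pod in <namespace> whose name starts with <prefix>.
od_restart_pods_with_prefix() {   # usage: od_restart_pods_with_prefix <namespace> <prefix>
  oc get pods -n "$1" -o name | grep "^pod/$2" | while read -r pod; do oc delete -n "$1" "$pod"; done
}

main() {
  ns=${OD_NS:?}; inst=${OD_INSTANCE_NAME:?}
  for comp in ui reg hkw job scd db mst str; do
    sec=$(od_secret_for "$inst" "$comp")
    printf '%-70s ' "$sec"; od_cert_not_after "$ns" "$sec"
    if [ "${OD_RESTART:-no}" = yes ]; then
      od_restart_pods_with_prefix "$ns" "$(od_pod_prefix_for "$inst" "$comp")"
    fi
  done
}
if [ -n "${OD_RUN:-}" ]; then main; fi
```

Run it as `OD_RUN=1 OD_NS=<namespace> OD_INSTANCE_NAME=<instance> sh check-od-certs.sh` to only report expiry dates, and add `OD_RESTART=yes` after a rotation to restart the consuming pods (the front-end pods are restarted twice, once for ui and once for reg, which is harmless).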

Applying a new service CA certificate

If the service CA certificate, which signs all service-serving certificates, has been replaced, the copy in the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-srv-ca-cm config map is updated automatically. However, this CA certificate is also stored in the secrets of IBM Cloud Pak for Integration capabilities that have completed the registration process, so the following steps are required:

  • Restart all Operations Dashboard pods to use the new service CA certificate.

  • For each approved namespace that previously completed the registration process, reprocess the request on the Registration Requests page, then restart the integration capability pods so that the newly created secret takes effect.

Replacing a store admin certificate

Operations Dashboard's store container requires a client certificate to grant admin privileges. This certificate is used by the Scheduler and Housekeeping containers, and is also used for health checks of the store container. The client certificate is issued by a self-signed CA certificate, and IBM recommends that you replace both certificates at the same time.

  • Delete the following secrets:

    • <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-clustrca

    • <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-crt-adm

    • <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-crt-api

    • <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-crt-ca

    • <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-crt-trns

  • Restart the Operations Dashboard operator pod.

  • Restart all Operations Dashboard pods.

Applying a new management ingress root CA certificate

This certificate is managed by IBM Cloud Pak foundational services, and it is stored together with its key in management-ingress-ibmcloud-cluster-ca-cert secret. Once the certificate is replaced:

  • Confirm that Cloud Pak foundational services refreshed the secret management-ingress-ibmcloud-cluster-ca-cert. If not, delete the secret and wait until it is recreated by Cloud Pak foundational services.
    If the secret is not created automatically, look for errors or delete the operand-deployment-lifecycle-manager-* pods in the Cloud Pak foundational services namespace (this namespace is usually ibm-common-services).

  • Delete the secret <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-clustrca.

  • Delete the OD operator pod (it may be in a different namespace, such as openshift-operators).

  • Wait until the secret <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-clustrca is recreated by the OD operator.

  • Delete the following pods:

    • <OD_INSTANCE_NAME>-ibm-integration-od-fe-*

    • <OD_INSTANCE_NAME>-ibm-integration-od-hkw-*

    • <OD_INSTANCE_NAME>-ibm-integration-od-job-*

    • <OD_INSTANCE_NAME>-ibm-integration-od-scd-*

Tracing data is collected regardless of the status of the management ingress root CA certificate. However, the Web Console becomes available only after <OD_INSTANCE_NAME>-ibm-integration-od-fe-* pods become ready (when the preceding procedure is completed).
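The management ingress root CA procedure above is order-sensitive: the OD operator must rebuild the clustrca secret before the pods that hold the CA are restarted. The following script is an added example, not code from the IBM page; it runs the steps in that order with a polling wait between them. It assumes `oc` is logged in and uses OD_NS, OD_INSTANCE_NAME, CS_NS (the foundational services namespace, usually ibm-common-services) and OPERATOR_NS as placeholders; the page does not name the operator pod, so OD_OPERATOR_POD_PREFIX is an assumption you must supply.

```shell
#!/bin/sh
# Added example, not from the IBM page: the management ingress root CA steps above, in order.
# Assumes `oc` is logged in. OD_NS, OD_INSTANCE_NAME, CS_NS (foundational services namespace,
# usually ibm-common-services), OPERATOR_NS and OD_OPERATOR_POD_PREFIX are placeholders;
# the page does not name the operator pod, so its prefix is an assumption you must set.

ROOT_CA_SECRET=management-ingress-ibmcloud-cluster-ca-cert
clustrca_secret() { echo "$1-ibm-integration-operations-dashboard-com-clustrca"; }
od_pod_prefixes() { for s in fe hkw job scd; do echo "$1-ibm-integration-od-$s"; done; }

# Poll until a secret exists, or fail after <timeout> seconds (default 300).
wait_for_secret() {          # usage: wait_for_secret <namespace> <secret> [timeout]
  waited=0
  until oc get secret "$2" -n "$1" >/dev/null 2>&1; do
    [ "$waited" -lt "${3:-300}" ] || { echo "timed out waiting for secret $2 in $1" >&2; return 1; }
    sleep 5; waited=$((waited + 5))
  done
}

# Delete (restart) every pod in <namespace> whose name starts with <prefix>.
delete_pods_with_prefix() {  # usage: delete_pods_with_prefix <namespace> <prefix>
  oc get pods -n "$1" -o name | grep "^pod/$2" | while read -r pod; do oc delete -n "$1" "$pod"; done
}

main() {
  ns=${OD_NS:?}; inst=${OD_INSTANCE_NAME:?}; cs_ns=${CS_NS:-ibm-common-services}
  op_ns=${OPERATOR_NS:-openshift-operators}; op_prefix=${OD_OPERATOR_POD_PREFIX:?}
  # Step 1: the root CA secret must be present. If you deleted a stale copy, this waits for
  # foundational services to recreate it; on timeout, check the
  # operand-deployment-lifecycle-manager-* pods in $cs_ns as the page describes.
  wait_for_secret "$cs_ns" "$ROOT_CA_SECRET"
  # Steps 2-4: drop the OD copy of the CA, restart the operator, wait until it rebuilds the secret.
  oc delete secret "$(clustrca_secret "$inst")" -n "$ns" --ignore-not-found
  delete_pods_with_prefix "$op_ns" "$op_prefix"
  wait_for_secret "$ns" "$(clustrca_secret "$inst")"
  # Step 5: restart the pods that hold the CA; the Web Console returns once the fe pods are ready.
  for p in $(od_pod_prefixes "$inst"); do delete_pods_with_prefix "$ns" "$p"; done
}
if [ -n "${OD_RUN:-}" ]; then main; fi
```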