Replacing certificates
Certificates need to be replaced periodically to keep Operations Dashboard functional and secure. Perform these steps, in the order given, to replace the certificates used by Operations Dashboard.
Replacing a ui-proxy certificate
Operations Dashboard's ui-proxy container uses a certificate for securing HTTPS traffic to the Web Console. This certificate is a service-serving certificate, which is automatically replaced when it gets close to expiration, and is stored together with its key in the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-fe-ui-int-tls secret. Once replaced, restart Operations Dashboard's front end pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-fe) to start using the new key and certificate.
Replacing a registration-endpoint certificate
Operations Dashboard's registration-endpoint container uses a certificate for securing HTTPS registration requests from IBM Cloud Pak for Integration capabilities. This certificate is a service-serving certificate, which is automatically replaced when it gets close to expiration, and is stored together with its key in the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-fe-reg-int-tls secret. Once replaced, restart Operations Dashboard's front end pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-fe) to start using the new key and certificate.
Replacing api-proxy certificates
Operations Dashboard's api-proxy containers use certificates for securing HTTPS API requests from the Operations Dashboard's internal components. These certificates are service-serving certificates, which are automatically replaced when they get close to expiration, and are stored together with their keys in the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-hkw-int-tls, <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-job-int-tls and <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-scd-int-tls secrets. Once replaced, restart Operations Dashboard's Scheduler pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-scd), Housekeeping pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-hkw) and Job pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-job) to start using the new keys and certificates.
Replacing a config-db certificate
Operations Dashboard's config-db container uses a certificate for securing communication from the Operations Dashboard's internal components. This certificate is a service-serving certificate that is automatically replaced when it gets close to expiration, and is stored together with its key in the <OD_INSTANCE_NAME>-integration-operations-dashboard-db-int-tls secret. Once replaced, restart Operations Dashboard's Configuration Database pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-db) to start using the new key and certificate.
Replacing a store master node certificate
Operations Dashboard's store master node container uses a certificate for securing internal communication between the Operations Dashboard store containers. This certificate is a service-serving certificate, which is automatically replaced when it gets close to expiration, and is stored together with its key in the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-mst-int-tls secret. Once replaced, restart Operations Dashboard's store master node pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-mst) to start using the new key and certificate.
Replacing a store data node certificate
Operations Dashboard's store data node container uses a certificate for securing HTTPS requests from other Operations Dashboard containers and from IBM Cloud Pak for Integration capabilities. This certificate is a service-serving certificate, which is automatically replaced when it gets close to expiration, and is stored together with its key in the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-str-int-tls secret. Once replaced, restart Operations Dashboard's store pods (prefixed <OD_INSTANCE_NAME>-ibm-integration-od-str) to start using the new key and certificate.
Applying a new service CA certificate
If the service CA certificate, which signs all service-serving certificates, has been replaced, it is automatically updated in the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-srv-ca-cm config map. However, this CA certificate is also stored in secrets of the IBM Cloud Pak for Integration capabilities that have completed the registration process.
Restart all Operations Dashboard pods to use the new service CA certificate.
For each approved namespace that has completed the registration process in the past, the request needs to be reprocessed on the registration requests page, and the integration capability pods need to be restarted so that the newly created secret becomes effective.
Replacing a store admin certificate
Operations Dashboard's store container requires a client certificate for gaining admin privileges. This certificate is used by the Scheduler and Housekeeping containers, and is also used for health checks for the store container. The client certificate is issued with a self-signed CA certificate, and IBM recommends that you replace both certificates simultaneously.
Delete the following secrets:
<OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-clustrca
<OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-crt-adm
<OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-crt-api
<OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-crt-ca
<OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-crt-trns
Restart the Operations Dashboard operator pod.
Restart all Operations Dashboard pods.
Applying a new management ingress root CA certificate
This certificate is managed by IBM Cloud Pak foundational services, and it is stored together with its key in the management-ingress-ibmcloud-cluster-ca-cert secret. Once the certificate is replaced:
Confirm that Cloud Pak foundational services refreshed the management-ingress-ibmcloud-cluster-ca-cert secret. If not, delete the secret and wait until it is recreated by Cloud Pak foundational services. If the secret is not created automatically, look for errors or delete the operand-deployment-lifecycle-manager-* pods in the Cloud Pak foundational services namespace (this namespace is usually ibm-common-services).
Delete the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-clustrca secret.
Delete the OD operator pod (it may be in a different namespace, such as openshift-operators).
Wait until the <OD_INSTANCE_NAME>-ibm-integration-operations-dashboard-com-clustrca secret is recreated by the OD operator.
Delete the following pods:
<OD_INSTANCE_NAME>-ibm-integration-od-fe-*
<OD_INSTANCE_NAME>-ibm-integration-od-hkw-*
<OD_INSTANCE_NAME>-ibm-integration-od-job-*
<OD_INSTANCE_NAME>-ibm-integration-od-scd-*
Tracing data is collected regardless of the status of the management ingress root CA certificate. However, the Web Console becomes available only after the <OD_INSTANCE_NAME>-ibm-integration-od-fe-* pods become ready (that is, once the preceding procedure is completed).
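The store admin certificate rotation and the management ingress root CA procedure above share the same mechanics: delete the secrets, restart the operator so it recreates them, then delete pods by name prefix. The script below is an added example, not IBM's tooling; the instance name, the namespaces and the operator pod name prefix are assumptions or placeholders you must set for your cluster.

```shell
# Added example, not IBM's tooling: scripts this page's store admin certificate rotation and
# management ingress root CA re-application. Assumes a logged-in `oc`; all names are assumptions.
set -eu
OD_INSTANCE_NAME="${OD_INSTANCE_NAME:-od}"                       # assumed instance name
OD_NAMESPACE="${OD_NAMESPACE:-integration}"                      # assumed OD namespace
CS_NAMESPACE="${CS_NAMESPACE:-ibm-common-services}"              # the usual one, per the page
OPERATOR_NAMESPACE="${OPERATOR_NAMESPACE:-openshift-operators}"  # example given on the page
OD_OPERATOR_POD_PREFIX="${OD_OPERATOR_POD_PREFIX:-PLACEHOLDER-od-operator-}"  # set the real prefix
OD="${OD_INSTANCE_NAME}-ibm-integration"
CA_SECRET=management-ingress-ibmcloud-cluster-ca-cert
# Block until secret $2 exists in namespace $1; return 1 after $3 seconds (default 300).
wait_for_secret() {
  local ns=$1 name=$2 timeout=${3:-300} waited=0
  until oc -n "$ns" get secret "$name" >/dev/null 2>&1; do
    [ "$waited" -lt "$timeout" ] || return 1; sleep 5; waited=$((waited + 5))
  done
}
# Delete every pod in namespace $1 whose name starts with one of the remaining prefixes.
delete_pods_by_prefix() {
  local ns=$1 p; shift
  for p in "$@"; do
    oc -n "$ns" get pods -o name | { grep "^pod/$p" || true; } | xargs -r oc -n "$ns" delete
  done
}
# The operator recreates the clustrca secret after a restart; wait for it before going on.
restart_od_operator() {
  delete_pods_by_prefix "$OPERATOR_NAMESPACE" "$OD_OPERATOR_POD_PREFIX"
  wait_for_secret "$OD_NAMESPACE" "$OD-operations-dashboard-com-clustrca"
}
# "Replacing a store admin certificate": the self-signed CA and its client certs go together.
rotate_store_admin_certs() {
  for s in clustrca crt-adm crt-api crt-ca crt-trns; do
    oc -n "$OD_NAMESPACE" delete secret "$OD-operations-dashboard-com-$s" --ignore-not-found
  done
  restart_od_operator
  delete_pods_by_prefix "$OD_NAMESPACE" "$OD-od-"
}
# "Applying a new management ingress root CA certificate". Pass "stale" as $1 once you have
# confirmed that foundational services did NOT refresh $CA_SECRET; it is then recreated first.
reapply_ingress_root_ca() {
  if [ "${1:-}" = stale ]; then
    oc -n "$CS_NAMESPACE" delete secret "$CA_SECRET" --ignore-not-found
    wait_for_secret "$CS_NAMESPACE" "$CA_SECRET" 120 || {  # escalate: restart ODLM, retry
      delete_pods_by_prefix "$CS_NAMESPACE" operand-deployment-lifecycle-manager-
      wait_for_secret "$CS_NAMESPACE" "$CA_SECRET"; }
  fi
  oc -n "$OD_NAMESPACE" delete secret "$OD-operations-dashboard-com-clustrca" --ignore-not-found
  restart_od_operator
  delete_pods_by_prefix "$OD_NAMESPACE" "$OD-od-fe-" "$OD-od-hkw-" "$OD-od-job-" "$OD-od-scd-"
}
```

Run `rotate_store_admin_certs` or `reapply_ingress_root_ca [stale]` from a shell that has sourced the script; the Web Console only returns once the fe pods report ready, as the page notes.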