Using custom certificates

You can use either a self-signed certificate or a custom certificate when you use the License Service API over HTTPS.

IMPORTANT: From License Service version v1.16.6, custom external certificates are handled by using Ingress.

To set the custom certificate for automatic ingress configuration

  1. Change the certificate name to tls.crt.

  2. Change the key name to tls.key.

  3. Run the following command to change the directory to where the certificate and the key are stored:

    cd <certificate_directory>
    
  4. Create a secret by using the following command:

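    # Find the namespace in which the License Service pod runs
    licensingNamespace=$(oc get pods --all-namespaces | grep "ibm-licensing-service-" | awk '{print $1}' | sort -u)
    # Create the TLS secret from the renamed certificate and key
    oc create secret tls ibm-licensing-certs --key tls.key --cert tls.crt -n "${licensingNamespace}"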
    
  5. Open the IBMLicensing instance YAML to include the certificate by running the following command:

    kubectl edit IBMLicensing instance
    
  6. Edit the YAML and add the following sections under spec.ingressOptions.

    • Specify the host explicitly by setting spec.ingressOptions.host to your external endpoint hostname.

    • To apply the custom certificate, add the following section under spec.ingressOptions:

      tls:
        - hosts:
            - <your_hostname>
          secretName: ibm-licensing-certs
      

      Note: The hostname that is specified in spec.ingressOptions.host must also exist under spec.ingressOptions.tls[0].hosts. Also, the custom certificate must be issued to this hostname. For example:

      apiVersion: operator.ibm.com/v1alpha1
      kind: IBMLicensing
      metadata:
        name: instance
      spec:
        ingressOptions:
          host: example.com
          tls:
            - hosts:
                - example.com
              secretName: ibm-licensing-certs
      
  7. Edit the YAML and add the following parameters to the IBMLicensing section, under spec:

    • To enable the HTTPS connection, add the following line: httpsEnable: true

    • To apply the custom certificate that you created as ibm-licensing-certs, add the following line: httpsCertsSource: custom

    For example:

    apiVersion: operator.ibm.com/v1alpha1
    kind: IBMLicensing
    metadata:
      name: instance
    spec:
      httpsEnable: true
      httpsCertsSource: custom
    
  8. Save the changes in YAML.
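
The note in step 6 requires that the custom certificate is issued to the hostname set in spec.ingressOptions.host. The following pre-flight check is an added example, not part of the License Service documentation or tooling; the function name check_licensing_cert and its exit codes are assumptions of this example. Run before step 4, it uses the openssl command line to confirm that tls.key belongs to tls.crt, that the certificate covers the hostname, and that it has not expired.

```shell
#!/bin/sh
# Added example: pre-flight check for tls.crt and tls.key before the
# ibm-licensing-certs secret is created. The function name and its exit
# codes are assumptions of this example, not License Service tooling.
#
# Usage: sh check-cert.sh tls.crt tls.key <your_hostname>

# The body runs in a subshell, so "exit" ends only the check and the
# variables do not leak into the calling shell.
check_licensing_cert() (
  cert=$1; key=$2; host=$3

  # Public key embedded in the certificate, and the one derived from the key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
    echo "cannot read certificate: $cert" >&2; exit 2; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
    echo "cannot read private key: $key" >&2; exit 2; }

  # The secret is only usable if the key belongs to the certificate.
  [ "$cert_pub" = "$key_pub" ] || {
    echo "private key does not match certificate" >&2; exit 3; }

  # -checkhost reports its result as text, so match on the success message.
  openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
    grep -q "does match certificate" || {
    echo "certificate is not issued to $host" >&2; exit 4; }

  # -checkend 0 exits non-zero if the certificate has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
    echo "certificate has expired" >&2; exit 5; }

  echo "OK: $cert and $key are consistent and valid for $host"
)

# Run the check only when the script is called with all three arguments.
if [ "$#" -eq 3 ]; then
  check_licensing_cert "$@"
fi
```

The -checkhost option falls back to the subject CN when the certificate carries no DNS subject alternative names, whereas many current TLS clients accept only SAN entries, so also review the SAN list if clients reject the certificate.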

To set the custom certificate for manual ingress configuration

To set the custom certificate for manual ingress configuration, see TLS.