Cannot access your product console on macOS

You are unable to access the console with the updated macOS version, Catalina.

Symptoms

An error message appears when you attempt to log in to your cluster and you are unable to access the console. See the following error message example:

cp-console.apps.<cluster_CA_domain>.nip.io normally uses encryption to protect your information. When Google Chrome tried to connect to cp-console.apps.<cluster_CA_domain>.nip.io this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be cp-console.apps.<cluster_CA_domain>.nip.io, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit cp-console.apps.<cluster_CA_domain>.nip.io now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

Cause

When you access your product console from Google Chrome, you are unable to log in. The latest update of macOS (Catalina) or later offers greater security constraints. The increased security constraints block the connection of your product deployment because of the self-signed certificate.

Resolving the problem

Complete the following steps to update the access permissions for your certificates:

  1. Extract your product Root CA Certificate from the cluster-ca-cert.pem file by running the following command:

    • For macOS, run the following command:

      kubectl get secret cluster-ca-cert -n kube-system -o jsonpath="{.data['tls\.crt']}" | base64 -D > cluster-ca-cert.pem
      
    • For Linux, run the following command:

      kubectl get secret cluster-ca-cert -n kube-system -o jsonpath="{.data['tls\.crt']}" | base64 --decode > cluster-ca-cert.pem
      
    • When you set the NavTLSGEnerate parameter to True, in the namespace where IBM Cloud Pak for Multicloud Management is installed, run the following command to extract the Root CA Certificate:

      kubectl get secret icip-navigator-tls-secret -n cp4int -o jsonpath="{.data['tls.crt']}" | base64 -D > cluster-ca-cert.pem
      
  2. Add the certificate file to your local file system.

  3. Update the trust store for your macOS. Select the Launch Pad application.

  4. Locate and select the Keychain Access application.

  5. Move your cluster-ca-cert.pem certificate file into the Keychain Access application.

  6. From the Certificates section, verify that the certificate is added.

  7. Update the access permissions by double-clicking the certificate that you added. Update the When using this certificate parameter to Always Trust.

  8. Return to your Chrome browser and refresh the console.

You can log in to your console with access to the product.