Configuring a custom HTTPS certificate for Managed services Management Console
Procedure to install a custom certificate for use by the Managed services management console. You must first install Managed services and then customize your secrets using instructions in Procedure to configure your custom HTTPS certificate postinstallation.
You can configure your custom HTTPS certificate either during installation of Managed services or update the certificate postinstallation. Before you follow the below procedure, you need to create a secret to store your custom certificates required by the nginx server. The secret must contain the following key values.
- A key named
tls.crtwhose value must be the tls certificate. - A key named
tls.keywhose value must be the tls key.
After creating the secret, follow one of the following procedures:
Procedure to follow to configure your custom HTTPS certificate during installation
To set the custom HTTPS certificate during installation, use the
name of a new secret which contains the custom certificates as the
value for
camProxy.customNginxSSLCertificate.customNginxSSLCertName
in the IAConfig resource specification. For more
details on how to create IAConfig resource, see
Online
install of Infrastructure Automation for
Concert Operate
or Online installation of
Infrastructure Automation
.
The following sample yaml shows IAConfig resource
specification with customized certificate name as value for
camProxy.customNginxSSLCertificate.customNginxSSLCertName.
cat << EOF | oc apply -f -
kind: IAConfig
apiVersion: aiops.ibm.com/v1alpha1
metadata:
name: ibm-ia-installer
namespace: cp4aiops
spec:
imagePullSecret: ibm-entitlement-key
infraAutoComposableComponents:
- enabled: <Set true to install Infrastructure Management component of Infrastructure Automation false otherwise>
name: ibm-management-im-install
spec: {}
- enabled: <Set true to install Managed services component of Infrastructure Automation false otherwise>
name: ibm-management-cam-install
spec:
manageservice:
camProxy:
customNginxSSLCertificate:
customNginxSSLCertName: mycert
license:
accept: <Set true to accept the license>
storageClass: <Storage Class name that supports RWO>
storageClassLargeBlock: <Select a storage class with a large block size (for example, 64k)>
EOF
storageClass and storageClassLargeBlock
to the same classes that IBM Concert Operate uses.To verify whether cam-proxy uses your custom secret, the
type value for volume cam-nginx-cert must
be set to your secret name once the cam-proxy pod comes up. If your
secret name is mycert, then the type column must
display mycert.
Procedure to configure your custom HTTPS certificate postinstallation
To set the custom HTTPS certificate after installation, do the following:
-
In Red Hat OpenShift Container Platform console, navigate to your installed ManagedService custom resource YAML.
-
Find string
customNginxSSLCertNamein the YAML. -
Set the secret name of your custom certificate (tls.crt and tls.key) as the value for
customNginxSSLCertName. If your secret name ismycertthen your modified YAML looks as below:camProxy: replicaCount: 1 resources: limits: cpu: 500m memory: 1500Mi requests: cpu: 100m memory: 256Mi customNginxSSLCertificate: customNginxSSLCertName: mycert -
Save your changes.
-
Your cam-proxy pod will be restarted. To verify whether cam-proxy uses your custom secret, once the cam-proxy pod comes up, the
typevalue for volumecam-nginx-certmust be set to your secret name. If your secret name ismycert, then the type column must displaymycert.