Customizing Analytics mTLS client authentication

Configure a custom client certificate subject distinguished name (DN) for mutual TLS (mTLS) authentication on the Analytics ingestion endpoint.

Before you begin

Ensure that you meet the following requirements:

  • Analytics is enabled in the IDIG cluster.
  • You have a client certificate that is used to authenticate to the Analytics ingestion endpoint.
  • The client certificate is signed by the same certificate authority (CA) that is trusted by the Analytics ingestion endpoint.

About this task

The Analytics ingestion endpoint (ai.domain) supports mutual TLS (mTLS) authentication. By default, DataPower Interact Gateway validates client certificates by using a predefined certificate subject distinguished name (DN).

If your organization uses custom certificates, you can configure the expected client certificate subject DN by using the analyticsSettings.clientSubjectDN property in the IDIG cluster custom resource. The configured value must match the subject DN of the client certificate that is used for authentication.

Subject DN format

The Analytics ingestion endpoint validates client certificates by using the subject DN in RFC 2253 format.

Table 1. Subject DN examples

  Certificate subject                    Subject DN value
  CN=analytics-client, O=example-corp    O=example-corp,CN=analytics-client

Procedure

  1. Configure the expected client certificate subject DN.

    Open the IDIG cluster custom resource and configure the analyticsSettings.clientSubjectDN property.

    apiVersion: datapowerinteractgateway.ibm.com/v1beta1
    kind: DatapowerInteractGatewayCluster
    metadata:
      name: idig
      namespace: namespace
    spec:
      domain: example.com
      enableAnalytics: true
      # Configure analytics client authentication for the ingestion endpoint (ai.domain)
      analyticsSettings:
        clientSubjectDN: "O=cert-manager,CN=analytics-ingestion-client"

    If analyticsSettings.clientSubjectDN is specified, it overrides the default value. If it is not specified, the default CN=analytics-ingestion-client,O=cert-manager value is used.

    The value must match the subject DN of the client certificate that is used for Analytics ingestion authentication.

  2. Apply the updated CR.

    kubectl apply -f idig-cluster.yaml

    The IDIG Operator updates the Analytics configuration to use the specified client certificate subject DN.

  3. Create a client certificate that matches the value that is configured in the IDIG cluster custom resource.

    # Generate client private key
    openssl genrsa -out /tmp/client.key 4096
    
    # Create Certificate Signing Request (CSR)
    openssl req -new \
      -key /tmp/client.key \
      -out /tmp/client.csr \
      -subj "/CN=analytics-ingestion-client/O=cert-manager"
    
    # Sign the client certificate with your CA
    openssl x509 -req \
      -in /tmp/client.csr \
      -CA /tmp/ca.crt \
      -CAkey /tmp/ca.key \
      -CAcreateserial \
      -out /tmp/client.crt \
      -days 365 \
      -sha256

    Important: The client certificate must be signed by the same CA as the server certificate on the Analytics ingestion endpoint.

  4. Test the mTLS connection to the Analytics ingestion endpoint.

    curl --cert /tmp/analytics-client.crt \
      --key /tmp/analytics-client.key \
      --cacert /tmp/idig-custom-ca.crt \
      "https://ai.fyre-ci-294533-master.fyre.ibm.com:443/cloud/apis?start=2026-06-18T00:00:00Z&end=2026-06-19T23:59:59Z"

    Sample output
    {
      "start": "2026-06-18T00:00:00Z",
      "end": "2026-06-19T23:59:59Z",
      "apis": {
        "total": 0,
        "offset": 0,
        "limit": 50,
        "data": []
      }
    }
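
The mapping in Table 1 and the CSR subject in step 3 follow one rule: the RDNs in the certificate's encoded order are written in reverse, with RFC 2253 escaping, to obtain the clientSubjectDN value. The following added example (not part of the product documentation) implements that conversion in Python and checks a certificate subject against a configured value; it assumes the subject is given in encoded order, either in OpenSSL slash form or in comma display form.

```python
"""Derive the RFC 2253 string that analyticsSettings.clientSubjectDN must carry for a
client certificate subject. Added example, not from the product documentation.
Assumption: the subject is given in encoded order, either in OpenSSL slash form
("/CN=x/O=y", as passed to `openssl req -subj`) or comma display form ("CN=x, O=y");
RFC 2253 reverses that order (most specific RDN first) and escapes special characters."""
import re

_SPECIAL = set(',+"\\<>;')  # RFC 2253 section 2.4: must be backslash-escaped in values

def _split_unescaped(s, sep):
    """Split on separators that are not preceded by a backslash."""
    return [t for t in re.split(r"(?<!\\)" + re.escape(sep), s) if t.strip()]

def _trim(v):
    """Drop surrounding spaces, but keep a trailing escaped space ("\\ ")."""
    v = v.lstrip(" ")
    while v.endswith(" ") and not v.endswith("\\ "):
        v = v[:-1]
    return v

def _parse(s, sep):
    """Return (TYPE, unescaped value) pairs in the order they appear in the string."""
    rdns = []
    for part in _split_unescaped(s, sep):
        typ, eq, val = part.partition("=")
        if not eq or not typ.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((typ.strip().upper(), re.sub(r"\\(.)", r"\1", _trim(val))))
    return rdns

def escape_value(value):
    """Escape one attribute value as RFC 2253 requires."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out[:1] in ("#", " "):                            # leading '#' or space
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):   # trailing space
        out = out[:-1] + "\\ "
    return out

def to_rfc2253(subject):
    """Convert an encoded-order subject to the RFC 2253 string the endpoint expects."""
    s = subject.strip()
    rdns = _parse(s[1:], "/") if s.startswith("/") else _parse(s, ",")
    return ",".join(f"{t}={escape_value(v)}" for t, v in reversed(rdns))

def matches_configured_dn(subject, client_subject_dn):
    """True if the subject yields exactly the configured value (order is significant)."""
    want = ",".join(f"{t}={escape_value(v)}" for t, v in _parse(client_subject_dn, ","))
    return to_rfc2253(subject) == want
```

Running to_rfc2253 on the -subj value from step 3 gives the clientSubjectDN shown in step 1; swapping the two RDNs in the configured value makes matches_configured_dn return False.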

What to do next

If you encounter any problem while customizing the user-facing certificates, see Troubleshooting certificate customization.