Configure a custom client certificate subject distinguished name (DN) for mutual TLS (mTLS) authentication on the Analytics ingestion endpoint.
Before you begin
Ensure that you meet the following requirements:
- Analytics is enabled in the IDIG cluster.
- You have a client certificate that is used to authenticate to the Analytics ingestion endpoint.
- The client certificate is signed by the same certificate authority (CA) that is trusted by the Analytics ingestion endpoint.
About this task
The Analytics ingestion endpoint (ai.domain) supports mutual TLS (mTLS) authentication. By default, DataPower Interact Gateway validates client certificates by using a predefined certificate subject distinguished name (DN).
If your organization uses custom certificates, you can configure the expected client certificate subject DN by using the analyticsSettings.clientSubjectDN property in the IDIG cluster custom resource. The configured value must match the subject DN of the client certificate that is used for authentication.
Subject DN format
The Analytics ingestion endpoint validates client certificates by using the subject DN in RFC 2253 format.
Table 1. Subject DN examples
| Certificate subject | Subject DN value |
| CN=analytics-client, O=example-corp | O=example-corp,CN=analytics-client |
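The table shows the conversion the endpoint expects: the RDNs of the certificate subject are listed in reverse order with no spaces after the commas. The following added helper (not part of the product or this documentation) renders a subject given in OpenSSL slash form or X.500 comma form as an RFC 2253 string and checks it against a configured analyticsSettings.clientSubjectDN value; the function names and the assumption that the input contains only CN/O-style RDNs with no multi-valued RDNs are my own.

```python
import re

# RFC 2253 section 2.4: these characters are backslash-escaped inside attribute values.
_SPECIAL = ',+"\\<>;'


def parse_subject(subject: str) -> list[tuple[str, str]]:
    """Parse '/CN=x/O=y' (OpenSSL form) or 'CN=x, O=y' (X.500 form) into ordered (type, value) pairs.
    Assumption: single-valued RDNs only; backslash escapes in the input are removed."""
    subject = subject.strip()
    if subject.startswith("/"):
        parts = re.split(r"(?<!\\)/", subject)[1:]   # split on unescaped '/'
    else:
        parts = re.split(r"(?<!\\),", subject)        # split on unescaped ','
    rdns = []
    for part in parts:
        if not part.strip():
            continue
        attr_type, _, value = part.partition("=")
        value = re.sub(r"\\(.)", r"\1", value.strip())  # unescape, re-escaped on output
        rdns.append((attr_type.strip().upper(), value))
    return rdns


def _escape(value: str) -> str:
    """Apply RFC 2253 escaping to one attribute value."""
    out = []
    for i, ch in enumerate(value):
        needs = ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1))
        out.append("\\" + ch if needs else ch)
    return "".join(out)


def to_rfc2253(subject: str) -> str:
    """Render the subject the way the ingestion endpoint compares it: RDNs reversed, comma-joined."""
    return ",".join(f"{t}={_escape(v)}" for t, v in reversed(parse_subject(subject)))


def matches_configured(cert_subject: str, configured_dn: str) -> bool:
    """True if the certificate subject equals the configured clientSubjectDN
    (whitespace around the commas of the configured value is ignored)."""
    normalized = ",".join(p.strip() for p in re.split(r"(?<!\\),", configured_dn))
    return to_rfc2253(cert_subject) == normalized


if __name__ == "__main__":
    # Constructed inputs taken from the subject and property values shown on this page.
    print(to_rfc2253("/CN=analytics-ingestion-client/O=cert-manager"))
    print(matches_configured("/CN=analytics-ingestion-client/O=cert-manager",
                             "O=cert-manager,CN=analytics-ingestion-client"))
```

The same comparison can be made from a real certificate with `openssl x509 -in client.crt -noout -subject -nameopt RFC2253`, whose output is the form the configured value must match.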
Procedure
- Configure the expected client certificate subject DN.
Open the IDIG cluster custom resource and configure the analyticsSettings.clientSubjectDN property.
apiVersion: datapowerinteractgateway.ibm.com/v1beta1
kind: DatapowerInteractGatewayCluster
metadata:
  name: idig
  namespace: namespace
spec:
  domain: example.com
  enableAnalytics: true
  # Configure analytics client authentication for the ingestion endpoint (ai.domain)
  analyticsSettings:
    clientSubjectDN: "O=cert-manager,CN=analytics-ingestion-client"
If analyticsSettings.clientSubjectDN is specified, it overrides the default value. If it is not specified, the default CN=analytics-ingestion-client,O=cert-manager value is used.
The value must match the subject DN of the client certificate that is used for Analytics ingestion authentication.
- Apply the updated CR.
kubectl apply -f idig-cluster.yaml
The IDIG Operator updates the Analytics configuration to use the specified client certificate subject DN.
- Create a client certificate that matches the value that is configured in the IDIG cluster custom resource.
# Generate the client private key
openssl genrsa -out /tmp/client.key 4096
# Create the certificate signing request (CSR) with the expected subject
openssl req -new \
  -key /tmp/client.key \
  -out /tmp/client.csr \
  -subj "/CN=analytics-ingestion-client/O=cert-manager"
# Sign the client certificate with your CA
openssl x509 -req \
  -in /tmp/client.csr \
  -CA /tmp/ca.crt \
  -CAkey /tmp/ca.key \
  -CAcreateserial \
  -out /tmp/client.crt \
  -days 365 \
  -sha256
Important: The client certificate must be signed by the same CA as the server certificate on the Analytics ingestion endpoint.
- Test the mTLS connection to the Analytics ingestion endpoint by using the client certificate and key created in the previous step.
curl --cert /tmp/client.crt \
  --key /tmp/client.key \
  --cacert /tmp/idig-custom-ca.crt \
  "https://ai.fyre-ci-294533-master.fyre.ibm.com:443/cloud/apis?start=2026-06-18T00:00:00Z&end=2026-06-19T23:59:59Z"
Sample output
{
  "start": "2026-06-18T00:00:00Z",
  "end": "2026-06-19T23:59:59Z",
  "apis": {
    "total": 0,
    "offset": 0,
    "limit": 50,
    "data": []
  }
}
What to do next
If you encounter any problem while customizing the user-facing certificates, see Troubleshooting certificate customization.