To integrate with an external service, you must first import its Transport Layer Security
(TLS) certificate in Privacy Enhanced Mail (PEM) format into the operator trust list. The
certificate is added to the truststore of each component.
About this task

The shared configuration parameter trusted_certificate_list holds the list of trusted certificates. Alternatively, the component-level CR parameter for an external service, such as LDAP or a database, can carry the certificate information.

Note: The TLS certificate for the LDAP service must be specified with ldap_ssl_secret_name. For more information, see LDAP configuration. The TLS certificate for the database service must be specified with database_ssl_secret_name. For more information, see Custom resource configuration parameters.
Procedure
- Get the signer certificate that is used to sign your external service and save it to a certificate file, for example external-service-cert.crt. For more information, see OpenSSL.

  The following example command gets the certificate chain of cloud.ibm.com by using OpenSSL:

  echo | openssl s_client -showcerts -connect cloud.ibm.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > external-service-cert.crt

  The following example command gets the certificate chain of cloud.ibm.com by using keytool:

  keytool -printcert -sslserver cloud.ibm.com:443 -rfc > external-service-cert.crt

  Alternatively, you can create a certificate file and add multiple certificates. The following example file contains three certificates (the Base64 content is abbreviated with ****):

  -----BEGIN CERTIFICATE-----
  MIIGXTCCBU****
  Kwa==
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  MIIGX****
  Kws==
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  MIIG******
  Kwd==
  -----END CERTIFICATE-----

  Note: The whole certificate chain must be imported into the truststore to successfully validate an external service.
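Because a partial chain only shows up later as a TLS handshake failure inside a pod, it is worth checking the saved file on the workstation before you turn it into a secret. The following POSIX shell script is an added example; it is not part of the IBM documentation or of the operator, and the function names (pem_cert_count, pem_split, pem_chain_summary, make_sample_bundle) and the three-certificate sample bundle are constructed for this illustration, not real certificates. It counts the complete PEM blocks, rejects a file with an unmatched BEGIN or END line or a non-Base64 body (for example a truncated paste), splits the bundle into one file per certificate, and, when openssl is installed, prints each certificate's subject and issuer so you can confirm that every issuer is the subject of the next certificate. Keep in mind that openssl s_client -showcerts saves the chain the server sends, and servers often do not include the root CA; if the last certificate's issuer is not itself, append the root certificate published by the CA before creating the secret.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: sanity-check a PEM bundle such as
# external-service-cert.crt before running "kubectl create secret".
# Uses only POSIX sh and awk; openssl is needed only for the optional summary.

# pem_cert_count FILE
# Prints the number of complete certificate blocks in FILE and returns 0.
# Prints 0 and returns 1 when a BEGIN has no matching END, an END has no BEGIN,
# a block body contains a non-Base64 line, or the file holds no certificate.
pem_cert_count() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0; n++; next }
        open && !/^[A-Za-z0-9+\/=]+$/   { bad = 1 }
        END {
            if (bad || open || n == 0) { print 0; exit 1 }
            print n
        }' "$1"
}

# pem_split FILE OUTDIR
# Writes each certificate of FILE to OUTDIR/cert-N.pem (N starting at 1) so
# that single certificates can be inspected or dropped. Prints the count.
pem_split() {
    pem_cert_count "$1" >/dev/null || return 1
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /^-----END CERTIFICATE-----$/   { close(out); out = "" }
        END { print n }' "$1"
}

# pem_chain_summary DIR
# Prints subject and issuer of every split certificate (requires openssl).
# The chain is complete when each issuer equals the next file's subject and
# the last certificate is self-signed (issuer equals subject).
pem_chain_summary() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; summary skipped"; return 0; }
    for f in "$1"/cert-*.pem; do
        echo "$f:"
        openssl x509 -in "$f" -noout -subject -issuer 2>/dev/null \
            || echo "  (not a parseable X.509 certificate)"
    done
}

# make_sample_bundle
# Writes a constructed three-certificate bundle (placeholder Base64 bodies, not
# real certificates) to a temporary file and prints its path. It stands in for
# the external-service-cert.crt produced by the openssl or keytool command.
make_sample_bundle() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
-----END CERTIFICATE-----
EOF
    echo "$f"
}

# Demonstration on the constructed bundle; in real use pass external-service-cert.crt.
bundle=$(make_sample_bundle)
count=$(pem_cert_count "$bundle") || { echo "malformed bundle: $bundle" >&2; exit 1; }
echo "$bundle: $count certificate(s)"
outdir=$(mktemp -d)
pem_split "$bundle" "$outdir" >/dev/null
pem_chain_summary "$outdir"
rm -rf "$outdir" "$bundle"
```

Run it as `sh pem-check.sh` after replacing the sample bundle with your own file; a non-zero exit from pem_cert_count means the file should not be turned into a secret as is.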
- To create the secret, run the following commands in the project (namespace) where you installed the operator and your deployment:

  oc project <CP4BA_namespace>
  kubectl create secret generic secretName --from-file=tls.crt=your_cert_path/external-service-cert.crt -n <CP4BA_namespace>

  Substitute your values for secretName and your_cert_path/external-service-cert.crt. When the secret is created, you can discard the .crt file that you generated.
- Add the secret to the component's truststore. If you want this service to be trusted by all components installed by the operator, add the secret to the custom resource in the shared_configuration.trusted_certificate_list parameter. For example, the following list includes two external services:

  shared_configuration:
    trusted_certificate_list:
      - externalservice1-tls-secret
      - externalservice2-tls-secret
- Optional: Check the certificates in the updated component's truststore. The following command lists the certificates in the Content Platform Engine (CPE) default truststore:

  keytool -v -list -storepass changeit -keystore /opt/ibm/wlp/usr/servers/defaultServer/resources/security/ibm_customFNCMTrustStore.p12