Importing the certificate of an external service

To integrate with an external service, you must first import its Transport Layer Security (TLS) certificate in Privacy Enhanced Mail (PEM) format into the operator trust list. The certificate is added to the truststore of each component.

About this task

The certificate information can be supplied in one of two places: the shared configuration parameter trusted_certificate_list, which holds a list of secrets that every component installed by the operator trusts, or a component-level CR parameter for a specific external service, such as LDAP or a database.

Note: The TLS certificate for the LDAP service must be specified with ldap_ssl_secret_name. For more information, see LDAP configuration. The TLS certificate for the database service must be specified with database_ssl_secret_name. For more information, see Custom resource configuration parameters.

Procedure

  1. Get the certificate of the signer (the CA) that issued your external service's certificate and save it to a file in PEM format.
    For example, external-service-cert.crt.
    For more information, see OpenSSL.

    The following example command gets the certificate chain that cloud.ibm.com presents, by using OpenSSL. The -servername option sends the host name in the TLS handshake (SNI) so that a server that hosts several names returns the right certificate; the sed filter keeps only the PEM blocks and discards the handshake output.

    echo | openssl s_client -showcerts -servername cloud.ibm.com -connect cloud.ibm.com:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > external-service-cert.crt

    The following example command gets the certificate chain of cloud.ibm.com by using keytool.

    keytool -printcert -sslserver cloud.ibm.com:443 -rfc > external-service-cert.crt
    Alternatively, you can create a certificate file and add multiple certificates. The following file provides an example file that contains three certificates.
    -----BEGIN CERTIFICATE-----
    MIIGXTCCBU****
    Kwa==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIGX****
    Kws==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIG******
    Kwd==
    -----END CERTIFICATE-----
    Note: The whole certification chain, up to and including the root CA certificate, must be imported to the truststore to successfully validate an external service. A server may omit its root certificate from the chain it sends, so check the file that you captured and add the root certificate from the CA's published bundle if it is missing. Because the certificates were retrieved over the network, compare their fingerprints with the values that the service owner publishes before you trust them.
  2. To create the secret, run the following command in the project (namespace) where you installed the operator and your deployment:
    oc project <CP4BA_namespace>
    kubectl create secret generic secretName --from-file=tls.crt=your_cert_path/external-service-cert.crt -n <CP4BA_namespace>

    Substitute your values for secretName and your_cert_path/external-service-cert.crt. When the secret is created, you can discard the .crt file that you generated.

  3. Add the secret to the component's truststore.

    If you want this service to be trusted by all components installed by the operator, add the secret to the custom resource in the shared_configuration.trusted_certificate_list parameter.

    For example, the following list includes two external services:
    shared_configuration:
      trusted_certificate_list:
        - externalservice1-tls-secret
        - externalservice2-tls-secret
  4. Optional: Check the certificates in the updated component's truststore.

    The following command lists the certificates in the Content Platform Engine (CPE) default truststore. Run it from a shell inside the CPE container, for example after you open a shell in the CPE pod with oc rsh.

    keytool -v -list -storepass changeit -keystore /opt/ibm/wlp/usr/servers/defaultServer/resources/security/ibm_customFNCMTrustStore.p12
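The following script, added here as an example and not part of the IBM documentation or product, carries steps 1 to 3 through as shell functions: it fetches and filters the chain with the page's own sed expression, prints the subject, issuer and SHA-256 fingerprint of each certificate so that they can be compared out of band, warns when the last certificate in the captured chain is not self-signed (that is, the root CA is missing and the import would not validate the service), and then creates the secret and appends it to shared_configuration.trusted_certificate_list. The CR kind icp4acluster, the JSON patch path, the environment variable IMPORT_CERT_RUN and all host, namespace and secret names are assumptions for illustration; check them against your own deployment.

```shell
#!/usr/bin/env bash
# Added example, not from the IBM page. The CR kind (icp4acluster), the patch path
# and every host/namespace/secret name are assumptions for illustration.
set -eu

# Keep only the PEM blocks from `openssl s_client -showcerts` output on stdin.
# Handshake chatter, "Certificate chain" headers and verify codes are dropped.
extract_chain() {
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Number of certificates in a PEM bundle (0 for an empty file).
count_certs() {  # count_certs bundle
  grep -c -- '-END CERTIFICATE-' "$1" || true
}

# Fetch the chain a server presents. Servers may omit the root CA, so the
# result can be incomplete; chain_has_root reports that.
fetch_chain() {  # fetch_chain host port outfile
  echo | openssl s_client -showcerts -servername "$1" -connect "$1:$2" 2>/dev/null \
    | extract_chain > "$3"
}

# Split a bundle into one file per certificate: outdir/1.pem, outdir/2.pem, ...
split_chain() {  # split_chain bundle outdir
  mkdir -p "$2"
  awk -v dir="$2" '
    /-BEGIN CERTIFICATE-/ { n++; f = dir "/" n ".pem" }
    n { print > f }
    /-END CERTIFICATE-/ { close(f) }
  ' "$1"
}

# Print subject, issuer and SHA-256 fingerprint of every certificate so they can
# be checked against what the service owner publishes. Trusting an unverified
# network fetch is exactly what an on-path attacker hopes for.
show_chain() {  # show_chain bundle
  local dir; dir=$(mktemp -d)
  split_chain "$1" "$dir"
  for f in "$dir"/*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
    echo
  done
  rm -rf "$dir"
}

# Exit 0 if the last certificate in the bundle is self-signed (a root CA),
# 1 otherwise. Without the root the component cannot build a trust path.
chain_has_root() {  # chain_has_root bundle
  local dir last subj iss
  dir=$(mktemp -d)
  split_chain "$1" "$dir"
  last=$(ls "$dir" | sort -n | tail -n 1)
  subj=$(openssl x509 -in "$dir/$last" -noout -subject)
  iss=$(openssl x509 -in "$dir/$last" -noout -issuer)
  rm -rf "$dir"
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Create or update the secret (apply is idempotent), then append its name to
# shared_configuration.trusted_certificate_list. The JSON "add" to "/-" assumes
# the list already exists in the CR; create it first if it does not.
import_chain() {  # import_chain namespace secret bundle crname
  kubectl create secret generic "$2" --from-file=tls.crt="$3" -n "$1" \
    --dry-run=client -o yaml | kubectl apply -n "$1" -f -
  kubectl patch icp4acluster "$4" -n "$1" --type=json \
    -p "[{\"op\":\"add\",\"path\":\"/spec/shared_configuration/trusted_certificate_list/-\",\"value\":\"$2\"}]"
}

main() {  # main host port namespace secret crname
  local bundle; bundle=$(mktemp)
  fetch_chain "$1" "$2" "$bundle"
  [ "$(count_certs "$bundle")" -gt 0 ] || { echo "no certificates received from $1:$2" >&2; exit 1; }
  show_chain "$bundle"
  chain_has_root "$bundle" \
    || echo "warning: last certificate is not self-signed; add the root CA before importing" >&2
  import_chain "$3" "$4" "$bundle" "$5"
  rm -f "$bundle"
}

# Usage (assumed names):
#   IMPORT_CERT_RUN=1 ./import-cert.sh cloud.ibm.com 443 <CP4BA_namespace> externalservice1-tls-secret <cr-name>
if [ -n "${IMPORT_CERT_RUN:-}" ]; then main "$@"; fi
```

The script deliberately stops to print fingerprints before anything is imported; the check against an out-of-band source is a manual step, because nothing fetched over the connection being secured can vouch for itself.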