Create certificates
Use a different set of certificates, even if self-signed, for every deployment. Generally, self-signed certificates are allowed in development or nonproduction deployments. The certificates need to be added to FTM secrets.
| Red Hat OpenShift Container Platform secret | Files in the secret | FTM pods that use the secret |
|---|---|---|
ftm-db2-ssl-cert-secret |
|
|
ftm-ssl-cert-secret |
|
|
ftm-ingress-cert-secret |
|
|
ftm-additional-certs-secret |
You can add more certificates to the FTM truststore. For example, you can import the certificate for the IBM licensing server. |
|
ftm-ssl-signing-cert-secret |
|
FTM TCH RTP connectors |
ftm-routes-ssl-cert-secret |
|
This is an optional certificate that can be configured on the FTM routes. If not specified, the FTM routes will use the default Red Hat OpenShift certificate. |
The FTM application components use keystore or truststore files in
PKCS12 or JKS format to store the certificates. The FTM components import the generated certificates into the keystore or truststore file for their
use. In the Red Hat
OpenShift Container
Platform secret ftm-application-secret, configure
the KSTORE_PASSWORD and TSTORE_PASSWORD variables for the keystore and
truststore password. The password can be up to 12 characters.
Create FTM certificates
- Cloud native certificate management. For more information, see https://cert-manager.io/.
- External Secrets Operator. For more information, see https://external-secrets.io/latest/.
The FTM operator can generate TLS certificates for the FTM application. If the FTM operator deploys the MQ queue manager, the same TLS certificates can be used by the MQ queue manager. The cert-manager operator for Red Hat OpenShift must be installed for the FTM operator to generate the FTM application certificate.
The FTM certificate must include the following DNS entries in its Subject Alternative Names (SANs) list. You need to replace the FTM instance name with your environment-specific name and the namespace with that of the namespace that FTM is deployed to. These entries are automatically added if the FTM operator is used to generate the certificate.
-
"*.<ftm-instance>-gateway-engine-internal.<namespace>.svc.cluster.local" -
"*.<ftm-instance>-gateway-server-inbound-internal.<namespace>.svc.cluster.local" -
"*.<ftm-instance>-gateway-server-inbound-check-internal.<namespace>.svc.cluster.local" -
"*.<ftm-instance>-gateway-server-outbound-internal.<namespace>.svc.cluster.local" -
"*.<ftm-instance>-business-rules-server-internal.<namespace>.svc.cluster.local" -
"*.<ftm-instance>-business-rules-server-headless-internal.<namespace>.svc.cluster.local" -
"*.<ftm-instance>-transaction-server-internal.<namespace>.svc.cluster.local" -
"*.<ftm-instance>-business-rules-manager-internal.<namespace>.svc.cluster.local" -
"*.<namespace>.svc.cluster.local"
Example of using cloud native certificate management to create the FTM certificates
Cloud native certificate management is responsible for creating and managing the certificates that are used by the applications. It can be configured to create the certificates by using different issuers. For more information about using other types of issuers, see the cloud native certificate management documentation at https://cert-manager.io/docs/configuration/issuers/.
- Import the following YAML configuration to create the self-signed CA issuers.
apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: ftm-self-tls namespace: <FTM-namespace> spec: selfSigned: {}- Replace
<FTM-namespace>with the actual namespace where your FTM offering is deployed. - Click Create. The self-signed certificate issuer is created.
- Replace
- Import the following YAML configuration to create a CA certificate that references the self-signed issuer
and specifies the
isCAfield.apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: ftm-ca-tls namespace: <FTM-namespace> spec: secretName: ftm-ibm-cert-manager-ca-certs isCA: true commonName: "mycacert" issuerRef: name: ftm-self-tls # This name needs to match the name of the issuer that was created previously kind: Issuer dnsNames: - <DNS-Domain>- Replace the
<FTM-namespace>with the actual namespace where your FTM offering is deployed. - Replace the
<DNS-Domain>with the domain for which the CA certificates are generated. For example,example.com. - Click Create. The CA certificate that references the self-signed issuer is created.
- Replace the
- Import the following YAML configuration to create the certificate issuer for the application certificates.
apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: ftm-deployment-tls namespace: <FTM-namespace> spec: ca: secretName: ftm-ibm-cert-manager-ca-certs- Replace the
<FTM-namespace>with the actual namespace where your FTM offering is deployed. - Click Create. The certificate issuer for the application certificates is created.
- Replace the
- Verify whether the status of both issuers is
Readyby using the following command in the Red Hat OpenShift Container Platform command-line interface.oc get issuersNAME READY ftm-deployment-tls True ftm-self-tls True - Import the following YAML configuration to create the certificate for FTM by using
the issuer.
apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: ftm-deployment-tls namespace: <FTM-namespace> spec: secretName: ftm-ssl-cert-secret issuerRef: name: ftm-deployment-tls # This name needs to match the name of the issuer that was created previously kind: Issuer commonName: "ftmserver" dnsNames: - <DNS-Domain>- Replace the
<FTM-namespace>with the actual namespace where your FTM offering is deployed. - Replace the
<DNS-Domain>with the list of domains for which the application certificates are generated. You need to include the domain names from the Create FTM certificates section in this list of domains. To add each of these domains, replace <ftm-instance> with your environment-specific name and <namespace> with the namespace that FTM is deployed into. - The value of the
commonNameattribute needs to match the value of the spec.config.security.tls.label parameter in the operator CR YAML file. This attribute is important because it is part of theSubjectfield of the certificate. The common name for the CA public certificate (ca.crt) needs to be different from the common name for the application certificatetls.crt. - Click Create to create the certificate for FTM by using the issuer.
- Replace the
- After the YAML file configuration import is successful, the Red Hat
OpenShift Container
Platform creates a
secret that is named
ftm-ssl-cert-secret. This secret includes thetls.keyandtls.crtfiles that are used by FTM. It also includesca.crt, which is the CA root certificate. - Use the Red Hat
OpenShift Container Platform command-line
interface to run the following command to make sure that the
certificate includes the ca.crt, tls.crt, and
tls.key
files.
oc get secret ftm-ssl-cert-secret -o yaml
IBM Db2 certificates
FTM does not bundle the IBM Db2 database and always treats it as an external database. Make sure that you predeploy IBM Db2 before you deploy FTM. Using the IBM Db2U operator, you can deploy IBM Db2 either externally to the Red Hat OpenShift Container Platform cluster or within the cluster.
FTM supports TLS encrypted communication with the IBM Db2 database. You can configure IBM Db2 to run over TLS by following the IBM Db2 documentation.
- Run the following commands to create a directory to store the IBM
Db2 certificates and then switch to that
directory.
mkdir -p /var/tmp/db-certscd /var/tmp/db-certs - To get the certificate from the predeployed IBM
Db2U instance where TLS is enabled, do the following steps. The certificate is in
the /mnt/blumeta0/db2/ssl_keystore/ca.crt file.
- Copy the TLS certificate ca.crt file to the /var/tmp/db-certs directory.
- Rename the file to mydbserver.arm.
- To use a pre-created TLS certificate when you are creating new IBM
Db2U instances, do the following steps:
- Copy all the certificate files (certificate, private key, and CA public certificate) to the directory /var/tmp/db-certs. You can use an authorized CA in your environment to generate the certificate.
- Create a copy of the certificate file tls.crt and name the copy mydbserver.arm. FTM refers to the IBM Db2 certificate with this specific file name.
- Make sure that the following files are in the /var/tmp/db-certs directory.
- ca.crt (CA public certificate)
- tls.crt (Certificate)
- tls.key (Private key)
- mydbserver.arm (Copy of tls.crt)
ftm-demo as the namespace.- Run the following commands to change to the FTM namespace and delete the existing
secret if it
exists.
oc project ftm-demooc delete secret ftm-db2-ssl-cert-secret - Run the following command to create a new Red Hat
OpenShift Container
Platform secret in the namespace where the
FTM offering is
deployed.
oc create secret generic ftm-db2-ssl-cert-secret --from-file=/var/tmp/db-certs
Now that the ftm-db2-ssl-cert-secret secret is created, you can create the
instances of Db2U. FTM uses this secret for all the
database instances.
- spec.config.database.enableTLS
- spec.config.duplicateDatabase.enableTLS
- Specify whether to use a TLS connection to the database. When the value is true, a TLS connection to the database is used. When it is false, a TLS connection is not used.
- spec.config.database.certificate.valueFrom.secretKeyRef.name
- spec.config.duplicateDatabase.certificate.valueFrom.secretKeyRef.name
- Specify the name of the Red Hat OpenShift Container Platform secret that contains the TLS certificate to use for Db2.
- spec.config.database.certificate.valueFrom.secretKeyRef.key
- spec.config.duplicateDatabase.certificate.valueFrom.secretKeyRef.key
- Specify the name of the key in the secret that contains the certificate file.
IBM MQ configurations with TLS and LDAP authentication
- Configure whether FTM connects to IBM MQ by using TLS.
- If you want to enable TLS for IBM MQ, set spec.config.mq.enableTLS to true in the custom resource for your FTM offering. Set spec.config.mq.certificate to the name of your Red Hat OpenShift secret that has the IBM MQ TLS certificate.
- If you want to disable TLS for IBM MQ, set spec.config.mq.enableTLS to false.
- To configure IBM MQ LDAP authentication, do the following steps:
- IBM MQ can be configured to authenticate with an external LDAP server that is
running outside the Red Hat
OpenShift Container
Platform environment. To enable authentication with this external
LDAP server, configure the following parameters in the custom resource for your FTM offering.
- spec.config.mq.username.valueFrom.secretKeyRef.name
- Set this parameter to the name of the Red Hat OpenShift secret that has the username to use to connect to IBM MQ.
- spec.config.mq.username.valueFrom.secretKeyRef.key
- Set this parameter to the name of the key to use to get the username from the Red Hat OpenShift secret with the username for IBM MQ.
- spec.config.mq.password.valueFrom.secretKeyRef.name
- Set this parameter to the name of the Red Hat OpenShift secret that has the password to use to connect to IBM MQ.
- spec.config.mq.password.valueFrom.secretKeyRef.key
- Set this parameter to the name of the key to use to get the password from the Red Hat OpenShift secret with the password for IBM MQ.
- Run the following commands to create a directory for storing the IBM MQ LDAP
configuration files and then switch to the
directory.
mkdir -p /var/tmp/mq-ldapcd /var/tmp/mq-ldap - Create a file called
ldap_config.mqscto hold the LDAP configuration data. Use the following text as a template for the file.ALTER QMGR CHLAUTH(ENABLED) SET CHLAUTH(QMLDAP.SVRCONN) TYPE(BLOCKUSER) ACTION(REPLACE) USERLIST('nobody') SET CHLAUTH('FTM.*') TYPE(BLOCKUSER) ACTION(REPLACE) USERLIST('nobody') DEFINE AUTHINFO(FTMQMGR.IDPW.LDAP) AUTHTYPE(IDPWLDAP) CONNAME(‘myldap.server.com(389)’) SHORTUSR(‘uid’) ADOPTCTX(YES) AUTHORMD(SEARCHGRP) BASEDNG(‘ou=mqusers,dc=example,dc=com’) BASEDNU(‘dc=example,dc=com’) CHCKCLNT(OPTIONAL) CHCKLOCL(NONE) CLASSGRP(‘groupOfUniqueNames’) CLASSUSR(‘inetOrgPerson’) FINDGRP(‘uniqueMember’) GRPFIELD(‘cn’) LDAPPWD(‘password’) LDAPUSER(‘cn=read-only-admin,dc=example,dc=com’) NESTGRP(YES) SECCOMM(NO) USRFIELD(‘uid’) ALTER QMGR CONNAUTH(FTMQMGR.IDPW.LDAP) REFRESH SECURITY SET AUTHREC PROFILE(‘**’) OBJTYPE(QMGR)GROUP(‘ou=mqusers,dc=example,dc=com’) AUTHADD(ALL) SET AUTHREC PROFILE(‘**’) OBJTYPE(queue) GROUP(‘ou=mqusers,dc=example,dc=com’) AUTHADD(ALL) SET AUTHREC PROFILE(‘@class’) OBJTYPE(queue) GROUP(‘ou=mqusers,dc=example,dc=com’) AUTHADD(CRT) SET AUTHREC PROFILE(‘**’) OBJTYPE(topic) GROUP(‘ou=mqusers,dc=example,dc=com’) AUTHADD(ALL) SET AUTHREC PROFILE(‘@class’) OBJTYPE(topic) GROUP(‘ou=mqusers,dc=example,dc=com’) AUTHADD(CRT) - Update the MQSC commands in the provided template with the appropriate commands that corresponds to the LDAP server that you are connecting to. For more information about each MQSC command, see the IBM MQ documentation.
- Run the following commands to create the configmap in the namespace where your FTM
offering is deployed. You can choose any name for the configmap. This example uses
ftm-demoas the namespace andftm-mq-ldap-configas the configmap name.oc project ftm-demooc create configmap ftm-mq-ldap-config --from-file=/var/tmp/mq-ldap - Update the queue manager instance with the specified LDAP details by using the following MQSC
configuration:
mqsc: - configMap: items: - ldap_config.mqsc name: ftm-mq-ldap-config - After you complete the steps for IBM MQ LDAP authentication, the IBM MQ pods reconcile automatically with the updated TLS and LDAP configurations.
- IBM MQ can be configured to authenticate with an external LDAP server that is
running outside the Red Hat
OpenShift Container
Platform environment. To enable authentication with this external
LDAP server, configure the following parameters in the custom resource for your FTM offering.
Add the IBM License Service certificate to the FTM truststore
The IBM License Service runs in a pod in another namespace and provides a service that can be used to access it. The FTM Operations and Administration Console (OAC) container accesses the license service securely by using TLS. For the TLS communication to occur successfully, the certificate of the license server needs to be added to the truststore that is used by the FTM components.
- All additional certificates that you want to add for your FTM
offering must be in the same directory. Either change to the existing directory or create a directory where
you want your additional certificates to be stored. The following example command creates a directory for the
FTM certificates.
mkdir /var/tmp/addtnl-certs - If the
ftm-additional-certs-secretsecret exists in the FTM namespace, get the existing certificates from the secret so they are not lost when the secret is deleted. Extract them to the directory from step 1.oc project namespaceoc extract secret/ftm-additional-certs-secret --to=/var/tmp/addtnl-certs - Log in to the Red Hat
OpenShift cluster and select the
ibm-licensingnamespace.oc project ibm-licensing - Extract the certificates from the licensing service by running the following commands. The public and CA
certificates are in
crt.pem.
oc extract configmap/ibm-licensing-upload-config --to=/var/tmp/addtnl-certs --keys=crt.pemmv /var/tmp/addtnl-certs/crt.pem /var/tmp/addtnl-certs/licensing-cert.crt - Create the
ftm-additional-certs-secretsecret in your FTM namespace. If the secret exists, delete it first. The following example commands select the FTM namespace, delete the existing secret, and then create a new secret with the same name.oc project namespaceoc delete secret ftm-additional-certs-secretoc create secret generic ftm-additional-certs-secret --from-file=/var/tmp/addtnl-certs
User-supplied certificates for external applications
Apart from the application-specific certificates, you need to configure additional certificates in the FTM application truststore for integrating with external applications. For client certificate authentication, it is also necessary to include the client certificate in the Liberty truststore.
Renewing self-signed certificate
When the TLS certificates that are configured during deployment are about to expire or are compromised, they need to be renewed. This process involves creating the new certificates, adding them to keystore or truststore, and creating all the required Red Hat OpenShift Container Platform secrets.