Replacing the ingress certificate

You can choose to replace the default ingress certificate after you install Guardium® Insights or keep the default ingress certificate.

Before you begin

  • Install openssl and the oc command-line utility as described in the command-line tool requirements.
  • Log in to the OpenShift® cluster where Guardium Insights is deployed. To log in, run a command similar to this example and use your own data:
    oc login --token=sha256~7rUpGhaFp-lEY3UDH4VBZjIsbIYxkXFemHiI-0MJS50 --server=https://myOpenShift.guardium-insights.com:6443

Procedure

  1. Set the environment variables with these commands:
    mkdir -p working-dir/cert-request
    mkdir -p working-dir/cert-received
    
    export KEY_FILE="tls.key"
    export CA_FILE="ca.crt"
    export CERT_FILE="tls.crt"

    Specify the hostname that is used to access Guardium Insights.

    For example, run the following command:

    export INGRESS_HOSTNAME=guardiuminsights.mydomain.example
  2. Optional: Create a self-signed certificate authority (CA), key, and cert files:
    1. Create the key_file:
      cd working-dir/cert-request
      openssl genrsa -out ca.key 4096
    2. Create the ca_file:
      subjectValCN="/CN=ibm.com/"
      openssl req -x509 -new -nodes -key ca.key -sha256 -days 825 -subj "$subjectValCN" -out ca.crt
    3. Create the cert_file by running these commands in the same terminal:
      cat > openssl.cfg << EOF
        [req]
        req_extensions = req_ext
        x509_extensions = usr_cert
        distinguished_name      = req_name
        [ req_name ]
        commonName = "$HOSTNAME"
        [ usr_cert ]
        basicConstraints=CA:FALSE
        nsCertType = server
        keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        extendedKeyUsage = serverAuth
        subjectKeyIdentifier=hash
        authorityKeyIdentifier=keyid,issuer
        subjectAltName = DNS:$HOSTNAME
        [ req_ext ] = @sans
        [ sans ]      
        DNS.1 = = "$HOSTNAME,*.domainName"
        DNS.2 = = "*.$HOSTNAME,*.domainName"
      EOF
    4. Create the certificate signing request (CSR):
      #subjectVal="/C=US/ST=CA/O=IBM/CN=*.apps.giaas1.cp.fyre.ibm.com/"   <--- Change this value based on your deployment
      #subjectVal="/C=US/ST=CA/O=IBM/CN=*.apps.xdr-dev03.xdrdev.com/"   <--- Change this value based on your deployment
      #subjectVal="/C=US/ST=VA/O=IBM/CN=*.apps.guardium-insights-dev01.xdrdev.com/"   <--- Change this value based on your deployment
      subjectVal="/C=US/ST=VA/O=IBM/CN=giaas.apps.guardium-insights-rel01.xdrdev.com/"   <--- Change this value based on your deployment
      
      cd working-dir/cert-request
      openssl req -nodes -newkey rsa:2048 -keyout tls.key -outform PEM -out tls.csr -subj "$subjectVal" -config openssl.cfg
      Tip: If your openssl.cfg file contains special characters, you might receive an error.
    Important: The tls.crt, tls.key, and ca.crt files can use only the new line (\n) as a delimiter. In addition, your environment must support the cat, tr, and base64 commands.
  3. Sign your domain with a certificate.
    Tip: These instructions describe the self-sign option. If you prefer to submit your CSR to a certificate authority (CA), follow these instructions instead and then replace the certificate in IBM® Common Services.
    1. Self-sign the certificate:
      cd working-dir/cert-req
      openssl x509 -req -sha256 -in tls.csr -out tls.crt  -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.serial -days 825 -extensions usr_cert -extfile openssl.cfg
    2. Inject ca.crt into the certificate:
      cat ca.crt >> tls.crt
  4. Replace the Ingress certificate in Guardium Insights.
    1. Backup the Guardium Insights Ingress CA.
      oc get secret insights-ingressca -n=${GI_NAMESPACE} > backup-gi-tls.yaml
    2. Delete the old Guardium Insights Ingress CA secret.
      oc delete secret insights-ingressca -n=${GI_NAMESPACE}
    3. Store the new ca.crt, tls.crt, and tls.key in the Guardium Insights ingress CA.
      oc create secret generic insights-ingressca --type=kubernetes.io/tls -n ${GI_NAMESPACE} --from-file=ca.crt=ca.crt --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key
      
    4. Restart the Guardium Insights Operator.
      oc delete $(oc get po -oname -n=${GI_NAMESPACE} | grep guardium-insights-operator) -n=${GI_NAMESPACE}
      
    5. Wait until the routes are updated. To confirm if the routes are updated, run the following command. The output must match your ca.crt value.
       oc get $(oc get route -oname -n=${GI_NAMESPACE} | grep insights) -n=${GI_NAMESPACE} -ojsonpath='{.spec.tls.caCertificate}
  5. Replace the gi-ics-ca-cert certificate in IBM Common Services (for more information, see https://www.ibm.com/docs/SSRV9V_3.19/cert-manager/3.4.0/cert_mgmt_ingress.html):
    1. Open a browser and go to the cp-console link for your system (such as https://cp-console.gi-demo-xxxx.eu-gb.containers.appdomain.cloud/).
    2. When the page loads, click the lock icon that indicates a secure connection to the system.
    3. Select Connection secure to see the trusted certificate.
    4. Click More information > View certification.
    5. In the View certificate page, click the ISRG Root X1 tab to see the ROOTCA of the intermediate certificate issuer.
    6. Click the PEM(cert) to download the root-CA certificate and save it as a .crt file.
    7. Copy this file to the machine that is connected to the OpenShift cluster by using oc login.
    8. To see the secret that you want to replace, run the following command.
      oc get secret -n gi | grep gi-icsgi-ics-ca-cert
    9. Delete this secret:
      oc -n ${NAMESPACE} delete secret ${NAMESPACE}-ics-ca-certsecret
    10. Create the secret by using the PEM file that you created earlier and saved as a .crt file:
      oc -n ${NAMESPACE} create secret generic ${NAMESPACE}-ics-ca-cert --from-file=ca.crt=icsca.crt
      Tip: After you delete the secret in 5.i, the secret can automatically be re-created. To prevent this recreation from happening, run the secret-creation command in this step right after you delete the secret.
    11. Confirm that the secret was created by running the following command:
      oc get secret -n gi | grep gi-icsgi-ics-ca-cert
    12. Reconciliation takes approximately 20 minutes. To verify that the reconciliation occurred, log in to the OpenShift Container Platform (OCP) and click Networking > Routes > Project: <name of your Guardium Insights project>. Click each of the routes and verify that the certificates are the ones that you just added from your .crt file.
  6. Restart the Guardium Insights pods:
    1. Retrieve the list of pods in your Guardium Insights namespace:
      oc get pods | grep -i ${NAMESPACE}-insights

      For example, if your namespace is gi, run the following command:

      oc get pods | grep -i gi-insights
    2. For each pod name that is returned, run the following command:
      oc delete $NAMESPACE-insights-xxxxxxx

      Repeat this command for each pod until all pods are deleted.