Replacing the ingress certificate
You can choose to replace the default ingress certificate after you install Guardium® Insights or keep the default ingress certificate.
Before you begin
- Install openssl and the oc command-line utility as described in the command-line tool requirements.
- Log in to the OpenShift® cluster where Guardium Insights is deployed. To log in, run a command similar to this example and use your own data:
oc login --token=sha256~7rUpGhaFp-lEY3UDH4VBZjIsbIYxkXFemHiI-0MJS50 --server=https://myOpenShift.guardium-insights.com:6443
Procedure
- Set the environment variables with these commands:
mkdir -p working-dir/cert-request
mkdir -p working-dir/cert-received
export KEY_FILE="tls.key"
export CA_FILE="ca.crt"
export CERT_FILE="tls.crt"
Specify the hostname that is used to access Guardium Insights. For example, run the following command:
export INGRESS_HOSTNAME=guardiuminsights.mydomain.example
Also set GI_NAMESPACE to the namespace where Guardium Insights is deployed, because the oc commands in the later steps reference it. For example, if your namespace is gi, run the following command:
export GI_NAMESPACE=gi
- Optional: Create a self-signed certificate authority (CA), key, and cert files:
- Create the key_file:
cd working-dir/cert-request
openssl genrsa -out ca.key 4096
- Create the ca_file:
subjectValCN="/CN=ibm.com/"
openssl req -x509 -new -nodes -key ca.key -sha256 -days 825 -subj "$subjectValCN" -out ca.crt
- Create the cert_file by running these commands in the same terminal and directory. The here-document expands INGRESS_HOSTNAME, so the variable must be set in this shell; replace *.domainName with the wildcard name for your cluster's application domain:
cat > openssl.cfg << EOF
[req]
req_extensions = req_ext
x509_extensions = usr_cert
distinguished_name = req_name

[ req_name ]
commonName = "$INGRESS_HOSTNAME"

[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @sans

[ req_ext ]
subjectAltName = @sans

[ sans ]
DNS.1 = $INGRESS_HOSTNAME
DNS.2 = *.$INGRESS_HOSTNAME
DNS.3 = *.domainName
EOF
- Create the certificate signing request (CSR). Change subjectVal to match your deployment (the CN is the hostname that is used to access Guardium Insights); the commented lines are examples from other deployments:
#subjectVal="/C=US/ST=CA/O=IBM/CN=*.apps.giaas1.cp.fyre.ibm.com/"
#subjectVal="/C=US/ST=CA/O=IBM/CN=*.apps.xdr-dev03.xdrdev.com/"
#subjectVal="/C=US/ST=VA/O=IBM/CN=*.apps.guardium-insights-dev01.xdrdev.com/"
subjectVal="/C=US/ST=VA/O=IBM/CN=giaas.apps.guardium-insights-rel01.xdrdev.com/"   # Change this value based on your deployment
openssl req -nodes -newkey rsa:2048 -keyout tls.key -outform PEM -out tls.csr -subj "$subjectVal" -config openssl.cfg
Tip: If your openssl.cfg file contains special characters, you might receive an error.
Important: The tls.crt, tls.key, and ca.crt files can use only the new line (\n) as a delimiter. In addition, your environment must support the cat, tr, and base64 commands.
- Sign your domain with a certificate.
Tip: These instructions describe the self-sign option. If you prefer to submit your CSR to a certificate authority (CA), follow the instructions for that option instead and then replace the certificate in IBM® Common Services.
- In the working-dir/cert-request directory, self-sign the certificate:
openssl x509 -req -sha256 -in tls.csr -out tls.crt -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.serial -days 825 -extensions usr_cert -extfile openssl.cfg
- Inject ca.crt into the certificate so that tls.crt contains the leaf certificate followed by the CA certificate:
cat ca.crt >> tls.crt
- Replace the Ingress certificate in Guardium Insights.
- Back up the Guardium Insights Ingress CA secret (the -o yaml option writes the full secret, so the backup can be restored later):
oc get secret insights-ingressca -n=${GI_NAMESPACE} -o yaml > backup-gi-tls.yaml
- Delete the old Guardium Insights Ingress CA secret:
oc delete secret insights-ingressca -n=${GI_NAMESPACE}
- Store the new ca.crt, tls.crt, and tls.key in the Guardium Insights ingress CA secret:
oc create secret generic insights-ingressca --type=kubernetes.io/tls -n ${GI_NAMESPACE} --from-file=ca.crt=ca.crt --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key
- Restart the Guardium Insights Operator:
oc delete $(oc get po -oname -n=${GI_NAMESPACE} | grep guardium-insights-operator) -n=${GI_NAMESPACE}
- Wait until the routes are updated. To confirm that the routes are updated, run the following command. The output must match your ca.crt value.
oc get $(oc get route -oname -n=${GI_NAMESPACE} | grep insights) -n=${GI_NAMESPACE} -ojsonpath='{.spec.tls.caCertificate}'
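The Important note limits ca.crt, tls.crt and tls.key to \n delimiters, the inject step requires the CA to follow the leaf in tls.crt, and the last step compares the route's caCertificate field with ca.crt. The POSIX shell functions below, added here as an example and not part of the IBM documentation, perform those checks offline with cat, tr, grep, sed, head, tail and cmp; they assume the jsonpath output of the oc get route command has been redirected to a file, and the PEM bodies used to exercise them are constructed stand-ins, not real certificates.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): pre-flight checks for the
# files that go into the insights-ingressca secret and for the route output.

# 0 if FILE is non-empty, LF-only (no carriage returns) and has PEM markers.
pem_is_clean() {
    f="$1"
    [ -s "$f" ] || return 1
    # The secret's files may use only "\n" as delimiter; any "\r" fails the check.
    [ "$(( $(tr -cd '\r' < "$f" | wc -c) ))" -eq 0 ] || return 1
    grep -q -- '-----BEGIN ' "$f" && grep -q -- '-----END ' "$f"
}

# Number of certificates in a PEM bundle (prints 0 instead of failing when none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# 0 if TLS_CRT is "leaf followed by CA", which is what `cat ca.crt >> tls.crt`
# produces: the leaf starts the file and the file ends with exactly CA_CRT.
chain_is_leaf_then_ca() {
    tls="$1"; ca="$2"
    [ "$(count_certs "$tls")" -ge 2 ] || return 1
    [ "$(head -n 1 "$tls")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    # A leaf file that lacked a trailing newline would glue the CA's first
    # line onto its last line; the tail/cmp comparison detects that as well.
    tail -n "$(( $(wc -l < "$ca") ))" "$tls" | cmp -s - "$ca"
}

# Strip carriage returns and blank lines so the route's caCertificate field
# and the on-disk ca.crt compare as strings despite trailing-newline noise.
normalize_pem() {
    tr -d '\r' < "$1" | sed '/^[[:space:]]*$/d'
}

# 0 if ROUTE_CA_FILE, the saved output of
#   oc get <route> -n "${GI_NAMESPACE}" -ojsonpath='{.spec.tls.caCertificate}'
# carries the same CA as CA_CRT, i.e. the routes have picked up the new secret.
route_ca_matches() {
    [ "$(normalize_pem "$1")" = "$(normalize_pem "$2")" ]
}
```

Run pem_is_clean on each of the three files and chain_is_leaf_then_ca tls.crt ca.crt before the oc create secret step; after the operator restart, redirect the jsonpath output to a file and call route_ca_matches on it instead of comparing by eye.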
- Replace the gi-ics-ca-cert certificate in IBM Common Services (for more information, see https://www.ibm.com/docs/SSRV9V_3.19/cert-manager/3.4.0/cert_mgmt_ingress.html):
- Open a browser and go to the cp-console link for your system (such as https://cp-console.gi-demo-xxxx.eu-gb.containers.appdomain.cloud/).
- When the page loads, click the lock icon that indicates a secure connection to the system.
- Select Connection secure to see the trusted certificate.
- Click More information > View certificate.
- In the View certificate page, click the tab for the root CA (ISRG Root X1 in this example) to see the ROOTCA of the intermediate certificate issuer.
- Click PEM (cert) to download the root-CA certificate and save it as a .crt file.
- Copy this file to the machine that is connected to the OpenShift cluster by using oc login.
- To see the secret that you want to replace, run the following command:
oc get secret -n gi | grep gi-ics-ca-cert
- Delete this secret:
oc -n ${NAMESPACE} delete secret ${NAMESPACE}-ics-ca-cert
- Create the secret by using the PEM file that you created earlier and saved as a .crt file:
oc -n ${NAMESPACE} create secret generic ${NAMESPACE}-ics-ca-cert --from-file=ca.crt=icsca.crt
Tip: After you delete the secret in the previous step, the secret can automatically be re-created. To prevent this recreation from happening, run the secret-creation command in this step right after you delete the secret.
- Confirm that the secret was created by running the following command:
oc get secret -n gi | grep gi-ics-ca-cert
- Reconciliation takes approximately 20 minutes. To verify that the reconciliation occurred, log in to the OpenShift Container Platform (OCP) console and click Networking > Routes > Project: <name of your Guardium Insights project>. Click each of the routes and verify that the certificates are the ones that you just added from your .crt file.
- Restart the Guardium Insights pods:
- Retrieve the list of pods in your Guardium Insights namespace:
oc get pods -n ${NAMESPACE} | grep -i ${NAMESPACE}-insights
For example, if your namespace is gi, run the following command:
oc get pods -n gi | grep -i gi-insights
- For each pod name that is returned, run the following command (oc delete requires the resource type, so pod is given explicitly):
oc delete pod -n ${NAMESPACE} ${NAMESPACE}-insights-xxxxxxx
Repeat this command for each pod until all pods are deleted.