When you install Maximo® Application Suite on Microsoft Azure, Maximo Application Suite uses self-signed certificates. If you want to use well-known certificates signed by a certificate authority such as Let's Encrypt, you can install and configure Let's Encrypt on Microsoft Azure.
About this task
cert-manager can create and then delete DNS-01 challenge records in Microsoft Azure DNS. However, cert-manager must first authenticate to Microsoft Azure. The following method uses Microsoft Azure service principal authentication to configure Let's Encrypt.
Procedure
- Create a service principal in Microsoft Azure and record its connection parameters as shell variables. For example:
    AZURE_DNS_ZONE_RESOURCE_GROUP=masperf
    AZURE_DNS_ZONE=mas4azure.com
    AZURE_CERT_MANAGER_SP_APP_ID=3xx721x5-xx3x-4x10-x39x-xxx31335405
    AZURE_CERT_MANAGER_SP_PASSWORD=X87xXxX6q6xxXxXxx7nYhZmbXxxxX~Tho
    AZURE_TENANT_ID=xxx67057-50x9-4xx4-98x3-xxxx64xxx9x9
    AZURE_SUBSCRIPTION_ID=x2xx5467-2502-4b05-x78x-744604x6531x
  Tip: For all examples, replace the values shown with your own.
- Log in to Microsoft Azure by using the service principal connection details.
    az login --service-principal -u $AZURE_CERT_MANAGER_SP_APP_ID -p $AZURE_CERT_MANAGER_SP_PASSWORD --tenant $AZURE_TENANT_ID
- Assign the DNS Zone Contributor role on the DNS zone to the service principal. For example:
    DNS_ID=$(az network dns zone show --name $AZURE_DNS_ZONE --resource-group $AZURE_DNS_ZONE_RESOURCE_GROUP --query "id" --output tsv)
    # --assignee accepts the application (client) ID; --assignee-object-id expects the service principal's object ID, which is a different value
    az role assignment create --role "DNS Zone Contributor" --assignee $AZURE_CERT_MANAGER_SP_APP_ID --scope $DNS_ID
- In DNS Record, click your domain and create an A record set for *.<<Cluster_unique_String>>.<<DNS_NAME>>. For example, *.i4l7mh.mas4azure.com, where i4l7mh is the cluster unique string and mas4azure.com is the DNS name.
  Tip: Use the same cluster unique string in the A record and in the Suite domain that you set later in this procedure.
- Log in to the Red Hat® OpenShift® cluster. For example:
    oc login --token=<<token_number>> --server=https://api.masocp-i4l7mh.mas4azure.com:6443
- Create a secret azuredns-config that contains the service principal password. For example:
    oc create secret generic azuredns-config --from-literal=client-secret=$AZURE_CERT_MANAGER_SP_PASSWORD -n ibm-common-services
- In the Red Hat OpenShift console, create a ClusterIssuer from the Instances tab of the cert-manager.io group. For example:
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
      namespace: ibm-common-services
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: username@ibm.com   # ACME account contact; must be a valid mailbox address
        privateKeySecretRef:
          name: letsencrypt-prod
        solvers:
        - dns01:
            azureDNS:
              clientID: 3xx721x5-xx3x-4x10-x39x-xxx31335405
              clientSecretSecretRef:
                name: azuredns-config
                key: client-secret
              subscriptionID: x2xx5467-2502-4b05-x78x-744604x6531x
              tenantID: xxx67057-50x9-4xx4-98x3-xxxx64xxx9x9
              resourceGroupName: masperf
              hostedZoneName: mas4azure.com
              environment: AzurePublicCloud
  Note: In Maximo Application Suite 8.10, wait for the routes to regenerate and verify the generated routes to check that the certificate is signed by Let's Encrypt.
- In the Red Hat OpenShift console, search for a suite in your namespace.
- In the Red Hat OpenShift console, select the Instances tab for your Suite CRD.
- Click your Custom Resource, and in the Instances tab, select YAML to add the certificateIssuer and domain parameters in the spec section.
    ---
    spec:
      certificateIssuer:
        duration: 8760h0m0s
        name: letsencrypt-prod   # must match metadata.name of the ClusterIssuer created earlier
        renewBefore: 720h0m0s
      domain: <<masinstance_id>>.<<domain>>
- Delete the finalizers section from the same Suite YAML to force a reconciliation, and then save the YAML.
    finalizers:
    - core.mas.ibm.com/finalizer
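Before saving the Suite YAML it is worth checking that the ClusterIssuer and the Suite's certificateIssuer block agree with each other, because a mismatched issuer name, a mis-cased apiVersion key, an invalid ACME contact address, or a domain outside the hosted zone each leave the routes on the self-signed certificate with no obvious error. The following script is an added example and is not IBM's or cert-manager's code; the two documents it checks are constructed here as Python dicts mirroring the page's example YAML (placeholder IDs included) so that it runs offline, and the function names check_issuer and _to_seconds are this example's own.

```python
"""Preflight check that the Let's Encrypt ClusterIssuer and the Suite spec that
references it are consistent. Added example, not IBM's or cert-manager's code.
Both documents are constructed here as plain dicts mirroring the page's YAML
(placeholder IDs included) so the check runs offline without a YAML parser;
against a cluster you would load them with `oc get ... -o json` instead.
"""
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
REQUIRED_AZURE_FIELDS = ("clientID", "clientSecretSecretRef", "subscriptionID",
                         "tenantID", "resourceGroupName", "hostedZoneName")

# Constructed: the ClusterIssuer from the procedure, as a dict.
CLUSTER_ISSUER = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-prod", "namespace": "ibm-common-services"},
    "spec": {"acme": {
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "email": "username@ibm.com",
        "privateKeySecretRef": {"name": "letsencrypt-prod"},
        "solvers": [{"dns01": {"azureDNS": {
            "clientID": "3xx721x5-xx3x-4x10-x39x-xxx31335405",
            "clientSecretSecretRef": {"name": "azuredns-config", "key": "client-secret"},
            "subscriptionID": "x2xx5467-2502-4b05-x78x-744604x6531x",
            "tenantID": "xxx67057-50x9-4xx4-98x3-xxxx64xxx9x9",
            "resourceGroupName": "masperf",
            "hostedZoneName": "mas4azure.com",
            "environment": "AzurePublicCloud",
        }}}],
    }},
}

# Constructed: the certificateIssuer and domain block of the Suite spec.
SUITE_SPEC = {
    "certificateIssuer": {"name": "letsencrypt-prod",
                          "duration": "8760h0m0s", "renewBefore": "720h0m0s"},
    "domain": "i4l7mh.mas4azure.com",
}


def _to_seconds(duration: str) -> int:
    """Parse the Go-style '8760h0m0s' duration form used in the Suite spec."""
    m = re.fullmatch(r"(\d+)h(\d+)m(\d+)s", duration)
    if not m:
        raise ValueError(f"unrecognised duration {duration!r}")
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def check_issuer(issuer: dict, suite_spec: dict) -> list:
    """Return the list of problems found; an empty list means the pair is consistent."""
    problems = []
    if issuer.get("apiVersion") != "cert-manager.io/v1":
        problems.append("apiVersion must be 'cert-manager.io/v1' (the key is case-sensitive)")
    if issuer.get("kind") != "ClusterIssuer":
        problems.append("kind must be ClusterIssuer")
    acme = issuer.get("spec", {}).get("acme", {})
    if not EMAIL_RE.match(acme.get("email", "")):
        problems.append("spec.acme.email is not a valid mailbox address")
    if not acme.get("privateKeySecretRef", {}).get("name"):
        problems.append("spec.acme.privateKeySecretRef.name is missing")
    solvers = acme.get("solvers") or [{}]
    azure = solvers[0].get("dns01", {}).get("azureDNS", {})
    for field in REQUIRED_AZURE_FIELDS:
        if field not in azure:
            problems.append(f"azureDNS solver is missing {field}")
    ref = azure.get("clientSecretSecretRef", {})
    if not (ref.get("name") and ref.get("key")):
        problems.append("clientSecretSecretRef needs both name and key")
    # The Suite names the ClusterIssuer; a typo here means no Certificate is ever issued.
    wanted = suite_spec.get("certificateIssuer", {}).get("name")
    actual = issuer.get("metadata", {}).get("name")
    if wanted != actual:
        problems.append(f"Suite certificateIssuer.name {wanted!r} does not match ClusterIssuer {actual!r}")
    # DNS-01 can only write challenge TXT records inside the hosted zone the solver owns.
    domain = suite_spec.get("domain", "")
    zone = azure.get("hostedZoneName", "")
    if not (zone and (domain == zone or domain.endswith("." + zone))):
        problems.append(f"Suite domain {domain!r} is not inside hosted zone {zone!r}")
    ci = suite_spec.get("certificateIssuer", {})
    try:
        # Let's Encrypt issues 90-day certificates regardless of the requested duration,
        # so renewBefore must still be well under 90 days (720h = 30 days is fine).
        if _to_seconds(ci.get("renewBefore", "0h0m0s")) >= _to_seconds(ci.get("duration", "0h0m0s")):
            problems.append("renewBefore must be shorter than duration")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    for line in check_issuer(CLUSTER_ISSUER, SUITE_SPEC) or ["ClusterIssuer and Suite spec are consistent"]:
        print(line)
```

Run it as-is to see the consistent case; to check a live cluster, replace the two constructed dicts with the output of `oc get clusterissuer letsencrypt-prod -o json` and the spec of your Suite custom resource.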
- In Networking under Routes of project mas-<mas_instance_id>-core, wait for the Routes to regenerate for the namespace.
  Note: The Routes regeneration takes some time. The certificate in the routes is signed by Let's Encrypt.
- Log in to the Maximo Application Suite administrator screen and verify the certificate signer.
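Verifying the signer from the browser works for one route at a time; for the last two steps it is often more useful to check each regenerated route's certificate from a terminal. The following script is an added example and not IBM's code: it uses only the Python standard library, keeps the decision logic separate from the network call so that it can be exercised offline on the two constructed certificate records embedded below, and assumes a route hostname of your own cluster for the live check (the function names issuer_fields, is_lets_encrypt, days_until_expiry, fetch_peer_cert and classify_route are this example's own).

```python
"""Check which CA signed the certificate a Maximo Application Suite route serves,
after the routes have regenerated. Added example, not IBM's code; it uses only
the Python standard library. The decision logic is kept separate from the
network call so it can be exercised offline on the constructed certificate
records below (the live check needs a route hostname of your own cluster).
"""
import socket
import ssl
import sys
import time

# Constructed: certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
LE_SAMPLE = {
    "subject": ((("commonName", "*.i4l7mh.mas4azure.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notAfter": "Jan 01 00:00:00 2030 GMT",
}
SELF_SIGNED_SAMPLE = {
    "subject": ((("commonName", "*.i4l7mh.mas4azure.com"),),),
    "issuer": ((("commonName", "*.i4l7mh.mas4azure.com"),),),
    "notAfter": "Jan 01 00:00:00 2030 GMT",
}


def issuer_fields(peercert: dict) -> dict:
    """Flatten the issuer's tuple-of-RDN-tuples into a plain {attribute: value} dict."""
    return {attr: value for rdn in peercert.get("issuer", ()) for attr, value in rdn}


def is_lets_encrypt(peercert: dict) -> bool:
    """True when the issuing CA's organization is Let's Encrypt."""
    return issuer_fields(peercert).get("organizationName") == "Let's Encrypt"


def days_until_expiry(peercert: dict, now: float = None) -> int:
    """Whole days left before notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(peercert["notAfter"]) - now) // 86400)


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """TLS-connect with SNI and return the leaf certificate as a dict.

    create_default_context() verifies the chain against the system trust store,
    so a route still serving the self-signed default raises SSLCertVerificationError
    instead of returning a certificate.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def classify_route(host: str) -> str:
    """'lets-encrypt', 'other-trusted', or 'untrusted' (chain did not verify)."""
    try:
        cert = fetch_peer_cert(host)
    except ssl.SSLCertVerificationError:
        return "untrusted"
    return "lets-encrypt" if is_lets_encrypt(cert) else "other-trusted"


if __name__ == "__main__":
    # Usage: python check_route_cert.py <route hostname>, e.g. a route under *.i4l7mh.mas4azure.com
    route_host = sys.argv[1]
    print(route_host, classify_route(route_host))
```

Because the default SSL context validates the chain, a route that has not regenerated yet reports "untrusted" rather than silently returning the self-signed certificate's issuer; "other-trusted" means a publicly trusted CA other than Let's Encrypt signed it, which would point at a different ClusterIssuer having been picked up.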