Configuring Let's Encrypt for Maximo Application Suite on Microsoft Azure

When you install Maximo® Application Suite on Microsoft Azure, Maximo Application Suite uses self-signed certificates. If you want to use well-known certificates that are signed by a public certificate authority such as Let's Encrypt, you can install and configure Let's Encrypt on Microsoft Azure.

Before you begin

To configure Let's Encrypt, a service principal must exist in Microsoft Azure. For more information, see the cert-manager documentation at https://cert-manager.io/docs/configuration/acme/dns01/azuredns/#service-principal.

About this task

cert-manager can create and then delete DNS-01 challenge records in Microsoft Azure DNS. However, cert-manager must first authenticate to Microsoft Azure. The following method uses Microsoft Azure service principal authentication to configure Let's Encrypt.

Procedure

  1. Record the connection parameters of the service principal that you created in Microsoft Azure as environment variables.
    For example:
    AZURE_DNS_ZONE_RESOURCE_GROUP=masperf
    AZURE_DNS_ZONE=mas4azure.com
    AZURE_CERT_MANAGER_SP_APP_ID=3xx721x5-xx3x-4x10-x39x-xxx31335405
    AZURE_CERT_MANAGER_SP_PASSWORD=X87xXxX6q6xxXxXxx7nYhZmbXxxxX~Tho
    AZURE_TENANT_ID=xxx67057-50x9-4xx4-98x3-xxxx64xxx9x9
    AZURE_SUBSCRIPTION_ID=x2xx5467-2502-4b05-x78x-744604x6531x
    Tip: In all examples, replace the values that are shown with your own values.
  2. Log in to Microsoft Azure by using the service principal connection details.
    az login --service-principal -u $AZURE_CERT_MANAGER_SP_APP_ID -p $AZURE_CERT_MANAGER_SP_PASSWORD --tenant $AZURE_TENANT_ID
  3. Assign the DNS Zone Contributor role to the service principal on the DNS zone.
    For example:
    DNS_ID=$(az network dns zone show --name $AZURE_DNS_ZONE --resource-group $AZURE_DNS_ZONE_RESOURCE_GROUP --query "id" --output tsv)
    az role assignment create --role "DNS Zone Contributor" --assignee $AZURE_CERT_MANAGER_SP_APP_ID --scope $DNS_ID
  4. In DNS records, click your domain and create an A record set that is named *.<<Cluster_unique_String>>.<<DNS_NAME>>.
    For example, *.i4l7mh.mas4azure.com, where i4l7mh is the cluster unique string and mas4azure.com is the DNS name.
    Tip: Use the same value that is used in the A record.
  5. Log in to the Red Hat® OpenShift® cluster.
    For example:
    oc login --token=<<token_number>> --server=https://api.masocp-i4l7mh.mas4azure.com:6443
  6. Create a secret that is named azuredns-config and that contains the service principal password.
    For example:
    oc create secret generic azuredns-config --from-literal=client-secret=$AZURE_CERT_MANAGER_SP_PASSWORD -n ibm-common-services
  7. In the Red Hat OpenShift console, go to Home > API Explorer, select ClusterIssuer in the cert-manager.io group, and create a ClusterIssuer from the Instances tab.
    For example:
    
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: username@ibm.com
        privateKeySecretRef:
          name: letsencrypt-prod
        solvers:
          - dns01:
              azureDNS:
                clientID: 3xx721x5-xx3x-4x10-x39x-xxx31335405
                clientSecretSecretRef:
                  name: azuredns-config
                  key: client-secret
                subscriptionID: x2xx5467-2502-4b05-x78x-744604x6531x
                tenantID: xxx67057-50x9-4xx4-98x3-xxxx64xxx9x9
                resourceGroupName: masperf
                hostedZoneName: mas4azure.com
                environment: AzurePublicCloud
    
    Note: In Maximo Application Suite 8.10, wait for the routes to regenerate, and then inspect the generated routes to verify that the certificate is signed by Let's Encrypt.
  8. In the Red Hat OpenShift console, go to Home > API Explorer and search for Suite in your namespace.
  9. In the Red Hat OpenShift console, go to Administration > CustomResourceDefinitions and select the Instances tab for your Suite CRD.
  10. Click your custom resource, select the YAML tab, and add the certificate issuer and domain parameters to the spec section.
    ---
    spec:
      certificateIssuer:
        duration: 8760h0m0s
        name: letsencrypt-prod   # must match the name of the ClusterIssuer that is created in step 7
        renewBefore: 720h0m0s
      domain: <<masinstance_id>>.<<domain>>
  11. Delete the finalizer section from the same Suite YAML to force a reconciliation, and then save the YAML file.
    finalizers:
      - core.mas.ibm.com/finalizer
  12. In Networking > Routes of the project mas-<mas_instance_id>-core, wait for the routes of the namespace to regenerate.
    Note: The route regeneration takes some time.
    The certificate in the routes is signed by Let's Encrypt.
  13. Log in to the Maximo Application Suite administrator screen and verify the certificate signer.
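To verify the outcome of steps 12 and 13 without clicking through the console, the following script, added here and not part of the IBM procedure, connects to a route and reports whether the certificate it presents is issued by Let's Encrypt, whether it is self-signed, and whether it is inside the 30-day renewBefore window that the Suite YAML configures. The SAMPLE_LE_CERT data and SAMPLE_NOW are constructed for illustration; the wildcard name reuses the page's example domain.

```python
import socket
import ssl
from datetime import datetime, timezone

LETS_ENCRYPT_ORG = "Let's Encrypt"
RENEW_BEFORE_DAYS = 30  # matches renewBefore: 720h0m0s in the Suite CR

def flatten_name(name):
    """Collapse the nested tuples that getpeercert() uses for subject/issuer
    into a flat dict such as {'organizationName': "Let's Encrypt"}."""
    return {attr: value for rdn in name for attr, value in rdn}

def issuer_report(cert, now=None):
    """Summarise a certificate dict in SSLSocket.getpeercert() form."""
    subject = flatten_name(cert["subject"])
    issuer = flatten_name(cert["issuer"])
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_org": issuer.get("organizationName"),
        "lets_encrypt": issuer.get("organizationName") == LETS_ENCRYPT_ORG,
        "self_signed": subject == issuer,  # issuer equals subject
        "days_left": days_left,
        "renew_due": days_left <= RENEW_BEFORE_DAYS,
    }

def check_route(hostname, port=443, timeout=10):
    """Fetch the certificate that a route presents and report on it. Chain
    verification stays on, so the self-signed default fails the handshake
    and is reported as verified=False instead of being silently accepted."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                return {"verified": True, **issuer_report(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        return {"verified": False, "error": exc.verify_message}

# Constructed sample in getpeercert() form, not captured from a real cluster.
SAMPLE_LE_CERT = {
    "subject": ((("commonName", "*.i4l7mh.mas4azure.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}
SAMPLE_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)  # constructed clock
```

Run check_route() against the host of your Maximo Application Suite administrator route after the routes have regenerated; issuer_report(SAMPLE_LE_CERT, now=SAMPLE_NOW) shows the report shape offline.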