Setting up SSL certificates on AWS

Netezza Performance Server for Cloud Pak for Data

Learn how to set up your own SSL certificates for Netezza Performance Server on AWS.

Before you begin

Ensure you have the following certificates and items:
  • The domain/server SSL certificate.

    Make sure it is in the .crt format. You must also rename it to tls.crt.

  • The server key.

    You must rename it to tls.key.

  • The CA certificate or root certificate.

    You must rename it to ca.crt.

  • The namespace.

Note: The certificate and key must be in PEM format and must be named as specified.

Procedure

  1. Log in to the Red Hat OpenShift cluster.
    You can log in to the Red Hat OpenShift cluster from the command line by running the following command.
    oc login https://api.<CLUSTER_NAME>.<ROUTE53_DNS>:6443 --insecure-skip-tls-verify -u kubeadmin -p <password>
    The installation script writes the Red Hat OpenShift cluster login details to <installation_script_execution_directory>/envs/<CLUSTER_NAME>/assets/oc_login_details. Red Hat OpenShift creates a default user kubeadmin with the role cluster-admin during installation. The password for the cluster is saved in the <installation_script_execution_directory>/envs/<CLUSTER_NAME>/assets/auth/kubeadmin-password file.
  2. Delete the existing self-signed certificate custom resource object. Use the ibm-nz-cyclops-private namespace if you are using a private endpoint; otherwise, use the ibm-nz-cyclops namespace.
    oc delete certificate ibm-nz-cyclops-private-cert -n ibm-nz-cyclops-private
  3. Replace the existing secret, which consists of self-signed certificates, with your custom certificates by running the following commands.
    oc delete secret ips-ssl-certs -n ibm-nz-cyclops-private
    oc -n ibm-nz-cyclops-private create secret generic ips-ssl-certs --from-file=ca.crt --from-file=tls.crt --from-file=tls.key
  4. Restart all cyclops console pods. The number of replicas must be set to 3.
    oc scale deployment <deployment-name> --replicas=0
    oc scale deployment <deployment-name> --replicas=<number of replicas>
  5. Verify whether the SSL certificate matches the host name and domain name that were specified during the installation of Netezza Performance Server.
    You can check the SSL certificate against the installation details in the directory in which you ran the nz-cloud command.
    # e.g., on the system that nz-cloud was run from, in the install directory
    cat envs/lontest2/assets/cp4d_login_details
    cp4d_USERNAME=admin
    cp4d_PASSWORD=......
    cp4d_CONSOLE_URL=https://zen-cpd-zen.apps.{cluster-name}.ibmnzcloud.com

    If the SSL certificate uses the cluster domain, skip to Step 4.

    If your SSL certificate is valid for *.{ssl-cert-domain}.com, but your cluster was installed as *.{cluster-name}.foobar.com, complete the following substeps.

    In your cloud provider's DNS entries, add the following CNAME aliases.

    1. {cluster-name}-cpd.{ssl-cert-domain}.com

      This alias is for the URL of the Cloud Pak for Data web console.

      Make sure the CNAME points to zen-cpd-zen.apps.{cluster-name}.ibmnzcloud.com.
    2. {cluster-name}-console.{ssl-cert-domain}.com

      This alias is for the URL of the Netezza Performance Server web console.

      Make sure the CNAME points to the web console.
      oc -n $NAMESPACE get svc console | awk '{print $4}'

      Where $NAMESPACE can be ibm-nz-cyclops or ibm-nz-cyclops-private depending on the type of endpoint chosen.

      Example:
      oc -n ibm-nz-cyclops-private get svc console | awk '{print $4}'
    3. {cluster-name}-nps.{ssl-cert-domain}.com

      This alias is for the Netezza Performance Server database itself.

      Make sure the CNAME points to the Netezza Performance Server service.
      oc -n $NAMESPACE get svc ipshost-external | awk '{print $4}'
    4. Set up Red Hat OpenShift routes that use these aliases.
      oc create route passthrough --service=console --port=443 -n $NAMESPACE \
               --hostname={cluster-name}-console.{ssl-cert-domain}.com
      oc create route passthrough -n zen --service=ibm-nginx-svc --port=ibm-nginx-https-port \
               --hostname={cluster-name}-cpd.{ssl-cert-domain}.com
    5. Restart all cyclops console pods. The number of replicas must be set to 3.
      oc scale deployment <deployment-name> --replicas=0
      oc scale deployment <deployment-name> --replicas=<number of replicas>
  6. Follow this Cloud Pak for Data guide to set your SSL certificates to the Cloud Pak for Data portal.
    Note: When you do Step 7 of the guide, make sure you rename your SSL certificate to cert.crt and the key to cert.key.
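Before the ca.crt, tls.crt and tls.key files go into the ips-ssl-certs secret (Step 3), and to perform the host name check of Step 5 offline, the following shell script confirms that tls.key belongs to tls.crt, that ca.crt is the issuer of tls.crt, and that the certificate covers every alias the routes will serve. This is an added example and is not part of the IBM procedure; it needs only the openssl command-line tool. The make_sample_bundle and demo functions build a constructed throwaway CA and a wildcard certificate for *.example.com so the script runs without real certificates; the host names lontest2-cpd.example.com, lontest2-console.example.com and lontest2-nps.example.com are placeholders for your {cluster-name}-cpd/-console/-nps.{ssl-cert-domain}.com aliases.

```shell
#!/bin/sh
# Added example (not part of the IBM procedure): sanity-check the ca.crt /
# tls.crt / tls.key bundle before it is loaded into the ips-ssl-certs secret.
# Requires the openssl command-line tool.
set -e

# Return 0 if the private key ($2) belongs to the certificate ($1).
# Comparing the PEM public keys works for both RSA and EC keys.
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1")
  key_pub=$(openssl pkey -pubout -in "$2")
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate ($2) chains to the CA file ($1).
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if the certificate ($1) is valid for host name $2 (SAN, or CN
# as a fallback). openssl prints "does match" or "does NOT match" and
# always exits 0, so the verdict has to be read from its output.
cert_covers_host() {
  openssl x509 -noout -in "$1" -checkhost "$2" | grep -q "does match"
}

# Run every check for a bundle and the host names it must serve.
# Usage: check_bundle ca.crt tls.crt tls.key host1 [host2 ...]
# Prints one line per check and returns 0 only if all of them pass.
check_bundle() {
  ca=$1; crt=$2; key=$3; shift 3
  rc=0
  if key_matches_cert "$crt" "$key"; then echo "OK   tls.key matches tls.crt"
  else echo "FAIL tls.key does not match tls.crt"; rc=1; fi
  if chain_verifies "$ca" "$crt"; then echo "OK   tls.crt is issued by ca.crt"
  else echo "FAIL tls.crt is not issued by ca.crt"; rc=1; fi
  for host in "$@"; do
    if cert_covers_host "$crt" "$host"; then echo "OK   certificate covers $host"
    else echo "FAIL certificate does not cover $host"; rc=1; fi
  done
  return $rc
}

# Constructed sample for demonstration only: a throwaway CA and a server
# certificate for *.example.com, written into directory $1.
make_sample_bundle() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Sample Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=example.com" -keyout "$dir/tls.key" -out "$dir/tls.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.example.com\n' > "$dir/san.ext"
  openssl x509 -req -days 1 -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/san.ext" -out "$dir/tls.crt" 2>/dev/null
}

# Demo run against the constructed sample. The host names are placeholders
# for the {cluster-name}-cpd/-console/-nps.{ssl-cert-domain}.com aliases.
demo() {
  tmp=$(mktemp -d)
  make_sample_bundle "$tmp"
  if check_bundle "$tmp/ca.crt" "$tmp/tls.crt" "$tmp/tls.key" \
       lontest2-cpd.example.com lontest2-console.example.com lontest2-nps.example.com
  then status=0; else status=1; fi
  rm -rf "$tmp"
  return $status
}

demo
```

To check a real bundle, source the script and run check_bundle from the directory that holds the three files, passing the CNAME aliases you created: check_bundle ca.crt tls.crt tls.key {cluster-name}-cpd.{ssl-cert-domain}.com {cluster-name}-console.{ssl-cert-domain}.com {cluster-name}-nps.{ssl-cert-domain}.com. A FAIL on the host name line is the situation Step 5 describes: the certificate is valid for a domain other than the one the cluster was installed with, so the aliases and routes from the substeps are needed before the console will present a certificate that browsers accept.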