Setting up SSL certificates on IBM Cloud

Netezza Performance Server for Cloud Pak for Data

Learn how to set up your own SSL certificates for Netezza Performance Server on IBM Cloud.

Before you begin

Ensure you have the following certificates and items:
  • The domain/server SSL certificate

    Make sure it's in the .pem format. If it's not, convert it. You also must rename it to server-cert.pem.

  • The server key.

    You must rename it to server-key.pem.

  • The CA certificate or root certificate.

    You must rename it to cacert.pem.

  • The NPS namespace

Procedure

  1. Upload the SSL certificate to Cloud Pak for Data.

    Follow the instructions from this link.

  2. Create a Red Hat OpenShift route.
    oc -n zen get route | grep zen-cpd | awk '{print $2}'

    The command returns output similar to:

    zen-cpd-zen.cloudfra2-c53ede7a97cd8444aa95117584ecff64-0000.eu-de.containers.appdomain.cloud
  3. Create a CNAME entry in your DNS Record Manager system.

    Map the information that you obtained in Step 2 to a CNAME of your choice.

    concerto-miniconfig-cpd.<domain-suffix> to zen-cpd-zen.cloudfra2-c53ede7a97cd8444aa95117584ecff64-0000.eu-de.containers.appdomain.cloud

    concerto-miniconfig-cpd refers to the Cloud Pak for Data console.

  4. Create a route to tie the CNAME entry to the actual service.
    oc create route passthrough --service=ibm-nginx-svc --port=ibm-nginx-https-port --hostname=concerto-miniconfig-cpd.<domain-suffix> -n zen

    You can now access the Cloud Pak for Data console by using the CNAME entry with the correct domain suffix.

Uploading SSL certificates into Netezza Performance Server entities

You can upload SSL certificates into the Netezza Performance Server console and engine.

Procedure

  1. Log in to the Red Hat OpenShift cluster.
    You can log in to the Red Hat OpenShift cluster from the command line by running the following command.
    oc login https://api.<CLUSTER_NAME>.<ROUTE53_DNS>:6443 --insecure-skip-tls-verify -u kubeadmin -p <password>
    The installation script writes the Red Hat OpenShift cluster login details to <installation_script_execution_directory>/envs/<CLUSTER_NAME>/assets/oc_login_details. Red Hat OpenShift creates a default user kubeadmin with the role cluster-admin during installation. The password for the cluster is saved in the <installation_script_execution_directory>/envs/<CLUSTER_NAME>/assets/auth/kubeadmin-password file.
  2. Replace the default SSL secrets with your secrets.
    export NAMESPACE=<ns>
    oc -n $NAMESPACE delete secret ssl-secret
    oc -n $NAMESPACE create secret generic ssl-secret --from-file=cacert.pem --from-file=server-cert.pem --from-file=server-key.pem
  3. Restart the Netezza Performance Server console.
    oc -n $NAMESPACE delete pod -l app=console
    # wait for the pod to restart, be RUNNING and Ready=1/1
    # then press Ctrl-C
    oc -n $NAMESPACE get pod -w -l app=console
    NAME                       READY   STATUS    RESTARTS   AGE
    console-8696c4f97c-wbjtq   0/1     Running   0          67s
    console-8696c4f97c-wbjtq   1/1     Running   0          86s
    ^C
  4. Create Route and A Record entries for the console.
    export NAMESPACE=<your_namespace_name>
    1. Create a Red Hat OpenShift Route.
      oc create route passthrough --service=cyclops-svc --port=443 --hostname=concerto-miniconfig-console.<suffix-name> -n $NAMESPACE
      concerto-miniconfig-console refers to the Netezza Performance Server web console.
    2. Get the load balancer IP.
      oc -n $NAMESPACE get svc | grep -i console | awk '{print $4}'
    3. Create an A Record in your DNS Record Management System by using the IP from the previous substep.
  5. Create A Record and Route entries for the Netezza Performance Server host.
    1. Create a Red Hat OpenShift Route.
      oc create route passthrough --service=ipshost-external --port=443 --hostname=concerto-miniconfig-nps.<suffix-name> -n $NAMESPACE
      concerto-miniconfig-nps refers to the Netezza Performance Server web console.
    2. Get the load balancer IP.
      oc -n $NAMESPACE get svc | grep -i ipshost-external | awk '{print $4}'
    3. Create an A Record in your DNS Record Management System by using the IP from the previous substep.
    4. Bounce the Netezza Performance Server pod.
      oc -n $NAMESPACE scale deployment -l app=console --replicas=0
      oc -n $NAMESPACE get pods -w -l app=console 
      # ... wait until all console pods go away and then press Ctrl-C
      
      
      oc -n $NAMESPACE set env deployment -l app=console CPD_HOST={cluster-name}-cpd.{ssl-cert-domain}.com
      oc -n $NAMESPACE scale deployment -l app=console --replicas=1
      oc -n $NAMESPACE get pods -w -l app=console 
      # ... wait until console pods go to Running state then press Ctrl-C

Results

You can now use the new SSL certificates to work with both the Netezza Performance Server web console and the REST server.
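
Before deleting and recreating ssl-secret, the three files listed under "Before you begin" can be checked for consistency with openssl. The following is an added example, not part of the original documentation: the function name check_nps_certs, its return codes, the 30-day expiry threshold, the requirement that the key is unencrypted, and the optional check against the route hostname are all assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the files that go into ssl-secret.
# Usage (after sourcing this file): check_nps_certs <dir> [route-hostname]
# Return codes are this example's own convention, not an IBM or oc interface.
check_nps_certs() {
  local dir="${1:-.}" host="${2:-}" f
  local cert="$dir/server-cert.pem" key="$dir/server-key.pem" ca="$dir/cacert.pem"

  # 1. All three files exist under the exact names used for the secret.
  for f in "$ca" "$cert" "$key"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
  done

  # 2. Each file parses as PEM. "-passin pass:" makes an encrypted key fail
  #    here instead of prompting (assumption: the key must be unencrypted).
  openssl x509 -in "$cert" -noout 2>/dev/null &&
    openssl x509 -in "$ca" -noout 2>/dev/null &&
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null ||
    { echo "a file is not valid PEM (or the key is encrypted)" >&2; return 3; }

  # 3. The private key belongs to the certificate (public keys are equal).
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -passin pass: -pubout)" ] ||
    { echo "server-key.pem does not match server-cert.pem" >&2; return 4; }

  # 4. The certificate chains to cacert.pem alone; -no-CApath keeps the
  #    system CA directory from masking a wrong cacert.pem.
  openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "server-cert.pem does not verify against cacert.pem" >&2; return 5; }

  # 5. The certificate is still valid 30 days from now (2592000 seconds).
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
    { echo "server-cert.pem expires within 30 days" >&2; return 6; }

  # 6. Optional: the certificate covers the hostname given to the route.
  if [ -n "$host" ]; then
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' ||
      { echo "server-cert.pem does not cover $host" >&2; return 7; }
  fi
  echo "ok: certificate files are consistent"
}
```

If the server certificate was issued by an intermediate CA, check 4 passes only when cacert.pem contains the intermediate and root certificates together.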