Setting up SSL certificates on AWS
Netezza Performance Server for Cloud Pak for Data
Learn how to set up your own SSL certificates for Netezza Performance Server on AWS.
Before you begin
- The domain/server SSL certificate.
  Make sure it's in the .pem format. If it's not, convert it. You also must rename it to server-cert.pem.
- The server key.
  You must rename it to server-key.pem.
- The CA certificate or root certificate.
  You must rename it to cacert.pem.
- The namespace.
Procedure
- Log in to the Red Hat OpenShift cluster. You can log in to the Red Hat OpenShift cluster from the command line by running the following command.
    oc login https://api.<CLUSTER_NAME>.<ROUTE53_DNS>:6443 --insecure-skip-tls-verify -u kubeadmin -p <password>
  The installation script writes the Red Hat OpenShift cluster login details to <installation_script_execution_directory>/envs/<CLUSTER_NAME>/assets/oc_login_details. Red Hat OpenShift creates a default user kubeadmin with the role cluster-admin during installation. The password for the cluster is saved in the <installation_script_execution_directory>/envs/<CLUSTER_NAME>/assets/auth/kubeadmin-password file.
- Replace the default SSL secrets with your secrets.
    export NAMESPACE=<ns>
    oc -n $NAMESPACE delete secret ssl-secret
    oc -n $NAMESPACE create secret generic ssl-secret --from-file=cacert.pem --from-file=server-cert.pem --from-file=server-key.pem
- Restart the Netezza Performance Server console.
    oc -n $NAMESPACE delete pod -l app=console
    # wait for the pod to restart, be RUNNING and Ready=1/1
    # then press Ctrl-C
    oc -n $NAMESPACE get pod -w -l app=console
    NAME                       READY   STATUS    RESTARTS   AGE
    console-8696c4f97c-wbjtq   0/1     Running   0          67s
    console-8696c4f97c-wbjtq   1/1     Running   0          86s
    ^C
- Verify whether the SSL certificate matches the host name and domain name that were specified during the installation of Netezza Performance Server.
  You can check the SSL certificate in the installation directory in which you ran the nz-cloud command.
    # eg On the system that nz-cloud was run from, in the install directory
    cat envs/lontest2/assets/cp4d_login_details
    cp4d_USERNAME=admin
    cp4d_PASSWORD=......
    cp4d_CONSOLE_URL=https://zen-cpd-zen.apps.{cluster-name}.ibmnzcloud.com
  If the SSL certificate uses the cluster domain, skip to Step 4.
  If your SSL certificate is valid for *.{ssl-cert-domain}.com, but your cluster was installed as *.{cluster-name}.foobar.com, do the following sub steps.
  - In your cloud provider's DNS entries, add the following CNAME aliases.
    {cluster-name}-cpd.{ssl-cert-domain}.com
      This alias is for the URL of the Cloud Pak for Data web console.
      Make sure the CNAME points to zen-cpd-zen.apps.{cluster-name}.ibmnzcloud.com.
    {cluster-name}-console.{ssl-cert-domain}.com
      This alias is for the URL of the Netezza Performance Server web console.
      Make sure the CNAME points to the web console.
        oc -n $NAMESPACE get svc console | awk '{print $4}'
    {cluster-name}-nps.{ssl-cert-domain}.com
      This alias is for the Netezza Performance Server database itself.
      Make sure the CNAME points to the Netezza Performance Server service.
        oc -n $NAMESPACE get svc ipshost-external | awk '{print $4}'
  - Set up Red Hat OpenShift routes to reflect and use these aliases.
      oc create route passthrough --service=console --port=443 -n $NAMESPACE \
        --hostname={cluster-name}-console.{ssl-cert-domain}.com
      oc create route passthrough -n zen --service=ibm-nginx-svc --port=ibm-nginx-https-port \
        --hostname={cluster-name}-cpd.{ssl-cert-domain}.com
  - Recycle the Netezza Performance Server console pod.
      oc -n $NAMESPACE scale deployment -l app=console --replicas=0
      oc -n $NAMESPACE get pods -w -l app=console
      # ... wait until all console pods go away and then press Ctrl-C
      oc -n $NAMESPACE set env deployment -l app=console CPD_HOST={cluster-name}-cpd.{ssl-cert-domain}.com
      oc -n $NAMESPACE scale deployment -l app=console --replicas=1
      oc -n $NAMESPACE get pods -w -l app=console
      # ... wait until console pods go to Running state then press Ctrl-C
- Follow this Cloud Pak for Data guide to set your SSL certificates to the Cloud Pak for Data portal.
  Note: When you are doing Step 7 from the guide, make sure you rename your SSL certificates to cert.crt and key to cert.key.
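
A pre-flight check for the files listed under "Before you begin", to run before the default ssl-secret is deleted and recreated. This is an added example, not part of IBM's procedure; the function name check_ssl_files and its exit codes are assumptions made here, and it needs the openssl CLI on the workstation.

```shell
# Added example, not part of the IBM procedure: validate the three PEM files
# before they replace ssl-secret. Requires the openssl CLI.
# Usage: check_ssl_files <dir-with-pem-files> <hostname-clients-will-use>
# Returns 0 when every check passes, otherwise 1-5 for the check that failed.
check_ssl_files() {
  dir=$1; host=$2
  cert="$dir/server-cert.pem"; key="$dir/server-key.pem"; ca="$dir/cacert.pem"

  # 1. The files exist under the exact names the secret is created from.
  for f in "$cert" "$key" "$ca"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  done

  # 2. The certificate parses as PEM; a DER file fails here and needs converting.
  openssl x509 -in "$cert" -noout 2>/dev/null ||
    { echo "server-cert.pem is not a PEM certificate" >&2; return 2; }

  # 3. The key belongs to the certificate: both must yield the same public key.
  #    "-passin pass:" makes an encrypted key fail instead of prompting.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "server-key.pem does not match server-cert.pem" >&2; return 3; }

  # 4. The certificate chains to cacert.pem only (system trust store excluded).
  #    Assumes cacert.pem holds every CA certificate needed to build the chain.
  openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "server-cert.pem does not verify against cacert.pem" >&2; return 4; }

  # 5. The certificate covers the host name (wildcard SANs are honoured).
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" ||
    { echo "certificate does not cover $host" >&2; return 5; }

  echo "ok: certificate, key and CA are consistent for $host"
}
```

Run it once for each host name that the certificate has to serve, for example the console alias and the Cloud Pak for Data alias created in the sub steps.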