
Creating a custom certificate for Red Hat OpenShift

A custom certificate is required for the Runbook Automation and Netcool®/Impact integration on Red Hat® OpenShift®.

About this task

Note: This information only applies to a hybrid deployment of Netcool Operations Insight®. For more information, see Installing on a hybrid architecture.
You must perform the steps in this task if the following conditions apply:
  • You plan to run fully automated runbooks whenever some events match some filter conditions.
  • The Runbook Automation component is running on Red Hat OpenShift, regardless of whether Netcool/Impact is also running on Red Hat OpenShift or, in a hybrid deployment, is running in a traditional environment.

If you are still using the default Red Hat OpenShift ingress certificate, you must replace it with a certificate that has the correct Subject Alternate Names set. The default certificate covers only *.apps.cluster-domain, and because a wildcard matches a single DNS label this is not sufficient for external connections to Netcool Operations Insight to be trusted.

The custom certificate must have at least the following Subject Alternate Names:
  • If Netcool/Impact is also running on OCP:
    • *.apps.cluster-domain
    • *.noi-cr-name.apps.cluster-domain
  • If you have a hybrid deployment, and Netcool/Impact is not running on OCP, then ensure that the Subject Alternate Names cover the fully qualified domain name of the URL at which you reach the Runbook Automation UI. For example, if the URL begins with https://netcool.n163.apps.mycluster.com, then specify the following Subject Alternate Names:
    • *.apps.mycluster.com
    • *.n163.apps.mycluster.com
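The following Python helper, added here as an example and not part of this IBM documentation, derives the two wildcard Subject Alternate Names from a Runbook Automation UI URL as described above, renders the matching [alt_names] section for req.conf, and checks which hostnames an existing certificate's SAN list fails to cover. Wildcard matching follows the usual single-label rule, which is why the default *.apps.cluster-domain entry does not cover netcool.n163.apps.cluster-domain. The function names and the sample hostnames are constructed for this example.

```python
"""Derive and check the Subject Alternate Names an NOI hybrid ingress certificate needs."""
from urllib.parse import urlsplit


def required_sans(ui_url: str) -> list[str]:
    """Return the wildcard SANs needed for the Runbook Automation UI URL.

    Assumes the host has the form <name>.<noi-cr-name>.apps.<cluster-domain>, so
    https://netcool.n163.apps.mycluster.com yields
    ['*.apps.mycluster.com', '*.n163.apps.mycluster.com'].
    """
    host = urlsplit(ui_url).hostname
    if host is None:
        raise ValueError(f"no host in {ui_url!r}")
    labels = host.lower().split(".")
    if "apps" not in labels[1:]:
        raise ValueError(f"{host!r} does not look like an OpenShift apps route")
    apps_idx = labels.index("apps", 1)
    cluster_domain = ".".join(labels[apps_idx:])            # apps.mycluster.com
    sans = [f"*.{cluster_domain}"]
    if apps_idx >= 2:                                       # a noi-cr-name label exists
        sans.append("*." + ".".join(labels[apps_idx - 1:]))  # *.n163.apps.mycluster.com
    return sans


def san_matches(san: str, host: str) -> bool:
    """A wildcard SAN covers exactly one leftmost label (RFC 6125 style)."""
    san, host = san.lower(), host.lower()
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                                        # ".apps.mycluster.com"
    if not host.endswith(suffix):
        return False
    prefix = host[:-len(suffix)]
    return bool(prefix) and "." not in prefix


def uncovered_hosts(sans: list[str], hosts: list[str]) -> list[str]:
    """Hostnames that none of the certificate's SAN entries would match."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


def alt_names_section(sans: list[str]) -> str:
    """Render the [alt_names] section of req.conf for these SANs."""
    return "\n".join(["[alt_names]"] + [f"DNS.{i} = {s}" for i, s in enumerate(sans, 1)])


if __name__ == "__main__":
    # Constructed sample: the default ingress certificate versus the hybrid UI host.
    hosts = ["netcool.n163.apps.mycluster.com", "console-openshift-console.apps.mycluster.com"]
    print("default cert misses:", uncovered_hosts(["*.apps.mycluster.com"], hosts))
    print(alt_names_section(required_sans("https://netcool.n163.apps.mycluster.com")))
```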

For full details of how to configure a custom ingress certificate on Red Hat OpenShift, go to https://docs.openshift.com/container-platform/4.6/networking/ingress-operator.html and https://docs.openshift.com/container-platform/4.6/security/certificates/replacing-default-ingress-certificate.html

The following instructions describe how to create a certificate that contains the required Subject Alternate Names and apply it to the Red Hat OpenShift ingress configuration. You can either create a self-signed certificate, or create a certificate that is signed by a certificate authority (CA). If you plan to create a signed certificate, you need to deploy both the certificate of the CA itself and the signed certificate to the cluster, along with potential intermediate certificates. This enables the system to validate the signed certificate against the CA certificate. The certificates need to be deployed to the Netcool/Impact servers as well.

Procedure

  1. Log in to a system where you have access to the OCP CLI.
  2. Create an OpenSSL configuration file req.conf similar to the following example. Update the fields to your requirements and update the values for [alt_names] to cover your domain names.
    [req]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = US
    ST = VA
    L = SomeCity
    O = MyCompany
    OU = MyDivision
    CN = apps.cluster-domain
    [v3_req]
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = *.apps.cluster-domain
    DNS.2 = *.noi-cr-name.apps.cluster-domain
    In the openssl command in the next step, adjust the value of the -days option (which defines how long the certificate remains valid) as required by your organization.
  3. Create the certificate:
    1. To create a self-signed certificate "server.crt" and the matching private key file, run the following command:
      openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout server.key -out server.crt -config req.conf -extensions 'v3_req'
      This creates two files - the key and the certificate.
    2. To create a signed certificate, use the CA to create a certificate that is based on the configuration in req.conf. In the subsequent steps it is assumed that this signed certificate is called "server.crt" and is based on the private key file "server.key".
  4. Run the following commands to configure Red Hat OpenShift to use the new certificate.
    1. If you created a self-signed certificate, run the following commands:
      oc --namespace openshift-ingress create secret tls custom-certs-default --cert=server.crt --key=server.key
      oc patch --type=merge --namespace openshift-ingress-operator ingresscontrollers/default --patch '{"spec":{"defaultCertificate":{"name":"custom-certs-default"}}}'
    2. If you created a signed certificate:
      1. Deploy the CA root certificate "carootcert.pem" as "my-ca" (adjust the names in the commands as needed):
        oc -n openshift-config create configmap my-ca --from-file=ca-bundle.crt=./carootcert.pem
        oc patch proxy/cluster --type=merge --patch='{"spec":{"trustedCA":{"name":"my-ca"}}}'
      2. Add the application certificate, all required intermediate certificates, and the CA root certificate to a single file "chain.pem", for example:
        cat server.crt >chain.pem; cat caintermediatecert.pem >>chain.pem; cat carootcert.pem >>chain.pem
      3. Create a secret "my-cert" that uses the certificate chain document and the private key:
        oc create secret tls my-cert --cert=./chain.pem --key=server.key -n openshift-ingress
      4. Update the ingress controller with the new secret "my-cert":
        oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "my-cert"}}}' -n openshift-ingress-operator
      5. Verify that the operation was successful. At this point, you should see your signed certificate being used on both the Red Hat OpenShift console and the Netcool Operations Insight console. Your browser should trust the presented certificates automatically (assuming the CA is trusted by your browser). Click the browser "lock" icon and view the presented certificate chain to ensure that both the OCP and NOI consoles are using the trusted certificate and the CA certificate. Do not proceed until you have that working.
  5. Log in to the system or pod where Netcool/Impact is running.

    If Netcool Operations Insight is deployed on a Red Hat OpenShift cluster, include the oc exec -it evtmanager-nciserver-0 -- bash command as shown in the following example.

    Before you run the command, replace the <namespace-name> variable with the name of your Netcool Operations Insight namespace.

    oc project <namespace-name>
    oc exec -it evtmanager-nciserver-0 -- bash
    cat << EOF > /tmp/cert.crt
    .... certificate contents ....
    EOF
    1. If you created a self-signed certificate, copy the file server.crt that you just created to this location. Then run the following command on the Netcool/Impact server to import server.crt into the Netcool/Impact truststore:
      $IMPACT_HOME/sdk/bin/keytool -import -alias 'rbacertalias' -file 'path to server.crt on impactserver' -keystore $IMPACT_HOME/wlp/usr/servers/$IMPACT_BACKEND_SERVER/resources/security/trust.jks
      Where $IMPACT_BACKEND_SERVER is the name of your Netcool/Impact server, for example NCI or NCIP.
    2. If you created a signed certificate, import the CA certificate, all intermediate certificates, and the signed certificate into the Netcool/Impact truststore.
      Note: Import the CA and intermediate certificates first, and only then run the "import_cert" script to import the signed certificate. That script also restarts the Liberty servers to make the change live, so the order is important.
      1. Import the CA certificate to the Netcool/Impact backend server:
        export IMPACT_HOME=/opt/IBM/tivoli/impact
        $IMPACT_HOME/sdk/bin/keytool -import -alias 'my-ca' -file ./carootcert.pem -keystore $IMPACT_HOME/wlp/usr/servers/$IMPACT_BACKEND_SERVER/resources/security/trust.jks
        Where $IMPACT_BACKEND_SERVER is the name of your Netcool/Impact server, for example NCI or NCIP.
      2. Import the CA certificate to the Netcool/Impact UI server:
        $IMPACT_HOME/sdk/bin/keytool -import -alias 'my-ca' -file ./carootcert.pem -keystore $IMPACT_HOME/wlp/usr/servers/ImpactUI/resources/security/trust.jks
      3. If you have intermediate certificates in your chain, then repeat the previous two steps for each intermediate certificate separately.
      4. Import the signed certificate and restart the Netcool/Impact servers:
        $IMPACT_HOME/sdk/bin/keytool -import -alias 'rbacertalias' -file 'path to server.crt on impactserver' -keystore $IMPACT_HOME/wlp/usr/servers/$IMPACT_BACKEND_SERVER/resources/security/trust.jks
        Where $IMPACT_BACKEND_SERVER is the name of your Netcool/Impact server, for example NCI or NCIP.