Creating a custom certificate for Red Hat OpenShift
A custom certificate is required for the Runbook Automation and Netcool®/Impact integration on Red Hat® OpenShift®.
About this task
- You plan to run fully automated runbooks whenever some events match some filter conditions.
- The Runbook Automation component is running on Red Hat OpenShift, regardless of whether Netcool/Impact is also running on Red Hat OpenShift or you have a hybrid deployment in which Netcool/Impact is running on a traditional environment.
If you are still using the default Red Hat OpenShift ingress certificate, you must update it to a certificate that has the correct Subject Alternate Names set. The default certificate has only *.apps.cluster-domain, which is not sufficient for external connections to Netcool Operations Insight to be trusted.
Subject Alternate Names:
- If Netcool/Impact is also running on OCP:
  *.apps.cluster-domain
  *.noi-cr-name.apps.cluster-domain
- If you have a hybrid deployment, and Netcool/Impact is not running on OCP, ensure that you cover the fully qualified domain name part of the URL where you can reach the Runbook Automation UI. For example, if the URL begins with https://netcool.n163.apps.mycluster.com, specify the following Subject Alternate Names:
  *.apps.mycluster.com
  *.n163.apps.mycluster.com
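The default wildcard falls short because a TLS client matches `*` against exactly one DNS label, so *.apps.mycluster.com does not cover netcool.n163.apps.mycluster.com. The following check is an added example, not part of the product documentation; the function names and the `myapp` host are hypothetical, and the other sample values are built from the example URL above.

```python
# Added example: check which hostnames a certificate's SAN list covers,
# using the single-label wildcard rule that TLS clients apply.

def san_matches(san: str, hostname: str) -> bool:
    """Return True if one SAN DNS entry covers the hostname.

    Only a whole leftmost label of "*" is treated as a wildcard;
    partial wildcards such as "f*.example.com" are compared literally.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for one label, never several, so the label
    # counts must be equal for any match.
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def uncovered_hosts(sans, hostnames):
    """Return the hostnames that no SAN entry in the list covers."""
    return [
        h for h in hostnames
        if not any(san_matches(s, h) for s in sans)
    ]


# Constructed sample data based on the example URL in the text.
DEFAULT_SANS = ["*.apps.mycluster.com"]
CUSTOM_SANS = ["*.apps.mycluster.com", "*.n163.apps.mycluster.com"]
HOSTS = [
    "netcool.n163.apps.mycluster.com",  # Runbook Automation UI host
    "myapp.apps.mycluster.com",         # hypothetical ordinary route
]

if __name__ == "__main__":
    print("default cert misses:", uncovered_hosts(DEFAULT_SANS, HOSTS))
    print("custom cert misses: ", uncovered_hosts(CUSTOM_SANS, HOSTS))
```

Feed the function the DNS entries read from the certificate that you plan to deploy to confirm that every hostname you need is covered before you apply it to the ingress configuration.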
For full details of how to configure a custom ingress certificate on Red Hat OpenShift, go to https://docs.openshift.com/container-platform/4.14/networking/ingress-operator.html and https://docs.openshift.com/container-platform/4.14/security/certificates/replacing-default-ingress-certificate.html
The following instructions describe how to create a certificate that contains the required Subject Alternate Names and apply it to the Red Hat OpenShift ingress configuration. You can either create a self-signed certificate, or create a certificate that is signed by a certificate authority (CA). If you plan to create a signed certificate, you need to deploy both the certificate of the CA itself and the signed certificate to the cluster, along with potential intermediate certificates. This enables the system to validate the signed certificate against the CA certificate. The certificates need to be deployed to the Netcool/Impact servers as well.