Configuring TLS encryption with Red Hat OpenShift

Follow this procedure when the proxy certificate has been automatically created and signed by the Red Hat® OpenShift® cluster CA during deployment.

Procedure

  1. From the event source client, ensure that a connection can be made to the proxy. You must know the proxy address and port numbers. How you find this information depends on how the OpenShift cluster network is configured and whether a ClusterIP or NodePort service type is used.

    Refer to these values as ${PROXY_ADDRESS}, ${AGGP_PROXY_PORT}, and ${AGGB_PROXY_PORT}.

    Use the ping command to test network address resolution:
    ping ${PROXY_ADDRESS}
  2. From the event source client, use the OpenSSL command to retrieve the X.509 certificate that is presented by the proxy and identify the certificate common name (CN). The host and port are given to -connect as a single host:port value:
    # openssl s_client -connect ${PROXY_ADDRESS}:${AGGP_PROXY_PORT}
    CONNECTED(00000003)
    depth=1 CN = openshift-service-serving-signer@1578571170
    verify error:num=19:self signed certificate in certificate chain
    ---
    Certificate chain
     0 s:/CN=m125-proxy.default.svc                                                        <<<<<<<<<<<<<<
       i:/CN=openshift-service-serving-signer@1578571170
     1 s:/CN=openshift-service-serving-signer@1578571170
       i:/CN=openshift-service-serving-signer@1578571170
    ---
    
    In the preceding example, the common name of the certificate that is presented by the proxy (the depth 0 subject line, marked with arrows) is m125-proxy.default.svc. Refer to this value as ${PROXY_COMMON_NAME}.
  3. Using the OpenShift cluster CLI, extract the OpenShift cluster signer certificate by running the following command:
    oc get secrets/signing-key -n openshift-service-ca -o template='{{index .data "tls.crt"}}' | base64 --decode > cluster-ca-cert.pem
  4. From the event source client, check that the ${PROXY_COMMON_NAME} address can be resolved. Run the following command:
    ping ${PROXY_COMMON_NAME}
    If this command fails because the name cannot be resolved, ask your DNS administrator to add the entry, or add the host to the /etc/hosts file on the event source client.
    In the hosts file, map the certificate common name to the IP address of an OpenShift master node, for example by running:
    echo "${PROXY_ADDRESS} ${PROXY_COMMON_NAME}" >> /etc/hosts
    Where:
    • ${PROXY_ADDRESS} is the address of a cluster master node from step 1.
    • ${PROXY_COMMON_NAME} is the proxy certificate common name from step 2.
  5. From the event source client, import the OpenShift cluster signer certificate that is obtained in step 3 into the event source client keystore as a trusted certificate. Complete the following steps:
    1. If necessary, create the keystore by using one of the following commands:
      $NCHOME/bin/nc_ikeyman
      Or
      $NCHOME/bin/nc_gskcmd -keydb -create -db "$NCHOME/etc/security/keys/omni.kdb" -pw password -stash -expire 366
      
      For more information about creating a keystore, see https://www.ibm.com/docs/en/SSSHTQ_8.1.0/omnibus/wip/install/task/omn_con_ssl_creatingkeydbase.html in the Netcool/OMNIbus documentation.
    2. Import a privacy enhanced mail (PEM) encoded signer certificate by running one of the following commands:
      $NCHOME/bin/nc_ikeyman
      Or
      $NCHOME/bin/nc_gskcmd -cert -add -file cluster-ca-cert.pem -db $NCHOME/etc/security/keys/omni.kdb -stashed
      For more information about adding certificates from a CA, see https://www.ibm.com/docs/en/SSSHTQ_8.1.0/omnibus/wip/install/task/omn_con_ssl_addingcerts.html in the Netcool/OMNIbus documentation.
  6. From the event source client, edit the client's omni.dat file and add server definitions that use the proxy common name from step 2 as the server address and the proxy port numbers from step 1, as shown in the following example.
    Note: To successfully complete the TLS handshake and establish a secure TLS connection, the ObjectServer address that is specified in the omni.dat file must exactly match the certificate subject CN value.
    
    [OCP_AGG_P_TLS]
    {
            Primary: ${PROXY_COMMON_NAME} ssl ${AGGP_PROXY_PORT}
    }
    [OCP_AGG_B_TLS]
    {
            Primary: ${PROXY_COMMON_NAME} ssl ${AGGB_PROXY_PORT}
    }
    
    For more information, see Identifying the proxy listening port.
  7. Run the following command to generate the interfaces file:
    $NCHOME/bin/nco_igen
  8. You can now make a secure TLS connection to both the primary and backup ObjectServers running in the Netcool Operations Insight® on Red Hat OpenShift deployment by using the server names defined in step 6, for example OCP_AGG_P_TLS and OCP_AGG_B_TLS.
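Steps 2 through 4 and the note in step 6 amount to three checks that are worth automating before the CA is imported into the keystore: the proxy certificate CN is read correctly, the name resolves from the client, and the certificate the proxy presents actually chains to the extracted cluster-ca-cert.pem under that name. The following script is an added example and is not part of the Netcool/OMNIbus documentation; the function names, the script name check_proxy_tls.sh and the embedded s_client output (a constructed sample modelled on step 2) are this example's own assumptions. The chain and name verification reuses openssl s_client, so it reports the same failure the ObjectServer client would hit in step 8 if the CN in omni.dat and the certificate did not agree.

```shell
#!/bin/sh
# Added example, not from the Netcool/OMNIbus documentation: sanity checks on the
# proxy certificate before cluster-ca-cert.pem is imported into the client keystore.

# Print the subject CN of the depth-0 (leaf) certificate from `openssl s_client`
# output read on stdin. Handles both the older "/CN=name" and the newer
# "CN = name" subject formats that OpenSSL prints.
extract_proxy_cn() {
    sed -n 's/^ *0 s:.*CN *= *\([^,/ ]*\).*/\1/p' | head -n 1
}

# Constructed sample of the step 2 output, so the parser can be exercised offline.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = openshift-service-serving-signer@1578571170
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=m125-proxy.default.svc
   i:/CN=openshift-service-serving-signer@1578571170
 1 s:/CN=openshift-service-serving-signer@1578571170
   i:/CN=openshift-service-serving-signer@1578571170
---
EOF
}

# Return 0 if the name resolves on this client (the step 4 check, without ping).
name_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Connect to the proxy and require that the presented chain verifies against the
# cluster CA file and that the certificate matches the expected name. An unknown
# issuer, a name mismatch or an expired leaf all make this return non-zero, which
# means importing the CA alone would not let the client complete the handshake.
verify_proxy_against_cluster_ca() {
    addr=$1 port=$2 cn=$3 ca=$4
    openssl s_client -connect "${addr}:${port}" -servername "$cn" \
        -CAfile "$ca" -verify_hostname "$cn" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Usage: ./check_proxy_tls.sh PROXY_ADDRESS AGGP_PROXY_PORT cluster-ca-cert.pem
if [ $# -eq 3 ]; then
    cn=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | extract_proxy_cn)
    echo "proxy certificate CN: $cn"
    name_resolves "$cn" || echo "warning: $cn does not resolve; add it to /etc/hosts (step 4)"
    if verify_proxy_against_cluster_ca "$1" "$2" "$cn" "$3"; then
        echo "chain verifies against $3 and matches $cn"
    else
        echo "verification failed: fix this before writing the omni.dat entry" >&2
        exit 1
    fi
else
    # Offline demonstration on the constructed sample; prints m125-proxy.default.svc.
    sample_s_client_output | extract_proxy_cn
fi
```

Run it with the three values from steps 1 and 3; with no arguments it only parses the embedded sample. The name check uses getent rather than ping because a host that resolves but drops ICMP would otherwise look like a DNS problem.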