Configuring TLS encryption with Red Hat OpenShift Container Platform
Follow this procedure when the proxy certificate has been automatically created and signed by the Red Hat® OpenShift® Container Platform cluster CA during deployment.
Procedure
- From the event source client, ensure that a connection can be made to the proxy. You must know the proxy address and port numbers. How you find this information depends on how the OpenShift cluster network is configured and whether a ClusterIP or NodePort service type is used.
  - For ClusterIP service types, use the LoadBalancer ingress address and port numbers (from Identifying the proxy listening port) to access the proxy. For more information, see Exposing ObjectServer ClusterIP services by using the LoadBalancer service and Identifying the proxy listening port.
  - For NodePort service types, use a cluster controller node address and the NodePort numbers to access the proxy. For more information, see Identifying the proxy listening port.
  Refer to these values as ${PROXY_ADDRESS}, ${AGGP_PROXY_PORT}, and ${AGGB_PROXY_PORT}.
  Use the ping command to test network address resolution:
  ping ${PROXY_ADDRESS}
  Note that ping only confirms that the address resolves and answers ICMP; it does not exercise the proxy ports. A firewall that drops ICMP can make ping fail while the TLS connection in step 2 still succeeds, and the reverse is also possible.
- From the event source client, use the OpenSSL command to retrieve the X.509 certificate that is presented by the proxy and identify the certificate common name (CN):
  openssl s_client -connect ${PROXY_ADDRESS}:${AGGP_PROXY_PORT}
  Where:
  - ${PROXY_ADDRESS} is the address of the proxy from step 1.
  - ${AGGP_PROXY_PORT} is the cluster port identified by Identifying the proxy listening port.
  Example output:
  CONNECTED(00000003)
  depth=1 CN = openshift-service-serving-signer@1578571170
  verify error:num=19:self signed certificate in certificate chain
  ---
  Certificate chain
   0 s:/CN=m125-proxy.default.svc <<<<<<<<<<<<<<
     i:/CN=openshift-service-serving-signer@1578571170
   1 s:/CN=openshift-service-serving-signer@1578571170
     i:/CN=openshift-service-serving-signer@1578571170
  ---
  The verify error is expected at this point: the event source client does not yet trust the cluster service CA that signed the proxy certificate. The subject (s:) of the depth 0 certificate is the proxy common name, in this example m125-proxy.default.svc. Refer to this value as ${PROXY_COMMON_NAME}.
- Using the Red Hat OpenShift Container Platform cluster CLI, extract the Red Hat OpenShift Container Platform cluster signer certificate by running the following command:
  oc get secrets/signing-key -n openshift-service-ca -o template='{{index .data "tls.crt"}}' | base64 --decode > cluster-ca-cert.pem
  This requires an oc login that can read secrets in the openshift-service-ca namespace (typically cluster-admin). Extract only tls.crt, as shown; the same secret also holds the CA private key (tls.key), which must never be copied to an event source client. The service signer certificate has a finite validity and is rotated by the cluster, so repeat this step and the import in step 5 whenever the signer changes. Taking the CA from the chain that the proxy presents on the wire instead of from the secret would be trust-on-first-use and is not a substitute for this step.
- From the event source client, check that the ${PROXY_COMMON_NAME} address can be resolved. Run the following command:
  ping ${PROXY_COMMON_NAME}
  If this command fails because the name cannot be resolved, ask your DNS administrator to add this entry, or add the host to the /etc/hosts file. From the event source client, in the network hosts file, map the certificate common name to the proxy address, for example:
  echo "${PROXY_ADDRESS} ${PROXY_COMMON_NAME}" >> /etc/hosts
  Where:
  - ${PROXY_ADDRESS} is the proxy address from step 1 (the LoadBalancer ingress address, or a cluster controller node address for NodePort services).
  - ${PROXY_COMMON_NAME} is the proxy certificate common name from step 2.
  Editing /etc/hosts requires root. Check first that ${PROXY_COMMON_NAME} is not already mapped to a different address, because a stale or conflicting entry silently sends the TLS client to the wrong endpoint.
- From the event source client, import the OpenShift cluster signer certificate that is obtained in step 3 into the event source client keystore as a trusted certificate. Complete the following steps:
  - If necessary, create the keystore by using one of the following commands:
    $NCHOME/bin/nc_ikeyman
    Or
    $NCHOME/bin/nc_gskcmd -keydb -create -db "$NCHOME/etc/security/keys/omni.kdb" -pw password -stash -expire 366
    Replace password with a strong keystore password. The -stash option writes the password to a stash (.sth) file next to the key database so that processes can open it unattended; restrict the file permissions on the .kdb and .sth files to the user that runs the event source client.
    For more information about creating a keystore, see the Netcool/OMNIbus documentation: https://www.ibm.com/docs/en/SSSHTQ_8.1.0/omnibus/wip/install/task/omn_con_ssl_creatingkeydbase.html
  - Import a privacy enhanced mail (PEM) encoded signer certificate by running one of the following commands:
    $NCHOME/bin/nc_ikeyman
    Or
    $NCHOME/bin/nc_gskcmd -cert -add -file cluster-ca-cert.pem -db $NCHOME/etc/security/keys/omni.kdb -stashed
    Import only the CA certificate extracted in step 3, not the proxy's own leaf certificate; trusting the CA means that a regenerated proxy certificate signed by the same CA continues to validate without another import.
    For more information about adding certificates from a CA, see the Netcool/OMNIbus documentation: https://www.ibm.com/docs/en/SSSHTQ_8.1.0/omnibus/wip/install/task/omn_con_ssl_addingcerts.html
- From the event source client, edit the client's omni.dat file to add the proxy common name value from step 2 as the server address and the proxy port numbers, as displayed in the following example:
  [OCP_AGG_P_TLS]
  {
      Primary: ${PROXY_COMMON_NAME} ssl ${AGGP_PROXY_PORT}
  }
  [OCP_AGG_B_TLS]
  {
      Primary: ${PROXY_COMMON_NAME} ssl ${AGGB_PROXY_PORT}
  }
  Note: To successfully complete the TLS handshake and establish a secure TLS connection, the ObjectServer address that is specified in the omni.dat file must exactly match the certificate subject CN value. Do not substitute the IP address or another alias for the CN; that is why step 4 maps the CN to the proxy address rather than changing the address in omni.dat.
  For more information, see Identifying the proxy listening port.
- Run the following command to generate the interfaces file:
  $NCHOME/bin/nco_igen
- You can now make a secure TLS connection to both the primary and backup ObjectServers running in the Netcool Operations Insight® on Red Hat OpenShift deployment, by using the server names defined in step 6, for example: OCP_AGG_P_TLS and OCP_AGG_B_TLS.
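The following script is an added example and is not part of the Netcool documentation or the product. It strings the checks in steps 2 to 6 together: it parses the proxy CN out of openssl s_client output (handling both the old "s:/CN=" and the newer "s:CN = " layouts), refuses to add a conflicting /etc/hosts entry, verifies the proxy chain against the extracted cluster CA before that CA is imported, and emits the omni.dat stanzas. The function names, the SAMPLE_S_CLIENT_OUTPUT text (constructed to match the step 2 output) and the "live" argument convention are this example's own; the oc and nc_gskcmd invocations are the ones from the procedure above. The live path assumes openssl, oc, awk and $NCHOME on the event source client and an oc login that can read secrets in openshift-service-ca.

```shell
#!/bin/sh
# Added example, not part of the Netcool documentation: automates the
# checks in the procedure above. Assumptions: POSIX sh with awk; openssl,
# oc and $NCHOME are needed only by the live path (run_live), which runs
# only when the script is invoked with the argument "live".
# All function names are this example's own.

# Constructed sample of `openssl s_client` output, matching the shape
# shown in step 2 (old-style "s:/CN=" DN layout). Not captured from a cluster.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = openshift-service-serving-signer@1578571170
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=m125-proxy.default.svc
   i:/CN=openshift-service-serving-signer@1578571170
 1 s:/CN=openshift-service-serving-signer@1578571170
   i:/CN=openshift-service-serving-signer@1578571170
---'

# Print the subject CN of the depth-0 (leaf) certificate from s_client
# output. Accepts both the old "s:/CN=name" and the newer "s:CN = name"
# layouts so the check does not break across OpenSSL versions.
extract_cn() {
    printf '%s\n' "$1" | awk '
        /^ *0 s:/ {
            sub(/^ *0 s:\/?/, "")            # drop the "0 s:" prefix and leading slash
            n = split($0, part, /[,\/]/)     # DN components are "," or "/" separated
            for (i = 1; i <= n; i++) {
                if (part[i] ~ /^ *CN *= */) {
                    sub(/^ *CN *= */, "", part[i])
                    sub(/ *$/, "", part[i])
                    print part[i]
                    exit
                }
            }
        }'
}

# Map a name to an address in a hosts file, idempotently. Returns 1 instead
# of silently redirecting if the name is already mapped to another address,
# which would otherwise send the TLS client to the wrong endpoint.
ensure_hosts_entry() {
    hosts=$1; addr=$2; name=$3
    existing=$(awk -v n="$name" \
        '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' \
        "$hosts" 2>/dev/null || true)
    if [ -z "$existing" ]; then
        printf '%s %s\n' "$addr" "$name" >> "$hosts"
    elif [ "$existing" != "$addr" ]; then
        echo "refusing: $name already maps to $existing, not $addr" >&2
        return 1
    fi
}

# Emit omni.dat stanzas whose Primary address is the certificate CN, so the
# client's hostname check against the subject CN succeeds.
render_omni_dat() {
    cn=$1; p_port=$2; b_port=$3
    printf '[OCP_AGG_P_TLS]\n{\n\tPrimary: %s ssl %s\n}\n' "$cn" "$p_port"
    printf '[OCP_AGG_B_TLS]\n{\n\tPrimary: %s ssl %s\n}\n' "$cn" "$b_port"
}

# Live path: requires network access to the proxy, an oc login able to
# read secrets in openshift-service-ca, and root to edit /etc/hosts.
run_live() {
    : "${PROXY_ADDRESS:?}" "${AGGP_PROXY_PORT:?}" "${AGGB_PROXY_PORT:?}" "${NCHOME:?}"
    out=$(openssl s_client -connect "${PROXY_ADDRESS}:${AGGP_PROXY_PORT}" </dev/null 2>&1)
    cn=$(extract_cn "$out")
    [ -n "$cn" ] || { echo "could not read the proxy certificate CN" >&2; return 1; }
    oc get secrets/signing-key -n openshift-service-ca \
        -o template='{{index .data "tls.crt"}}' | base64 --decode > cluster-ca-cert.pem
    # Confirm the proxy chain really verifies against the extracted CA
    # before that CA is trusted in the keystore.
    openssl s_client -connect "${PROXY_ADDRESS}:${AGGP_PROXY_PORT}" \
        -CAfile cluster-ca-cert.pem </dev/null 2>&1 | grep -q 'Verify return code: 0' \
        || { echo "proxy certificate does not verify against cluster-ca-cert.pem" >&2; return 1; }
    ensure_hosts_entry /etc/hosts "$PROXY_ADDRESS" "$cn"
    "$NCHOME/bin/nc_gskcmd" -cert -add -file cluster-ca-cert.pem \
        -db "$NCHOME/etc/security/keys/omni.kdb" -stashed
    render_omni_dat "$cn" "$AGGP_PROXY_PORT" "$AGGB_PROXY_PORT" >> "$NCHOME/etc/omni.dat"
    "$NCHOME/bin/nco_igen"
}

if [ "${1:-}" = live ]; then
    run_live
fi
```

Run it as `PROXY_ADDRESS=... AGGP_PROXY_PORT=... AGGB_PROXY_PORT=... sh tls-proxy-setup.sh live` on the event source client. The chain verification with -CAfile is the check worth keeping even if you do the rest by hand: it proves that the certificate you are about to trust actually signs what the proxy presents, which the unverified s_client output in step 2 cannot tell you.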