Configuring TLS encryption with Red Hat OpenShift Container Platform

Follow this procedure when the proxy certificate has been automatically created and signed by the Red Hat® OpenShift® Container Platform cluster CA during deployment.


  1. From the event source client, ensure that a connection can be made to the proxy. You must know the proxy address and port numbers. How you find this information depends on how the OpenShift cluster network is configured and whether a ClusterIP or NodePort service type is used.

    Refer to these values as ${PROXY_ADDRESS}, ${AGGP_PROXY_PORT}, and ${AGGB_PROXY_PORT}.

    Use the ping command to test network address resolution:
    ping ${PROXY_ADDRESS}
  2. From the event source client, use the OpenSSL command to retrieve the x.509 certificate that is presented by the proxy and identify the certificate common name (CN).
    # openssl s_client -connect ${PROXY_ADDRESS} ${AGGP_PROXY_PORT}
    depth=1 CN = openshift-service-serving-signer@1578571170
    verify error:num=19:self signed certificate in certificate chain
    Certificate chain
     0 s:/CN=m125-proxy.default.svc                                                        <<<<<<<<<<<<<<
     1 s:/CN=openshift-service-serving-signer@1578571170
    Where: In the preceding example, the Common Name of the certificate that is presented by the proxy is m125-proxy.default.svc. Refer to this value as ${PROXY_COMMON_NAME}.
  3. Using the Red Hat OpenShift Container Platform Cluster CLI, extract the Red Hat OpenShift Container Platform cluster signer certificate by running the following command:
    oc get secrets/signing-key -n openshift-service-ca -o template='{{index .data "tls.crt"}}' | base64 --decode > cluster-ca-cert.pem
  4. From the event source client, check that the ${PROXY_COMMON_NAME} address can be resolved. Run the following command:
    If this command fails, because the name cannot be resolved, ask your DNS administrator to add this entry or use the following commands to add this host to your /etc/hosts file.
    From the event source client, in the network hosts file map the certificate common name to the IP address of an OpenShift controller node, running, for example:
    echo "${PROXY_ADDRESS} ${PROXY_COMMON_NAME}" >> /etc/hosts
    • ${PROXY_ADDRESS} is the address of a cluster controller node from step 1.
    • ${PROXY_COMMON_NAME} is the proxy certificate common name from step 2.
  5. From the event source client, import the OpenShift cluster signer certificate that is obtained in step 3 into the event source client keystore as a trusted certificate. Complete the following steps:
    1. If necessary, create the keystore by using one of the following commands:
      $NCHOME/bin/nc_gskcmd -keydb -create -db "$NCHOME/etc/security/keys/omni.kdb" -pw password -stash -expire 366
      For more information about creating a keystore, see external linkNetcool/OMNIbus documentation.
    2. Import a privacy enhanced mail (PEM) encoded signer certificate by running one of the following commands:
      $NCHOME/bin/nc_gskcmd -cert -add -file cluster-ca-cert.pem -db $NCHOME/etc/security/keys/omni.kdb -stashed
      For more information about adding certificates from CA, see link Netcool/OMNIbus documentation.
  6. Note: To successfully complete the TLS handshake and establish a secure TLS connection, the ObjectServer address, which is specified in the omni.dat file, must exactly match the certificate subject CN value.
    From the event source client, edit the client's omni.dat file to configure and add the proxy Common Name value from step 2 as the server address and the proxy port number in the omni.dat file, as displayed in the following example:
            Primary: ${PROXY_COMMON_NAME} ssl ${AGGP_PROXY_PORT}
            Primary: ${PROXY_COMMON_NAME} ssl ${AGGB_PROXY_PORT}
    For more information, see Identifying the proxy listening port.
  7. Run the following command to generate the interfaces file:
  8. You can now make a secure TLS connection to both the primary and backup ObjectServers running in the Netcool Operations Insight® on Red Hat OpenShift deployment, by using the server names defined in step 6, for example: OCP_AGG_P_TLS and OCP_AGG_B_TLS.