Importing the certificate of an external service

To integrate with an external service, you must first import its Transport Layer Security (TLS) certificate into the container's trusted list.

Procedure

If the root certificate authority (CA) of the external service is not already trusted, provide the TLS certificate of the external service to the component truststore.

  1. Get the root CA that is used to sign the certificate of your external service and save it to a certificate file, for example external-service-cert.crt.
    See OpenSSL for instructions to export the root CA of your external service.

    The following example command gets the certificate chain of cloud.ibm.com by using OpenSSL.

    echo | openssl s_client -showcerts -connect cloud.ibm.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > external-service-cert.crt

    The following example command gets the certificate chain of cloud.ibm.com by using keytool.

    keytool -printcert -sslserver cloud.ibm.com:443 -rfc > external-service-cert.crt
  2. Create a secret by running the following command in the namespace.
    kubectl create secret generic myTrustServiceSecret --from-file=tls.crt=your_cert_path/external-service-cert.crt
    Substitute your own values for the placeholders myTrustServiceSecret and your_cert_path/external-service-cert.crt. The certificate and key files must be in Privacy Enhanced Mail (PEM) format.
  3. Add the secret to the component truststore.
    Specify the customization.trustedCertificateList parameter in the configuration of your ODM instance.
    For example,
    customization.trustedCertificateList={"myTrustServiceSecret"\, "myTrustServiceSecret1"...}
    The value {"myTrustServiceSecret"\, "myTrustServiceSecret1"...} is an array: enter a comma-delimited list of the secret names that you created in step 2, as shown in the example.
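As an added example that is not part of the original documentation: the openssl and keytool commands in step 1 write the whole chain that the server presents (leaf, intermediates and, sometimes, the root). The POSIX shell helpers below split such a chain file into one file per certificate, identify the self-signed root by comparing subject and issuer, and create the secret from that root only, with the name lowercased because Kubernetes secret names must be DNS-1123 compliant. openssl and kubectl on PATH and the secret name are assumptions.

```shell
#!/bin/sh
# Example helpers (not from the ODM documentation). Assumes openssl and kubectl on PATH.

# Split a concatenated PEM chain into DIR/cert-1.pem, DIR/cert-2.pem, ...
# in server order and print the number of certificates found.
split_pem_chain() {
  chain="$1"; dir="$2"
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
  ' "$chain"
  ls "$dir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Succeed (exit 0) when the certificate is self-signed, i.e. subject == issuer,
# which is what a root CA looks like; a leaf or intermediate fails this test.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Print the path of the self-signed root in a split chain directory, or fail
# when the server did not send its root (fetch it from the CA instead).
find_root_ca() {
  for f in "$1"/cert-*.pem; do
    if is_self_signed "$f"; then echo "$f"; return 0; fi
  done
  echo "no self-signed root CA in chain; obtain it from the CA directly" >&2
  return 1
}

# Create the truststore secret from the root CA file. Secret names must be
# lowercase DNS-1123 names, so a name such as myTrustServiceSecret is lowercased.
create_trust_secret() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  kubectl create secret generic "$name" --from-file=tls.crt="$2"
}
```

Typical use: `split_pem_chain external-service-cert.crt ./chain`, then `create_trust_secret myTrustServiceSecret "$(find_root_ca ./chain)"`.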