To integrate with an external service, you must first import its Transport Layer Security (TLS) certificate into the container's trusted list.
Procedure
If the root certificate authority (CA) of the external service is not already trusted,
provide the TLS certificate of the external service to the component truststore.
- Get the root CA that is used to sign your external service and save it to a certificate, for example external-service-cert.crt.
See OpenSSL for instructions to export the root CA of your external service.
The following example command gets the certificate chain of cloud.ibm.com by using OpenSSL.
echo | openssl s_client -showcerts -connect cloud.ibm.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > external-service-cert.crt
The following example command gets the certificate chain of cloud.ibm.com by using keytool.
keytool -printcert -sslserver cloud.ibm.com:443 -rfc > external-service-cert.crt
- Create a secret by running the following command in the namespace.
kubectl create secret generic myTrustServiceSecret --from-file=tls.crt=your_cert_path/external-service-cert.crt
Substitute your own values for the placeholders myTrustServiceSecret and your_cert_path/external-service-cert.crt. The certificate and key files must be in Privacy Enhanced Mail (PEM) format.
- Add the secret to the component truststore.
Specify the customization.trustedCertificateList parameter in the configuration of your ODM instance.
For example,
customization.trustedCertificateList={"myTrustServiceSecret"\, "myTrustServiceSecret1"...}
The {"myTrustServiceSecret"\, "myTrustServiceSecret1"...} variable is an array. You can enter a comma-delimited list of secret names, as shown in the example.
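The file written in the first step contains whatever certificates the server presented when it was fetched, so review it before it goes into the secret. The following script is an added example, not part of the original procedure: it splits the bundle into individual certificates and prints each one's role (self-issued root or not), subject, expiry date and SHA-256 fingerprint, which can be compared with the value the CA publishes. The function names and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example: review a PEM bundle before it is stored in a truststore secret.

# Split a PEM bundle into one file per certificate; prints how many were found.
split_bundle() {  # $1 = bundle file, $2 = existing output directory
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Prints "root" when subject and issuer are identical (self-issued), else "non-root".
cert_role() {  # $1 = file holding a single PEM certificate
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    if [ "$subject" = "$issuer" ]; then echo root; else echo non-root; fi
}

# Prints one review line per certificate in the bundle.
# Returns non-zero if the bundle is empty or a certificate expires within 30 days.
review_bundle() {  # $1 = bundle file, for example external-service-cert.crt
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp")
    rc=0
    [ "$count" -gt 0 ] || { echo "no certificates found in $1" >&2; rc=1; }
    for f in "$tmp"/cert-*.pem; do
        [ -f "$f" ] || continue
        role=$(cert_role "$f")
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253)
        end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
        echo "$role | $subj | notAfter=$end | sha256=$fp"
        # 2592000 seconds = 30 days
        openssl x509 -in "$f" -noout -checkend 2592000 >/dev/null ||
            { echo "  expires within 30 days: $subj" >&2; rc=1; }
    done
    rm -rf "$tmp"
    return $rc
}

# Review the file named on the command line, if one was given.
if [ "$#" -gt 0 ]; then review_bundle "$1"; fi
```

If no line is marked root, the bundle holds only the server and intermediate certificates, and the root CA must be obtained separately.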