Enable SSL in OMEnvironment

Before you begin

You must already have a certificate that was created for the domain.

The ingress controller is installed on the cluster. This procedure also works with other ingress controllers such as traefik. For more information about the nginx ingress controller, see Installation Guide and Docker development YouTube series.

Ensure that you have installed the IBM® Sterling Order Management System Software Operator.

Procedure

  1. Create the keystore from the certificate with the following command:
    openssl pkcs12 -export -in <certificate file> \
    -inkey <certificate key> \
    -out tls.p12 \
    -name <yourdomain> \
    -CAfile <CA file>
  2. Create the ingress TLS secret with the SSL certificate. This TLS secret secures the connection from the client to the ingress controller.
    kubectl create secret tls ingress-secret \
        --namespace <your namespace> \
        --key tls.key \
        --cert tls.crt
    
    Note: If you do not want to use the default certificate, you can add your own certificate by creating a secret from it and setting that secret name in common.ingress.ssl.identitySecretName.
  3. Mount the tls.p12 file into the pods at the /shared store location in one of the following ways:
    • Pass tls.p12 inside the shared volume and specify it under the security section as shown in the following example.
      security:
         ssl:
           trust:
             # This is the `tls.p12` file that you created in the earlier step. 
             storeLocation: /shared/tls.p12
             storeType: PKCS12
    • Pass tls.p12 through a secret, storage or a config map by using additionalMounts. For more information about mounting into pods, see Configuring additionalMounts parameter. The following example uses a secret to mount into pods.
      additionalMounts:
        secrets:
          - mountPath: /shared/tls.p12
            name: truststoreconfigmap
            subPath: tls.p12
  4. Deploy the OMEnvironment instance with the following configuration:
    # (truncated)
    # ...
    
    common:
        ingress:
          host: <your domain>
          ssl:
            # enable SSL
            enabled: true
            # this is the secret created in the earlier step
            identitySecretName:  ingress-secret
    
    security:
        ssl:
          trust:
            # this is the `tls.p12` file you created in the earlier step
            storeLocation: /shared/tls.p12
            storeType: PKCS12
    
    # ...
    # (truncated)
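
The files from steps 1 and 2 can be checked before the deployment is applied. The following script is an added example, not part of the product documentation; it assumes that the export password of tls.p12 is supplied in an environment variable named P12_PASS (a name chosen here), and the file name check_tls.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the product documentation): pre-flight check for the
# certificate, key and tls.p12 from steps 1 and 2.
# Usage: P12_PASS=<export password> sh check_tls.sh <cert> <key> <p12> <domain>
# check_tls.sh and P12_PASS are names assumed for this example.
check_tls_material() {
    cert=$1; key=$2; p12=$3; domain=$4; failures=0

    # 1. The private key must pair with the certificate (identical public key).
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"
        failures=$((failures + 1))
    fi

    # 2. The certificate must cover the host name configured for the ingress.
    if ! openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null |
            grep -q 'does match'; then
        echo "FAIL: $cert does not cover $domain"
        failures=$((failures + 1))
    fi

    # 3. The certificate must not be expired already.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or unreadable"
        failures=$((failures + 1))
    fi

    # 4. tls.p12 must open with the export password and hold the same certificate.
    want=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null)
    have=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts \
               2>/dev/null | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "FAIL: $p12 does not contain $cert (or the password is wrong)"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Run the check when the script is called with its four arguments.
if [ "$#" -eq 4 ]; then
    check_tls_material "$@"
fi
```

The exit status is the number of failed checks, so 0 means the certificate, key and keystore are consistent with each other and with the ingress host.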
    

What to do next

After the deployment is completed, access the application ingresses in the browser and check the following points:

  • The applications are accessible.
  • The correct certificate is shown when you click the lock icon in the URL bar.