SSL certificates
Adding CA certificate chain for the outgoing SSL connection
To connect IBM Process Mining to an external endpoint that needs a self-signed certificate to validate the connection, you must add the certificates in the CRD.
Tip: You can use the same CRD certificate configuration to connect to a Mongo database, the Monitoring Rest API, and a Kafka topic.
You can add all the certificates to a Secret that is manually created (see 'Figure 1. Adding the certificates to a Secret').
To add the certificate to a Secret, do the following:
- Enter a name for the secret in the Secret name field.
- Add tls.crt in the Key field.
- Upload your values in the Values field. The values can be a list of certificates, which is a CA chain.
Figure 1. Adding the certificates to a Secret
In the CRD, you must specify the secret name, <my-secret-for-ca>, for the CA that contains the user certificates in the additionalcabundle attribute.
apiVersion: processmining.ibm.com/v1beta1
kind: ProcessMining
metadata:
  name: pm1
spec:
  version: 1.14.1
  license:
    accept: true
    cloudPak: IBM Cloud Pak for Business Automation
  defaultStorageClassName: rook-cephfs
  additionalcabundle: 'my-secret-for-ca'
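The Secret described above can also be written as a manifest instead of being filled in through the form. The following Python is an added example, not code from the IBM documentation: it checks that a CA chain contains only CERTIFICATE PEM blocks and builds a Secret that stores the chain under the tls.crt key. The Opaque secret type, the processmining namespace for this secret, and the stub DER bytes that stand in for real certificates are assumptions.

```python
import base64
import json
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.S)


def pem_block(label, der):
    """Wrap DER bytes in a PEM block (used to construct the sample input)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def parse_ca_bundle(pem_text):
    """Return the DER bytes of every CERTIFICATE block; reject anything else."""
    certs = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":
            # A CA bundle is public trust material; key blocks do not belong in it.
            raise ValueError(f"unexpected PEM block in CA bundle: {label}")
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":  # X.509 certificates are DER SEQUENCEs
            raise ValueError("CERTIFICATE block is not a DER SEQUENCE")
        certs.append(der)
    if not certs:
        raise ValueError("no CERTIFICATE blocks found")
    return certs


def build_ca_secret(name, namespace, pem_text):
    """Build the Secret manifest holding the whole chain under the tls.crt key."""
    parse_ca_bundle(pem_text)  # structural check only: no signature or expiry validation
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",  # assumption: generic key/value secret
        "metadata": {"name": name, "namespace": namespace},
        "data": {"tls.crt": base64.b64encode(pem_text.encode()).decode()},
    }


# Constructed sample: two stub DER SEQUENCEs standing in for a root and an intermediate CA.
SAMPLE_CHAIN = pem_block("CERTIFICATE", b"\x30\x03\x02\x01\x01") + pem_block(
    "CERTIFICATE", b"\x30\x03\x02\x01\x02")

if __name__ == "__main__":
    # The "processmining" namespace is an assumption; the name matches additionalcabundle.
    print(json.dumps(build_ca_secret("my-secret-for-ca", "processmining", SAMPLE_CHAIN), indent=2))
```

The printed JSON is a standard Secret manifest and can be applied with kubectl apply -f or oc apply -f.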
Self-signed certificates
Self-signed certificates are automatically generated by default. They are provided by Bedrock Zen UI. Refer to the Zen documentation for more details.
Certificates for exposed endpoints
To configure your IBM Process Mining instance with your own certificates, you must create a secret that contains the certificate, the key, and the certificate authority. Once this secret has been created, you must specify the name of that secret in the IBM Process Mining CRD.
Here is an example of CRD configuration for IBM Process Mining and IBM Task Mining that shows the configuration syntax for a custom SSL certificate:
apiVersion: processmining.ibm.com/v1beta1
kind: ProcessMining
metadata:
  name: pm1
  namespace: processmining
spec:
  version: 1.14.1
  license:
    accept: true
    cloudPak: IBM Cloud Pak for Business Automation
  defaultStorageClassName: rook-cephfs
  processmining:
    tls:
      ui:
        secretname: 'processmining_tls_secret_name'
        certificate: 'tls.crt'
        key: 'tls.key'
        ca: 'ca.crt'

apiVersion: processmining.ibm.com/v1beta1
kind: ProcessMining
metadata:
  name: pm1
  namespace: processmining
spec:
  version: 1.14.1
  license:
    accept: true
    cloudPak: IBM Cloud Pak for Business Automation
  defaultStorageClassName: rook-cephfs
  taskmining:
    tls:
      ui:
        secretname: 'taskmining_tls_secret_name'
        certificate: 'tls.crt'
        key: 'tls.key'
        ca: 'ca.crt'
TLS certificates are mandatory to secure the exposed routes of the application.
The certificates are required for the following routes:
- IBM Process Mining public Rest API
- IBM Task Mining Rest API for Agent integration
In a default installation, self-signed certificates are automatically created by the operator and no further action is required. However, for a production environment, your own certificates that are issued by a trusted CA must be provided within the IBM Process Mining CSV.