SSL certificates

Adding CA certificate chain for the outgoing SSL connection

To connect IBM Process Mining to an external endpoint that needs a self-signed certificate to validate the connection, you must add the certificates in the CRD.


Tip: You can use the same CRD certificate configuration to connect to a Mongo database, the Monitoring Rest API, and a Kafka topic.


You can add all the certificates to a Secret that is manually created (see 'Figure 1. Adding the certificates to a Secret').

To add the certificate to a Secret, do the following:

  1. Enter a name for the secret in the Secret name field.

  2. Add tls.crt in the Key field.

  3. Upload your values in the Values field. The values can be a list of certificates, which is a CA chain.


Figure 1. Adding the certificates to a Secret

In the CRD, you must specify the secret name, <my-secret-for-ca>, for the CA that contains the user certificates in the additionalcabundle attribute.

apiVersion: processmining.ibm.com/v1beta1
kind: ProcessMining
metadata:
  name: pm1
spec:
  version: 1.14.1
  license:
    accept: true
    cloudPak: IBM Cloud Pak for Business Automation
  defaultStorageClassName: rook-cephfs
  additionalcabundle: 'my-secret-for-ca'

Self-signed certificates

Self-signed certificates are automatically generated by default. They are provided by Bedrock Zen UI. Refer to the Zen documentation for more details.

Certificates for exposed endpoints

To configure your IBM Process Mining instance with your own certificates, you must create a secret that contains the certificate, the key, and the certificate authority. After this secret is created, you must specify the name of that secret in the IBM Process Mining CRD.

Here are example CRD configurations for IBM Process Mining and IBM Task Mining that show the syntax for a custom SSL certificate:

apiVersion: processmining.ibm.com/v1beta1
kind: ProcessMining
metadata:
  name: pm1
  namespace: processmining
spec:
  version: 1.14.1
  license:
    accept: true
    cloudPak: IBM Cloud Pak for Business Automation
  defaultStorageClassName: rook-cephfs
  processmining:
    tls:
      ui:
        secretname: 'processmining_tls_secret_name'
        certificate: 'tls.crt'
        key: 'tls.key'
        ca: 'ca.crt'

apiVersion: processmining.ibm.com/v1beta1
kind: ProcessMining
metadata:
  name: pm1
  namespace: processmining
spec:
  version: 1.14.1
  license:
    accept: true
    cloudPak: IBM Cloud Pak for Business Automation
  defaultStorageClassName: rook-cephfs
  taskmining:
    tls:
      ui:
        secretname: 'taskmining_tls_secret_name'
        certificate: 'tls.crt'
        key: 'tls.key'
        ca: 'ca.crt'

TLS certificates are mandatory to secure the exposed routes of the application.

The certificates are required for the following routes:

  • IBM Process Mining public Rest API
  • IBM Task Mining Rest API for Agent integration

In a default installation, self-signed certificates are automatically created by the operator and no further action is required. However, for a production environment, your own certificates that are issued by a trusted CA must be provided within the IBM Process Mining CSV.
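Before creating the secret described under "Certificates for exposed endpoints", it is worth confirming that tls.crt, tls.key and ca.crt actually belong together, and that a CA bundle contains no private key. The script below is an added example, not part of the product documentation: it assumes PEM-encoded files and the openssl CLI, and the function names, the `<secret-name>` placeholder and the printed `oc create secret generic` command are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files that go into the TLS secret.

# True when the private key and the certificate carry the same public key.
key_matches_cert() {            # usage: key_matches_cert tls.crt tls.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # -passin pass: makes an encrypted key fail instead of prompting
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate verifies against the given CA file
# (-no-CApath keeps the system trust directory out of the decision).
cert_chains_to_ca() {           # usage: cert_chains_to_ca tls.crt ca.crt
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# True when a CA bundle holds at least one certificate and no private key.
bundle_is_cert_only() {         # usage: bundle_is_cert_only ca.crt
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# Runs all checks; returns non-zero on the first hard failure.
preflight() {                   # usage: preflight tls.crt tls.key ca.crt
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $2 does not match $1" >&2; return 1; }
    cert_chains_to_ca "$1" "$3" ||
        { echo "FAIL: $1 does not chain to $3" >&2; return 1; }
    bundle_is_cert_only "$3" ||
        { echo "FAIL: $3 must hold certificates only" >&2; return 1; }
    # 2592000 seconds = 30 days; expiry soon is a warning, not a failure
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null ||
        echo "WARN: $1 expires within 30 days" >&2
    echo "OK. The secret can be created with, for example:"
    echo "  oc create secret generic <secret-name> -n processmining \\"
    echo "    --from-file=tls.crt=$1 --from-file=tls.key=$2 --from-file=ca.crt=$3"
}

# Run the checks when the three file paths are given on the command line.
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

The `bundle_is_cert_only` check applies equally to the CA chain uploaded under the tls.crt key of the secret referenced by additionalcabundle.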