(Optional) Adding a Certificate for Securing the Turbonomic UI

If your company policy requires SSL connections that use a trusted certificate, you can install a trusted certificate from a known certificate authority on your Turbonomic instance.

Requesting a Certificate

The first step is to acquire a certificate. The following steps describe how to generate a certificate request.

  1. Open a Secure Shell terminal session.

    Open an SSH terminal session on your Turbonomic instance. Log in as turbo, and use the password that you created for the administration account during installation.

    For more information, see Set up the Turbonomic System Administrator account.

  2. Change to the directory where you want to store the private key file.

    If your shell session is on your Turbonomic instance, use the /opt/turbonomic directory.

    cd /opt/turbonomic
  3. Create and save the private key file.

    For this example, the private key file is named myPrivate.key.

    openssl genrsa -out myPrivate.key 2048

    You need this file later. If you are in a session on your Turbonomic instance, copy the file to your local machine.

  4. Create a file to contain the information that is used to generate the certificate signing request (CSR).

    vi certsignreq.cfg
  5. Add the request data to the certsignreq.cfg file.

    In the file, insert the following code. For any fields marked by angle brackets (for example <city>), provide the indicated value, such as your country, city, company, and so on.

    
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn

    [dn]
    C=<country, 2 letter code>
    L=<city>
    O=<company>
    OU=<organizational unit name>
    CN=<FQDN>
    emailAddress=<email address>

    [req_ext]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = <FQDN>
    DNS.2 = <server’s short name>
    DNS.3 = <server’s IP address>

    Note:

    For the CN field, specify the fully qualified domain name of the Turbonomic instance.

    Alternative names are other ways to access the Turbonomic instance. In the [alt_names] section, the value for the DNS.1 field is required. For DNS.1, specify the fully qualified domain name of the Turbonomic instance. Values for the DNS.2 and DNS.3 fields are optional. You can add more DNS.x fields if needed.

  6. Write and quit the file.

    Press Esc, type :wq!, and press Enter.

  7. Generate the certificate request file.

    In this example, the file is named myRequest.csr.

    openssl req -new -sha256 -nodes -out myRequest.csr -key myPrivate.key -config certsignreq.cfg
  8. Send the generated request file to your certificate authority.

    If you generated the file on your Turbonomic instance, transfer the file to your local machine. The path to the certificate request file on your remote machine is /opt/turbonomic/myRequest.csr.

    Your certificate authority uses this file to create the certificate for you. If your certificate authority gives you an encoding choice between DER and Base 64, choose Base 64.

  9. When you receive the certificate, save it to disk.

    If you did not receive the certificate encoded in Base 64, you must convert it from DER to Base 64.

    In this example, the certificate is named MyCertificate.crt.

    openssl x509 -inform der -in MyCertificate.der -out MyCertificate.crt
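
Before sending the request in step 8, and again before installing the certificate that comes back, confirm that the CSR lists the alternative names you intended and that the certificate belongs to myPrivate.key. The following script is an added example, not part of the Turbonomic documentation; the host names, the IP address and the self-signed certificate standing in for the certificate authority's reply are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: checks on the procedure's files before they are installed.
# Host names, the IP address and the self-signed "CA reply" are constructed stand-ins.
# Print the CSR's subjectAltName entries, one per line (for example DNS:turbo).
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | tr -d ' '
}

# Succeed only if the CSR lists the given name as a DNS-type alternative name.
csr_has_san() { csr_sans "$1" | grep -qxF "DNS:$2"; }

# Succeed only if the certificate carries the public key of the private key.
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Create constructed sample files in directory $1, using the page's file names.
make_sample_files() {
    cd "$1" || return 1
    cat > certsignreq.cfg <<'EOF'
[req]
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
CN=turbo.example.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = turbo.example.com
DNS.2 = turbo
DNS.3 = 192.0.2.10
EOF
    openssl genrsa -out myPrivate.key 2048 2>/dev/null
    openssl genrsa -out other.key 2048 2>/dev/null   # unrelated key for the mismatch case
    openssl req -new -sha256 -nodes -out myRequest.csr -key myPrivate.key -config certsignreq.cfg
    # Stand-in for the CA: self-sign the request so that there is a certificate to check.
    openssl x509 -req -in myRequest.csr -signkey myPrivate.key -days 1 -out MyCertificate.crt 2>/dev/null
}

work=$(mktemp -d) && (make_sample_files "$work")
csr_sans "$work/myRequest.csr"
cert_matches_key "$work/MyCertificate.crt" "$work/myPrivate.key" && echo "certificate matches myPrivate.key"
cert_matches_key "$work/MyCertificate.crt" "$work/other.key" || echo "other.key does not match"
```

The 192.0.2.10 entry is printed as `DNS:192.0.2.10`, because a value under a `DNS.n` key is encoded as a DNS-type name; in OpenSSL configuration syntax an IP-type alternative name is written with an `IP.n` key.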

Installing the Signed Certificate in Turbonomic

After you obtain the signed certificate, you can install it on your Turbonomic instance. You use the private key and certificate files that you obtained when requesting the signed certificate:

  • myPrivate.key

  • MyCertificate.crt

To install the signed certificate:

  1. Open an SSH terminal session on your Turbonomic instance.

  2. Add the key and certificate data to your Turbonomic charts.yaml file.

    /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml

    Find the section for global parameters. Under the global parameters, create the ingress:secrets section, and then create entries for certificate, key, and name.

    Your global parameters should be similar to the following example:

    
    global:
      ingress:
        secrets:   
          - certificate: |
              -----BEGIN CERTIFICATE-----
              SAMPLE PUBLIC KEY
              -----END CERTIFICATE-----
            key: |
              -----BEGIN RSA PRIVATE KEY-----
              SAMPLE PRIVATE KEY
              -----END RSA PRIVATE KEY-----
            name: nginx-ingressgateway-certs
                        

    For the fields you added:

    • certificate: holds the content of your MyCertificate.crt file. Open that file to copy its contents and paste them here.

    • key: holds the content of your myPrivate.key file. Open that file to copy its contents and paste them here.

    • name: is required, and its value must be nginx-ingressgateway-certs.

  3. Apply the changes that you made to the CR file.

    kubectl apply -f /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml
  4. Restart the nginx pod.

    To require a certificate for HTTPS access, you must restart the nginx pod.

    1. Get the full name of the pod.

      kubectl get pods -n turbonomic

      In the output, look for the entry for nginx. You should find an entry similar to:

      nginx-5b775f498-sm2mm                        1/1     Running   0
    2. Restart the pod.

      kubectl delete pod nginx-<UID> -n turbonomic

      Where <UID> is the generated ID for the pod instance.

    After the nginx pod restarts, Turbonomic requires a certificate for HTTPS access.