8.1.4 or Earlier OVA: Installing a self-signed certificate
To set up secure access (LDAPS) from an LDAP server to a Turbonomic platform that was initially installed before version 8.1.5, complete the following steps. This process assumes that you are authorized to obtain the certificate from the LDAP server, and that you have admin authority on the Turbonomic platform.

1. Open an SSH terminal session to your Turbonomic instance.
   Log in with the System Administrator account that you set up when you installed Turbonomic:
   Username: turbo
   Password: [your_private_password]

2. Download your LDAP server certificate to the Turbonomic instance.
   Acquire the certificate from your LDAP administrator and download it to the Turbonomic platform. For example, you can download it to the file /tmp/ldapserver.pem.
   The import in the next step runs with -noprompt, so keytool will not show you the certificate's fingerprint for confirmation. Verify the file before you import it, for example by comparing its fingerprint (keytool -printcert -file /tmp/ldapserver.pem) with the fingerprint your LDAP administrator gave you.

3. Import the .pem file into the Turbonomic TrustStore by using the keytool utility.
   Note: This step modifies the cacerts file on the Turbonomic platform. Run the keytool commands from the directory that contains that cacerts file, or pass its full path to -keystore. Importing into the existing cacerts file, rather than into a new, empty keystore, matters: the -Djavax.net.ssl.trustStore option that you set later replaces the JVM's default TrustStore instead of adding to it, so the store you point the authorization component at must still contain the CA certificates it needs for any other TLS connection.

   a. Install the keytool utility in /usr/bin/keytool:
      sudo yum install java-1.8.0-openjdk

   b. If an alias for an LDAP certificate already exists, delete that certificate. For example, assuming the alias ldapcert1, run the following command:
      keytool -delete -alias ldapcert1 -keystore cacerts -storepass changeit
      keytool -delete fails if the alias does not exist. To check whether it does, run:
      keytool -list -alias ldapcert1 -keystore cacerts -storepass changeit

   c. Import your new certificate into the TrustStore:
      keytool -import -alias ldapcert1 -file /tmp/ldapserver.pem -keystore cacerts -deststoretype jks -storepass changeit -noprompt

4. Add the TrustStore to the Turbonomic authorization pod.
   In the following command, $auth_pod stands for the name of the authorization pod, as listed by kubectl get pods. If your kubectl context does not default to the Turbonomic namespace, also pass that namespace with -n.
   kubectl cp cacerts $auth_pod:/home/turbonomic/data/cacerts

5. Update the platform's Operator Chart to use the TrustStore.

   a. Open the chart file for editing:
      /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml

   b. Add the TrustStore as an authorization spec for the component options.
      In the chart file, find the spec: section. Within that section, find the auth: subsection. This should be the second subsection in spec:, after global:. If there is no auth: subsection, you can add it to spec:.

   c. Add the TrustStore to the auth: subsection.
      Add the TrustStore path to a javaComponentOptions: statement within the auth: subsection. Add the path as a -D option. Use the same path that you copied the cacerts file to in the Turbonomic authorization pod. In the previous example, you copied it to $auth_pod:/home/turbonomic/data/cacerts.
      Following the previous example, the auth: subsection should be similar to the following, with auth indented by two spaces and javaComponentOptions indented by four spaces:

      # Pass in the JAVA_OPTS to the auth POD to set up additional options such as
      # a trustStore for AD Certificate(s) for LDAPS (Secure LDAP)
      auth:
        javaComponentOptions: "-Djavax.net.ssl.trustStore=/home/turbonomic/data/cacerts"

   d. Save the charts_v1alpha1_xl_cr.yaml file.

6. Apply the Operator Chart changes to the Turbonomic platform:
   kubectl apply -f /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml

   The authorization component restarts so that it can use the new setting. As the component restarts, the rsyslog output should include the following message:
   -Djavax.net.ssl.trustStore=/home/turbonomic/data/cacerts
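The whole procedure, steps 3 through 6, as one script with the checks an operator would want around it. This is an added example, not Turbonomic's own tooling. It assumes things the page does not state: that the Turbonomic namespace is turbonomic, that the authorization pod's name starts with auth-, that sha256sum exists in that container, and that the LDAPS host and port and the path of the JRE cacerts file are supplied through the environment (ldap.example.com is a hypothetical host). The chart edit is idempotent, so re-running the script does not duplicate the auth: subsection, and the certificate file is checked against the live LDAPS endpoint before the -noprompt import.

```shell
#!/bin/sh
# Added example, not Turbonomic's code. Assumptions: namespace "turbonomic",
# auth pod named "auth-*", sha256sum present in the auth container. Run as
# "sh ldaps_truststore.sh apply"; with no argument it only runs its self-check.
set -eu

LDAP_HOST="${LDAP_HOST:-ldap.example.com}"   # hypothetical LDAPS endpoint
LDAP_PORT="${LDAP_PORT:-636}"
CERT_FILE="${CERT_FILE:-/tmp/ldapserver.pem}"
ALIAS="${ALIAS:-ldapcert1}"
CACERTS="${CACERTS:-cacerts}"                # the JRE cacerts file being modified
STOREPASS="${STOREPASS:-changeit}"
NAMESPACE="${NAMESPACE:-turbonomic}"         # assumption, not from the page
POD_PATH="/home/turbonomic/data/cacerts"
CHART="/opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml"
JAVA_OPT="-Djavax.net.ssl.trustStore=$POD_PATH"

# keytool -import -noprompt never shows a fingerprint to confirm, so check that
# the file actually verifies the live endpoint first. Works whether the file is
# the self-signed server certificate itself or the CA that issued it.
verify_cert_file() {
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -CAfile "$CERT_FILE" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

alias_present() {
    keytool -list -alias "$ALIAS" -keystore "$CACERTS" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Step 3: delete a stale alias only if it exists (keytool -delete fails
# otherwise), import, then confirm the alias is now in the store.
import_cert() {
    if alias_present; then
        keytool -delete -alias "$ALIAS" -keystore "$CACERTS" -storepass "$STOREPASS"
    fi
    keytool -import -alias "$ALIAS" -file "$CERT_FILE" -keystore "$CACERTS" \
        -deststoretype jks -storepass "$STOREPASS" -noprompt
    alias_present
}

auth_pod() {
    kubectl -n "$NAMESPACE" get pods -o name | sed 's#^pod/##' | grep '^auth-' | head -n 1
}

# Step 4: copy the store into the pod and compare checksums end to end.
copy_to_pod() {
    pod=$(auth_pod)
    [ -n "$pod" ] || { echo "no auth pod in namespace $NAMESPACE" >&2; return 1; }
    kubectl -n "$NAMESPACE" cp "$CACERTS" "$pod:$POD_PATH"
    local_sum=$(sha256sum "$CACERTS" | cut -d' ' -f1)
    remote_sum=$(kubectl -n "$NAMESPACE" exec "$pod" -- sha256sum "$POD_PATH" | cut -d' ' -f1)
    [ "$local_sum" = "$remote_sum" ]
}

# Step 5: idempotent edit of the CR. If spec.auth exists, (re)set its
# javaComponentOptions and drop any old value; otherwise add an auth:
# subsection right under spec: (YAML mappings are unordered, so that is fine).
ensure_auth_options() {
    file=$1; opt=$2; tmp="$file.tmp"
    if grep -q '^  auth:' "$file"; then
        awk -v opt="$opt" '
            /^  auth:[[:space:]]*$/ { print; printf "    javaComponentOptions: \"%s\"\n", opt; in_auth=1; next }
            in_auth && /^  [^ ]/ { in_auth=0 }
            in_auth && /^    javaComponentOptions:/ { next }
            { print }' "$file" >"$tmp"
    else
        awk -v opt="$opt" '
            { print }
            /^spec:[[:space:]]*$/ {
                print "  # Pass in the JAVA_OPTS to the auth POD to set up additional options such as"
                print "  # a trustStore for AD Certificate(s) for LDAPS (Secure LDAP)"
                print "  auth:"
                printf "    javaComponentOptions: \"%s\"\n", opt
            }' "$file" >"$tmp"
    fi
    mv "$tmp" "$file"
}

# Self-check on constructed (not real) minimal CRs: one with an existing auth:
# subsection carrying an old value, one without, plus a second pass for idempotence.
self_check() {
    t1=$(mktemp); t2=$(mktemp)
    printf 'kind: Xl\nspec:\n  global:\n    tag: 8.1.4\n  auth:\n    javaComponentOptions: "-Dold=1"\n  api:\n    replicas: 1\n' >"$t1"
    printf 'kind: Xl\nspec:\n  global:\n    tag: 8.1.4\n' >"$t2"
    ensure_auth_options "$t1" "$JAVA_OPT"
    ensure_auth_options "$t2" "$JAVA_OPT"
    ensure_auth_options "$t2" "$JAVA_OPT"
    ok=0
    [ "$(grep -cF "javaComponentOptions: \"$JAVA_OPT\"" "$t1")" = 1 ] &&
    ! grep -q 'Dold=1' "$t1" && grep -q '^  api:' "$t1" &&
    [ "$(grep -cF "javaComponentOptions: \"$JAVA_OPT\"" "$t2")" = 1 ] &&
    [ "$(grep -c '^  auth:' "$t2")" = 1 ] || ok=1
    rm -f "$t1" "$t2"
    return $ok
}

main() {
    verify_cert_file || { echo "$CERT_FILE does not verify $LDAP_HOST:$LDAP_PORT; not importing" >&2; return 1; }
    import_cert
    copy_to_pod
    ensure_auth_options "$CHART" "$JAVA_OPT"
    kubectl apply -f "$CHART"   # step 6; the auth component restarts
    echo "watch the rsyslog output for: $JAVA_OPT"
}

case "${1:-}" in
    apply) main ;;
    *) self_check && echo "self-check passed (run with 'apply' to change the platform)" ;;
esac
```

The endpoint check is the part worth keeping even if you type the rest by hand: once -noprompt is on the keytool command line, nothing else in the procedure confirms that the file you were sent is the certificate the LDAPS listener actually presents.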