8.1.4 or Earlier OVA: Installing a self-signed certificate

To set up secure access from an LDAP server to a Turbonomic platform that was initially installed before version 8.1.5, complete the following steps. This process assumes that you have authorization to get a certificate from the LDAP server, as well as admin authority on the Turbonomic platform.

  1. Open an SSH terminal session to your Turbonomic instance.

    Log in with the System Administrator account that you set up when you installed Turbonomic:

    • Username: turbo

    • Password: [your_private_password]

  2. Download your LDAP Server certificate to the Turbonomic instance.

    Acquire a certificate from your LDAP administrator, and download it to the Turbonomic platform. For example, you can download it to the file /tmp/ldapserver.pem.

  3. Import the .pem file to the Turbonomic TrustStore by using the keytool utility.

    Note:

    This step modifies the cacerts file on the Turbonomic platform.

    1. Install the keytool utility (provided by the OpenJDK package) at /usr/bin/keytool.

      sudo yum install java-1.8.0-openjdk
    2. If an alias for an LDAP certificate already exists, delete that certificate. For example, assuming the alias ldapcert1, run the following command:

      keytool -delete -alias ldapcert1 -keystore cacerts -storepass changeit
    3. Import your new certificate to the TrustStore.

      keytool -import -alias ldapcert1 -file /tmp/ldapserver.pem -keystore cacerts -deststoretype jks -storepass changeit -noprompt
  4. Copy the TrustStore into the Turbonomic authorization pod. In the following command, $auth_pod stands for the name of the authorization pod:

    kubectl cp cacerts $auth_pod:/home/turbonomic/data/cacerts
  5. Update the platform's Operator Chart to use the TrustStore.

    1. Open the chart file for editing.

      /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml
    2. Add the TrustStore as an authorization spec for the component options.

      In the chart file, find the spec: section. Within that section, find the auth: subsection.

      This should be the second subsection in spec:, after global:. If there is no auth: subsection, you can add it to spec:.

    3. Add the TrustStore to the auth: subsection.

      Add the TrustStore path to a javaComponentOptions: statement within the auth: subsection. Add the path as a -D option. Use the same path that you copied the cacerts file to in the Turbonomic authorization pod. In the previous example, you copied it to $auth_pod:/home/turbonomic/data/cacerts.

      Following the previous example, the auth: subsection should be similar to the following, with auth indented by two spaces and javaComponentOptions indented by four spaces:

      # Pass in the JAVA_OPTS to the auth POD to set up additional options such as
      # a trustStore for AD Certificate(s) for LDAPS (Secure LDAP)
      auth:
        javaComponentOptions: "-Djavax.net.ssl.trustStore=/home/turbonomic/data/cacerts"
    4. Save the charts_v1alpha1_xl_cr.yaml file.
  6. Apply the Operator Chart changes to the Turbonomic platform.

    kubectl apply -f /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml

    The authorization component restarts so that it can use the new setting. As the component restarts, the rsyslog output should include the following message:

    -Djavax.net.ssl.trustStore=/home/turbonomic/data/cacerts
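The chart edit in step 5 can be made repeatable and checkable with the following POSIX shell helper. It is an added example, not part of the original procedure or of Turbonomic's tooling; the function names are hypothetical, the chart fragment it runs on is constructed, and it goes slightly beyond the text by also appending the -D option to a javaComponentOptions value that already holds other options.

```shell
#!/bin/sh
# Added helper (not Turbonomic tooling): makes step 5 repeatable. It puts
# -Djavax.net.ssl.trustStore=<path> into spec.auth.javaComponentOptions of the
# operator chart, creates auth: after global: when missing, never adds it twice.
set -e

# $1 = chart file (charts_v1alpha1_xl_cr.yaml), $2 = trustStore path inside the auth pod
set_truststore_option() {
  chart="$1"; opt="-Djavax.net.ssl.trustStore=$2"
  has_auth=$(grep -c '^  auth:' "$chart" || true)
  awk -v opt="$opt" -v has_auth="$has_auth" '
    function emit() { print "    javaComponentOptions: \"" opt "\""; done = 1 }
    # A non-blank line indented by fewer than four spaces closes the open subsection.
    in_auth && !/^    / && !/^ *$/   { if (!done) emit(); in_auth = 0 }
    in_global && !/^    / && !/^ *$/ { in_global = 0; if (!has_auth) { print "  auth:"; emit() } }
    /^  global:/ { in_global = 1 }
    /^  auth:/   { in_auth = 1 }
    # An existing javaComponentOptions value keeps its content; the -D option is appended once.
    in_auth && /^    javaComponentOptions:/ {
      if (index($0, opt) == 0) {
        v = $0; sub(/^    javaComponentOptions:[ ]*/, "", v); sub(/^"/, "", v); sub(/"$/, "", v)
        $0 = "    javaComponentOptions: \"" v " " opt "\""
      }
      done = 1
    }
    { print }
    END {
      if (in_auth && !done) emit()
      if (in_global && !has_auth) { print "  auth:"; emit() }
    }
  ' "$chart" > "$chart.tmp" && mv "$chart.tmp" "$chart"
}

# Returns 0 when the option is present under spec.auth, 1 otherwise.
check_truststore_option() {
  awk -v opt="-Djavax.net.ssl.trustStore=$2" '
    /^[^ ]/ || /^  [^ ]/ { in_auth = ($0 ~ /^  auth:/) }
    in_auth && /^    javaComponentOptions:/ && index($0, opt) { found = 1 }
    END { exit !found }
  ' "$1"
}

# Demo on a constructed chart fragment (not a real Turbonomic CR).
demo_chart=$(mktemp)
printf '%s\n' 'spec:' '  global:' '    tag: 8.1.4' '  api:' '    replicas: 1' > "$demo_chart"
set_truststore_option "$demo_chart" /home/turbonomic/data/cacerts
check_truststore_option "$demo_chart" /home/turbonomic/data/cacerts && cat "$demo_chart"
rm -f "$demo_chart"
```

Run check_truststore_option against the chart after step 6 as well; a missing option there explains an authorization pod that restarts without the trustStore line in its rsyslog output.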