8.1.5 or Later OVA: Installing a self-signed certificate

To set up secure (LDAPS) access from a Turbonomic platform to an LDAP server, where the platform was initially installed as version 8.1.5 or later, complete the following steps. This process assumes that you have authorization to get the certificate from the LDAP server or its administrator, as well as admin authority on the Turbonomic platform.

  1. Open an SSH terminal session to your Turbonomic instance.

    Log in with the System Administrator that you set up when you installed Turbonomic:

    • Username: turbo

    • Password: [your_private_password]

  2. Download your LDAP Server certificate to the Turbonomic instance.

Acquire the certificate from your LDAP administrator, and download it to the Turbonomic platform. For example, you can download it to the file /tmp/ldapserver.crt. Confirm the certificate's fingerprint with the LDAP administrator over a separate channel before you import it: anything you add to the TrustStore is trusted for LDAPS connections. If the LDAP server's certificate is issued by an internal CA rather than self-signed, import that CA certificate instead, so that the trust survives renewal of the server certificate.

  3. Import the .crt file to the Turbonomic TrustStore by using the keytool utility.

    Note:

This step modifies the cacerts file on the Turbonomic platform. The commands below refer to cacerts by a relative path, so run them from the directory that contains it, or pass its full path to -keystore.

    1. If an alias for an LDAP certificate already exists, delete that certificate. For example, assuming the alias ldapcert1, run the following command:

      keytool -delete -alias ldapcert1 -keystore cacerts -storepass changeit
    2. Import your new certificate to the TrustStore. The -noprompt option suppresses the interactive fingerprint confirmation, so verify the fingerprint before this step.

      keytool -import -alias ldapcert1 -file /tmp/ldapserver.crt -keystore cacerts -deststoretype jks -storepass changeit -noprompt
  4. Create an auth secret from the cacerts file.

    base64 cacerts > auth-secrets.yaml
  5. Open the secrets file for editing.

    vi auth-secrets.yaml
  6. Edit the file to make it a valid yaml file.

    1. Indent every line of the encoded TrustStore by four spaces.

      The file you created contains the base64 encoding of the cacerts TrustStore, one unindented line after another. The first step is to indent every one of those lines by four spaces so that they form a YAML block scalar. For example, in a vi editor, run the following command:

      :%s/^/    /g
    2. Add data fields to the secrets file.

      Add the following text to the upper section of the file:

      apiVersion: v1
      kind: Secret
      metadata:
        name: auth-secret
      data:
        cacerts: |
    3. Save your changes.

    The output is similar to the following example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: auth-secret
    data:
      cacerts: |
        /u3+7QAAAAIAAAABAAAAAgAFY2VydDEAAAF5H2lEigAFWC41MDkAAAYQMIIGDDCCBPSgAwIBAgIT
        HAAAARHIFJdLbG90sAAAAAABETANBgkqhkiG9w0BAQUFADBcMRMwEQYKCZImiZPyLGQBGRYDY29t
        MRcwFQYKCZImiZPyLGQBGRYHdm10dXJibzEUMBIGCgmSJomT8ixkARkWBGNvcnAxFjAUBgNVBAMT
        DWNvcnAtREVMTDEtQ0EwHhcNMjEwNDA4MDM0OTEyWhcNMjIwNDA4MDM0OTEyWjAhMR8wHQYDVQQD
        ExZkZWxsMS5jb3JwLnZtdHVyYm8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
        sCXuh2MTrFERyU/aKgdbgyjLezNuwF6nmZveZUhDaJDpfLHJlzhwfyYRTGfSSusVo4polJS4WqPZ
        T3Zk8f2IaX04RpfpQErq5N3uY/BxFkATWLMDiquSd0Di798k2diYXAxXvzMmfmIkBBYJta9oztum
        uXyh/42dXOGznQ5fFuxosgAksZ6CnXGDKrTBlb0bHpST1z1Pdg+fJ+f9Tq7IffOYdVbuedFTwsik
        Z0JgDCIRrmmsOJphiHdBqJ6ZLdbSeEzBIbboiQs81pAELw7V0ZZUfKV6y8+zMTACGwpVPJSFv7LX
        RlW1TWcqhXVAOmroe2WcU8KJE6XZTBxp7z7dzwIDAQABo4IDADCCAvwwLwYJKwYBBAGCNxQCBCIe
        IABEAG8AbQBhAGkAbgBDAG8AbgB0AHIAbwBsAGwAZQByMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr
        BgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAweAYJKoZIhvcNAQkPBGswaTAOBggqhkiG9w0DAgICAIAw
        DgYIKoZIhvcNAwQCAgCAMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAS0wCwYJYIZIAWUDBAECMAsG
        CWCGSAFlAwQBBTAHBgUrDgMCBzAKBggqhkiG9w0DBzBCBgNVHREEOzA5oB8GCSsGAQQBgjcZAaAS
        BBDswjlHut/nQZ0uK2aUglGbghZkZWxsMS5jb3JwLnZtdHVyYm8uY29tMB0GA1UdDgQWBBR6M7Hb
        BiirpjIXQ3PXXScB8LkmRDAfBgNVHSMEGDAWgBRjs9l3el7SuKUDMlrHHRhBkENgaDCB0QYDVR0f
        BIHJMIHGMIHDoIHAoIG9hoG6bGRhcDovLy9DTj1jb3JwLURFTEwxLUNBLENOPWRlbGwxLENOPUNE
        UCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9u
        LERDPWNvcnAsREM9dm10dXJibyxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNl
        P29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHHBggrBgEFBQcBAQSBujCBtzCBtAYI
        KwYBBQUHMAKGgadsZGFwOi8vL0NOPWNvcnAtREVMTDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtl
        eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Y29ycCxEQz12bXR1
        cmJvLERDPWNvbT9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1
        dGhvcml0eTANBgkqhkiG9w0BAQUFAAOCAQEADP6OYLONkZ2j6gaBdfdoIJtvn1g1qXTsRrtFuUcF
        C9mUxL0G5Tudr0VlyEnLH2wtj10CGsIi54+aPGYiElXijThEe1WTHaO2hklRLdNrM8KxUp3tUNb/
        cP4d+EYt297wVWgxpl9MStiND8+7M2+65daoEu5IOLtq4lC7YlCSXay19N5HdiGBHV5L07PTZ261
        qDzShSb0ZWtG7++5VkqveVEIfs3hUYdaItz0Zu6sym90aUcvn5wohV1GPPqGDvVCg5Kf50hsZfmy
        ltNlaqiiqLMnYVMa93CkpFFjoP9gmGFJky0yTfh6G8HuqbI7guddDsUqMQTT3uv3EBwSYeImOya7
        Zye5C4NnsAfnx8kOwXdsVERC
  7. Apply this secrets file to the platform environment.

    Create the Secret in the namespace that the Turbonomic auth pod runs in, because a pod can only mount Secrets from its own namespace. Add -n <namespace> to the command if your kubectl context does not already default to that namespace.

    kubectl apply -f auth-secrets.yaml
  8. Update the platform's Operator Chart to use the cacerts certificate that you created in the secrets file.
    1. Open the chart file for editing.

      vi /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml
    2. Add the certification secret as an authorization spec for the component options.

      In the chart file, find the spec: section. Within that section, find the auth: subsection.

      This should be the second subsection in spec:, after global:. If there is no auth: subsection, you can add it to spec:.

    3. Add the certification secret to the file:

      Add the secret's path to a javaComponentOptions: statement within the auth: subsection. Add the path as a -D option. The auth: subsection should be similar to the following example, with auth indented by two spaces and javaComponentOptions indented by four spaces:

      # Pass in the JAVA_OPTS to the auth POD to set up additional options such as
      # a trustStore for AD Certificate(s) for LDAPS (Secure LDAP)
      auth:
          javaComponentOptions: "-Djavax.net.ssl.trustStore=/home/turbonomic/data/helper_dir/cacerts"
    4. Apply the Operator Chart changes to the Turbonomic platform.

      kubectl apply -f /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml

      The auth component restarts so that it can use the new setting. Confirm that the auth pod has come back up, then test a login with an LDAP user to verify the LDAPS connection.
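The non-interactive equivalent of steps 4 through 6 and 8, as an added shell example that is not part of the Turbonomic documentation: it writes the auth-secret manifest from a truststore file without hand-editing it in vi, checks that the manifest decodes back to the original keystore byte for byte, and sets the javaComponentOptions line in the operator CR. The function names, the round-trip check, and the choice to add a missing auth: subsection directly under spec: are this example's own; the Secret name, the cacerts key, and the in-pod trustStore path are the ones the procedure uses. keytool and kubectl are not run here; you would still run the keytool import (step 3) and the two kubectl apply commands (steps 7 and 8) from the procedure.

```shell
#!/bin/bash
# Added example (not Turbonomic's own tooling): non-interactive versions of
# steps 4-6 and 8 of the procedure above. Assumes GNU coreutils (base64, sed,
# awk, cmp) as found on the appliance.
set -eu

# Mount path of the Secret inside the auth pod, as given in the procedure.
TRUSTSTORE_IN_POD=/home/turbonomic/data/helper_dir/cacerts

# make_auth_secret <truststore-file> <output-yaml>
# Writes a Secret named auth-secret whose data.cacerts holds the base64 of the
# truststore, every line indented four spaces (what the vi :%s/^/    /g does).
make_auth_secret() {
    local store="$1" out="$2"
    {
        printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: auth-secret\ndata:\n  cacerts: |\n'
        base64 "$store" | sed 's/^/    /'
    } > "$out"
}

# decode_cacerts <yaml> <output-file>
# Reverses make_auth_secret: takes the indented block under "cacerts: |",
# strips the indentation and base64-decodes it.
decode_cacerts() {
    local yaml="$1" out="$2"
    sed -n '/^  cacerts: |$/,$p' "$yaml" | sed '1d; s/^    //' | base64 -d > "$out"
}

# verify_roundtrip <truststore> <yaml>
# Prints "ok" and returns 0 when the manifest decodes back to the original
# keystore byte for byte; otherwise prints "MISMATCH" and returns 1. Run this
# before kubectl apply: a stray character from manual editing silently yields
# an unusable truststore in the pod.
verify_roundtrip() {
    local store="$1" yaml="$2" tmp
    tmp=$(mktemp)
    decode_cacerts "$yaml" "$tmp"
    if cmp -s "$store" "$tmp"; then
        rm -f "$tmp"; echo ok; return 0
    fi
    rm -f "$tmp"; echo MISMATCH; return 1
}

# set_auth_truststore <cr-yaml>
# Ensures spec.auth.javaComponentOptions points the JVM at the mounted
# truststore. Replaces an existing javaComponentOptions line under auth:
# (whatever its indentation) and, when there is no auth: subsection, adds one
# directly under spec: (an assumption of this example; the procedure only says
# the subsection may be added to spec:).
set_auth_truststore() {
    local cr="$1"
    local opt="    javaComponentOptions: \"-Djavax.net.ssl.trustStore=$TRUSTSTORE_IN_POD\""
    if grep -q '^  auth:' "$cr"; then
        awk -v opt="$opt" '
            /^  auth:/ { print; print opt; inauth = 1; next }   # emit ours right after auth:
            inauth && /^ +javaComponentOptions:/ { next }       # drop the old setting
            /^  [^ ]/ { inauth = 0 }                            # next 2-space key ends auth:
            { print }' "$cr" > "$cr.tmp"
    else
        awk -v opt="$opt" '{ print } /^spec:/ { print "  auth:"; print opt }' "$cr" > "$cr.tmp"
    fi
    mv "$cr.tmp" "$cr"
}
```

Typical use on the appliance, after the keytool import: `make_auth_secret cacerts auth-secrets.yaml`, `verify_roundtrip cacerts auth-secrets.yaml`, then `kubectl apply -f auth-secrets.yaml`, `set_auth_truststore /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml`, and the final `kubectl apply` from step 8. The round-trip check is the part worth keeping even if you prefer vi: Kubernetes decodes the block happily as long as it is valid base64, so a damaged payload only shows up later as a JVM that cannot open its truststore.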