8.1.5 or Later OVA: Installing a self-signed certificate
To set up secure (LDAPS) access from a Turbonomic platform that was initially installed as version 8.1.5 or later to your LDAP server, complete the following steps. The auth component must trust the certificate that the LDAP server presents, so this procedure imports that certificate into the Java trust store (cacerts) that the auth component uses. This process assumes that you have authorization to get a certificate from the LDAP server, as well as admin authority on the Turbonomic platform.

1. Open an SSH terminal session to your Turbonomic instance.

Log in with the System Administrator account that you set up when you installed Turbonomic:

Username: turbo
Password: [your_private_password]

2. Download your LDAP server certificate to the Turbonomic instance.

Acquire the certificate from your LDAP administrator and download it to the Turbonomic platform. For example, you can download it to the file /tmp/ldapserver.crt.

3. Import the .crt file into the Turbonomic TrustStore by using the keytool utility.

Note: This step modifies the cacerts file on the Turbonomic platform. The following commands refer to cacerts by a relative path, so run them from the directory that contains that file.

a. If an alias for an LDAP certificate already exists, delete that certificate. For example, assuming the alias ldapcert1, run the following command:

keytool -delete -alias ldapcert1 -keystore cacerts -storepass changeit

b. Import your new certificate into the TrustStore:

keytool -import -alias ldapcert1 -file /tmp/ldapserver.crt -keystore cacerts -deststoretype jks -storepass changeit -noprompt

The -noprompt option suppresses the display of the certificate and the confirmation prompt, so confirm the certificate's fingerprint with your LDAP administrator before you import it.

4. Create an auth secret from the cacerts file.

base64 cacerts > auth-secrets.yaml

a. Open the secrets file for editing:

vi auth-secrets.yaml

b. Edit the file to make it a valid YAML file.

i. Indent every line of the certificate by four spaces.

When you created the file, it contained only the base64-encoded contents of the cacerts trust store. The first step is to indent every line by four spaces. For example, in a vi editor, run the following command:

:%s/^/    /g

ii. Add data fields to the secrets file.

Add the following text at the top of the file:

apiVersion: v1
kind: Secret
metadata:
  name: auth-secret
data:
  cacerts: |

Save your changes. The output is similar to the following example:

apiVersion: v1
kind: Secret
metadata:
  name: auth-secret
data:
  cacerts: |
    /u3+7QAAAAIAAAABAAAAAgAFY2VydDEAAAF5H2lEigAFWC41MDkAAAYQMIIGDDCCBPSgAwIBAgIT
    HAAAARHIFJdLbG90sAAAAAABETANBgkqhkiG9w0BAQUFADBcMRMwEQYKCZImiZPyLGQBGRYDY29t
    MRcwFQYKCZImiZPyLGQBGRYHdm10dXJibzEUMBIGCgmSJomT8ixkARkWBGNvcnAxFjAUBgNVBAMT
    DWNvcnAtREVMTDEtQ0EwHhcNMjEwNDA4MDM0OTEyWhcNMjIwNDA4MDM0OTEyWjAhMR8wHQYDVQQD
    ExZkZWxsMS5jb3JwLnZtdHVyYm8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
    sCXuh2MTrFERyU/aKgdbgyjLezNuwF6nmZveZUhDaJDpfLHJlzhwfyYRTGfSSusVo4polJS4WqPZ
    T3Zk8f2IaX04RpfpQErq5N3uY/BxFkATWLMDiquSd0Di798k2diYXAxXvzMmfmIkBBYJta9oztum
    uXyh/42dXOGznQ5fFuxosgAksZ6CnXGDKrTBlb0bHpST1z1Pdg+fJ+f9Tq7IffOYdVbuedFTwsik
    Z0JgDCIRrmmsOJphiHdBqJ6ZLdbSeEzBIbboiQs81pAELw7V0ZZUfKV6y8+zMTACGwpVPJSFv7LX
    RlW1TWcqhXVAOmroe2WcU8KJE6XZTBxp7z7dzwIDAQABo4IDADCCAvwwLwYJKwYBBAGCNxQCBCIe
    IABEAG8AbQBhAGkAbgBDAG8AbgB0AHIAbwBsAGwAZQByMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr
    BgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAweAYJKoZIhvcNAQkPBGswaTAOBggqhkiG9w0DAgICAIAw
    DgYIKoZIhvcNAwQCAgCAMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAS0wCwYJYIZIAWUDBAECMAsG
    CWCGSAFlAwQBBTAHBgUrDgMCBzAKBggqhkiG9w0DBzBCBgNVHREEOzA5oB8GCSsGAQQBgjcZAaAS
    BBDswjlHut/nQZ0uK2aUglGbghZkZWxsMS5jb3JwLnZtdHVyYm8uY29tMB0GA1UdDgQWBBR6M7Hb
    BiirpjIXQ3PXXScB8LkmRDAfBgNVHSMEGDAWgBRjs9l3el7SuKUDMlrHHRhBkENgaDCB0QYDVR0f
    BIHJMIHGMIHDoIHAoIG9hoG6bGRhcDovLy9DTj1jb3JwLURFTEwxLUNBLENOPWRlbGwxLENOPUNE
    UCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9u
    LERDPWNvcnAsREM9dm10dXJibyxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNl
    P29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHHBggrBgEFBQcBAQSBujCBtzCBtAYI
    KwYBBQUHMAKGgadsZGFwOi8vL0NOPWNvcnAtREVMTDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtl
    eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Y29ycCxEQz12bXR1
    cmJvLERDPWNvbT9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1
    dGhvcml0eTANBgkqhkiG9w0BAQUFAAOCAQEADP6OYLONkZ2j6gaBdfdoIJtvn1g1qXTsRrtFuUcF
    C9mUxL0G5Tudr0VlyEnLH2wtj10CGsIi54+aPGYiElXijThEe1WTHaO2hklRLdNrM8KxUp3tUNb/
    cP4d+EYt297wVWgxpl9MStiND8+7M2+65daoEu5IOLtq4lC7YlCSXay19N5HdiGBHV5L07PTZ261
    qDzShSb0ZWtG7++5VkqveVEIfs3hUYdaItz0Zu6sym90aUcvn5wohV1GPPqGDvVCg5Kf50hsZfmy
    ltNlaqiiqLMnYVMa93CkpFFjoP9gmGFJky0yTfh6G8HuqbI7guddDsUqMQTT3uv3EBwSYeImOya7
    Zye5C4NnsAfnx8kOwXdsVERC

5. Apply this secrets file to the platform environment:

kubectl apply -f auth-secrets.yaml

6. Update the platform's Operator Chart to use the cacerts trust store that you stored in the secret.

a. Open the chart file for editing:

/opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml

b. Add the certificate secret as an authorization spec for the component options.

In the chart file, find the spec: section. Within that section, find the auth: subsection. This should be the second subsection in spec:, after global:. If there is no auth: subsection, add it to spec:.

c. Add the trust store path to the file.

Add the path of the cacerts file that the secret provides to the auth pod to a javaComponentOptions: statement within the auth: subsection, as a -D option. The auth: subsection should be similar to the following example, with auth indented by two spaces and javaComponentOptions indented by four spaces:

  # Pass in the JAVA_OPTS to the auth POD to set up additional options such as
  # a trustStore for AD Certificate(s) for LDAPS (Secure LDAP)
  auth:
    javaComponentOptions: "-Djavax.net.ssl.trustStore=/home/turbonomic/data/helper_dir/cacerts"

d. Apply the Operator Chart changes to the Turbonomic platform:

kubectl apply -f /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml

The auth component restarts so that it can use the new setting.
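The whole procedure above in scripted form, as an added example that is not part of the Turbonomic documentation or product. It assumes a JDK keytool and kubectl on the PATH, and takes its defaults from the steps on this page: the alias ldapcert1, the certificate at /tmp/ldapserver.crt, and a cacerts trust store in the current directory with the JDK default password changeit (all of these are assumptions, adjust them for your platform). Compared with the manual steps it prints the certificate before trusting it so that the fingerprint can be compared with the one the LDAP administrator supplied, confirms the alias after the import, builds the Secret manifest with a single unwrapped base64 line so that no vi indenting is required, and checks that the value in the manifest decodes back to the exact trust-store bytes before anything is applied. The manifest builder and the round-trip check need only coreutils and run offline; keytool and kubectl are only invoked when the script is started with the run argument.

```shell
#!/bin/sh
# Added example: scripted form of the LDAPS trust-store procedure. Not from the
# Turbonomic documentation or product; the defaults below are assumptions taken
# from the steps on the page (alias ldapcert1, cert /tmp/ldapserver.crt, trust
# store ./cacerts with the JDK default password "changeit").

# Import an LDAP server certificate into a JKS trust store, with the checks the
# manual steps skip: show the cert before trusting it, confirm the alias after.
import_ldap_cert() {
    cert="$1"; cert_alias="$2"; store="$3"; storepass="${4:-changeit}"
    # Print subject, issuer, validity and fingerprints; compare the fingerprint
    # with the value your LDAP administrator gave you before continuing.
    keytool -printcert -file "$cert" || return 1
    # Replace any earlier certificate stored under the same alias; keytool -delete
    # fails when the alias is absent, which is fine here.
    keytool -delete -alias "$cert_alias" -keystore "$store" -storepass "$storepass" 2>/dev/null || true
    keytool -import -alias "$cert_alias" -file "$cert" -keystore "$store" \
        -deststoretype jks -storepass "$storepass" -noprompt || return 1
    # Confirm the entry exists (non-zero exit status if the alias is missing).
    keytool -list -alias "$cert_alias" -keystore "$store" -storepass "$storepass"
}

# Build the auth-secret manifest from the trust-store file. The value is written
# as one unwrapped base64 line, so no vi indenting and no "|" block is needed.
build_auth_secret_manifest() {
    store="$1"; name="${2:-auth-secret}"
    b64=$(base64 "$store" | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ndata:\n  cacerts: %s\n' \
        "$name" "$b64"
}

# Decode the cacerts value back out of a manifest and compare it byte for byte
# with the trust-store file; returns 0 when they match, 1 otherwise.
verify_manifest_roundtrip() {
    manifest="$1"; store="$2"
    tmp=$(mktemp)
    sed -n 's/^  cacerts: //p' "$manifest" | base64 -d > "$tmp"
    if cmp -s "$tmp" "$store"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Full procedure: import, build the Secret, check it, apply it. The Operator
# Chart edit (spec.auth.javaComponentOptions) is still done by hand.
main() {
    cert="${1:-/tmp/ldapserver.crt}"; cert_alias="${2:-ldapcert1}"; store="${3:-cacerts}"
    import_ldap_cert "$cert" "$cert_alias" "$store" || return 1
    build_auth_secret_manifest "$store" > auth-secrets.yaml
    verify_manifest_roundtrip auth-secrets.yaml "$store" || return 1
    kubectl apply -f auth-secrets.yaml || return 1
    echo "Secret applied. Now set spec.auth.javaComponentOptions to"
    echo "  \"-Djavax.net.ssl.trustStore=/home/turbonomic/data/helper_dir/cacerts\""
    echo "in charts_v1alpha1_xl_cr.yaml and kubectl apply that file."
}

# Only run the full procedure when invoked as:
#   sh ldap_truststore.sh run [cert] [alias] [cacerts-path]
if [ "${1:-}" = "run" ]; then
    main "$2" "$3" "$4"
fi
```

The single-line manifest is the same shape that kubectl itself generates with kubectl create secret generic auth-secret --from-file=cacerts=cacerts --dry-run=client -o yaml, which is a reasonable substitute for the base64-and-vi steps when kubectl is already at hand. Note that -Djavax.net.ssl.trustStore replaces the JVM's default trust store for the auth component rather than extending it, which is why the secret is built from the whole cacerts file (the default CA set plus the LDAP certificate) and not from the LDAP certificate alone.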