Red Hat OpenShift: Installing a self-signed certificate

This section describes how to set up secure access from an LDAP server to a Turbonomic platform. It assumes you have authorization to get a certificate from the LDAP server, as well as admin authority on the Turbonomic platform.

  1. Download your LDAP Server certificate to the Turbonomic instance.

    Acquire a certificate from your LDAP administrator, and download it to the Turbonomic platform. For example, you can download it temporarily to the file /tmp/ldapserver.crt.

  2. Import the .crt file to the Turbonomic TrustStore by using the keytool utility.

    Note:

    This step modifies the cacerts file on the Turbonomic platform.

    1. Copy the /tmp/ldapserver.crt file inside the auth pod.

      # Copy from the local /tmp directory into the auth pod with oc cp (plain cp cannot address a pod)
      oc cp /tmp/ldapserver.crt auth-d6f94c4c7-vx2pp:/home/turbonomic/data/ldapserver.crt
    2. Log into the auth pod.

      oc rsh auth-d6f94c4c7-vx2pp
    3. Copy the cacerts file from /etc/pki/ca-trust/extracted/java/cacerts to /home/turbonomic/data/cacerts.

      cp /etc/pki/ca-trust/extracted/java/cacerts /home/turbonomic/data/cacerts
    4. Run the following keytool command inside the auth pod to import your new certificate to the TrustStore:

      # Both files live in /home/turbonomic/data inside the pod; absolute paths avoid depending on the shell's working directory
      keytool -import -alias ldapcert1 -file /home/turbonomic/data/ldapserver.crt -keystore /home/turbonomic/data/cacerts -deststoretype jks -storepass changeit -noprompt
  3. Add the TrustStore to the Turbonomic authorization pod.

    # $auth_pod holds the name of the auth pod, for example auth-d6f94c4c7-vx2pp
    oc cp cacerts $auth_pod:/home/turbonomic/data/cacerts
  4. Update the platform's Operator Chart to use the TrustStore.

    1. Open the yaml file for editing.

      oc edit xl xl-release

      Alternatively, you can edit the file directly in the Red Hat OpenShift UI.

    2. Add the TrustStore as an authorization spec for the component options.

      In the yaml file, find the spec: section. Within that section, find the auth: subsection.

      This should be the second subsection in spec:, after global:. If there is no auth: subsection, you can add it to spec:.

    3. Add the TrustStore to the auth: subsection.

      Add the TrustStore path to a javaComponentOptions: statement within the auth: subsection. Add the path as a -D option. Use the same path that you copied the cacerts file to in the Turbonomic authorization pod.

      The auth: subsection should be similar to the following, with auth indented by two spaces and javaComponentOptions indented by four spaces:

      # Pass in the JAVA_OPTS to the auth POD to set up additional options such as 
      # a trustStore for AD Certificate(s) for LDAPS (Secure LDAP)
      spec:
        auth:
          javaComponentOptions: "-Djavax.net.ssl.trustStore=/home/turbonomic/data/cacerts"

      The authorization component restarts so that it can use the new setting. As it restarts, the rsyslog output should include the option shown below. Alternatively, exec into the auth pod and run ps -ef | grep java; the java command line should include the same option:

      -Djavax.net.ssl.trustStore=/home/turbonomic/data/cacerts
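After the keytool import in step 2, it is worth confirming that the alias actually landed in cacerts and that the store password still verifies before you wire the file into the auth pod. The following script is an added example, not Turbonomic or Red Hat code: a pure-Python reader for the JKS format that the -deststoretype jks option produces. It checks the store's integrity digest with the password and lists the trusted-certificate entries with their SHA-256 fingerprints, so you can compare against the ldapserver.crt you imported (keytool -list inside the pod gives the same information). The JKS layout and the integrity hash are the JDK's own behaviour; the sample store that build_sample_store() assembles uses placeholder bytes, not a real certificate.

```python
"""Pure-Python check that a certificate alias landed in a JKS TrustStore.

Added example, not Turbonomic or Red Hat code. The sample store is constructed
here from placeholder bytes; run read_jks() on a cacerts file copied out of the
auth pod with oc cp to check a real store.
"""
import hashlib
import struct
import time

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TAG_PRIVATE_KEY = 1
TAG_TRUSTED_CERT = 2
STORE_PASSWORD = "changeit"          # default password of the cacerts file
EXPECTED_ALIAS = "ldapcert1"         # alias used in the keytool command above
# Placeholder bytes standing in for the DER-encoded LDAP server certificate (constructed).
SAMPLE_DER = b"\x30\x82\x00\x05\x02\x03\x01\x02\x03"


def _integrity_hash(password: str):
    """SHA-1 keyed the way the JDK does it: UTF-16BE password, fixed salt, then the file body."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(b"Mighty Aphrodite")
    return md


def _utf(s: bytes) -> bytes:
    """DataOutputStream.writeUTF: 2-byte big-endian length prefix, then the bytes."""
    return struct.pack(">H", len(s)) + s


def write_jks(trusted: dict, password: str) -> bytes:
    """Serialise {alias: der_bytes} as a version-2 JKS file holding trusted-cert entries only."""
    body = bytearray(struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(trusted)))
    for alias, der in trusted.items():
        body += struct.pack(">I", TAG_TRUSTED_CERT)
        body += _utf(alias.lower().encode("utf-8"))      # keytool stores aliases lower-cased
        body += struct.pack(">q", int(time.time() * 1000))  # creation time in ms
        body += _utf(b"X.509")                           # certificate type
        body += struct.pack(">I", len(der)) + der
    md = _integrity_hash(password)
    md.update(bytes(body))
    return bytes(body) + md.digest()


def read_jks(data: bytes, password: str) -> dict:
    """Return {alias: sha256_hex} for trusted-cert entries; raise ValueError on a bad password."""
    body, digest = data[:-20], data[-20:]
    md = _integrity_hash(password)
    md.update(body)
    if md.digest() != digest:
        raise ValueError("JKS integrity check failed: wrong store password or corrupted file")
    pos = 0

    def u32() -> int:
        nonlocal pos
        (v,) = struct.unpack_from(">I", body, pos)
        pos += 4
        return v

    def utf() -> str:
        nonlocal pos
        (n,) = struct.unpack_from(">H", body, pos)
        pos += 2
        s = body[pos:pos + n].decode("utf-8")
        pos += n
        return s

    magic, version, count = u32(), u32(), u32()
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS file")
    entries = {}
    for _ in range(count):
        tag, alias = u32(), utf()
        pos += 8                                    # creation timestamp, not needed here
        if tag == TAG_TRUSTED_CERT:
            if version == 2:
                utf()                               # certificate type, "X.509"
            n = u32()
            entries[alias] = hashlib.sha256(body[pos:pos + n]).hexdigest()
            pos += n
        elif tag == TAG_PRIVATE_KEY:                # skip; a TrustStore should hold none
            n = u32()                               # protected private-key bytes
            pos += n
            for _ in range(u32()):                  # certificate chain
                if version == 2:
                    utf()
                n = u32()
                pos += n
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    return entries


def alias_imported(store: bytes, password: str, alias: str, der: bytes) -> bool:
    """True when alias is present and its certificate matches the file you imported."""
    return read_jks(store, password).get(alias.lower()) == hashlib.sha256(der).hexdigest()


def build_sample_store() -> bytes:
    """Constructed test data: a store holding only the placeholder ldapcert1 entry."""
    return write_jks({EXPECTED_ALIAS: SAMPLE_DER}, STORE_PASSWORD)


if __name__ == "__main__":
    store = build_sample_store()
    print(read_jks(store, STORE_PASSWORD))
    print(alias_imported(store, STORE_PASSWORD, EXPECTED_ALIAS, SAMPLE_DER))
```

To check the real store, copy it out with oc cp auth-d6f94c4c7-vx2pp:/home/turbonomic/data/cacerts ./cacerts, then call alias_imported(open("cacerts", "rb").read(), "changeit", "ldapcert1", open("/tmp/ldapserver.crt", "rb").read()); pass the DER form of the certificate, since the fingerprint is taken over the bytes keytool stored. A ValueError from the integrity check means the store password is not changeit or the file was damaged in transit.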
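Step 4 asks you to put the trustStore path into javaComponentOptions and then confirm, from rsyslog or from ps -ef | grep java inside the auth pod, that the JVM started with it. The following added example (not Turbonomic code) covers the caveat the page leaves implicit: if the auth: subsection already carries javaComponentOptions, the new -D option must be appended to it rather than replace it, or the existing flags are lost. It also parses a ps line to check that the running JVM has the expected trustStore. EXISTING_OPTIONS and PS_LINE are constructed sample values, standing in for what oc get xl xl-release -o yaml and ps in the pod would show.

```python
"""Added example (not Turbonomic code): merge the trustStore -D option into an
existing javaComponentOptions string and verify it on the running auth JVM.

EXISTING_OPTIONS and PS_LINE are constructed sample inputs.
"""
import shlex

TRUSTSTORE_PROPERTY = "javax.net.ssl.trustStore"
TRUSTSTORE_PATH = "/home/turbonomic/data/cacerts"

# Constructed: options already present under spec.auth, including a stale trustStore
EXISTING_OPTIONS = "-Xmx2g -Djavax.net.ssl.trustStore=/old/cacerts -Dlog.level=INFO"
# Constructed: one line of `ps -ef | grep java` output from inside the auth pod
PS_LINE = ("turbo      1     0  3 10:15 ?        00:01:12 java -Xmx2g "
           "-Dlog.level=INFO -Djavax.net.ssl.trustStore=/home/turbonomic/data/cacerts "
           "-jar /auth.jar")


def set_system_property(options: str, name: str, value: str) -> str:
    """Return options with -D<name>=<value> set: any earlier -D<name> is replaced,
    every other JVM flag is kept in its original order."""
    kept = [t for t in shlex.split(options or "") if not t.startswith(f"-D{name}=")]
    return " ".join(kept + [f"-D{name}={value}"])


def java_system_properties(ps_line: str) -> dict:
    """Map the -D<key>=<value> properties found on one ps line of a java process."""
    props = {}
    for tok in shlex.split(ps_line):
        if tok.startswith("-D") and "=" in tok:
            key, val = tok[2:].split("=", 1)
            props[key] = val
    return props


def truststore_active(ps_line: str, expected: str = TRUSTSTORE_PATH) -> bool:
    """True when the JVM on this ps line was started with the expected trustStore."""
    return java_system_properties(ps_line).get(TRUSTSTORE_PROPERTY) == expected


if __name__ == "__main__":
    merged = set_system_property(EXISTING_OPTIONS, TRUSTSTORE_PROPERTY, TRUSTSTORE_PATH)
    print('javaComponentOptions: "%s"' % merged)
    print("trustStore active:", truststore_active(PS_LINE))
```

Paste the merged string as the value of javaComponentOptions under auth: in the xl-release yaml; if the subsection had no options before, set_system_property("", ...) yields just the single -D option the page shows. After the auth pod restarts, feed the java line from ps -ef into truststore_active() to confirm the new setting is in effect.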