Configure authentication and TLS for inter-pod communication

Authentication and TLS of inter-pod communication are enabled by default starting with v12.0.3.2.

About this task

Authentication and TLS of inter-pod communication can be configured using Secret resources. The following steps configure the passwords for ibm-wex-prod resources. If you do not want to enable this feature, see the last step.


  1. Pull the ibm-wex-ee Docker image from the private registry. The image is pushed to the private registry when the Passport Advantage archive is loaded, for example:
    docker pull
    Note: Change the WEX_LOADED_NAMESPACE and the IMAGE_TAG to match your actual namespace and image tag names.
  2. Choose the passwords for your release and create a Secret object, as in the following example:
    # storePassword, databasePassword, discoveryPassword and onewexDockerImage
    # must already be set in this shell.
    mkdir certs
    # certs/ is world-writable and will hold the generated keystores;
    # restrict or remove it once the Secret has been created.
    chmod 777 certs
    docker run --rm --entrypoint="" -v "`pwd`/certs":"/certs" -w "/certs" -e STORE_PASSWORD="${storePassword}" "${onewexDockerImage}" bash -c "/opt/ibm/wex/sbin/ && cp -r /wexdata/config/certs/* ."
    cat <<EOF | kubectl create -f -
    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: "ibm-wex-prod-authentication-tls-secret"
      labels:
        release: "YOUR_RELEASE_NAME"
        component: "authentication-tls-secret"
    data:
      storePassword: $(echo -n "${storePassword}" | base64 | tr -d '\n')
      databasePassword: $(echo -n "${databasePassword}" | base64 | tr -d '\n')
      discoveryPassword: $(echo -n "${discoveryPassword}" | base64 | tr -d '\n')
      mtls.jks: $(cat "certs/service/mtls.jks" | base64 | tr -d '\n')
      mtls_trust.jks: $(cat "certs/service/mtls_trust.jks" | base64 | tr -d '\n')
    EOF
  3. When you configure an ibm-wex-prod release, select Enable authentication and TLS of internal communication on the Configure page, and enter your Secret name (for example, ibm-wex-prod-authentication-tls-secret) in the Secret name for authentication and TLS of internal communication text box. If you do not need to configure this feature, clear the text box.
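
The manifest from step 2 can be rendered to a file and checked before it is passed to kubectl, which catches an unset password variable, a password encoded with a trailing newline, or a keystore file that is not a JKS file. The script below is an added example, not IBM's code: it assumes the manifest was saved to a file, uses the data key names from this page, and its function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM's code: check a rendered Secret manifest before `kubectl create`.
# Data key names come from this page; function names and sample values are assumptions.
PASSWORD_KEYS="storePassword databasePassword discoveryPassword"
KEYSTORE_KEYS="mtls.jks mtls_trust.jks"

# Print the base64 value of data key $2 from manifest file $1 ("key: value" lines).
secret_field() {
  awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# Print one FAIL line per problem; return 0 only when every field passes.
check_secret_manifest() {
  rc=0
  for key in $PASSWORD_KEYS $KEYSTORE_KEYS; do
    value=$(secret_field "$1" "$key")
    if [ -z "$value" ]; then
      # An unset shell variable renders as an empty value in the heredoc.
      echo "FAIL $key: missing or empty"; rc=1; continue
    fi
    if ! printf '%s' "$value" | base64 -d >/dev/null 2>&1; then
      echo "FAIL $key: not valid base64"; rc=1; continue
    fi
    case " $KEYSTORE_KEYS " in
      *" $key "*)
        # A JKS keystore begins with the magic bytes FE ED FE ED.
        magic=$(printf '%s' "$value" | base64 -d | od -An -tx1 -N4 | tr -d ' \n')
        [ "$magic" = "feedfeed" ] || { echo "FAIL $key: not a JKS keystore"; rc=1; } ;;
      *)
        # A trailing newline means the password was encoded without `echo -n`.
        last=$(printf '%s' "$value" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
        [ "$last" != "0a" ] || { echo "FAIL $key: trailing newline"; rc=1; } ;;
    esac
  done
  return $rc
}

# Constructed sample: databasePassword was unset, discoveryPassword used plain `echo`.
sample=$(mktemp)
jks=$(printf '\376\355\376\355\000\000\000\002' | base64)
cat > "$sample" <<EOF
data:
  storePassword: $(printf '%s' 'store-pass' | base64)
  databasePassword:
  discoveryPassword: $(echo 'disc-pass' | base64)
  mtls.jks: $jks
  mtls_trust.jks: $jks
EOF
check_secret_manifest "$sample" || echo "manifest rejected"
```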