Preparing secrets for TLS encryption

Operations Management can automatically generate TLS certificates for customers who do not have their own certificate authority (CA). However, if you have your own CA and you want to deploy on your own site, then you can manually create a certificate and use your own CA to sign the certificate.

A Kubernetes ingress is a collection of rules that can be configured to give services externally reachable URLs. Each Operations Management component requires its own ingress. Each ingress must have an associated secret that has the TLS encrypted certificate. If you are using your own CA, then prepare these secrets with the procedure below.
Note: If you are deploying on IBM Cloud® Private with OpenShift, skip this topic. OpenShift creates its own TLS certificates, and these can be edited post-install. For more information, see Updating certificate for a route.
  1. Create self-signed certificate key pairs with a command similar to the following:
    openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem -subj "/CN=ingress.release_name.fqdn/"
    Where:
    • key.pem and certificate.pem are secure key files and must have already been created by your CA when you created your self-signed certificate key pair.
    • Common name (CN) is made up of the following parameters:
      Important: Ensure that the common name (CN) value that you specify in this command for each Operations Management component matches exactly the parameters that are specified below.
      • ingress is the name of the ingress for the relevant Operations Management component. Run this command for each of the following ingress values:
        • impact
        • nci-x, where x is each of the Impact instances from 0 to (number of Impact server instances - 1). For example, for four Impact servers, run for each of these values: nci-0, nci-1, nci-2, nci-3.
        • netcool
        • proxy
        • scala
        • was
        • ibm-hdm-common-ui
      • release_name is the name of the Helm release. Ensure that this is the same release name that you use when you install your Operations Management on IBM Cloud Private deployment, as described in Configuring Installation Parameters.
      • fqdn is the certificate authority (CA) domain to be set in the Master node FQDN (Fully Qualified Domain Name) field when you install your Operations Management on IBM Cloud Private deployment, as described in Configuring Installation Parameters.
  2. Create secrets with your TLS certificate by running the following command for each ingress:
    kubectl create secret tls release_name-ingress-tls-secret --cert=./certificate.pem --key=./key.pem [--namespace namespace]
    Where:
    • release_name is the name of the Helm release. Ensure that this is the same release name that you use when you install your Operations Management on IBM Cloud Private deployment, as described in Configuring Installation Parameters.
    • ingress is the ingress that you are running the command for, and is one of:
      • impact
      • nci-x, where x is each of the Impact instances from 0 to (number of Impact server instances - 1). For example, for four Impact servers, run for each of these values: nci-0, nci-1, nci-2, nci-3.
      • netcool
      • proxy
      • scala
      • was
      • ibm-hdm-common-ui
    • namespace is the name of the namespace into which you want to install Operations Management on IBM Cloud Private.
  3. When installing Operations Management on IBM Cloud Private, you must set the Use existing TLS certificate secrets flag to true. For more information, see Configuring Installation Parameters.
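
Steps 1 and 2 scripted for every ingress, as an added example that is not part of the original documentation: it writes one key pair per ingress, checks that the certificate CN is exactly ingress.release_name.fqdn, and then creates the matching secret. The default release name, FQDN, namespace and instance count, and the per-ingress file names, are assumptions made for the example.

```shell
#!/bin/sh
# Added example. The default values below are constructed placeholders; set
# them to the Helm release name, Master node FQDN, and namespace of your install.
RELEASE="${RELEASE:-myrelease}"
FQDN="${FQDN:-mycluster.example.com}"
NAMESPACE="${NAMESPACE:-default}"
IMPACT_INSTANCES="${IMPACT_INSTANCES:-4}"

# Print every ingress name from the procedure, one per line.
# nci-x is expanded to nci-0 .. nci-(N-1) for N Impact server instances.
ingress_names() {
  echo impact
  i=0
  while [ "$i" -lt "$1" ]; do echo "nci-$i"; i=$((i + 1)); done
  printf '%s\n' netcool proxy scala was ibm-hdm-common-ui
}

cn_for()     { echo "$1.$RELEASE.$FQDN"; }        # ingress.release_name.fqdn
secret_for() { echo "$RELEASE-$1-tls-secret"; }   # release_name-ingress-tls-secret

# Step 1 for one ingress. Per-ingress file names stop each run from
# overwriting the previous key pair; umask keeps the private key owner-only.
make_pair() {
  ( umask 077
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key.pem" -x509 -days 365 \
      -out "$1.certificate.pem" -subj "/CN=$(cn_for "$1")/" )
}

# Succeeds only if the certificate's subject CN is exactly the expected value.
cn_matches() {
  subj=$(openssl x509 -in "$1.certificate.pem" -noout -subject -nameopt RFC2253)
  [ "${subj##*CN=}" = "$(cn_for "$1")" ]
}

case "${1:-plan}" in
  run)  # Steps 1 and 2 for every ingress; stop at the first failure.
    ingress_names "$IMPACT_INSTANCES" | while read -r ing; do
      make_pair "$ing" && cn_matches "$ing" || { echo "failed: $ing" >&2; exit 1; }
      kubectl create secret tls "$(secret_for "$ing")" --cert="./$ing.certificate.pem" \
        --key="./$ing.key.pem" --namespace "$NAMESPACE" || exit 1
    done ;;
  *)    # Default: only list what would be created.
    ingress_names "$IMPACT_INSTANCES" | while read -r ing; do
      echo "$ing  CN=$(cn_for "$ing")  secret=$(secret_for "$ing")"
    done ;;
esac
```

Run it with no argument to list the CN and secret name for each ingress, and with the argument run to generate the files and create the secrets.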