Cannot access the IBM Cloud Private management console on macOS

You are unable to access the management console with the update macOS version Catalina.

Symptoms

An error message appears when you attempt to log in to your cluster and you are unable to access the console. See the following error message example: 

   icp-console.apps.<cluster_CA_domain>.nip.io normally uses encryption to protect your information. When Google Chrome tried to connect to icp-console.apps.<cluster_CA_domain>.nip.io this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be icp-console.apps.<cluster_CA_domain>.nip.io, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit icp-console.apps.<cluster_CA_domain>.nip.io right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

Cause

When you access your IBM Cloud Private console from Google Chrome, you are unable to log in. The latest update of macOS (Catalina) or later offers greater security constraints. The increased security constraints block the connection of the IBM Cloud Private deployment because of the self-signed certificate.

Resolving the problem

Complete the following steps to update the access permissions for your certificates:

  1. Extract the IBM Cloud Private Root CA Certificate from the cluster-ca-cert.pem file by running the following command:

    • For macOS, run the following command:

      kubectl get secret cluster-ca-cert -n kube-system -o jsonpath="{.data['tls\.crt']}" | base64 -D > cluster-ca-cert.pem

    • For Linux, run the following command:

      kubectl get secret cluster-ca-cert -n kube-system -o jsonpath="{.data['tls\.crt']}" | base64 --decode > cluster-ca-cert.pem

    • When you set the NavTLSGEnerate parameter to True, in the namespace where IBM Cloud Pak for Multicloud Management is installed, run the following command to extract the Root CA Certificate:

       kubectl get secret icip-navigator-tls-secret -n cp4int -o jsonpath="{.data['tls.crt']}" | base64 -D > cluster-ca-cert.pem

  2. Add the certificate file to your local file system.

  3. Update the trust store for your macOS. Select the Launch Pad application.

  4. Locate and select the Keychain Access application.

  5. Move your cluster-ca-cert.pem certificate file into the Keychain Access application.

  6. From the Certificates section, verify that the certificate is added.

  7. Update the access permissions by double-clicking the certificate that you added. Update the When using this certificate parameter to Always Trust.

  8. Return to your Chrome browser and refresh the management console.

You can log in to your management console with access to the product.