IBM Support

How to renew the TLS certificates for Cloud Pak for Security v 1.10.x

How To


Summary

When the TLS certificates expire, the customer needs to request new certificates.
To install the new certificates, they can use the steps that I verified today on a customer environment.

Objective

The documentation is mostly correct but not always clear. Here are the steps that I verified today.

Environment

Valid for any supported OpenShift environment.

Steps

Renew the CP4S certificate

QRadar Suite Software provides the set_cert action to renew the TLS certificates that are used to secure in-flight communication in the cluster when they expire, or to replace the existing certificates.

Before you begin

Install the command-line interface (CLI) utility cpctl from the cp-serviceability pod. For more information, see Installing the cpctl utility.

For more information about certificate requirements, see Domain name and TLS certificates.

About this task

Important: Do not run the set_cert action if your QRadar Suite Software platform uses the same TLS certificate that your Red Hat OpenShift Container Platform cluster uses. If you need to update the TLS certificate for QRadar Suite Software in that case, see Synchronizing QRadar Suite Software Certificates with the cluster certificate.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
     Using a username and password:
       oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
     Using a token:
       oc login --token=<token> --server=<openshift_url>
     If needed, change to the namespace used for CP4S, for example:
       oc project cp4s
  2. To make sure that the list of available cpctl actions is up to date, enter the following command.
    cpctl load
    The cpctl load command retrieves all of the available actions that can be run on QRadar Suite Software. The actions are cached to your local environment.
  3. Update the certificate with the following command. Note that the certificate and the key must be in clear text (the key must not be encrypted).
    cpctl tools update_cert --key "$(cat tls.key)" --cert "$(cat tls.crt)" --token "$(oc whoami -t)"

Renew the certificate for IBM Common Services

For updating the Common Services certificate, we used the documentation at https://www.ibm.com/docs/en/cloud-paks/1.0?topic=cloudpaks_start/cert-manager/3.x.x/cert_mgmt_ingress.htm#use-your-own-certificate-for-the-console-and-api-version-3-6-3-and-earlier-, even if the header said (version 3.6.3 and earlier).

  1. Update the managementingress CR so that ibm-management-ingress-operator does not re-create the route-cert certificate and the route-tls-secret secret. “Unmanaged” is case-sensitive.

    oc -n ibm-common-services patch managementingress default --type merge --patch '{"spec":{"managementState":"Unmanaged"}}'
    
    After this change, the ibm-management-ingress-operator pod will continue to run but it will do nothing. In the log of the pod, you see this message:
    do nothing for the managementingress: ibm-common-services/default because its state is unmanaged
    
  2. Get your TLS certificate as described in Before you begin. Remember to include the external hostname for the foundational services endpoint in the subjectAltName list of your certificate.

  3. Get the destinationCACertificate value from the current cp-console route.

     oc -n ibm-common-services get route cp-console -o jsonpath="{.spec.tls.destinationCACertificate}" > dest-ca.crt
    
  4. Update the cp-console route.

    a. Save the cert, key, and ca-cert of your certificate in the same directory as the destinationCACertificate (dest-ca.crt). For example,

       # ls -l
       total 68
       -rw-r--r-- 1 root root  2021 Oct 19 18:17 ca.crt
       -rw-r--r-- 1 root root  1168 Oct 19 18:28 dest-ca.crt
       -rw-r--r-- 1 root root  1777 Oct 19 18:18 tls.crt
       -rw-r--r-- 1 root root  1675 Oct 19 18:17 tls.key
    
    You must have your full certificate chain if the CA certificate you bring is not self-signed. The full certificate chain includes all the CA certificates that signed each intermediate CA certificate that signed your CA certificate and your root CA. Save the full certificate chain in ca.crt.

    b. Get the hostname from the current cp-console route. For example, cp-console.apps.demo.cp.fyre.ibm.com.

       oc -n ibm-common-services get route cp-console -o jsonpath="{.spec.host}"
    
    c. Regenerate the route spec. In the following command, replace HOSTNAME with the hostname you got in step b.
       oc -n ibm-common-services create route reencrypt cp-console --service=icp-management-ingress  --cert=./tls.crt  --key=./tls.key  --ca-cert=./ca.crt  --dest-ca-cert=./dest-ca.crt  --hostname=HOSTNAME  --insecure-policy='Redirect'  --dry-run=true -o yaml  > cp-console.yaml
    
    d. Apply the change.
       oc -n ibm-common-services  apply -f cp-console.yaml
    
  5. Re-create the route-tls-secret with your certificate.

    a. Delete the related certificate resource so that cert manager does not re-create your updated secret.

       oc -n ibm-common-services delete certificates.v1alpha1.certmanager.k8s.io route-cert
    
    b. Re-create the secret from your certificate.
       oc -n ibm-common-services delete secret route-tls-secret
       oc -n ibm-common-services create secret generic route-tls-secret --from-file=ca.crt=<your path>/ca.crt  --from-file=tls.crt=<your path>/tls.crt  --from-file=tls.key=<your path>/tls.key
    
  6. Re-create the ibmcloud-cluster-ca-cert secret with your certificate.
     oc -n ibm-common-services delete secret ibmcloud-cluster-ca-cert
     oc -n ibm-common-services create secret generic ibmcloud-cluster-ca-cert --from-file=ca.crt=<your path>/ca.crt

  7. Restart the auth-idp pods.
     oc -n ibm-common-services delete pod -l app=auth-idp

  8. Restart the operand-deployment-lifecycle-manager pods.
     oc -n ibm-common-services delete pod -l name=operand-deployment-lifecycle-manager

  9. Access the console to verify that the certificate is used.
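Both procedures above depend on the same three files being right before anything is applied: the key must be in clear text for cpctl tools update_cert, the subjectAltName must cover the route hostname, and ca.crt must hold the full chain for the cp-console route. The following script is an added example, not part of the IBM document or of cpctl; it assumes openssl is installed, uses the file names from the page (tls.crt, tls.key, ca.crt), and takes the route hostname as an argument (the value of oc get route cp-console -o jsonpath="{.spec.host}", or the CP4S console hostname). The served-certificate check at the end is what "access the console to verify" does from the command line.

```shell
#!/bin/sh
# Pre-flight and post-renewal checks for a TLS certificate bundle.
# Added example, not from the IBM page; assumes openssl and the
# file names tls.crt / tls.key / ca.crt used in the procedure.

# Return 0 if the key file is an unencrypted PEM private key.
key_is_cleartext() {
  if grep -q 'ENCRYPTED' "$1"; then
    return 1
  fi
  grep -q 'BEGIN .*PRIVATE KEY' "$1"
}

# Return 0 if an entry of a comma-separated SAN list (as printed by
# openssl x509 -text) covers the hostname. A wildcard covers exactly
# one label, as browsers and oc routes expect.
san_covers_host() {
  san_list=$1
  host=$2
  host_parent=${host#*.}
  old_ifs=$IFS
  set -f
  IFS=,
  set -- $san_list
  IFS=$old_ifs
  set +f
  for entry in "$@"; do
    entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $entry in
      DNS:*) name=${entry#DNS:} ;;
      *) continue ;;
    esac
    if [ "$name" = "$host" ]; then
      return 0
    fi
    case $name in
      '*.'*)
        # "$host" != "$host_parent" rejects single-label hosts
        if [ "$host" != "$host_parent" ] && [ "${name#\*.}" = "$host_parent" ]; then
          return 0
        fi ;;
    esac
  done
  return 1
}

# SAN list of a certificate as one line, e.g. "DNS:a.example.com, DNS:*.example.com".
cert_san_list() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Return 0 if the private key and the certificate carry the same public key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Return 0 if tls.crt verifies against the chain stored in ca.crt.
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Return 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Return 0 if the certificate served on HOST:443 is the local one (post-apply check).
served_cert_matches() {
  local_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  served_fp=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256)
  [ -n "$local_fp" ] && [ "$local_fp" = "$served_fp" ]
}

# Usage: sh cert-checks.sh <route-hostname> [tls.crt] [tls.key] [ca.crt]
check_cert_bundle() {
  host=$1; cert=${2:-tls.crt}; key=${3:-tls.key}; ca=${4:-ca.crt}; rc=0
  if key_is_cleartext "$key"; then
    key_matches_cert "$cert" "$key" || { echo "FAIL: $key does not match $cert"; rc=1; }
  else
    echo "FAIL: $key is encrypted or not a PEM private key"; rc=1
  fi
  cert_chains_to_ca "$cert" "$ca" || { echo "FAIL: $cert does not verify against $ca"; rc=1; }
  cert_valid_for_days "$cert" 30 || { echo "FAIL: $cert expires within 30 days"; rc=1; }
  san_covers_host "$(cert_san_list "$cert")" "$host" || { echo "FAIL: SAN does not cover $host"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $cert, $key and $ca are consistent for $host"
  return "$rc"
}

# Only run the checks when a hostname is given, so the file can also be sourced.
if [ "$#" -ge 1 ]; then
  check_cert_bundle "$@"
fi
```

Run it from the directory holding the files, before step 3 of the CP4S procedure and before step 4 of the Common Services procedure; after the route is applied, served_cert_matches "$host" tls.crt confirms the new certificate is the one actually presented. The chain check treats every certificate in ca.crt as trusted, which is enough to catch a missing intermediate but is not a substitute for a client-side verification against a real trust store.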

Document Location

Worldwide


Document Information

Modified date:
03 March 2025

UID

ibm17184677