Enable management CA verification on REST API calls

Enable the portal and gateway to validate the management subsystem's REST API server certificates.

About this task

After you install API Connect, you can enable the portal and gateway to verify the REST API server certificate when they make calls to the REST API. The gateway and portal subsystems make calls to the management subsystem REST API during their normal operations. The gateway makes calls to the platform REST API, and the portal makes calls to the platform REST API and the consumer REST API. To have the portal and gateway verify the server certificates of the REST API endpoints against their issuing CA, enter the secret names of the CA certificates into the portal and gateway subsystem sections of the top-level CR.
Note:
If you are not sure of the secret names, follow these steps to determine their names:
  1. Check the management subsystem CR with oc describe mgmt, and identify the issuer of the platform and consumer API endpoints:
    oc describe mgmt -n <namespace>
    
    ...
    Platform API Endpoint:
        Annotations:
          cert-manager.io/issuer:               <instance name>-ingress-issuer
    ...
    Consumer API Endpoint:
        Annotations:
          cert-manager.io/issuer:               <instance name>-ingress-issuer
  2. Describe the issuer with oc describe issuer, and identify the secret name:
    oc describe issuer <instance name>-ingress-issuer -n <namespace>
    ...
    Spec:
      Ca:
        Secret Name:  <instance name>-ingress-ca
    ...
Note: If you are using in-cluster communication (see In-cluster service communication between subsystems), then the portal and gateway make REST calls on the service endpoints, instead of the external endpoints. In the steps documented in this topic, replace mgmtPlatformEndpointCASecret with mgmtPlatformEndpointSvcCASecret, and mgmtConsumerEndpointCASecret with mgmtConsumerEndpointSvcCASecret. For secretName, the default for the service endpoints is mgmt-ca or <apic instance name>-mgmt-ca.

Procedure

  1. Edit the top-level CR, apiconnectcluster:
    oc edit apiconnectcluster -n <namespace>
  2. In the spec: section, insert a portal section with the CA secret names for the platform and consumer REST APIs:
    spec:
    ...
      portal:
        mgmtPlatformEndpointCASecret:
          secretName: <instance name>-ingress-ca
        mgmtConsumerEndpointCASecret:
          secretName: <instance name>-ingress-ca
    Note: If the portal section already exists, insert the mgmtPlatformEndpointCASecret and mgmtConsumerEndpointCASecret sections inside it.
  3. In the spec: section, insert a gateway section with the CA secret name for the platform REST API:
    spec:
    ...
      gateway:
        mgmtPlatformEndpointCASecret:
          secretName: <instance name>-ingress-ca
    Note: If the gateway section already exists, insert the mgmtPlatformEndpointCASecret section inside it.
  4. Check the contents of the ptl and gw CRs to confirm that the change is applied.
    oc get ptl -o yaml -n <namespace>
    
    ...
        mgmtPlatformEndpointCASecret:
          secretName: <instance name>-ingress-ca
        mgmtConsumerEndpointCASecret:
          secretName: <instance name>-ingress-ca
    ...
    
    oc get gw -o yaml -n <namespace>
    
    ...
        mgmtPlatformEndpointCASecret:
          secretName: <instance name>-ingress-ca
    ...
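The script below is an added example and is not part of the API Connect documentation or product. It shows the check a practitioner should run before (or right after) naming a CA secret in the portal and gateway sections: confirm that the CA in that secret actually issued the certificate the REST API endpoint presents, because once verification is enabled a mismatch (for example, naming the ingress CA while the portal and gateway are using the in-cluster service endpoints signed by mgmt-ca) causes every portal and gateway REST call to fail TLS verification. All certificates in the script are constructed locally with openssl, so it runs offline; the fetch_and_check function is the assumed workflow against a real cluster (secret key ca.crt, port 443, and the endpoint hostname are assumptions) and is not run by the demo.

```shell
#!/bin/sh
# Added example, not part of the API Connect documentation or product.
# Checks that a CA certificate really issued a server certificate, which is
# what the portal and gateway verify once mgmtPlatformEndpointCASecret /
# mgmtConsumerEndpointCASecret are set. All material is constructed locally.
set -u

# make_ca DIR NAME: create a self-signed CA. A minimal config is written
# inline so the run does not depend on the system openssl.cnf.
make_ca() {
  dir=$1; name=$2
  cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/$name.cnf" -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" >/dev/null 2>&1
}

# make_leaf DIR CA LEAF: issue a server certificate for LEAF signed by CA.
make_leaf() {
  dir=$1; ca=$2; leaf=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$leaf" \
    -keyout "$dir/$leaf.key" -out "$dir/$leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/$leaf.csr" \
    -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
    -out "$dir/$leaf.crt" >/dev/null 2>&1
}

# chains_to CA_FILE CERT_FILE: exit 0 if CERT_FILE verifies against CA_FILE,
# non-zero otherwise. (Add -no-CAfile -no-CApath on OpenSSL 1.1.0+ to keep
# the system trust store out of the decision entirely.)
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fetch_and_check NAMESPACE SECRET HOST: assumed real-cluster workflow, not
# run by the demo. Pulls ca.crt from the secret you intend to name in the
# CR, captures the leaf certificate the endpoint presents, and verifies
# the pair. HOST is the platform or consumer API endpoint hostname.
fetch_and_check() {
  ns=$1; secret=$2; host=$3; work=$(mktemp -d)
  oc get secret "$secret" -n "$ns" -o jsonpath='{.data.ca\.crt}' \
    | base64 -d > "$work/ca.crt"
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 > "$work/server.crt"
  chains_to "$work/ca.crt" "$work/server.crt"; rc=$?
  rm -rf "$work"; return $rc
}

# demo: two constructed CAs (named after the documented defaults), a
# platform API certificate issued by one of them, and the verdict for each.
demo() {
  work=$(mktemp -d)
  make_ca "$work" ingress-ca
  make_ca "$work" mgmt-ca
  make_leaf "$work" ingress-ca platform-api
  for ca in ingress-ca mgmt-ca; do
    if chains_to "$work/$ca.crt" "$work/platform-api.crt"; then
      echo "$ca: issued platform-api.crt, safe to reference in the CR"
    else
      echo "$ca: did NOT issue platform-api.crt, naming it would break REST calls"
    fi
  done
  rm -rf "$work"
}

demo
```

Run it with `sh check-ca.sh`; to check a live endpoint, call `fetch_and_check <namespace> <instance name>-ingress-ca <platform API hostname>` from the same shell and act on the exit status. If the secret you plan to name fails the check, the correct secret is usually the other one the note above describes (the ingress CA for external endpoints, mgmt-ca for in-cluster service endpoints), not a verification setting.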