Creating secrets to protect sensitive configuration data
Before you install Application Engine, create secrets manually to protect the configuration data you are going to enter.
Procedure
- To create the required secrets for Application Engine and IBM Resource Registry, copy the following examples into files and edit the files based on your requirements.
Note: To customize the name of a secret, you can replace icp4adeploy with your own value. Then update the custom resource YAML file to match.
For Application Engine:
apiVersion: v1
kind: Secret
metadata:
  name: icp4adeploy-workspace-aae-app-engine-admin-secret
type: Opaque
stringData:
  AE_DATABASE_PWD: "Your App Engine database password"
  AE_DATABASE_USER: "Your App Engine database username"
  REDIS_PASSWORD: "password"
where REDIS_PASSWORD is required only if you are using Redis for session persistence. Otherwise, it is ignored.
Optional: For Resource Registry:
apiVersion: v1
kind: Secret
metadata:
  name: icp4adeploy-rr-admin-secret
type: Opaque
stringData:
  rootPassword: "passw0rd"
  readUser: "reader"
  readPassword: "readerpwd"
  writeUser: "writer"
  writePassword: "writerpwd"
Notes:
- readUser and writeUser don't need to be your LDAP or User Management Service (UMS) users.
- If you don't create this secret, the operator generates a secret with random values during installation.
- Save the files as YAML files, for example, rr.yaml and ae.yaml. Make sure you edit the files based on your requirements.
- For each file, run the following command to create the secrets:
oc create -f xxx.yaml
- Optional: If you want to connect to your database server by SSL, create a secret for your database server for Application Engine.
Note: Before you begin, make sure your database is configured to connect by SSL:
- For Db2®, see Configuring TLS support in a Db2 instance.
- For Oracle, see the Oracle document Enabling Secure Sockets Layer on how to configure SSL/TLS encrypted connections.
- For Db2:
- Export your certificate by running the following command on your local or remote database server. For example, the following GSKCapiCmd command extracts the certificate to a file called mydbserver.crt:
gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -label "myselfsigned" -target "mydbserver.crt" -format ascii
- Copy your database certificate mydbserver.crt to any directory of your cluster, and create the secret for your database server by running the following command on your cluster:
kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-database-certification-path>/mydbserver.crt
- Put the secret <your-secret-name> into application_engine_configuration.database.db_cert_secret_name in the Application Engine configuration parameters (see Application Engine configuration parameters).
- New in 20.0.3 For Oracle:
- Database Server Wallet Secret for Application Engine:
- Export your certificate by running the following command on your local or remote database server (the following example is for Linux®):
orapki wallet export -wallet <the-path-to-your-wallet-file> -pwd <your-wallet-file-password> -dn "CN=`hostname`" -cert /tmp/<your-certification-name>.crt
- Copy the certificate exported in the previous step to your cluster, and create the secret for your database server by running the following command on your cluster:
kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-certification-name>.crt
- Put the secret <your-secret-name> into application_engine_configuration.database.db_cert_secret_name in the Application Engine configuration parameters (see Application Engine configuration parameters).
- Database Server Wallet SSO Secret for Application Engine:
- Get the wallet SSO file cwallet.sso on your local or remote database server. You can find it in the wallet install directory on your database server.
- Copy this wallet SSO file to any directory of your cluster, and create a secret by running the following command on your cluster:
kubectl create secret generic <your-oracle-sso-secret-name> --from-file=cwallet.sso=<your-oracle-sso-wallet-file-path>/cwallet.sso
- Put the secret <your-oracle-sso-secret-name> into application_engine_configuration.database.oracle_sso_wallet_secret_name in the Application Engine configuration parameters (see Application Engine configuration parameters).
Note: For the Oracle SSL configuration, you need to create an Auto-Login Wallet (cwallet.sso) that is associated with a PKCS#12 wallet. See the Oracle documentation Managing Public Key Infrastructure (PKI) Elements for more details.
- New in 20.0.3 For PostgreSQL:
- Get your database certificate on your local or remote database server. By default, you can find it in the location /var/lib/pgsql/<version>/data.
- Copy your database certificate mydbserver.crt to any directory of your cluster, and create the secret for your database server by running the following command on your cluster:
kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-database-certification-path>/mydbserver.crt
Note: For your database certificate mydbserver.crt, keep only the following content:
-----BEGIN CERTIFICATE-----
MIIDHzCCAgegAwIBAgIUQM8TxJNP8kAEwAzJxBmMl4qIRe8wDQYJKoZIhvcNAQEL
BQAwHzEdMBsGA1UEAwwUZ3JpcHBlMS5meXJlLmlibS5jb20wHhcNMjAwOTA4MDMy
……
……
-----END CERTIFICATE-----
- Put the secret <your-secret-name> into application_engine_configuration.database.db_cert_secret_name in the Application Engine configuration parameters (see Application Engine configuration parameters).
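The note above expects the tls.crt key of the secret to hold exactly one PEM certificate block, but certificate files exported from a database server often carry extra text around that block (a decoded subject and issuer, or additional chain certificates). The following shell script is an added example and is not part of the IBM documentation: it trims an exported server certificate file down to its first PEM block, confirms that exactly one block remains, and prints the kubectl command from this page for that file. It applies to the Db2 and Oracle export steps as well as the PostgreSQL one, since all three produce the same kind of file. The sample certificate file, its base64 lines, the secret name icp4adeploy-db-cert-secret and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): trim an exported database
# server certificate file to the single PEM block that tls.crt must contain.

# extract_pem_cert SRC DST
# Copies only the first "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"
# block from SRC into DST, dropping any human-readable text or further
# certificates around it. Returns 1 if SRC contains no complete block.
extract_pem_cert() {
    src="$1"; dst="$2"
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
        inblock { print }
        /^-----END CERTIFICATE-----$/   { if (inblock) { inblock = 0; exit } }
    ' "$src" > "$dst"
    grep -q '^-----END CERTIFICATE-----$' "$dst"
}

# count_pem_certs FILE
# Prints the number of certificate blocks in FILE; the secret should hold 1.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# db_cert_secret_cmd SECRET_NAME CERT_PATH
# Prints the kubectl command used on this page instead of running it, so the
# script can be checked without cluster access.
db_cert_secret_cmd() {
    printf 'kubectl create secret generic %s --from-file=tls.crt=%s\n' "$1" "$2"
}

# Demonstration on a constructed certificate file: decoded header text, the
# server certificate, and a second (chain) certificate that must be dropped.
# The base64 lines are placeholders, not a real certificate.
tmp=$(mktemp -d)
cat > "$tmp/server.crt" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleLine1NotARealCertificate
MIIBconstructedSampleLine2NotARealCertificate==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsecondChainBlockThatIsDroppedNotRealEither==
-----END CERTIFICATE-----
EOF

if extract_pem_cert "$tmp/server.crt" "$tmp/mydbserver.crt"; then
    echo "kept $(count_pem_certs "$tmp/mydbserver.crt") certificate block(s) in $tmp/mydbserver.crt"
    db_cert_secret_cmd icp4adeploy-db-cert-secret "$tmp/mydbserver.crt"
else
    echo "no PEM certificate block found in $tmp/server.crt" >&2
fi
rm -rf "$tmp"
```

Run it with sh on the machine where you exported the certificate, replacing the constructed input with your own file; the printed kubectl command is the one to run on your cluster once the trimmed file looks right.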