Creating secrets to protect sensitive configuration data

Before you install Application Engine, create the secrets manually so that the sensitive values you are about to configure (database credentials, the Redis password, and the Resource Registry credentials) are stored in Kubernetes secrets that the custom resource references by name, instead of being written into the custom resource itself.

Procedure

  1. To create the required secrets for Application Engine and IBM Resource Registry, copy the following examples into files and edit the values to match your environment.
    Note: To customize a secret name, replace the icp4adeploy prefix with your own value, and use exactly the same name in the custom resource YAML file so that the operator can find the secret.
    For Application Engine:
    apiVersion: v1
    kind: Secret
    metadata:
      name: icp4adeploy-workspace-aae-app-engine-admin-secret
    type: Opaque
    stringData: 
      AE_DATABASE_PWD: "Your App Engine database password"
      AE_DATABASE_USER: "Your App Engine database username"
      REDIS_PASSWORD: "password"
    where REDIS_PASSWORD is required only if you use Redis for session persistence. Otherwise, it is ignored.
    Optional: For Resource Registry:
    apiVersion: v1
    kind: Secret
    metadata:
      name: icp4adeploy-rr-admin-secret
    type: Opaque
    stringData:
      rootPassword: "passw0rd"
      readUser: "reader"
      readPassword: "readerpwd"
      writeUser: "writer"
      writePassword: "writerpwd"
    Notes:
    • readUser and writeUser do not need to be LDAP or User Management Service (UMS) users; they are credentials that are local to Resource Registry. Replace the sample values (passw0rd, readerpwd, writerpwd) with your own.
    • If you do not create this secret, the operator generates one with random values during installation.
  2. Save the files as YAML files, for example, ae.yaml and rr.yaml. Make sure you edit the values in the files before you apply them.
  3. For each file, run the following command in the project (namespace) where you will deploy Application Engine to create the secret:
    oc create -f xxx.yaml
    Note: The YAML files contain the credentials in plain text (stringData is not encrypted; the value is only base64-encoded when it is stored in the cluster). Do not commit the files to source control, and delete them or move them to a secure location after the secrets are created.
  4. Optional: If you want to connect to your database server over SSL, create a secret that holds the database server certificate for Application Engine.
    Note: Before you begin, make sure your database is configured to accept SSL connections:
    • For Db2:
      1. Export the server certificate by running the following command on your local or remote database server. For example, the following GSKCapiCmd command extracts the certificate from the key database mydbserver.kdb to a file called mydbserver.crt:
        gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -label "myselfsigned" -target "mydbserver.crt" -format ascii
      2. Copy the certificate mydbserver.crt to any directory on a machine that can reach your cluster, and create the secret for your database server by running the following command:
        kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-database-certificate-path>/mydbserver.crt
      3. Set application_engine_configuration.database.db_cert_secret_name to <your-secret-name> in the Application Engine configuration parameters (see Application Engine configuration parameters).
    •  New in 20.0.3  For Oracle:
      1. Database server wallet secret for Application Engine:
        1. Export the server certificate from the wallet by running the following command on your local or remote database server (the following example is for Linux®):
          orapki wallet export -wallet <the-path-to-your-wallet-file> -pwd <your-wallet-file-password> -dn "CN=`hostname`" -cert /tmp/<your-certificate-name>.crt
        2. Copy the certificate that you exported in the previous step to a machine that can reach your cluster, and create the secret for your database server by running the following command:
          kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-certificate-name>.crt
        3. Set application_engine_configuration.database.db_cert_secret_name to <your-secret-name> in the Application Engine configuration parameters (see Application Engine configuration parameters).
      2. Database server wallet SSO secret for Application Engine:
        1. Get the auto-login wallet file cwallet.sso from your local or remote database server. You can find it in the wallet directory on your database server.
        2. Copy the cwallet.sso file to a machine that can reach your cluster, and create a secret by running the following command:
          kubectl create secret generic <your-oracle-sso-secret-name> --from-file=cwallet.sso=<your-oracle-sso-wallet-file-path>/cwallet.sso
        3. Set application_engine_configuration.database.oracle_sso_wallet_secret_name to <your-oracle-sso-secret-name> in the Application Engine configuration parameters (see Application Engine configuration parameters).
      Note: For the Oracle SSL configuration, you must create an auto-login wallet (cwallet.sso) that is associated with a PKCS#12 wallet. Because an auto-login wallet can be opened without a password, protect the file and the secret that holds it accordingly. See the Oracle documentation Managing Public Key Infrastructure (PKI) Elements for more details.
    •  New in 20.0.3  For PostgreSQL:
      1. Get the server certificate from your local or remote database server. By default it is in the data directory, /var/lib/pgsql/<version>/data, as the file named by the ssl_cert_file setting (server.crt by default).
      2. Copy the certificate (mydbserver.crt in this example) to a machine that can reach your cluster, and create the secret for your database server by running the following command:
        kubectl create secret generic <your-secret-name> --from-file=tls.crt=<your-database-certificate-path>/mydbserver.crt
        Note: The file mydbserver.crt must contain only the PEM-encoded certificate, that is, the lines from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive. Remove any text before or after that block:
        -----BEGIN CERTIFICATE-----
        MIIDHzCCAgegAwIBAgIUQM8TxJNP8kAEwAzJxBmMl4qIRe8wDQYJKoZIhvcNAQEL
        BQAwHzEdMBsGA1UEAwwUZ3JpcHBlMS5meXJlLmlibS5jb20wHhcNMjAwOTA4MDMy
        ……
        ……
        -----END CERTIFICATE-----
        
      3. Set application_engine_configuration.database.db_cert_secret_name to <your-secret-name> in the Application Engine configuration parameters (see Application Engine configuration parameters).
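The following script is an added example and is not part of the IBM documentation or the operator. It ties steps 1 to 4 together: it builds the Application Engine admin secret from environment variables so that no plaintext password has to sit in an edited YAML file, it trims a database server certificate file down to the bare PEM block that the PostgreSQL note requires, and it emits the same manifest that `kubectl create secret generic --from-file=tls.crt=...` would create, so the objects can be reviewed before they are applied with `oc create -f -`. The secret name icp4adeploy-db-ssl-secret, the script name prepare_secrets.sh, and the sample server.crt file are assumptions made for the example; the placeholder base64 body is not a real certificate.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: prepare the secrets that
# this page describes. Only the icp4adeploy prefix and the secret key names
# come from the page; everything else is constructed for illustration.

# yaml_str VALUE: single-quote a value for YAML, doubling embedded quotes so
# that passwords containing ' or " do not break the manifest.
yaml_str() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# admin_secret_manifest NAME: print the Application Engine admin secret with
# values taken from the environment instead of a hand-edited file.
# AE_DATABASE_PWD and AE_DATABASE_USER are required; REDIS_PASSWORD is only
# needed for Redis session persistence, so it is emitted only when set.
admin_secret_manifest() {
    name=$1
    : "${AE_DATABASE_PWD:?set AE_DATABASE_PWD}" "${AE_DATABASE_USER:?set AE_DATABASE_USER}"
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\nstringData:\n' "$name"
    printf '  AE_DATABASE_PWD: %s\n' "$(yaml_str "$AE_DATABASE_PWD")"
    printf '  AE_DATABASE_USER: %s\n' "$(yaml_str "$AE_DATABASE_USER")"
    [ -n "${REDIS_PASSWORD:-}" ] && printf '  REDIS_PASSWORD: %s\n' "$(yaml_str "$REDIS_PASSWORD")"
    return 0
}

# extract_pem_cert FILE: print only the first PEM certificate block, as the
# PostgreSQL note requires. Text before or after the block is dropped and
# CRLF line endings are normalised.
extract_pem_cert() {
    tr -d '\r' < "$1" | awk '
        /-----BEGIN CERTIFICATE-----/ { p = 1 }
        p { print }
        /-----END CERTIFICATE-----/ { if (p) exit }'
}

# cert_secret_manifest NAME FILE: the manifest that
#   kubectl create secret generic NAME --from-file=tls.crt=FILE
# produces (data values are base64 without line breaks), so the object can
# be reviewed before it is applied.
cert_secret_manifest() {
    name=$1; file=$2
    enc=$(base64 < "$file" | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  tls.crt: %s\n' "$name" "$enc"
}

# write_sample_crt FILE: constructed sample input, a server.crt as a DBA might
# hand it over, with a text dump ahead of the PEM block and notes after it.
# The base64 body is a placeholder, not a real certificate.
write_sample_crt() {
    cat > "$1" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=mydbserver.example.com
-----BEGIN CERTIFICATE-----
MIIDUMMYcGxhY2Vob2xkZXIgbm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==
-----END CERTIFICATE-----
trailing notes that must not end up in the secret
EOF
}

# Usage (hypothetical file name): run with the credentials in the environment,
#   AE_DATABASE_USER=aeuser AE_DATABASE_PWD='s3cret' sh prepare_secrets.sh
# and pipe each printed manifest into `oc create -f -` in the project where
# the custom resource will be deployed.
workdir=$(mktemp -d)
write_sample_crt "$workdir/server.crt"
extract_pem_cert "$workdir/server.crt" > "$workdir/mydbserver.crt"
cert_secret_manifest icp4adeploy-db-ssl-secret "$workdir/mydbserver.crt"
if [ -n "${AE_DATABASE_PWD:-}" ]; then
    admin_secret_manifest icp4adeploy-workspace-aae-app-engine-admin-secret
fi
rm -rf "$workdir"
```

The manifest for the certificate uses data with a base64 value, exactly as kubectl stores it, while the admin secret uses stringData so the values stay readable during review; both are plain secrets, so apply them from a pipe rather than from a file that lingers on disk, and make sure the admin secret name carries the same prefix as the custom resource.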