How To
Summary
A self-signed CA certificate refresh does not automatically refresh the leaf certificates, which results in unavailable services. This document describes how to refresh these certificates for each component of Cloud Pak for Integration. Section 1 covers the necessary steps to refresh the certificates; the subsequent sections are optional, depending on which capabilities are deployed.
Objective
Steps
- 3. Event Streams within Cloud Pak for Integration
- 4. Operations Dashboard within Cloud Pak for Integration
- 5. Asset Repository within Cloud Pak for Integration
- 6. API Connect and DataPower within Cloud Pak for Integration
- 7. App Connect Enterprise within Cloud Pak for Integration
- 8. IBM MQ within Cloud Pak for Integration
- 9. Platform Navigator within Cloud Pak for Integration
oc describe certificate cs-ca-certificate -n ibm-common-services
oc delete secret cs-ca-certificate-secret -n ibm-common-services
Include this step if you refreshed cs-ca-certificate in the previous step, or if it was already refreshed by cert-manager. This step forces the leaf certificates to be updated with the new CA.
mkdir secret_backup
cd secret_backup
oc get certs -n ibm-common-services -o custom-columns=:spec.secretName,:spec.issuerRef.name --no-headers | egrep "cs-ca-clusterissuer|cs-ca-issuer" | while read -r secretName issuerName
do
  oc get secret $secretName -o yaml -n ibm-common-services > secret.$secretName.yaml
  oc delete secret $secretName -n ibm-common-services
done
oc delete pod -l app=auth-idp -n ibm-common-services
oc delete pod -l app=auth-pap -n ibm-common-services
oc delete pod -l app=auth-pdp -n ibm-common-services
ibmcloud-cluster-ca-cert
The ibmcloud-cluster-ca-cert secret must be refreshed to pick up the refreshed ca.crt. The ibm-management-ingress-operator will re-create the secret.
oc delete secret ibmcloud-cluster-ca-cert -n ibm-common-services
cp-console route
The cp-console route must be deleted and re-created to use the refreshed leaf certificate route-tls (secret route-tls-secret). The ibm-management-ingress-operator re-creates the route.
oc delete route cp-console -n ibm-common-services
Edit the cs-ca-certificate yaml file to add the duration and renewBefore parameters (renewBefore: 240h). In the example below the duration value is set to two years and the renewBefore value is set to 10 days.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: cs-ca-certificate
  namespace: ibm-common-services
  labels:
    app.kubernetes.io/instance: ibm-cert-manager-operator
    app.kubernetes.io/managed-by: ibm-cert-manager-operator
    app.kubernetes.io/name: cert-manager
    certmanager.k8s.io/issuer-kind: Issuer
    certmanager.k8s.io/issuer-name: cs-ss-issuer
spec:
  commonName: cs-ca-certificate
  isCA: true
  issuerRef:
    kind: Issuer
    name: cs-ss-issuer
  secretName: cs-ca-certificate-secret
  duration: 17520h
  renewBefore: 240h
status:
  conditions:
  - lastTransitionTime: '2020-12-08T04:20:27Z'
    message: Certificate is up to date and has not expired
    reason: Ready
    status: 'True'
    type: Ready
  notAfter: '2021-03-08T04:20:27Z'
oc delete secret cs-ca-certificate-secret -n ibm-common-services
cs-ca-certificate
Include this step if you refreshed cs-ca-certificate in the previous step, or if it was already refreshed by cert-manager. This step forces the leaf certificates to be updated with the new CA.
mkdir secret_backup
cd secret_backup
oc get certs -n ibm-common-services -o custom-columns=:spec.secretName,:spec.issuerRef.name --no-headers | egrep "cs-ca-clusterissuer|cs-ca-issuer" | while read -r secretName issuerName
do
  oc get secret $secretName -o yaml -n ibm-common-services > secret.$secretName.yaml
  oc delete secret $secretName -n ibm-common-services
done
oc delete pod -l app=auth-idp -n ibm-common-services
oc delete pod -l app=auth-pap -n ibm-common-services
oc delete pod -l app=auth-pdp -n ibm-common-services
ibmcloud-cluster-ca-cert
The ibmcloud-cluster-ca-cert secret must be refreshed to pick up the refreshed ca.crt. The ibm-management-ingress-operator will re-create the secret.
oc -n ibm-common-services delete secret ibmcloud-cluster-ca-cert
cp-console route
The cp-console route must be deleted and re-created to use the refreshed leaf certificate route-tls (secret route-tls-secret). The ibm-management-ingress-operator re-creates the route.
oc delete route cp-console -n ibm-common-services
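The refresh steps above (in both the initial refresh and the repeat after changing the duration) rely on the operators re-creating the leaf secrets with the new CA. The following script is an added verification aid, not part of the IBM document: it compares the ca.crt field of every secret issued by the cs-ca issuers with the tls.crt of cs-ca-certificate-secret, since cert-manager copies the issuing CA into each leaf secret's ca.crt. It assumes oc is logged in and that the secrets live in ibm-common-services.

```shell
#!/usr/bin/env bash
# Added check (not from the IBM document): after the CA secret and the leaf
# secrets have been re-created, confirm every cs-ca-issued leaf secret now
# embeds the new CA. A leaf whose ca.crt differs from the CA secret's tls.crt
# has not been re-issued yet. Assumes 'oc' is logged in.

# Print the base64 value of one data field (for example ca.crt) from a secret
# saved with 'oc get secret ... -o yaml'. Empty output means the field is absent.
secret_field() {  # $1 = secret yaml file, $2 = field name
  awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# Compare a leaf secret's ca.crt with the CA secret's tls.crt.
# Prints ok, stale or missing; the exit status is 0 only for ok.
leaf_matches_ca() {  # $1 = leaf secret yaml, $2 = CA secret yaml
  local leaf_ca ca_crt
  leaf_ca=$(secret_field "$1" ca.crt)
  ca_crt=$(secret_field "$2" tls.crt)
  if [ -z "$leaf_ca" ] || [ -z "$ca_crt" ]; then
    echo missing; return 1
  fi
  if [ "$leaf_ca" = "$ca_crt" ]; then
    echo ok; return 0
  fi
  echo stale; return 1
}

# Dump the CA secret and every cs-ca-issued leaf secret, then report each one.
# Returns 1 if any leaf is stale or missing, so it can gate the next step.
check_cluster() {  # $1 = namespace (default ibm-common-services)
  local ns="${1:-ibm-common-services}" dir rc=0 secretName issuerName result
  dir=$(mktemp -d)
  oc get secret cs-ca-certificate-secret -n "$ns" -o yaml > "$dir/ca.yaml" || return 1
  # Same selection of certificates as the backup loop in the steps above.
  oc get certs -n "$ns" -o custom-columns=:spec.secretName,:spec.issuerRef.name \
    --no-headers | grep -E 'cs-ca-clusterissuer|cs-ca-issuer' > "$dir/certs.txt"
  while read -r secretName issuerName; do
    [ -n "$secretName" ] || continue
    oc get secret "$secretName" -n "$ns" -o yaml > "$dir/$secretName.yaml" 2>/dev/null
    result=$(leaf_matches_ca "$dir/$secretName.yaml" "$dir/ca.yaml") || rc=1
    printf '%-55s %-25s %s\n' "$secretName" "$issuerName" "$result"
  done < "$dir/certs.txt"
  return "$rc"
}
```

Run `check_cluster` after the auth-* pods have been restarted; any line reporting stale means that secret was not re-created and the backup-and-delete loop should be repeated for it.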
Additional Information
Once deleted, the Event Streams operator will reconcile and re-create the secret after a minute or two.
3.2. Make sure Common Services refreshed the certificate management-ingress-ibmcloud-cluster-ca-cert. If not, delete it and wait for it to be re-created by Common Services again:
oc delete secret management-ingress-ibmcloud-cluster-ca-cert
If the secret has not been created automatically, look for errors or delete the operand-deployment-lifecycle-manager-* pod(s) in the Common Services namespace (usually ibm-common-services).
kubectl describe secret <cr_name>-ibm-es-ibmcloud-ca-cert
oc get pod --selector app.kubernetes.io/name=admin-api -o name | xargs oc delete
4.1. Switch to the namespace where the Operations Dashboard (OD) is installed.
oc delete secret management-ingress-ibmcloud-cluster-ca-cert
4.3. Delete the secret <cr name>-ibm-integration-operations-dashboard-com-clustrca
<CR name>-ibm-integration-od-fe-*
<CR name>-ibm-integration-od-hkw-*
<CR name>-ibm-integration-od-job-*
<CR name>-ibm-integration-od-scd-*
oc delete secret management-ingress-ibmcloud-cluster-ca-cert
<CR name>-ibm-integration-asset-repository-ui-*
<CR name>-ibm-integration-asset-repository-api-*
- Identify the "API Connect" capability instance "Name" from your Platform Navigator. This is referred to as <Name> in steps below.
- Identify the K8s namespace in which the API Connect instance was deployed, also from the Platform Navigator. This is referred to as <namespace> in the steps below.
- The APIC ingress-ca certificate on the stack is called <Name>-ingress-ca and it exists in the <namespace> namespace.
$ oc -n <namespace> edit certificate <Name>-ingress-ca
...
spec:
  duration: 87600h # 10 years
  renewBefore: 720h # 30 days
...
$ oc delete secret <Name>-ingress-ca -n <namespace>
oc delete secret <Name>-a7s-ac-endpoint -n <namespace>
oc delete secret <Name>-a7s-ai-endpoint -n <namespace>
oc delete secret <Name>-a7s-cl-client -n <namespace>
oc delete secret <Name>-a7s-ing-client -n <namespace>
oc delete secret <Name>-mgmt-api-manager -n <namespace>
oc delete secret <Name>-mgmt-consumer-api -n <namespace>
oc delete secret <Name>-mgmt-platform-api -n <namespace>
oc delete secret <Name>-mgmt-admin -n <namespace>
oc delete secret <Name>-ptl-adm-client -n <namespace>
oc delete secret <Name>-ptl-portal-web -n <namespace>
oc delete secret <Name>-ptl-portal-director -n <namespace>
For example, for a queue manager named quickstart-cp4i the pod name would look like quickstart-cp4i-ibm-mq-0.
oc delete pod quickstart-cp4i-ibm-mq-0
8.2.2 For a multi-instance queue manager, first restart the standby queue manager pod and then restart the active queue manager pod.
For example, for a queue manager named quickstart-cp4i the pod names may look like quickstart-cp4i-ibm-mq-0 and quickstart-cp4i-ibm-mq-1. You can run the dspmq command to identify which pod is running as the standby queue manager and which as the active queue manager.
oc rsh <queuemanager-pod-name> dspmq
QMNAME(QUICKSTART) STATUS(Running as standby)
In our case the standby queue manager pod is quickstart-cp4i-ibm-mq-0, therefore we first delete the standby pod.
oc delete pod quickstart-cp4i-ibm-mq-0
oc get pod --selector app.kubernetes.io/instance=quickstart-cp4i
oc rsh quickstart-cp4i-ibm-mq-0 dspmq
Then delete the active queue manager pod, quickstart-cp4i-ibm-mq-1:
oc delete pod quickstart-cp4i-ibm-mq-1
9.2. Make sure Common Services refreshed the certificate management-ingress-ibmcloud-cluster-ca-cert. If not, delete it and ensure it is re-created by Common Services again:
oc delete secret management-ingress-ibmcloud-cluster-ca-cert
oc delete secret ibmcloud-cluster-ca-cert -n ibm-common-services
oc -n ibm-common-services delete pod -l app=auth-idp
9.3. Get the name of the Platform Navigator pod:
oc get pod | grep ibm-integration-platform-navigator-deployment
pn-1-ibm-integration-platform-navigator-deployment-668795fkkxbx 2/2 Running 0 5d2h
The pod name has the form <CR name>-ibm-integration-platform-navigator-deployment-<some ID>.
9.4. Delete the Platform Navigator pod returned by the previous step. This will force a new Platform Navigator pod to be created:
oc delete pod <pod name>
Document Information
Modified date: 08 June 2021
UID: ibm16381380