Managing SSL certificates

The IBM Storage Enabler for Containers supports two SSL modes for communicating with its components: the require mode and the verify-full mode.

You can choose one of the following SSL modes:

require
In this SSL mode no certificate validation is performed. The IBM Storage Enabler for Containers server generates self-signed certificates as needed at run time. In this mode, you can skip the procedure detailed below and continue from Performing installation.
verify-full
In this SSL mode the user must provide the relevant certificates, and additional configuration steps are required.
Follow these steps to manage the SSL certificates when using the verify-full mode:
  1. When operating in the verify-full mode, you need to generate the following three public-private key pairs:
    • IBM Storage Enabler for Containers (ubiquity) service object.
    • IBM Storage Enabler for Containers database (ubiquity-db) service object.
    • IBM Spectrum Scale Management API server (GUI). This key pair might already exist.
  2. Verify the following:
    • The SSL certificates that you have generated are valid and signed by the root CA.
    • The SSL certificates have valid common and alternative names.

      The alternative names list must contain valid DNS names and/or IP addresses of the IBM Spectrum Scale Management API server (GUI), ubiquity service object, and ubiquity-db service object.

      Run the following script to obtain the required network parameters for the ubiquity and ubiquity-db services:
      $> ./ubiquity_installer.sh -s create-services

      The script generates two Kubernetes services, which provide the required DNS/IP address combinations.

  3. Run the following command to create the ConfigMap and secrets listed below:
      $> ubiquity_installer.sh -s create-secrets-for-certificates -t <certificatedirectory>

    • The ubiquity-public-certificates ConfigMap, containing all the trusted CA files.
    • The ubiquity-private-certificate secret for the private certificates used by the ubiquity service object.
    • The ubiquity-db-private-certificate secret for the private certificates used by the ubiquity-db service object.
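The two checks in step 2 (the certificate chains to the root CA, and the alternative names cover the service's DNS name and IP address) can be exercised with openssl before the certificates are handed to the installer. The script below is an added example and is not part of the IBM documentation or the ubiquity installer: it issues a test root CA and a certificate for a ubiquity-style service, then verifies the chain and the SAN entries. The service DNS name ubiquity.ubiquity.svc.cluster.local, the cluster IP 10.96.0.20 and the CA name are constructed sample values; substitute the names reported by create-services.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): issue a test root CA and a
# service certificate, then perform the step 2 checks with openssl:
#   - the certificate is signed by (chains to) the root CA
#   - the subjectAltName list contains the expected DNS name and IP address
# All names and the IP address used here are constructed sample values.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_self_signed NAME CN: self-signed certificate NAME.crt with key NAME.key.
# Used both for the test root CA and for a certificate outside the trust chain.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# Root CA that will sign the service certificates (sample CA name).
make_root_ca() {
  make_self_signed root-ca "Example Root CA"
}

# make_service_cert NAME CN SAN_LIST: issue NAME.crt signed by the root CA.
# SAN_LIST uses openssl syntax, e.g. "DNS:svc.ns.svc.cluster.local,IP:10.96.0.20".
make_service_cert() {
  name="$1"; cn="$2"; sans="$3"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" >/dev/null 2>&1
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$sans" > "$WORKDIR/$name.ext"
  openssl x509 -req -in "$WORKDIR/$name.csr" \
    -CA "$WORKDIR/root-ca.crt" -CAkey "$WORKDIR/root-ca.key" -CAcreateserial \
    -days 365 -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" >/dev/null 2>&1
}

# verify_chain NAME: succeeds only if NAME.crt chains to root-ca.crt.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/root-ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# san_entries NAME: print the SAN entries of NAME.crt, one per line.
# openssl prints them comma separated on the line after the extension header.
san_entries() {
  openssl x509 -in "$WORKDIR/$1.crt" -noout -text 2>/dev/null \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^ *//'
}

# cert_has_dns_san NAME DNSNAME / cert_has_ip_san NAME IP: exact-match checks
# against the SAN list (openssl labels IP entries "IP Address:").
cert_has_dns_san() { san_entries "$1" | grep -qx "DNS:$2"; }
cert_has_ip_san()  { san_entries "$1" | grep -qx "IP Address:$2"; }

# Walk through the checks for the ubiquity service certificate.
# Returns 0 only if every check passes.
run_demo() {
  svc_dns="ubiquity.ubiquity.svc.cluster.local"   # constructed service DNS name
  svc_ip="10.96.0.20"                               # constructed cluster IP
  make_root_ca
  make_service_cert ubiquity "$svc_dns" "DNS:$svc_dns,DNS:ubiquity,IP:$svc_ip"
  verify_chain ubiquity        || { echo "FAIL: ubiquity.crt is not signed by root-ca.crt"; return 1; }
  cert_has_dns_san ubiquity "$svc_dns" || { echo "FAIL: DNS name $svc_dns missing from SAN"; return 1; }
  cert_has_ip_san ubiquity "$svc_ip"   || { echo "FAIL: IP $svc_ip missing from SAN"; return 1; }
  echo "OK: ubiquity.crt chains to root-ca.crt and lists $svc_dns and $svc_ip"
}

# Run the walkthrough only when invoked as: sh certcheck.sh demo
if [ "${1:-}" = "demo" ]; then
  run_demo
fi
```

Run the same verify_chain and SAN checks against each of the three certificates from step 1, using the DNS names and IP addresses reported by the create-services script; a certificate that is valid but issued by a different CA, or that lacks one of the service names, fails the corresponding check and would be rejected in verify-full mode.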