Managing SSL certificates with IBM Storage Enabler for Containers

IBM Storage Enabler for Containers uses SSL certificates for maintaining a secure communication link between the IBM Storage Enabler for Containers server, its database, the Dynamic Provisioner, the FlexVolume, and the Spectrum Control Base server.

Before you begin

Download and extract the IBM Storage Enabler for Containers installer to gain access to the installation script (ubiquity_installer.sh). See steps 1 to 3 of the Performing installation of IBM Storage Enabler for Containers section.

About this task

IBM Storage Enabler for Containers supports two SSL modes, when communicating with its components:
  • require, when no validation is required. The IBM Storage Enabler for Containers server generates self-signed certificates on the fly. In this mode, you can skip the procedure detailed below and continue with the installation of the IBM Storage Enabler for Containers without any special SSL configuration.
  • verify-full, expecting the user to provide relevant certificates. When enabled, this SSL mode requires additional configuration steps as listed below.

Procedure

  1. When operating in the verify-full mode, you will need to generate the following three pairs of the public-private keys for:
    • Spectrum Control Base server. You can upload these certificates to the server, as explained in Managing server certificates.
    • IBM Storage Enabler for Containers (ubiquity) service object.
    • IBM Storage Enabler for Containers database (ubiquity-db) service object.
  2. Verify that:
    • The SSL certificates that you have generated are valid and signed by root CA.
    • The SSL certificates have valid common and alternative names. The alternative names list must contain valid DNS names and/or IP addresses of the SCBE server, ubiquity service object, and ubiquity-db service object.
      Run this command to obtain the required network parameters for the ubiquity and ubiquity-db services:
      $> ./ubiquity_installer.sh -s create-services
      The script generates two Kubernetes services that provide the required DNS/IP address combinations.
    • The private certificate and certificate key files have the following names:
      • ubiquity.crt and ubiquity.key for the ubiquity service object.
      • ubiquity-db.crt and ubiquity-db.key for the ubiquity-db service object.
    • The trusted CA files contain the root CA certificate and have the following names:
      • scbe-trusted-ca.crt for the Spectrum Control Base server.
      • ubiquity-trusted-ca.crt for the ubiquity service object.
      • ubiquity-db-trusted-ca.crt for the ubiquity-db service object.
    • Copy all generated *.crt and *.key files to a dedicated directory.
  3. Run the $> ubiquity_installer.sh -s create-secrets-for-certificates -t <certificate directory> command to create the following ConfigMap and secrets:
    • ConfigMap ubiquity-public-certificates for all the trusted CA files.
    • The ubiquity-private-certificate secret for the private certificates used by the ubiquity service object.
    • The ubiquity-db-private-certificate secret for the private certificates used by the ubiquity-db service object.
  4. Proceed with installation of the IBM Storage Enabler for Containers, as detailed in Performing installation of IBM Storage Enabler for Containers.