B SSL Certificates
This appendix provides information on generating your SSL certificates.
The following DNS entries require a CA-signed certificate, based on the services you use in your production environment. Alternatively, you can use a CA-signed wildcard certificate for the corresponding <hostSuffix>, for example: *.uim.org.
You use self-signed certificates for a development environment.
Note:
- DNS entries for Message Bus are required only when the service is accessed by Traditional UIM or by an external system such as Assurance. The number of DNS entries for Message Bus is proportional to the number of Kafka brokers configured.
- OpenSearch can be installed in the <project> namespace or in a different namespace <opensearch-namespace>. A CA-signed certificate for opensearch-cluster-master.<opensearch-namespace>.svc.cluster.local, carrying the namespace in which OpenSearch is deployed, is required.
Table B-1 DNS Entries for Services
DNS Entry | Service |
---|---|
<instance>.<project>.<hostSuffix> | UIM CN |
admin.<instance>.<project>.<hostSuffix> | UIM CN |
t3.<instance>.<project>.<hostSuffix> | UIM CN |
<instance>.<project>.topology.<hostSuffix> | ATA |
<instance>.<project>.messaging.broker0.<hostSuffix> | Message Bus |
<instance>.<project>.messaging.broker<N>.<hostSuffix> | Message Bus |
<instance>.<project>.messaging.bootstrap.<hostSuffix> | Message Bus |
<instance>.<project>.opensearch.<hostSuffix> | OpenSearch |
opensearch-cluster-master.<opensearch-namespace>.svc.cluster.local | OpenSearch |
<instance>.<project>.oam.<hostSuffix> | OAM |
<instance>.<project>.ohs.<hostSuffix> | OAM |
Generating Self-signed Certificates
To generate self-signed certificates:
- Create the certs folder under the $COMMON_CNTK directory:

  ```shell
  mkdir $COMMON_CNTK/certs
  ```

- Update the following command with the appropriate values of INSTANCE, PROJECT, and hostSuffix and run it to generate a common self-signed certificate and key that can be used for OAM, Message Bus, UIM, and ATA. You can add or remove DNS entries in the command based on your requirements. The command uses bash process substitution (`<( ... )`) to feed the SAN configuration to openssl, so run it from bash.

  ```shell
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout $COMMON_CNTK/certs/commonkey.pem \
    -out $COMMON_CNTK/certs/commoncert.pem \
    -subj "/CN=<INSTANCE>.<PROJECT>.admin.<hostSuffix>" \
    -extensions san \
    -config <(echo '[req]'; echo 'distinguished_name=req'; \
              echo '[san]'; echo 'subjectAltName=@alt_names'; \
              echo '[alt_names]'; \
              echo 'DNS.1=<INSTANCE>.<PROJECT>.admin.<hostSuffix>'; \
              echo 'DNS.2=<INSTANCE>.<PROJECT>.oam.<hostSuffix>'; \
              echo 'DNS.3=<INSTANCE>.<PROJECT>.ohs.<hostSuffix>'; \
              echo 'DNS.4=<INSTANCE>.<PROJECT>.topology.<hostSuffix>'; \
              echo 'DNS.5=<INSTANCE>.<PROJECT>.<hostSuffix>'; \
              echo 'DNS.6=admin.<INSTANCE>.<PROJECT>.<hostSuffix>'; \
              echo 'DNS.7=t3.<INSTANCE>.<PROJECT>.<hostSuffix>'; \
              echo 'DNS.8=<INSTANCE>.<PROJECT>.messaging.broker0.<hostSuffix>'; \
              echo 'DNS.9=<INSTANCE>.<PROJECT>.messaging.broker<N>.<hostSuffix>'; \
              echo 'DNS.10=<INSTANCE>.<PROJECT>.messaging.bootstrap.<hostSuffix>'; \
              echo 'DNS.11=opensearch-cluster-master.<opensearch-namespace>.svc.cluster.local'; \
              echo 'DNS.12=<INSTANCE>.<PROJECT>.opensearch.<hostSuffix>')
  ```
- You can add or remove DNS entries in the above sample certificate. Check the following scenarios for removing or adding DNS entries:
  - If the Message Bus ingress listener is not enabled, you can remove the following DNS entries:
    quick.sr.messaging.broker0.uim.org quick.sr.messaging.broker1.uim.org quick.sr.messaging.bootstrap.uim.org
  - For traditional UIM, you can remove the following DNS entries and add the hostnames of the traditional UIM servers instead:
    quick.sr.uim.org admin.quick.sr.uim.org t3.quick.sr.uim.org
  - If OAM is not used as the IdP, you can remove the following hostnames from the certificate:
    quick.sr.admin.uim.org quick.sr.oam.uim.org quick.sr.ohs.uim.org
  - The DNS entry for ATA is:
    quick.sr.topology.uim.org
  - The DNS entry for the OpenSearch service is:
    opensearch-cluster-master.sr.cluster.local
  - The DNS entry for the OpenSearch dashboard is:
    quick.sr.opensearch.uim.org
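The echo chain in the openssl command above is easy to get wrong by hand, and the removal scenarios change which DNS.n lines must be present. The following added example (not part of the Oracle documentation or the cloud native toolkit) derives the Table B-1 SAN list from INSTANCE, PROJECT, hostSuffix and the broker count, applies the removal scenarios as switches, and writes an equivalent openssl config file that you pass with `-config` instead of the process substitution. The function names, the `COMMON_CNTK` default and the sample values `quick`/`sr`/`uim.org` are this example's own choices.

```python
"""Build the openssl SAN configuration for the UIM cloud-native services.

Added example, not part of the Oracle documentation or the toolkit: it derives
the subjectAltName list of Table B-1 from <INSTANCE>, <PROJECT>, <hostSuffix>
and the number of Kafka brokers, applies the removal scenarios listed in the
appendix, and renders the [req]/[san]/[alt_names] sections that the openssl
command builds inline with echo.
"""
from typing import List, Optional


def san_entries(instance: str, project: str, host_suffix: str, brokers: int = 1,
                opensearch_namespace: Optional[str] = None,
                message_bus_ingress: bool = True,
                traditional_uim_hosts: Optional[List[str]] = None,
                oam_idp: bool = True) -> List[str]:
    """Return the DNS names the common certificate must cover, in the
    DNS.1..DNS.n order used by the appendix.

    brokers               -- number of Kafka brokers (one broker<N> entry each)
    opensearch_namespace  -- defaults to <project>, as the appendix's note says
    message_bus_ingress   -- False drops the broker/bootstrap names
    traditional_uim_hosts -- replaces the UIM CN names with these hostnames
    oam_idp               -- False drops the admin/oam/ohs names
    """
    base = f"{instance}.{project}"
    ns = opensearch_namespace or project
    names: List[str] = []
    if oam_idp:                                                         # OAM
        names += [f"{base}.{svc}.{host_suffix}" for svc in ("admin", "oam", "ohs")]
    names.append(f"{base}.topology.{host_suffix}")                      # ATA
    if traditional_uim_hosts is not None:                               # UIM CN
        names += list(traditional_uim_hosts)
    else:
        names += [f"{base}.{host_suffix}", f"admin.{base}.{host_suffix}",
                  f"t3.{base}.{host_suffix}"]
    if message_bus_ingress:                                             # Message Bus
        names += [f"{base}.messaging.broker{i}.{host_suffix}" for i in range(brokers)]
        names.append(f"{base}.messaging.bootstrap.{host_suffix}")
    names.append(f"opensearch-cluster-master.{ns}.svc.cluster.local")   # OpenSearch service
    names.append(f"{base}.opensearch.{host_suffix}")                    # OpenSearch dashboard
    return names


def openssl_config(names: List[str]) -> str:
    """Render the same sections the echo chain produces: [req], [san], [alt_names]."""
    lines = ["[req]", "distinguished_name=req",
             "[san]", "subjectAltName=@alt_names",
             "[alt_names]"]
    lines += [f"DNS.{i}={name}" for i, name in enumerate(names, start=1)]
    return "\n".join(lines) + "\n"


def openssl_command(cn: str, config_path: str, key_path: str, cert_path: str,
                    days: int = 365) -> List[str]:
    """argv equivalent to the appendix's command, reading the SAN config from a file."""
    return ["openssl", "req", "-x509", "-nodes", "-days", str(days),
            "-newkey", "rsa:2048", "-keyout", key_path, "-out", cert_path,
            "-subj", f"/CN={cn}", "-extensions", "san", "-config", config_path]


if __name__ == "__main__":
    import os
    import shlex
    # Constructed sample values; COMMON_CNTK falls back to the current directory.
    certs_dir = os.path.join(os.environ.get("COMMON_CNTK", "."), "certs")
    names = san_entries("quick", "sr", "uim.org", brokers=2)
    os.makedirs(certs_dir, exist_ok=True)
    cfg_path = os.path.join(certs_dir, "common-san.cnf")
    with open(cfg_path, "w") as fh:
        fh.write(openssl_config(names))
    cmd = openssl_command("quick.sr.admin.uim.org", cfg_path,
                          os.path.join(certs_dir, "commonkey.pem"),
                          os.path.join(certs_dir, "commoncert.pem"))
    print(shlex.join(cmd))  # review the command, then run it in your shell
```

Running the script writes `$COMMON_CNTK/certs/common-san.cnf` and prints the openssl command; keeping the config on disk lets you review exactly which names the certificate will carry, and `openssl x509 -in commoncert.pem -noout -ext subjectAltName` shows the same list once the certificate exists.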
Generating Self-Signed Wild Card SSL Certificate
To generate a self-signed wild card SSL certificate:
- Create the certs folder in the $COMMON_CNTK directory as follows:

  ```shell
  mkdir $COMMON_CNTK/certs
  ```

- To generate a wild card SSL certificate, update the <hostSuffix> value (the default is uim.org) and run the following command from bash:

  ```shell
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout $COMMON_CNTK/certs/wildcardkey.pem \
    -out $COMMON_CNTK/certs/wildcardcert.pem \
    -subj "/CN=*.<hostSuffix>" \
    -extensions san \
    -config <(echo '[req]'; echo 'distinguished_name=req'; \
              echo '[san]'; echo 'subjectAltName=@alt_names'; \
              echo '[alt_names]'; echo 'DNS.1=*.<hostSuffix>')
  ```
Note:
- To use wild card certificates, you must configure the subDomainNameSeperator field as - in applications.yaml and project.yaml in the spec path location.
- WebLogic by default does not recognize wild card certificates. In a production environment, you must configure the custom hostname verifier as weblogic.security.utils.SSLWLSWildcardHostnameVerifier. See the WebLogic documentation for setting up hostNameVerifier.
- In a development environment, you can disable hostname verification.
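The subDomainNameSeperator requirement follows from how TLS clients match wildcard names: a `*` in a SAN entry stands for exactly one DNS label, so `*.uim.org` covers `quick-sr.uim.org` but not `quick.sr.uim.org`. The following added example (not part of the Oracle documentation) implements that single-label rule from RFC 6125 section 6.4.3, reports which of the service hostnames from the scenarios above a wildcard certificate leaves uncovered, and shows how the separator brings them back into scope. The `flatten_hostname` helper is an assumption about how the separator is applied (joining the labels left of <hostSuffix> with `-`); the product documentation is authoritative for the exact names it generates.

```python
"""Check which service hostnames a wildcard SAN entry actually covers.

Added example, not part of the Oracle documentation. dns_name_matches applies
the single-label wildcard rule (RFC 6125 section 6.4.3) that browsers, Java
and OpenSSL use. flatten_hostname is an assumed model of the
subDomainNameSeperator setting: it joins the labels in front of <hostSuffix>
with the separator so that the result is one label below the wildcard.
"""
from typing import List


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if the SAN dNSName pattern covers hostname (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label, appear only once, and
    # have at least two labels after it ('*.org' is rejected by real verifiers).
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # '*' stands for exactly one non-empty label, so the label counts must agree.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def uncovered(san_names: List[str], hostnames: List[str]) -> List[str]:
    """Hostnames that none of the certificate's SAN entries match."""
    return [h for h in hostnames
            if not any(dns_name_matches(p, h) for p in san_names)]


def flatten_hostname(hostname: str, host_suffix: str, separator: str = "-") -> str:
    """Assumed effect of subDomainNameSeperator: 'quick.sr.uim.org' -> 'quick-sr.uim.org'."""
    suffix = "." + host_suffix
    if not hostname.endswith(suffix):
        raise ValueError(f"{hostname} does not end with {suffix}")
    prefix = hostname[: -len(suffix)]
    return prefix.replace(".", separator) + suffix


if __name__ == "__main__":
    # Constructed from the example hostnames in the scenarios above.
    services = ["quick.sr.uim.org", "admin.quick.sr.uim.org", "t3.quick.sr.uim.org",
                "quick.sr.topology.uim.org", "quick.sr.opensearch.uim.org"]
    print("not covered by *.uim.org:", uncovered(["*.uim.org"], services))
    flat = [flatten_hostname(h, "uim.org") for h in services]
    print("not covered after separator '-':", uncovered(["*.uim.org"], flat))
```

The same rule explains the WebLogic note: a verifier that does not implement wildcard matching at all rejects even `quick-sr.uim.org` against `*.uim.org`, which is what SSLWLSWildcardHostnameVerifier adds.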