Securing Mobile Foundation deployments on IBM Cloud Private using your own security certificates
IBM Mobile Foundation deployments on ICP have HTTPS enabled by default with NodePort. To configure your own security certificates (for both NodePort and ingress), follow the steps below.
Case A: During setup of Mobile Foundation on ICP
In general, we enable HTTPS by configuring the keystore and truststore during deployment, at the time of initial setup of Mobile Foundation on ICP, as follows.
1. Create a secret with keystore.jks, keystore-password.txt, truststore.jks and truststore-password.txt, and provide the secret name in the field keystores.keystoresSecretName.
2. Keep the file keystore.jks and its password in a file named keystore-password.txt, and the file truststore.jks and its password in a file named truststore-password.txt.
3. Execute the following from the command line:
   ```bash
   kubectl create secret generic mfpf-cert-secret --from-file keystore-password.txt --from-file truststore-password.txt --from-file keystore.jks --from-file truststore.jks
   ```
Note: The file names must be exactly as mentioned, i.e., keystore.jks, keystore-password.txt, truststore.jks and truststore-password.txt. Make sure you provide the name of the secret in keystoresSecretName to override the default keystores.
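The file-name requirement in the note above can be checked before running kubectl create secret. The following is an added example, not part of the original page or of IBM's chart; the function name check_mfpf_cert_files, the classic-JKS magic-byte check and the single-line password check are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the four files that go into the keystore secret.
# check_mfpf_cert_files is a hypothetical helper, not part of the Mobile Foundation chart.

# kubectl uses each file's basename as the key inside the secret, so names must match.
MFPF_REQUIRED_FILES="keystore.jks keystore-password.txt truststore.jks truststore-password.txt"

# Usage: check_mfpf_cert_files [DIR]
# Prints one line per problem on stderr; returns 0 only if no check failed.
check_mfpf_cert_files() {
  local dir rc name path magic
  dir="${1:-.}"
  rc=0
  for name in $MFPF_REQUIRED_FILES; do
    path="$dir/$name"
    if [ ! -f "$path" ]; then
      echo "missing: $path" >&2; rc=1; continue
    fi
    if [ ! -s "$path" ]; then
      echo "empty: $path" >&2; rc=1; continue
    fi
    case "$name" in
      *.jks)
        # Assumption: classic JKS format, whose first four bytes are FE ED FE ED.
        magic=$(head -c 4 "$path" | od -An -tx1 | tr -d ' \n')
        if [ "$magic" != "feedfeed" ]; then
          echo "not a JKS store (starts with '$magic'): $path" >&2; rc=1
        fi
        ;;
      *-password.txt)
        # Assumption: the file holds only the password, on a single line.
        if [ "$(wc -l < "$path")" -gt 1 ]; then
          echo "more than one line: $path" >&2; rc=1
        fi
        ;;
    esac
    # Warning only: key material readable by every local user.
    if [ -n "$(find "$path" -prune -perm -004)" ]; then
      echo "warning: world-readable: $path" >&2
    fi
  done
  return "$rc"
}
```

Source the file and run check_mfpf_cert_files from the directory that holds the four files; create the secret only when it returns 0.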
Case B: Post Mobile Foundation deployment on ICP
If Mobile Foundation is already deployed on ICP and you want to enable HTTPS, follow the steps below.
- Follow the steps 1-3 listed in Case A above.
- Run the following command to get the values from the helm deployment:
  ```bash
  helm get values <helm-name> > values.yaml
  ```
- Make sure the following entries are added to values.yaml (in addition to the appropriate data for your own environment), and make sure that the YAML is valid:
  ```yaml
  ingress:
    enabled: true
    hostname: <host-name>
    sslPassThrough: false
    tlsEnabled: true
    tlsSecretName: "<cluster-name>"
  keystores:
    keystoresSecretName: "mfpf-cert-secret"
  ```
- Unzip the mfp-icp PPA archive (downloaded from Passport Advantage) used to load the images of mfp.
- Locate the charts directory within the extracted artifacts.
- Perform the helm upgrade:
  ```bash
  helm upgrade <helm-release-name> ./ibm-mfpf-server-prod-<chart_version>.tgz -f values.yaml
  ```
Sample command for adding the certificate to the truststore:
```bash
keytool -import -storepass <worklight-storepass> -noprompt -alias icp -keystore ./usr-mfpf-server/security/truststore.jks -trustcacerts -file <mycert-loc>/wildcardcert.crt
```
For more details on Enabling SSL on IBM Liberty on ICP, refer to the documentation.