Securing Mobile Foundation deployments on IBM Cloud Private using your own security certificates
Krishna K Chandrasekar November 04, 2018
Tags: Mobile_Foundation, MobileFirst_Foundation, Security, IBM_Cloud_Private

IBM Mobile Foundation deployments on ICP have HTTPS enabled by default with NodePort. To configure it using your own security certificates (for both NodePort and ingress), follow the steps below.
Case A: During setting up of Mobile Foundation on ICP

In general, we enable HTTPS by configuring the keystore and truststore during the deployment, at the time of initially setting up Mobile Foundation on ICP, as follows.

1. Create a secret containing keystore.jks, keystore-password.txt, truststore.jks and truststore-password.txt, and provide the secret name in the field keystores.keystoresSecretName.
2. Keep the file keystore.jks and its password in a file named keystore-password.txt, and the file truststore.jks and its password in a file named truststore-password.txt.
3. Execute the following from the command line:

```bash
kubectl create secret generic mfpf-cert-secret --from-file keystore-password.txt --from-file truststore-password.txt --from-file keystore.jks --from-file truststore.jks
```

Note: The names of the files must be exactly as given, i.e. keystore.jks, keystore-password.txt, truststore.jks and truststore-password.txt. Make sure you provide the name of the secret in keystoresSecretName to override the default keystores.
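Because the chart keys the Secret entries by file name, a misnamed file (for example truststore-password.jks instead of truststore-password.txt) is packed under the wrong key and only shows up as a failure when the server starts. The following pre-flight script is an added example, not code from the original post or from the Mobile Foundation chart: it checks that a directory holds exactly the four expected files, non-empty, and then prints the kubectl command from the post. The file names are the ones the post gives; the sample directory it can create holds placeholder bytes, not real keystores.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight check for the
# files that go into the mfpf-cert-secret Secret. The chart expects the exact
# file names keystore.jks, keystore-password.txt, truststore.jks and
# truststore-password.txt (from the post); a misnamed file such as
# truststore-password.jks would otherwise be packed under the wrong key and
# only fail at server start.

REQUIRED_FILES="keystore.jks keystore-password.txt truststore.jks truststore-password.txt"

# check_keystore_files DIR
# Returns 0 when every required file exists and is non-empty and no stray
# .jks/.txt file is lying next to them; 1 otherwise (reasons go to stderr).
check_keystore_files() {
    dir="$1"
    rc=0
    for f in $REQUIRED_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            rc=1
        fi
    done
    for f in "$dir"/*.jks "$dir"/*.txt; do
        [ -e "$f" ] || continue            # unmatched glob, nothing to check
        name=$(basename "$f")
        case " $REQUIRED_FILES " in
            *" $name "*) ;;                 # one of the expected names
            *) echo "unexpected file (misnamed?): $name" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# secret_command DIR [SECRET_NAME]
# Prints the kubectl command from the post; the Secret key for each entry is
# taken from the file name, which is what --from-file does.
secret_command() {
    dir="$1"
    name="${2:-mfpf-cert-secret}"
    cmd="kubectl create secret generic $name"
    for f in $REQUIRED_FILES; do
        cmd="$cmd --from-file=$dir/$f"
    done
    echo "$cmd"
}

# make_sample_dir
# Constructed dummy input for a dry run of the checks above: the files hold
# placeholder bytes, not real keystores. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    for f in $REQUIRED_FILES; do
        printf 'placeholder' > "$d/$f"
    done
    echo "$d"
}

# Usage: sh check_cert_secret.sh /path/to/cert-files [secret-name]
if [ -n "${1:-}" ]; then
    check_keystore_files "$1" && secret_command "$1" "${2:-mfpf-cert-secret}"
fi
```

Before applying the printed command for real, appending `--dry-run=client -o yaml` (plain `--dry-run` on older kubectl releases) lets you confirm the four keys land in the Secret under the expected names without creating anything in the cluster.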
Case B: Post Mobile Foundation deployment on ICP

If Mobile Foundation is already deployed on ICP and you want to enable HTTPS with your own certificates, follow these steps.

- Follow steps 1-3 listed in Case A above.
- Run the following command to get the values from the helm deployment:

```bash
helm get values <helm-name> > values.yaml
```

- Make sure the following entries are present in values.yaml (in addition to the data appropriate to your own environment) and that the YAML is valid:

```yaml
ingress:
  enabled: true
  hostname: <host-name>
  sslPassThrough: false
  tlsEnabled: true
  tlsSecretName: "<cluster-name>"
keystores:
  keystoresSecretName: "mfpf-cert-secret"
```

- Unzip the mfp-icp PPA archive (downloaded from Passport Advantage) that was used to load the mfp images.
- Locate the charts directory within the extracted artifacts.
- Perform the helm upgrade:

```bash
helm upgrade <helm-release-name> ./ibm-mfpf-server-prod-<chart_version>.tgz -f values.yaml
```
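A `helm upgrade` with a values.yaml that still carries the `<host-name>` placeholder, or that has `tlsEnabled` left at false, goes through without complaint and leaves the ingress serving the wrong certificate or none. The script below is an added example, not code from the original post or the chart: it reads the ingress and keystores entries listed above out of the dumped values.yaml and refuses if any is missing, still a placeholder, or not the value the post calls for. It handles only the two-level layout shown in the post and assumes no yq or python on the operator's machine; the sample values file it writes uses made-up host and secret names.

```shell
#!/bin/sh
# Added example, not code from the original post: confirm that the
# values.yaml taken from `helm get values` carries the ingress and keystores
# entries the post lists before running `helm upgrade`. It handles only the
# two-level "top:\n  key: value" layout shown in the post and assumes no yq
# or python is installed on the operator's machine.

# yaml_value FILE TOP KEY
# Prints the value of TOP.KEY with surrounding double quotes stripped,
# or nothing if the key is absent.
yaml_value() {
    awk -v top="$2" -v key="$3" '
        # an unindented, non-comment line starts a new top-level section
        /^[^[:space:]#]/ { section = $0; sub(/:.*/, "", section) }
        section == top && $1 == (key ":") {
            val = $0
            sub(/^[[:space:]]*[^:]*:[[:space:]]*/, "", val)
            gsub(/^"|"$/, "", val)
            print val
            exit
        }' "$1"
}

# check_values FILE
# Returns 0 when every required entry is set, 1 otherwise; each problem is
# reported on stderr. A value still in the post's <angle-bracket> placeholder
# form counts as unset.
check_values() {
    f="$1"
    rc=0
    for spec in ingress.enabled=true ingress.tlsEnabled=true ingress.sslPassThrough=false; do
        path=${spec%%=*}
        want=${spec#*=}
        got=$(yaml_value "$f" "${path%%.*}" "${path#*.}")
        if [ "$got" != "$want" ]; then
            echo "$path is '$got', expected '$want'" >&2
            rc=1
        fi
    done
    for path in ingress.hostname ingress.tlsSecretName keystores.keystoresSecretName; do
        got=$(yaml_value "$f" "${path%%.*}" "${path#*.}")
        case "$got" in
            ""|"<"*) echo "$path is not set (got '$got')" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# sample_values FILE
# Writes a constructed values.yaml (hostname and secret names are made up)
# shaped like the fragment in the post, for trying the checks offline.
sample_values() {
    cat > "$1" <<'EOF'
replicaCount: 1
ingress:
  enabled: true
  hostname: mfp.example.internal
  sslPassThrough: false
  tlsEnabled: true
  tlsSecretName: "mycluster-tls"
keystores:
  keystoresSecretName: "mfpf-cert-secret"
EOF
}

# Usage: sh check_values.sh values.yaml
if [ -n "${1:-}" ]; then
    check_values "$1" && echo "values.yaml looks ready for helm upgrade"
fi
```

Run it against the file produced by `helm get values` before the upgrade; a non-zero exit with the offending key on stderr is cheaper than finding out from a browser warning after the pods have rolled.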
Sample command for adding the certificate to the truststore:

```bash
keytool -import -storepass <worklight-storepass> -noprompt -alias icp -keystore ./usr-mfpf-server/security/truststore.jks -trustcacerts -file <mycert-loc>/wildcardcert.crt
```

For more details on enabling SSL on IBM Liberty on ICP, refer to the documentation.
Inclusive terminology note: The Mobile First Platform team is making changes to support the IBM® initiative to replace racially biased and other discriminatory language in our code and content with more inclusive language. While IBM values the use of inclusive language, terms that are outside of IBM's direct influence are sometimes required for the sake of maintaining user understanding. As other industry leaders join IBM in embracing the use of inclusive language, IBM will continue to update the documentation to reflect those changes.