Using Let’s Encrypt SSL certificates with Maximo Application Suite in AWS

By Brian Zhu posted Sat October 08, 2022 09:21 PM

Let’s Encrypt makes it easy to secure Maximo Application Suite with SSL/TLS. This blog shows how to configure Let’s Encrypt, IBM Certificate Manager and AWS Route53 to secure Maximo Application Suite.

A few basics:
  • a domain or subdomain. If you don't have one, ask your AWS account admin to register one through AWS Route53. Write down the hosted zone ID of the public domain.
  • a valid AWS access key ID and secret access key. If you don't have one, ask your AWS account admin to create one in the IAM service with a policy limited to the Route53 actions below. This is all cert-manager needs to create and remove the _acme-challenge TXT records for the DNS-01 challenge:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "route53:GetChange",
          "Resource": "arn:aws:route53:::change/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "route53:ChangeResourceRecordSets",
            "route53:ListResourceRecordSets"
          ],
          "Resource": "arn:aws:route53:::hostedzone/*"
        },
        {
          "Effect": "Allow",
          "Action": "route53:ListHostedZonesByName",
          "Resource": "*"
        }
      ]
    }


Pre-requisite: install IBM Cert-Manager. Maximo Application Suite uses IBM Cert-Manager; the operator usually runs in the ibm-common-services namespace. For installation details, see https://github.com/ibm-mas/ansible-devops/tree/master/ibm/mas_devops/roles/cert_manager

Create a cluster-issuer with Let's Encrypt:
  • export the AWS access key ID, the AWS secret access key, your e-mail address, the AWS region and the hosted zone ID of the public domain as environment variables, then run the script below. The secret access key is stored in a Kubernetes Secret and the ClusterIssuer only references it, so the key never appears in the manifest.
    #!/bin/bash
    set -euo pipefail
    
    # Required input; the script stops with a message if any of these is missing.
    : "${AWS_ACCESS_KEY_ID:?set to your aws access key id}"
    : "${AWS_SECRET_ACCESS_KEY:?set to your aws secret access key}"
    : "${ACME_EMAIL:?set to your email address}"
    : "${AWS_REGION:?set to the aws region, e.g. us-east-1}"
    : "${HOSTED_ZONE_ID:?set to the hosted zone id of the public domain}"
    
    # Create a secret called prod-route53-credentials-secret. It must live in the
    # cluster-resource-namespace of the cert-manager controller (ibm-common-services),
    # because that is where secret references of a ClusterIssuer are resolved.
    oc create secret generic prod-route53-credentials-secret \
      --from-literal=secret-access-key="${AWS_SECRET_ACCESS_KEY}" -n ibm-common-services
    
    # Create the cluster issuer. A ClusterIssuer is cluster-scoped, so it has no namespace.
    cat <<EOF > cluster-issuer.yaml
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: prod-route53-issuer
    spec:
      acme:
        email: ${ACME_EMAIL}
        preferredChain: ''
        privateKeySecretRef:
          name: letsencrypt-prod
        server: 'https://acme-v02.api.letsencrypt.org/directory'
        solvers:
          - dns01:
              route53:
                accessKeyID: ${AWS_ACCESS_KEY_ID}
                hostedZoneID: ${HOSTED_ZONE_ID}
                region: ${AWS_REGION}
                secretAccessKeySecretRef:
                  key: secret-access-key
                  name: prod-route53-credentials-secret
    EOF
    oc apply -f cluster-issuer.yaml
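To confirm that the issuer works before MAS depends on it, the following script (added here, not part of the original post) waits for the ClusterIssuer to become Ready, requests a throwaway certificate for a hostname in the zone and, if issuance stalls, maps the Challenge state to the fix it usually needs. The issuer name and namespace are taken from the post; TEST_HOST, placing the test Certificate in ibm-common-services and the matched cert-manager error phrases are assumptions.

```shell
#!/bin/sh
set -eu
ISSUER="${ISSUER:-prod-route53-issuer}"
NAMESPACE="${NAMESPACE:-ibm-common-services}"
TEST_HOST="${TEST_HOST:-acme-test.example.com}"   # assumption: any hostname inside your public zone

# Pure helper (no oc calls): map a Challenge's state and reason to the fix it usually needs.
# The matched phrases are typical cert-manager Route53 messages, not taken from the post.
diagnose_challenge() {  # $1 = .status.state, $2 = .status.reason
  case "$1:$2" in
    valid:*)                              echo "ok" ;;
    *"not yet propagated"*|*propagation*) echo "dns-propagation: check the recursive nameserver flags and the TXT record in Route53" ;;
    *AccessDenied*|*"not authorized"*)    echo "iam: the access key lacks a route53 permission from the policy" ;;
    pending:*)                            echo "pending: challenge still in progress" ;;
    *)                                    echo "unknown: $1 $2" ;;
  esac
}

# Poll for up to 5 minutes until the Ready condition of $1/$2 is True; $3 is the namespace, empty if cluster-scoped.
wait_ready() {
  tries=30
  while [ "$tries" -gt 0 ]; do
    status=$(oc get "$1" "$2" ${3:+-n "$3"} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null || true)
    [ "$status" = "True" ] && return 0
    tries=$((tries - 1)); sleep 10
  done
  return 1
}
run_check() {
  # An issuer that never becomes Ready usually failed ACME account registration; describe shows the reason.
  wait_ready clusterissuer "$ISSUER" "" || { oc describe clusterissuer "$ISSUER"; return 1; }
  oc apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: { name: acme-test, namespace: $NAMESPACE }
spec:
  secretName: acme-test-tls
  dnsNames: [ "$TEST_HOST" ]
  issuerRef: { name: $ISSUER, kind: ClusterIssuer }
EOF
  if wait_ready certificate acme-test "$NAMESPACE"; then
    # Print subject, issuer and validity of the leaf certificate that was issued.
    oc get secret acme-test-tls -n "$NAMESPACE" -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -issuer -dates
  else
    oc get challenges -n "$NAMESPACE" -o jsonpath='{range .items[*]}{.status.state}{"\t"}{.status.reason}{"\n"}{end}' |
      while IFS="$(printf '\t')" read -r state reason; do diagnose_challenge "$state" "$reason"; done
    return 1
  fi
}
if [ "${1:-}" = "run" ]; then run_check; fi
```

Run it as `sh verify-issuer.sh run` and delete the acme-test Certificate and its secret afterwards; every successful run issues a real certificate from the production ACME server and counts toward Let's Encrypt rate limits.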

Configure the recursive nameservers. cert-manager checks that the _acme-challenge TXT record is visible before it asks Let's Encrypt to validate; the two flags below make that self-check go through the public resolver 8.8.8.8 only, rather than the pod's default resolver and the zone's authoritative nameservers, which avoids failures when the cluster's DNS resolves the domain differently from the public internet.
  • log on to the OpenShift console
  • go to project ibm-common-services
  • go to Workloads -> Deployments -> ibm-cert-manager-operator and, on the Details tab, scale the pod count from 1 to 0. The operator reconciles the controller deployment and would otherwise revert the edit in the next step.
  • go back to Deployments, select the cert-manager controller deployment, open the YAML tab and add the two lines below to the container args
    - '--dns01-recursive-nameservers-only'
    - '--dns01-recursive-nameservers=8.8.8.8:53'
  • after the edit, the container section of the YAML looks like this (the image digests may differ depending on the installed version)
            image: >-
              icr.io/cpopen/cpfs/icp-cert-manager-controller@sha256:1927c16a4dd369c56fa6d2d1897d3ea3d333a3217b8c05ea32b6617c94833a0e
            args:
              - >-
                --acme-http01-solver-image=icr.io/cpopen/cpfs/icp-cert-manager-acmesolver@sha256:e8f50ee7b08dc96627e138e9b0d98ed5848c7b4ad92491962c13ef32b2866591
              - '--cluster-resource-namespace=ibm-common-services'
              - '--leader-election-namespace=ibm-common-services'
              - '--dns01-recursive-nameservers-only'
              - '--dns01-recursive-nameservers=8.8.8.8:53'
        serviceAccount: ibm-cert-manager-controller
        dnsPolicy: ClusterFirst
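The same change can be made from the command line. The script below (added here, not part of the original post) scales the operator down as in the console steps, then appends the two flags to the controller's args with a JSON patch, adding only the ones that are missing so it can be re-run safely. The operator name and namespace are from the post; the deployment name cert-manager-controller is an assumption based on the post's "cert-manager controller" wording.

```shell
#!/bin/sh
set -eu
NS="${NS:-ibm-common-services}"
OPERATOR="${OPERATOR:-ibm-cert-manager-operator}"    # operator deployment named in the post
CONTROLLER="${CONTROLLER:-cert-manager-controller}"   # assumption: name of the "cert-manager controller" deployment
RESOLVER="${RESOLVER:-8.8.8.8:53}"

# Pure helper (no oc calls): build a JSON patch that appends each flag that is not already
# in the controller's args.  $1 = current args, one per line; the rest = flags to ensure.
# Prints "[]" when every flag is already present, so re-running the script is a no-op.
build_patch() {
  current="$1"; shift
  ops=""
  for flag in "$@"; do
    if ! printf '%s\n' "$current" | grep -qxF -- "$flag"; then
      ops="${ops}${ops:+,}{\"op\":\"add\",\"path\":\"/spec/template/spec/containers/0/args/-\",\"value\":\"$flag\"}"
    fi
  done
  printf '[%s]' "$ops"
}

apply_flags() {
  # The operator reconciles the controller Deployment and would revert a manual change, so stop it
  # first (the same scale-to-0 step as in the console procedure above).
  oc scale deployment "$OPERATOR" -n "$NS" --replicas=0
  current=$(oc get deployment "$CONTROLLER" -n "$NS" \
    -o jsonpath='{range .spec.template.spec.containers[0].args[*]}{@}{"\n"}{end}')
  patch=$(build_patch "$current" '--dns01-recursive-nameservers-only' "--dns01-recursive-nameservers=$RESOLVER")
  if [ "$patch" = "[]" ]; then
    echo "recursive nameserver flags already set"
  else
    oc patch deployment "$CONTROLLER" -n "$NS" --type=json -p "$patch"
    oc rollout status deployment "$CONTROLLER" -n "$NS"
  fi
  # Print the final args so they can be compared with the sample YAML above.
  oc get deployment "$CONTROLLER" -n "$NS" -o jsonpath='{.spec.template.spec.containers[0].args}'
}

if [ "${1:-}" = "run" ]; then apply_flags; fi
```

Run it as `sh set-recursive-ns.sh run`; the operator is left scaled to 0, as the console procedure above also leaves it.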



Specify the cluster-issuer when installing MAS core.
  • Below is a sample of how to pass the cluster-issuer to the oneclick_core playbook through MAS_CUSTOM_CLUSTER_ISSUER. Check this link for more details about the oneclick_core playbook
    #!/bin/bash
    set -e
    
    # Use the ClusterIssuer created above; MAS requests its certificates from it
    export MAS_CUSTOM_CLUSTER_ISSUER=prod-route53-issuer
    export MAS_INSTANCE_ID=inst1
    # The same IBM entitlement key is used for MAS, the container registry and SLS
    export MAS_ENTITLEMENT_KEY='<your entitlement key>'
    export IBM_ENTITLEMENT_KEY='<your entitlement key>'
    export MAS_CONFIG_DIR=/root/masconfig-sno
    export SLS_LICENSE_FILE=/root/masconfig-sno/license.dat
    export SLS_LICENSE_ID='<license id that can be found in the license.dat>'
    export SLS_ENTITLEMENT_KEY='<your entitlement key>'
    export UDS_CONTACT_EMAIL='<contact email>'
    export UDS_CONTACT_FIRSTNAME='<first name>'
    export UDS_CONTACT_LASTNAME='<last name>'
    # gp2 is the AWS EBS storage class
    export PROMETHEUS_STORAGE_CLASS=gp2
    export PROMETHEUS_ALERTMGR_STORAGE_CLASS=gp2
    export GRAFANA_INSTANCE_STORAGE_CLASS=gp2
    export MONGODB_STORAGE_CLASS=gp2
    export UDS_STORAGE_CLASS=gp2
    ansible-playbook ibm.mas_devops.oneclick_core

#Maximo
#AssetandFacilitiesManagement

Comments

Thu May 11, 2023 11:46 AM

@Brian Zou, I have a few questions:
1. Can you point me to the location where the MAS_CUSTOM_CLUSTER_ISSUER variable is defined in https://github.com/ibm-mas/ansible-devops/blob/master/ibm/mas_devops/playbooks/oneclick_core.yml?

2. Are we not required to create CNAME records as mentioned on this page if we follow the instructions on this page?

3. When do we need to use the MAS_DOMAIN variable mentioned in the suite_dns role?

4. Is it necessary to execute the steps before installing MAS core, or can we execute the steps after installing MAS core?