Using Let’s Encrypt SSL certificates with Maximo Application Suite in AWS

By Brian Zhu posted Sat October 08, 2022 09:21 PM

Let's Encrypt makes it easy to secure Maximo Application Suite with SSL/TLS. This blog shows how to configure Let's Encrypt, IBM Cert-Manager and AWS Route53 so that Maximo Application Suite is issued a publicly trusted certificate.

A few basics:
  • a domain or subdomain. If you don't have one, ask your AWS account admin to register one through AWS Route53. Write down the hosted zone ID of the public domain.
  • a valid AWS access key ID and secret access key. If you don't have one, ask your AWS account admin to create one in the IAM service with an appropriately scoped permissions policy such as the one below (only the Route53 actions the DNS-01 solver needs):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "route53:GetChange",
          "Resource": "arn:aws:route53:::change/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "route53:ChangeResourceRecordSets",
            "route53:ListResourceRecordSets"
          ],
          "Resource": "arn:aws:route53:::hostedzone/*"
        },
        {
          "Effect": "Allow",
          "Action": "route53:ListHostedZonesByName",
          "Resource": "*"
        }
      ]
    }

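A quick least-privilege check of that policy, added here as an example and not part of the original post. It parses the policy document, confirms every action the cert-manager Route53 solver needs is granted, and flags statements that are broader than the issuer needs (wildcard actions, or ChangeResourceRecordSets on every hosted zone rather than only on the one zone the issuer serves). The hosted zone ID Z0EXAMPLE and the function names are assumptions.

```python
import json

# Actions the cert-manager Route53 DNS-01 solver needs (the four in the policy above).
REQUIRED_ACTIONS = {"route53:GetChange", "route53:ChangeResourceRecordSets",
                    "route53:ListResourceRecordSets", "route53:ListHostedZonesByName"}
ZONE_PREFIX = "arn:aws:route53:::hostedzone/"
ZONE_ID = "Z0EXAMPLE"  # placeholder hosted zone id, not a real one


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_policy(policy_json, hosted_zone_id):
    """Return (missing_actions, findings): required solver actions no Allow
    statement grants, and statements broader than the issuer needs (wildcard
    actions, or record changes allowed on every hosted zone instead of one)."""
    allowed, findings = set(), []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if any(a in ("*", "route53:*") for a in actions):
            findings.append("wildcard action grants far more than DNS-01 needs")
            allowed |= REQUIRED_ACTIONS
        allowed.update(actions)
        if "route53:ChangeResourceRecordSets" in actions and any(
                r in ("*", ZONE_PREFIX + "*") for r in resources):
            findings.append("ChangeResourceRecordSets allowed on every hosted zone;"
                            f" scope Resource to {ZONE_PREFIX}{hosted_zone_id}")
    return sorted(REQUIRED_ACTIONS - allowed), findings


# The policy from this post, as a constructed sample (same three statements).
POST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "route53:GetChange",
     "Resource": "arn:aws:route53:::change/*"},
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets",
                                   "route53:ListResourceRecordSets"],
     "Resource": ZONE_PREFIX + "*"},
    {"Effect": "Allow", "Action": "route53:ListHostedZonesByName", "Resource": "*"}]})
# Tightened variant: record changes only on the one zone the issuer serves.
TIGHTENED_POLICY = POST_POLICY.replace(ZONE_PREFIX + "*", ZONE_PREFIX + ZONE_ID)

if __name__ == "__main__":
    for name, doc in (("post", POST_POLICY), ("tightened", TIGHTENED_POLICY)):
        print(name, check_policy(doc, ZONE_ID))
```

ListHostedZonesByName keeps Resource "*" in both variants because that action does not support resource-level permissions.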

Prerequisite: install IBM Cert-Manager. Maximo Application Suite uses IBM Cert-Manager; the operator is usually in the ibm-common-services namespace. For installation details, see https://github.com/ibm-mas/ansible-devops/tree/master/ibm/mas_devops/roles/cert_manager

Create a cluster-issuer with Let's Encrypt:
  • run the script below, replacing <aws secret access key>, <aws access key id>, <your email>, <aws region> and <public domain host zone id>
    #!/bin/bash
    
    # Replace the placeholders below before running. The secret access key is
    # stored only in a Kubernetes secret; the ClusterIssuer references it by name.
    SECRET_ACCESS_KEY='<your aws secret access key>'
    ACCESS_KEY_ID='<your aws access key id>'
    EMAIL='<your email address>'
    REGION='<aws region>'   # e.g. us-east-1
    HOSTED_ZONE_ID='<the hosted zone id for the public domain>'
    
    # create a secret called prod-route53-credentials-secret in the namespace the
    # cert-manager controller reads ClusterIssuer secrets from (ibm-common-services)
    oc create secret generic prod-route53-credentials-secret \
      --from-literal=secret-access-key="${SECRET_ACCESS_KEY}" -n ibm-common-services
    
    # create a cluster issuer (ClusterIssuer is cluster-scoped, so the namespace
    # field below is ignored; the referenced secret must live in ibm-common-services)
    cat <<EOF > cluster-issuer.yaml
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: prod-route53-issuer
      namespace: ibm-common-services
    spec:
      acme:
        email: ${EMAIL}
        preferredChain: ''
        privateKeySecretRef:
          name: letsencrypt-prod
        server: 'https://acme-v02.api.letsencrypt.org/directory'
        solvers:
          - dns01:
              route53:
                accessKeyID: ${ACCESS_KEY_ID}
                hostedZoneID: ${HOSTED_ZONE_ID}
                region: ${REGION}
                secretAccessKeySecretRef:
                  key: secret-access-key
                  name: prod-route53-credentials-secret
    EOF
    oc apply -f cluster-issuer.yaml

Configure the recursive nameservers. Before asking Let's Encrypt to validate, cert-manager checks the _acme-challenge TXT record itself; with the pod's default cluster DNS that self-check can hit a stale or internal view of the zone, so the controller is pointed at a public recursive resolver instead.
  • log on to the OpenShift console
  • go to project ibm-common-services
  • go to Workloads -> Deployments -> ibm-cert-manager-operator and, on the Details tab, scale the pod down from 1 to 0 (otherwise the operator reconciles the controller deployment and reverts the edit below)
  • go to Deployments, select the cert-manager controller, then click on the YAML tab and add the two lines below to the container args
    - '--dns01-recursive-nameservers-only'
    - '--dns01-recursive-nameservers=8.8.8.8:53'
  • the resulting YAML looks like this
          image: >-
            icr.io/cpopen/cpfs/icp-cert-manager-controller@sha256:1927c16a4dd369c56fa6d2d1897d3ea3d333a3217b8c05ea32b6617c94833a0e
          args:
            - >-
              --acme-http01-solver-image=icr.io/cpopen/cpfs/icp-cert-manager-acmesolver@sha256:e8f50ee7b08dc96627e138e9b0d98ed5848c7b4ad92491962c13ef32b2866591
            - '--cluster-resource-namespace=ibm-common-services'
            - '--leader-election-namespace=ibm-common-services'
            - '--dns01-recursive-nameservers-only'
            - '--dns01-recursive-nameservers=8.8.8.8:53'
      serviceAccount: ibm-cert-manager-controller
      dnsPolicy: ClusterFirst

Specify the cluster-issuer when installing MAS core.
  • Below is a sample of how to pass the cluster-issuer to the oneclick_core playbook. Check this link for more details about the oneclick_core playbook
    #!/bin/bash
    
    # point MAS at the ClusterIssuer created above
    export MAS_CUSTOM_CLUSTER_ISSUER=prod-route53-issuer
    export MAS_INSTANCE_ID=inst1
    # entitlement keys from the IBM container library
    export MAS_ENTITLEMENT_KEY=<your entitlement key>
    export IBM_ENTITLEMENT_KEY=<your entitlement key>
    export MAS_CONFIG_DIR=/root/masconfig-sno
    # Suite License Service settings
    export SLS_LICENSE_FILE=/root/masconfig-sno/license.dat
    export SLS_LICENSE_ID=<license id that can be found in the license.dat>
    export SLS_ENTITLEMENT_KEY=<your entitlement key>
    # User Data Services contact details
    export UDS_CONTACT_EMAIL=<contact email>
    export UDS_CONTACT_FIRSTNAME=<first name>
    export UDS_CONTACT_LASTNAME=<last name>
    # storage classes (gp2 on AWS)
    export PROMETHEUS_STORAGE_CLASS=gp2
    export PROMETHEUS_ALERTMGR_STORAGE_CLASS=gp2
    export GRAFANA_INSTANCE_STORAGE_CLASS=gp2
    export MONGODB_STORAGE_CLASS=gp2
    export UDS_STORAGE_CLASS=gp2
    ansible-playbook ibm.mas_devops.oneclick_core

Comments

Thu May 11, 2023 11:46 AM

@Brian Zou, I have a few questions
1. Can you point me to a location where the MAS_CUSTOM_CLUSTER_ISSUER variable is defined in https://github.com/ibm-mas/ansible-devops/blob/master/ibm/mas_devops/playbooks/oneclick_core.yml ?

2. Are we not required to create CNAME records as mentioned on this page if we follow the instructions on this page?

3. When do we need to use the MAS_DOMAIN variable mentioned in the suite_dns role?

4. Is it necessary to execute the steps before installing MAS core, or can we execute the steps after installing MAS core?