DataPower

Creating Keys and Certificates for DP Containers


    Posted Thu February 16, 2023 03:19 AM
    Edited by Roshan Rama Thu February 16, 2023 05:15 AM

    Hi,

    I have been testing the Appliance to Container migration for DataPower on OCP by following the documented steps found on the KC: Migrating to containers.

    For certs, I am using PEM format and have created a "Secret" of type "Opaque". This seems to work, as I do not see any errors in the pod start-up logs and can also confirm this by seeing the Crypto Certificate object in an "up" state when I "attach" into the Container.

    While experimenting, I noticed that the Crypto Certificate object does not like the "Bag Attributes" at the top of the PEM file when creating the Secret.

    I am struggling to get the private keys working and am out of options. I've tried two combinations: creating a Secret of type "Opaque" with just the private key in it, and one of type "kubernetes.io/tls" with the public and private keys. Neither method has worked.

    I keep getting the "File is unreadable" error shown below.

    20230216T074743.740Z [common][0x806000db][crypto][error] key(DataPower): tid(111): key file 'sharedcert:///sit-testdomain-com-privkey.pem' unreadable
    20230216T074743.740Z [common][0x00f30002][mgmt][error] key(DataPower): tid(111): File is unreadable
    20230216T074743.740Z [0x8240001b][audit][error] : tid(111): (admin:common:system:*): key 'DataPower' - File is unreadable
    20230216T074743.740Z [common][0x00f30002][cli][error] key(DataPower): File is unreadable
    20230216T074743.740Z [common][0x806000db][crypto][error] key(sit.testdomain.com): tid(111): key file 'sharedcert:///sit-testdomain-com-privkey.pem' unreadable
    20230216T074743.740Z [common][0x00f30002][mgmt][error] key(sit.testdomain.com): tid(111): File is unreadable
    20230216T074743.740Z [0x8240001b][audit][error] : tid(111): (admin:common:system:*): key 'sit.testdomain.com' - File is unreadable
    20230216T074743.740Z [common][0x00f30002][cli][error] key(sit.testdomain.com): File is unreadable
    20230216T074743.741Z [common][0x81000228][cli][error] : tid(22694): *** Wrong number of arguments 2, expected between 3 and 22.
    20230216T074743.741Z [common][][cli][error] : tid(22694): (config:///datapower-operator-common-init.cfg:90): sslproxy TEST_WAFW ""
    20230216T074743.742Z [common][0x8120001b][ssl][error] ssl-client(DataPower): tid(111): Identification Credentials 'DataPower' is not yet up
    20230216T074743.742Z [common][0x8120001f][ssl][error] ssl-server(DataPower): tid(111): Identification Credentials 'DataPower' is not yet up
    20230216T074743.743Z [common][0x8120001f][ssl][error] ssl-server(iibrouter): tid(111): Identification Credentials 'sit.testdomain.com' is not yet up

    Does the DataPower YAML need a "keys" element, which is not documented, similar to the "certs" element?

    For example:

    domains:
    - name: "common"
      certs:
      - certType: "usrcerts"
        secret: "default-cert"
      - certType: "sharedcerts"
        secret: "shared-cert"

      keys:
      - keyType: "sharedcerts"
        secret: "shared-key"

    Any guidance on how to get this going will be appreciated.

    Thanks in advance.
    ------------------------------
    Rosh
    ------------------------------
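As an added example (not from the post above or from IBM's DataPower documentation), the following Python strips the "Bag Attributes" text that an `openssl pkcs12` export puts outside the BEGIN/END markers, checks that the key material is a single, non-passphrase-protected private key, and builds a `kubernetes.io/tls` Secret manifest. The `tls.crt`/`tls.key` data keys are the standard ones for that Secret type; whether the DataPower operator reads the private key from those keys is not established by the post, and the PEM bodies are constructed placeholders, not real keys.

```python
import base64
import re

# Matches one PEM block from its BEGIN line through the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

# Constructed samples shaped like an `openssl pkcs12` export; the text above the
# BEGIN marker ("Bag Attributes", subject=) is what the post saw rejected.
SAMPLE_CERT = """Bag Attributes
    localKeyID: 01 02 03 04
subject=CN = sit.testdomain.com
-----BEGIN CERTIFICATE-----
MIIBsampleCertificateBodyNotARealCert
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """Bag Attributes
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEsamplePrivateKeyBodyNotARealKey
-----END PRIVATE KEY-----
"""

def strip_bag_attributes(pem_text: str) -> str:
    """Keep only the BEGIN/END blocks; drop Bag Attributes and other text around them."""
    blocks = [m.group(0) for m in PEM_BLOCK.finditer(pem_text)]
    return "\n".join(blocks) + "\n" if blocks else ""

def pem_block_types(pem_text: str) -> list:
    """Labels of the PEM blocks present, e.g. ['CERTIFICATE'] or ['PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def pem_to_b64(pem_text: str) -> str:
    return base64.b64encode(pem_text.encode()).decode()

def build_tls_secret(name: str, cert_pem: str, key_pem: str,
                     namespace: str = "default") -> dict:
    """Build a kubernetes.io/tls Secret manifest (as a dict) from cleaned PEM.
    Rejects material with no single private key, and passphrase-protected keys,
    since nothing in the Secret would supply the passphrase."""
    cert, key = strip_bag_attributes(cert_pem), strip_bag_attributes(key_pem)
    key_types = [t for t in pem_block_types(key) if t.endswith("PRIVATE KEY")]
    if len(key_types) != 1:
        raise ValueError(f"expected one private-key block, found {key_types}")
    if key_types[0] == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in key:
        raise ValueError("private key is passphrase-protected; decrypt it before use")
    if "CERTIFICATE" not in pem_block_types(cert):
        raise ValueError("no CERTIFICATE block in certificate material")
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.crt": pem_to_b64(cert), "tls.key": pem_to_b64(key)}}
```

Applying the same stripping to the certificate PEM is what removes the "Bag Attributes" the post mentions; running the key check before creating the Secret turns a vague "File is unreadable" at pod start-up into a specific error at build time.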