Hi,
We run the IAG in Kubernetes as reverse proxies in front of many applications and it generally works well.
One of the pain points is trusted certificate management. In IAG you seem to need to specify any additional trusted certificate in the config file by base64-encoding PEM certificates. When a new trusted cert is to be added, this setting would need to be modified for every IAG deployment.
I wonder if anyone has been able to preload extra CA certificates for IAG during the build phase in the Dockerfile.
I even experimented with something like this:
===
RUN find /tmp/preload-certs/*crt | xargs -n1 -I % /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -add -file % -db /opt/pdweb/config.template/shared/keytab/default.kdb -stashed
===
But it seems the kdb files cannot be found during the build phase before the webseald process starts, and I really cannot figure out where webseald gets the initial kdb keystore from.
Has anyone else here managed to preload more CA certificates onto IAG? It seems it would be the proper way to do it.
Regards,
Peter
------------------------------
Peter Lindqvist
------------------------------
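The post mentions that IAG takes extra trusted certificates as base64-encoded PEM in its config file. The following is an added example, not code from the original post or from IBM: a small POSIX shell helper that turns a directory of `*.crt` files into single-line base64 strings and renders them as a YAML list, so the same fragment can be stamped into every deployment's config. The key name `trusted_certificates` is a placeholder assumption, not a documented IAG setting; check the IAG configuration reference for the real key.

```shell
#!/bin/sh
# Added example (not from the original post). Converts PEM CA certs in a
# directory into single-line base64 strings for an IAG-style config file.
# The YAML key below is a placeholder assumption, not a real IAG setting.
set -eu

# Print the base64 of one PEM file on a single line. Refuse files that do
# not carry a complete CERTIFICATE block so a stray private key, a
# truncated download or junk is never shipped as a "trusted certificate".
pem_to_b64() {
    f="$1"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || {
        echo "not a PEM certificate: $f" >&2
        return 1
    }
    grep -q -- '-----END CERTIFICATE-----' "$f" || {
        echo "truncated PEM certificate: $f" >&2
        return 1
    }
    # base64 wraps at 76 columns by default on most platforms; strip newlines
    # so each cert is a single token in the config.
    base64 < "$f" | tr -d '\n'
}

# Render every *.crt in a directory as a YAML list under a placeholder key.
# Shell glob expansion is sorted, so the output is deterministic and diffs
# cleanly between deployments.
render_trusted_certs() {
    dir="$1"
    echo "trusted_certificates:   # placeholder key, see IAG docs"
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || continue
        printf '  - %s\n' "$(pem_to_b64 "$f")"
    done
}

# Usage: render_trusted_certs /tmp/preload-certs > trusted-certs.yaml
```

Pipe the output into whatever templating you already use for the IAG config; the function exits non-zero on a malformed file, so a broken cert fails the build instead of being silently encoded.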