Event Endpoint Management uses TLS to secure all network communication between the Event Endpoint Management components and Kafka clients and clusters.
All Event Manager endpoints are secured by the <instance name>-ibm-eem-manager
certificate. UI and admin API users see this certificate when they connect to the Event Manager. If you want to replace <instance name>-ibm-eem-manager
with your own certificate, then you must supply this certificate during installation.
The Event Gateways secure their endpoint with the <gateway group>-<gateway name>-ibm-egw-cert
certificate. Kafka client applications see this certificate when they connect to the Event Gateway. You configure this certificate when you install the Event Gateway.
The certificates used to secure mTLS controls are configured in the Event Endpoint Management UI. For more information about configuring mTLS control certificates, see Managing mTLS control certificates.
The certificates used to secure communication between the Event Endpoint Management and Kafka clusters are configured in the Event Endpoint Management UI. See adding the cluster.
Key points
- Cert-manager is used to create and maintain the Event Manager and Event Gateway endpoint certificates. If you require the use of your own organization’s certificates, then you can override the default cert-manager certificates during installation.
- Event Endpoint Management TLS certificates are stored in Kubernetes Secrets.
- The Certificate objects that cert-manager creates contain pointers to a Kubernetes Secret (of the same name) that contains the actual X.509 certificate strings.
- Cert-manager monitors and renews all the certificates that it creates.
- You are responsible for monitoring and renewing any custom certificates that you provide.
- Your certificates must be included in your back up. They are required for disaster recovery.
The following table lists the secrets that contain the TLS certificates that secure your Event Endpoint Management endpoints:
Secret name | Description |
---|---|
<gateway group>-<gateway name>-ibm-egw-cert |
Server certificate that secures the Event Gateway endpoint (the certificate that Kafka clients see when they contact the gateway). |
<gateway group>-<gateway name>-certs |
CA certificate for the Event Gateway endpoint. Signs the <gateway group>-<gateway name>-ibm-egw-cert . |
<instance name>-ibm-eem-manager |
Server certificate of the Event Manager (the certificate that UI and admin API users see when they connect to the Event Manager). |
<instance name>-ibm-eem-manager-ca |
CA certificate for <instance name>-ibm-eem-manager . |
Default Event Manager TLS configuration
If you do not specify any custom certificates when you install your Event Manager instance, then the Event Endpoint Management operator uses cert-manager to generate a CA certificate with a self-signed issuer. The operator uses this self-signed CA certificate to generate the leaf certificate that secures your Event Manager endpoints. Cert-manager stores the CA certificate in a secret called <my-instance>-ibm-eem-manager-ca
.
Cert-manager and the Event Endpoint Management operator create the following objects in the Event Manager namespace:
-
Issuers:
<my-instance>-ibm-eem-manager
<my-instance>-ibm-eem-manager-selfsigned
-
Certificates:
<my-instance>-ibm-eem-manager-ca
<my-instance>-ibm-eem-manager
-
Secrets:
<my-instance>-ibm-eem-manager-ca
<my-instance>-ibm-eem-manager
Certificate customization options
If you want to customize your Event Manager certificates, you have the following options:
- Customize only the UI endpoint certificate. This is the certificate that Event Endpoint Management UI user’s browser sees when it connects to the UI. If the user’s browser does not trust this certificate, then the browser presents a warning to the user.
- Customize the Event Manager CA certificate. The Event Endpoint Management operator uses the custom CA certificate to sign the endpoint server certificate that it creates.
- Customize the Event Manager endpoint server certificate.
These options are mutually exclusive.
Custom UI certificate
A separate custom certificate can be configured for the UI endpoint. This certificate is presented to the browser when a user accesses the Event Endpoint Management UI. To supply a custom certificate to the UI, follow these steps:
- Ensure that you have the certificate files
tls.crt
,ca.crt
, andtls.key
in PEM format, and that the Subject Alternative Name (SAN) intls.crt
includes your UI endpoint. -
Create a Kubernetes secret from your certificate files:
kubectl -n <namespace> create secret generic custom-ui-cert-secret --from-file=ca.crt=ca.crt --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key
- Set
spec.manager.tls.ui.secretName
tocustom-ui-cert-secret
. - Set
spec.manager.tls.trustedCertificates
to include thecustom-ui-cert-secret
CA certificate. - If you are updating an existing Event Endpoint Management instance, then confirm that the manager pod restarts.
Example custom UI certificate configuration:
apiVersion: events.ibm.com/v1beta1
kind: EventEndpointManagement
# ...
spec:
license:
# ...
manager:
tls:
ui:
secretName: custom-ui-cert-secret
trustedCertificates:
- secretName: custom-ui-cert-secret
certificate: ca.crt
# ...
Note: On Red Hat OpenShift Container Platform, if you already have a Kubernetes secret that you want to use for your UI endpoint, and it does not use the property names ca.crt
, tls.crt
, and tls.key
to store the certificate strings (for example: data.ca_cert.crt
instead of data.ca.crt
), then complete the following additional steps:
- Edit your Event Manager custom resource.
-
Specify the property names that are used in your UI endpoint secret as shown:
apiVersion: events.ibm.com/v1beta1 kind: EventEndpointManagement # ... spec: license: # ... manager: tls: ui: # ... caCertificate: "ca_cert.crt" serverCertificate: "server_cert.crt" key: "private_key.key" # ...
Custom CA certificate for Event Manager
You can provide your own custom CA certificate to the Event Manager instance. Cert-manager then uses the custom CA certificate to generate the server certificate that secures your Event Manager endpoints.
To configure Event Manager to use your custom CA certificate, complete the following steps:
- Ensure that you have the
ca.crt
andtls.key
files for your CA certificate in PEM format. -
Create a Kubernetes secret called
custom-ca-secret
that contains your CA certificate files:kubectl -n <namespace> create secret generic custom-ca-secret --from-file=ca.crt=ca.crt --from-file=tls.crt=ca.crt --from-file=tls.key=tls.key
- Edit your Event Manager custom resource and set
spec.manager.tls.caSecretName
tocustom-ca-secret
. -
If you are updating an existing Event Endpoint Management instance, then follow these extra steps:
a. Regenerate the endpoint server certificate so that it is re-created as signed-by
custom-ca-secret
:kubectl -n <namespace> delete secret <instance name>-ibm-eem-manager
b. Restart the Event Manager pod:
kubectl -n <namespace> delete <manager pod name>
c. If your Event Manager instance has any registered Event Gateways, then update the Event Gateway with the new Event Manager CA certificate. The Event Manager CA certificate is stored in the gateway’s
BACKEND_CA_CERTIFICATES
environment variable. WhereBACKEND_CA_CERTIFICATES
is set depends on your gateway deployment type:- Operator-managed gateway:
spec.template.pod.spec.containers.env[BACKEND_CA_CERTIFICATES]
. - Kubernetes Deployment gateway:
spec.template.spec.containers.env[BACKEND_CA_CERTIFICATES]
. - Docker gateway:
-e BACKEND_CA_CERTIFICATES
.
- Operator-managed gateway:
Custom server certificates for Event Manager
If you want to supply your own server certificate for all your Event Manager endpoints, then you can create a Kubernetes secret that contains your TLS certificate strings and configure your Event Manager to use this secret.
Subject Alternative Name (SAN) requirements
Subject Alternative Names (SANs) are extensions to X.509 digital certificates that allow multiple domain names, IP addresses, or other identifiers to be associated with a single TLS certificate.
The certificate that secures your Event Manager must include your endpoints as SAN entries.
On OpenShift Container Platform, your SANs must include the following entries:
<instance name>-ibm-eem-manager
<instance name>-ibm-eem-manager.<namespace>
<instance name>-ibm-eem-manager.<namespace>.svc
<instance name>-ibm-eem-manager.<namespace>.svc.cluster.local
<instance name>-ibm-eem-apic-<namespace>.<cluster api>
<instance name>-ibm-eem-gateway-<namespace>.<cluster api>
<instance name>-ibm-eem-manager-<namespace>.<cluster api>
<instance name>-ibm-eem-admin-<namespace>.<cluster api>
eem.<instance name>-ibm-eem-server-<namespace>.<cluster api>
Where:
<instance name>
is the name of the Event Manager instance.<namespace>
is the namespace of your Event Manager instance.<cluster api>
is derived from the URL of your OpenShift Container Platform cluster. If the URL ishttps://console-openshift-console.apps.clusterapi.com/
then<cluster api>
isapps.clusterapi.com
.
On other Kubernetes platforms, your SANs must include the service endpoints that you define during installation.
Additional points to consider:
- Include any additional routes or ingresses to your Event Manager that you create.
- If you plan to integrate with IBM API Connect, then include the
apic
endpoint hostnames. - Wildcard SAN entries are supported.
- If you use LOCAL authentication, then include a SAN entry for the local cluster network.
Example SAN entries for OpenShift Container Platform
When you use LOCAL authentication with the Event Manager, the required SAN entries are as follows:
spec:
dnsNames:
- '*.<NAMESPACE>.svc.cluster.local'
- '*.<CLUSTER_API>'
- eem.*.<CLUSTER_API>'
When you use OIDC authentication with the Event Manager, the required SAN entries are as follows:
spec:
dnsNames:
- '*.<CLUSTER_API>'
- eem.*.<CLUSTER_API>'
The required SAN entries for the Event Gateway are as follows:
spec:
dnsNames:
- '*.<CLUSTER_API>'
Configuring a custom Event Manager certificate
To configure a custom Event Manager server certificate, follow these steps:
-
Ensure that you have the
ca.crt
,tls.crt
, andtls.key
files for the certificate in PEM format. Yourtls.crt
must comply with the SAN requirements. -
Create a Kubernetes secret that contains your TLS certificate strings by running the following command:
kubectl -n <namespace> create secret generic custom-cert-secret --from-file=ca.crt=ca.crt --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key
-
Edit your Event Manager custom resource and set
spec.manager.tls.secretName
tocustom-cert-secret
. If you are updating an existing deployment, then the Event Manager pod restarts. -
If your Event Manager instance has any registered Event Gateways, then update the Event Gateway with the new Event Manager CA certificate. The Event Manager CA certificate is stored in the gateway’s
BACKEND_CA_CERTIFICATES
environment variable. WhereBACKEND_CA_CERTIFICATES
is set depends on your gateway deployment type:- Operator-managed gateway:
spec.template.pod.spec.containers.env[BACKEND_CA_CERTIFICATES]
. - Kubernetes Deployment gateway:
spec.template.spec.containers.env[BACKEND_CA_CERTIFICATES]
. - Docker gateway:
-e BACKEND_CA_CERTIFICATES
.
- Operator-managed gateway:
Renewing certificates
The cert-manager automatically renews the certificates that it manages when they are approaching their expiration. Any custom certificates that you create you must monitor and renew manually.
Example OpenSSL commands to create TLS certificate files
The following examples show how to use OpenSSL to generate TLS certificates that you can use in demonstration and test deployments of Event Endpoint Management.
Creating a CA certificate and key
You can create a CA certificate and key with the following OpenSSL commands:
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -days 730 -out ca.crt
Creating a server certificate
The following example uses OpenSSL and gettext to generate a CA and server certificate for Event Manager on Red Hat OpenShift with LOCAL user authentication.
-
Set the following environment variables:
EMAIL=<email-address> MANAGER_NAME=<name-of-the-event-manager-instance> CLUSTER_API=<cluster-api> NAMESPACE=<event-endpoint-management-installation-namespace>
Where:
- MANAGER_NAME is the name of the Event Manager instance.
- CLUSTER_API is the cluster URL that can be obtained from the cluster. If the URL is
https://console-openshift-console.apps.clusterapi.com/
then the CLUSTER_API must be set toapps.clusterapi.com
.
-
Create a file called
csr_ca.txt
and paste in the following contents:[req] prompt = no default_bits = 4096 default_md = sha256 distinguished_name = dn x509_extensions = usr_cert [dn] C=US ST=New York L=New York O=MyOrg OU=MyOU emailAddress=me@working.me CN = server.example.com [usr_cert] basicConstraints=CA:TRUE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer
-
Create a file called
my-eem-manager_answer.txt
and paste in the following contents:[req] default_bits = 4096 prompt = no default_md = sha256 x509_extensions = req_ext req_extensions = req_ext distinguished_name = dn [dn] C=US ST=New York L=New York O=MyOrg OU=MyOrgUnit emailAddress=${EMAIL} CN = ${MANAGER_NAME}-ibm-eem-manager [req_ext] subjectAltName = @alt_names [alt_names] DNS.1 = ${MANAGER_NAME}-ibm-eem-manager DNS.2 = ${MANAGER_NAME}-ibm-eem-manager.${NAMESPACE} DNS.3 = ${MANAGER_NAME}-ibm-eem-manager.${NAMESPACE}.svc DNS.4 = ${MANAGER_NAME}-ibm-eem-manager.${NAMESPACE}.svc.cluster.local DNS.5 = ${MANAGER_NAME}-ibm-eem-apic-${NAMESPACE}.${CLUSTER_API} DNS.6 = ${MANAGER_NAME}-ibm-eem-gateway-${NAMESPACE}.${CLUSTER_API} DNS.7 = ${MANAGER_NAME}-ibm-eem-manager-${NAMESPACE}.${CLUSTER_API} DNS.8 = ${MANAGER_NAME}-ibm-eem-admin-${NAMESPACE}.${CLUSTER_API} DNS.9 = eem.${MANAGER_NAME}-ibm-eem-server-${NAMESPACE}.${CLUSTER_API}
-
Generate the required certificates by running the following commands:
a. Generate
ca.key
:openssl genrsa -out ca.key 4096
b. Generate
ca.crt
:openssl req -new -x509 -key ca.key -days 730 -out ca.crt -config <( envsubst < csr_ca.txt )
Note: The
envsubst
utility is available on Linux and can be installed by default as part of thegettext
package.c. Generate
manager.key
:openssl genrsa -out ${MANAGER_NAME}.key 4096
d. Generate
manager.csr
:openssl req -new -key ${MANAGER_NAME}.key -out ${MANAGER_NAME}.csr -config <(envsubst < my-eem-manager_answer.txt )
-
Sign the
csr
to create the manager certificate:openssl x509 -req -in ${MANAGER_NAME}.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ${MANAGER_NAME}.crt -days 730 -extensions 'req_ext' -extfile <(envsubst < my-eem-manager_answer.txt)
-
Verify the manager certificate:
openssl verify -CAfile ca.crt ${MANAGER_NAME}.crt