Symptoms
Misconfiguration of your network and TLS can cause various issues in Event Endpoint Management, such as:
- The page does not load when you attempt to access the Event Endpoint Management UI.
- The Event Gateways page shows the status of `This Event Gateway might require attention`.
- Event Gateway pod logs show: `Failed to register with Event Manager`.
Causes
The following are the most common causes of Event Manager connection errors:
- Kubernetes ingresses and OpenShift Container Platform routes are misconfigured and not directing client requests to the Event Manager.
- Firewalls blocking access to the Event Manager.
- Load-balancers in front of the Event Manager are terminating TLS connections. TLS pass-through must be enabled on your load-balancer.
- Event Manager CA certificate not trusted by clients.
- Event Manager server certificate was not updated after the CA certificate was updated.
Resolving the problem
Check for network problems
- Verify that the endpoint that the client is attempting to connect to matches a route or ingress in your Kubernetes environment.
- Try to connect to the endpoint from within your Kubernetes environment by using the following curl command:

    curl -k -L https://<endpoint>

  The `-k` option skips certificate verification, so this command tests network reachability only. If the local connection attempt is successful, then the problem is in the network connection from your client to your Kubernetes environment.
Check Event Manager TLS configuration
Verify that the Event Manager CA and server certificates are configured correctly.
By default, the Event Manager endpoints are secured by the `<instance name>-ibm-eem-manager` certificate, which is signed by `<instance name>-ibm-eem-manager-ca`.
To see what certificate an endpoint is secured with, you can use the following OpenSSL command:
openssl s_client -connect <endpoint>:443 -servername <endpoint> -showcerts
The following are common problems with Event Manager TLS configuration, and ways to resolve them:
- The CA certificate was updated, but not the leaf certificate that it signs. To resolve this problem, complete step 4 on custom CA certificate for Event Manager.
- The Event Manager endpoint certificates were updated, but the client’s truststore was not updated with the new Event Manager CA certificate.

  It might still be possible to access the Event Endpoint Management UI because you can enable your browser to trust the new certificate when you connect, but any registered Event Gateways must be manually updated with the new Event Manager CA certificate.

  Update the Event Manager CA certificate on your Event Gateways with the following steps:

  - Extract the CA certificate from the `<instance name>-ibm-eem-manager-ca` secret in the Event Manager namespace by running the following command:

        kubectl -n <manager namespace> get -o yaml secret <instance name>-ibm-eem-manager-ca | grep ca.crt | awk '{print $2}' | base64 -d

    The command returns the CA certificate in PEM format, for example:

        -----BEGIN CERTIFICATE-----
        MIIDbTCCAlWgA...
        ...
        n4AsuumaDi8d5oLmPEMV+Gk=
        -----END CERTIFICATE-----

  - Update your gateway as follows depending on the deployment type:

    - For operator-managed gateways:

      a. Edit the gateway custom resource:

          kubectl -n <gateway namespace> edit eventgateway

      b. Update the property `spec.template.pod.spec.containers.env[BACKEND_CA_CERTIFICATES]` with the new Event Manager CA certificate.

    - For Kubernetes Deployment gateways:

      a. Edit the gateway deployment:

          kubectl -n <gateway namespace> edit deploy <gateway deployment name>

      b. Update the property `spec.template.spec.containers.env[BACKEND_CA_CERTIFICATES]` with the new Event Manager CA certificate.

    - For Docker gateways: Restart the Docker gateway with the CA certificate specified in `-e BACKEND_CA_CERTIFICATES`.
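The two common TLS problems listed above can be told apart by verifying the certificate that the endpoint presents against each CA in turn. The following script is an added example, not part of the product documentation: the function names and the constructed sample certificates are hypothetical, and it assumes that the server certificate is signed directly by the CA, as in the default configuration.

```shell
#!/bin/sh
# Added example: classify the two TLS trust failures described above.
# Arguments are PEM files:
#   $1 current Event Manager CA (decoded ca.crt from the manager CA secret)
#   $2 leaf certificate the endpoint presents (first certificate printed by
#      openssl s_client -showcerts)
#   $3 CA the gateway currently trusts (value of BACKEND_CA_CERTIFICATES)
classify_trust() {
  if ! openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "leaf-not-reissued"         # CA was replaced, server certificate was not
  elif ! openssl verify -no-CApath -CAfile "$3" "$2" >/dev/null 2>&1; then
    echo "gateway-truststore-stale"  # gateway still holds the previous CA
  else
    echo "ok"
  fi
}

# Constructed sample PKI (hypothetical names) so that the check runs offline.
make_ca() {    # make_ca <dir> <ca name>
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}
make_leaf() {  # make_leaf <dir> <ca name> <leaf name>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_ca "$d" old-ca
  make_ca "$d" new-ca
  make_leaf "$d" old-ca old-leaf
  make_leaf "$d" new-ca new-leaf
  echo "CA rotated, leaf not reissued:   $(classify_trust "$d/new-ca.crt" "$d/old-leaf.crt" "$d/old-ca.crt")"
  echo "leaf reissued, gateway has old:  $(classify_trust "$d/new-ca.crt" "$d/new-leaf.crt" "$d/old-ca.crt")"
  echo "gateway updated with new CA:     $(classify_trust "$d/new-ca.crt" "$d/new-leaf.crt" "$d/new-ca.crt")"
  rm -rf "$d"
}
demo
```

A result of `leaf-not-reissued` corresponds to the first problem in the list, and `gateway-truststore-stale` corresponds to the second.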