Enabling TLS Certs for HTTPS (Optional)

This step is required to enable HTTPS for ConfigUI, Platform API, and Traffic Manager services. These services can also be exposed as plain HTTP URIs.

ConfigUI

This is optional and only required if HTTPS is enabled for configui. HTTPS support for Configui requires a certificate (preferably signed by CA or intermediate-CA) and a key securing the certificate.

Enabling HTTPS for ConfigUI

Procedure

1. Create the key.

   $ cd <extract_location>
   $ mkdir -p certs/configui
   $ cd certs/configui
   $ openssl genrsa -out tml-cm-key.pk8 2048
   $ cat tml-cm-key.pk8
   -----BEGIN PRIVATE KEY-----
   rkLq1Ah5mJiZ8iHK62ylqoJqGzjQKAoUa0FCtM4W/9jYetFucFaS0JmLjw9+MujB
   ...........................TRUNCATE OUTPUT..................................
   efGsNi4iRQdNrJkQqh1o8F9a
   -----END PRIVATE KEY-----
   $	

2. Create the certificate.

   $ openssl req -new -x509 -sha256 -key tml-cm-key.pk8 -out tml-cm-crt.pem -days 360 -subj
   "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.example.com"
   $ cat tml-cm-crt.pem
   -----BEGIN CERTIFICATE-----
   MIID0zCCArugAwIBAgIEY5kWuDANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
   .............................TRUNCTAED OUTPUT.......................
   TrvRgjZ3xRLIGViUK7eG+wjxi5aGUUs=
   -----END CERTIFICATE-----

3. Sign the certificate.

   note

   Contact your system administrator for signing certificates.

4. Create the Kubectl secret for TLS key.

   $ kubectl create secret generic configui-key-secret --from-file=tml-cm-key.pk8

5. Create the Kubectl secret for the TLS certificate.

   kubectl create secret generic configui-certificate-secret --from-file=tml-cm-crt.pem

Platform API

TLS certificates and keys are required if HTTPS is enabled for Platform API service. HTTPS support for the Platform API requires a certificate (preferably signed by CA or intermediate-CA) and a key securing the certificate.

Enabling HTTPS for Platform API

Procedure

1. Navigate to the extracted folder. Create a folder certs if it does not exist.

   cd <extracted tar location>
   mkdir -p certs/platformapi
   cd certs/platformapi

2. Create or copy the file tml-cm.jks.

3. Create the file .ssl.password. Then, add the password in the file such as changename.

4. Create K8s secret YAML file. This step creates the YAML files with entries encoded in base64.

   kubectl create secret generic platformapi-keystore-secret --from-file=tml-cm.jks --from-file=.ssl.password -o yaml --dry-run=client > platformapi-keystore-secret.yaml

5. Optional: Encrypt SSL password in generated YAML.

   1. Encrypt password.

   $ apim_crypto -s <secret> -n <nonce> -t 'text to encrypt'
   Example$ apim_crypto -s 'abcd1234efgh5678' -n '1234abcd5678efgh' -t
   'certpass'MTlkYzk4ZTNkYzQ0YTFlMmIzMzA1Y2I0ZDAxZDMxZDQ2MTJjMDM3NjZ
   mNGE1NDA2NjIzMTM0MzAzMzMyMzAzMjM0MzEzODMxMzYzNDM1NjUtQEBA
   2. base64 encoded secret and nonce.

   $ echo -n 'abcd1234efgh5678' | base64
   YWJjZDEyMzRlZmdoNTY3OA==$ echo -n '1234abcd5678efgh' | base64
   MTIzNGFiY2Q1Njc4ZWZnaA==

   3. Edit the generated secret file platformapi-keystore-secret.yaml. Ensure that attribute names are not changed.

      1. Replace .ssl_password with the encrypted value from Encrypt_password (refer to step 5 (a.))

      2. Provide secret and nonce using base64 values from base_64_encoded_secret_and_nonce (refer to step 5 (b.))

            apiVersion: v1
            kind: Secret
            metadata:
            name: platformapi-keystore-secret
            data:
            tml-cm.jks: /u3+7QAAAAIAAAABAAAAAQAHZGVmeM1ejC08KAaAfpU/R//7VK7DmgEW5GZ
            .....................TRUNCATED OUTPUT.................................
            /CavGiVvVHpQqslogY0P0QXVuvfqAy+UJJOcOYp96rr5sZDNv33KBmX8JZhLqDaL1I3CaZc3JeN 
            .ssl.password: MTlkYzk4ZTNkYzQ0YTFlMmIzMzA1Y2I0ZDAxZDMxZDQ2MTJjMDM3NjZmNGE1NDA2NjIzMTM0MzAzMzMyMzAzMjM0MzEzODMxMzYzNDM1NjUtQEBA
            .ssl_aeadsecret: YWJjZDEyMzRlZmdoNTY3OA==
            .ssl_aeadnonce: MTIzNGFiY2Q1Njc4ZWZnaA==
         

6. Create K8s secret.

   $ kubectl apply -f platformapi-keystore-secret.yaml

Traffic Manager

info

The trafficmanager samples are located at this path: samples/trafficmanager.

TLS keystore and key are required if HTTPS is enabled for the Traffic Manager service. HTTPS support for Traffic Manager requires a certificate (preferably signed by CA or intermediate-CA) and a key securing the certificate.

Truststore for Traffic Manager has the CA certificates used by Traffic Manager to communicate with clients in mutual TLS. Clients must present certificates issued by trusted CA(s) when communicating with the Traffic Manager in mutual TLS.

Enabling HTTPS for Traffic Manager

Procedure

1. Navigate to the extracted folder. Create a folder if it does not exist.

   cd <extracted tar location>
   mkdir -p certs/trafficmanager
   cd certs/trafficmanager

2. Create or copy trafficmanager.jks.

3. Create or copy .ssl.password.

4. Create or copy .ssl.keypassword, and add the password in the file, such as changename.

5. Create K8s secret YAML file. This step creates the YAML files with entries encoded in base64.

   kubectl create secret generic trafficmanager-keystore-secret --from-file=trafficmanager.jks --from-file=.ssl.password --from-file=.ssl.keypassword -o yaml --dry-run=client > trafficmanager-keystore-secret.yaml

   tip

   Use a dry run because you need the output for the next step, as it will not create any resources in the cluster.

6. Optional: Encrypt keystore password and password.

   1. Encrypt SSL password.

      $ apim_crypto -s <secret> -n <nonce> -t 'text to encrypt'
      Example$ apim_crypto -s 'abcd1234efgh5678' -n '1234abcd5678efgh' -t 'certpass'
      
      MjE5YzE2NjIzNDRjM2IzOTQ5ZDMyNGE1NmU2NTU1ZjRkOTY2MWI4Mjc3ZGNiYz
      c2NjIzMTM0MzAzMzMyMzAzMjM0MzEzOTMxMzUzNDMxNjUtQEBA

   2. Encrypt the key password using the same secret and nonce.

      $ apim_crypto -s <secret> -n <nonce> -t 'text to encrypt'
      Example$ apim_crypto -s 'abcd1234efgh5678' -n '1234abcd5678efgh' -t 'certpass'
      
      NzU2MzM0ZTIxYjU5ZjA2YmQxNzI4NzhlZDcyZDBjNmI1ZGVhYTViZTZhYWIzY2M4
      NjIzMTM0MzAzMzMyMzAzMjM0MzEzOTMxMzYzMDMwNjUtQEBA

   3. base64 encoded secret and nonce.

      $ echo -n 'abcd1234efgh5678' | base64
      YWJjZDEyMzRlZmdoNTY3OA==$ echo -n '1234abcd5678efgh' | base64
      MTIzNGFiY2Q1Njc4ZWZnaA==

   4. Edit the generated secret file trafficmanager-keystore-secret.yaml.

      1. Replace .ssl.password with the encrypted value from Encrypt_ssl_password_traffic_manager (refer to step 6 (a.))

      2. Replace .ssl.keypassword with the encrypted value from Encrypt_key_password_using_the_same_secret_and_nonce_traffic_manager (refer to step 6 (b.)).

      3. Provide secret and nonce using base64 values from Base_64_encoded_secret_and_nonce_traffic_manager (refer to step 6 (c.)).

         apiVersion: v1
         kind: Secret
         metadata:
         name: trafficmanager-keystore-secret
         data:
         trafficmanager.jks: /u3+7QAAAAIAAAABAAAAAQAH
         .........Truncted ouput.....................
         .ssl.password:
         MjE5YzE2NjIzNDRjM2IzOTQ5ZDMyNGE1NmU2NTU1ZjRkOTY2MWI4Mjc3Z
         GNiYzc2NjIzMTM0MzAzMzMyMzAzMjM0MzEzOTMxMzUzNDMxNjUtQEBA
         .ssl.keypassword:
         NzU2MzM0ZTIxYjU5ZjA2YmQxNzI4NzhlZDcyZDBjNmI1ZGVhYTViZTZhYWI
         zY2M4NjIzMTM0MzAzMzMyMzAzMjM0MzEzOTMxMzYzMDMwNjUtQEBA
         .ssl_aeadsecret: YWJjZDEyMzRlZmdoNTY3OA==
         .ssl_aeadnonce: MTIzNGFiY2Q1Njc4ZWZnaA==

7. Create K8s secret.

   $ kubectl apply -f trafficmanager-keystore-secret.yaml

8. Create a Secret for the trust store. Navigate to the extracted folder and create a new folder if it does not already exists.

   cd <extracted tar location>
   mkdir -p certs/trafficmanager
   cd certs/trafficmanager

9. Create or copy the file with the .trustStorePassword name, and run the following command: kubectl create secret generic trafficmanager-truststore-secret --from-file=trafficmanager-trust.jks --from-file=.trustStorePassword -o yaml --dry-run=client > trafficmanager-truststore-secret.yaml

   tip

   Use dry run because you need the output for the next step. It does not create any resources in the cluster.

10. Optional: Encrypt trust store password.

    $ apim_crypto -s 'abcd1234efgh5678' -n '1234abcd5678efgh' -t 'certpass'
    OWIzMDNmOTNhNDMwYzk4YTFhMGUyZTM4MWNjOTJlMGRhNzEyOTg1ZTYwM
    mM1NTJlNjIzMTM0MzAzMzMyMzAzMjM0MzEzOTMyMzAzNDMzNjUtQEBA

    1. base64 encoded secret and nonce.

       $ echo -n 'abcd1234efgh5678' | base64
       YWJjZDEyMzRlZmdoNTY3OA==
       $ echo -n '1234abcd5678efgh' | base64
       MTIzNGFiY2Q1Njc4ZWZnaA==

    2. Edit the generated trust store secret YAML file.

       1. Replace .ssl.password with the encrypted value from Encrypt_trust_store_password (refer to step 10).

       2. Replace .ssl.keypassword with the encrypted value.

       3. Provide secret and nonce using base64 values from Base_64_encoded_secret_and_nonce_truststore (refer to step 10 (a.)).

          apiVersion: v1
          kind: Secret
          metadata:
          name: trafficmanager-truststore-secret
          data:
          trafficmanager-trust.jks: /u3+7QAAAAIAAAABAAAAAgAEcm9vd
          ..................TRUNCATED OUTPUT.......................
          RWWCDelna14NkUaJvcu/pyBmbQXmdu0niqV3DHcjkfWP2MuctRKaXK
          .trustStorePassword:
          OWIzMDNmOTNhNDMwYzk4YTFhMGUyZTM4MWNjOTJlMGRhNzEyOTg1Z
          TYwMmM1NTJlNjIzMTM0MzAzMzMyMzAzMjM0MzEzOTMyMzAzNDMzNjUt
          QEBA
          .ts_aeadsecret: YWJjZDEyMzRlZmdoNTY3OA==.ts_aeadnonce:
          MTIzNGFiY2Q1Njc4ZWZnaA==

11. Create the Kubernetes secret. $ kubectl apply -f trafficmanager-keystore-secret.yaml

12. Create OAuth secret. $ kubectl apply -f oauth-authenticator-secrets-sample.yaml

OAuth API Password

important

This field is optional and is required only if you are using the Boomi Cloud API Management - Local Edition OAuth feature.

Attributes

• Do not change the secret name and attribute name.
• .oapipassword: This should be 64 characters or more.
• .oapiusername: The characters can be of any length.

If using AEAD, nonce and secret should be exactly 16 characters. We recommend you to use randomized text.