Run Liberty in an environment where you must use existing third-party certificates, for example certificates that are signed by a certificate authority that provides trust.
Before you begin
- Create a server.crt file that contains the certificate and a server.key file that contains the private key.
- Use the openssl command and the Java keytool command to create the trust.jks file and the key.jks file based on the server.crt file and the server.key file. Use the following example to create the keystore and truststore JKS files:
  - Export the server CA certificate and key in Public Key Cryptography Standards 12 (PKCS12) format.
    openssl pkcs12 -export -in server.crt -inkey server.key -out key.p12 -name default -passout pass:mypassword
  - Import the server PKCS12 file to the keystore key.jks file.
    keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore key.jks -srckeystore key.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias default
  - Import the server CA certificate to the keystore trust.jks file.
    keytool -importcert -keystore trust.jks -storepass mypassword -file server.crt -alias default -noprompt
- Determine whether the SSL configuration is already created. To do so, check whether the secrets exist by running the following command:
  kubectl get secrets
  If the SSL configuration exists, then the following secrets are displayed:
  mb-keystore, mb-keystore-password, mb-truststore, mb-truststore-password
Procedure
- If the SSL configuration has not been created, then complete the following steps to automatically enable SSL with third-party certificates:
  - Create the following Kubernetes secrets. This example uses the Liberty securityUtility encode command to encode the keystore and truststore password with XOR encryption.
    kubectl create secret generic mb-keystore --from-file=./key.jks
    kubectl create secret generic mb-truststore --from-file=./trust.jks
    kubectl create secret generic mb-keystore-password --from-literal=password="{xor}Ej4xPjg6MjoxKw=="
    kubectl create secret generic mb-truststore-password --from-literal=password="{xor}Ej4xPjg6MjoxKw=="
  - Set the following values when you deploy the Liberty Helm chart:
    - ssl.enabled=true
      - This option tells the Helm chart to use the secure protocol, HTTPS.
    - ssl.useClusterSSLConfiguration=true
      - This option tells the Helm chart to mount the certificate that you created, which is used for the keystore and the truststore.
    - ssl.createClusterSSLConfiguration=true
      - This option tells Helm to create the Liberty configuration that uses the third-party certificates and password secrets. When set to true, this option does not overwrite the certificates and secrets that you just created.
    - service.port=secure_port_number
      - The default secure port is 9443.
    - service.targetPort=secure_port_number
      - The default secure port is 9443.
    - ingress.secureBackends=true
      - If Ingress is enabled, use this option so that Ingress can communicate with the secure Liberty application.
- If the SSL configuration is already created, complete the following steps to automatically enable SSL:
  - Delete the previously created secrets.
    kubectl delete secrets mb-keystore mb-keystore-password mb-truststore mb-truststore-password
  - Create the following Kubernetes secrets:
    kubectl create secret generic mb-keystore --from-file=./key.jks
    kubectl create secret generic mb-truststore --from-file=./trust.jks
    kubectl create secret generic mb-keystore-password --from-literal=password="{xor}Ej4xPjg6MjoxKw=="
    kubectl create secret generic mb-truststore-password --from-literal=password="{xor}Ej4xPjg6MjoxKw=="
  - Set the following values when you deploy the Liberty Helm chart:
    - ssl.enabled=true
      - This option tells the Helm chart to use the secure protocol, HTTPS.
    - ssl.useClusterSSLConfiguration=true
      - This option tells the Helm chart to mount the certificate that you created, which is used for the keystore and the truststore.
    - ssl.createClusterSSLConfiguration=false
      - This option tells Helm not to create the Liberty configuration that uses the third-party certificates and password secrets.
    - service.port=secure_port_number
      - The default secure port is 9443.
    - service.targetPort=secure_port_number
      - The default secure port is 9443.
    - ingress.secureBackends=true
      - If Ingress is enabled, use this option so that Ingress can communicate with the secure Liberty application.
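Two checks are worth running before deploying either branch of the Procedure above. First, the {xor} value that securityUtility encode produces is reversible obfuscation, not encryption: each byte of the password is XORed with 0x5F, the result is base64 encoded, and the {xor} prefix is added, so anyone who can read the mb-keystore-password or mb-truststore-password secret can recover the password. Restrict access to these secrets with RBAC and enable encryption of secrets at rest. Second, because the value is reversible, you can confirm that the encoded value in the secret really matches the password that key.jks and trust.jks were built with; if it does not, Liberty cannot open the stores. The POSIX shell functions below are an added example, not code from the original page or from the Liberty tooling: xor_encode and xor_decode reimplement the {xor} scheme as described (an assumption about the scheme, not taken from the page), check_secret_password compares a secret value with the store password, and ssl_secrets_exist takes the output of kubectl get secrets -o name (a constructed sample list is used in the demo) and reports whether all four secrets that the "Before you begin" check looks for are present. Note that the value {xor}Ej4xPjg6MjoxKw== used in the kubectl commands above decodes to Management, not to the mypassword used in the openssl and keytool commands, so use the value that securityUtility encode produces for your own password.

```shell
#!/bin/sh
# Added example: reimplements Liberty's {xor} password encoding so that the
# value placed in the mb-keystore-password / mb-truststore-password secrets
# can be checked against the password used to build key.jks and trust.jks.
# Assumptions (not from the page): the scheme is "XOR each byte with 0x5F,
# base64-encode, prefix with {xor}", and the coreutils od and base64 tools
# are available. Passwords containing '_' (which XORs to a NUL byte) are not
# handled by this shell version.

# XOR every byte read from stdin with 0x5F (95) and write the raw bytes to
# stdout. od prints the input as decimal byte values, one per line after tr.
xor_bytes() {
  od -An -v -tu1 | tr -s ' \n' '\n' | while read -r b; do
    if [ -n "$b" ]; then
      # build an octal escape such as \115 and let printf emit that byte
      printf "$(printf '\\%03o' $((b ^ 95)))"
    fi
  done
}

# {xor}-encode a plain-text password, as securityUtility encode does by default.
xor_encode() {
  printf '{xor}%s' "$(printf '%s' "$1" | xor_bytes | base64 | tr -d '\n')"
}

# Recover the plain-text password from a {xor} value: the encoding is
# reversible obfuscation, not encryption.
xor_decode() {
  printf '%s' "$1" | sed 's/^{xor}//' | base64 -d | xor_bytes
}

# Return 0 when the {xor} value in a secret decodes to the store password,
# which is what Liberty needs to open the keystore or truststore.
check_secret_password() {
  secret_value=$1
  store_password=$2
  [ "$(xor_decode "$secret_value")" = "$store_password" ]
}

# Given the output of `kubectl get secrets -o name` (one "secret/<name>" per
# line), return 0 only when all four secrets from the page's check are present.
ssl_secrets_exist() {
  list=$1
  for name in mb-keystore mb-keystore-password mb-truststore mb-truststore-password; do
    printf '%s\n' "$list" | grep -qx "secret/$name" || return 1
  done
  return 0
}

# Optional check that needs a JDK: confirm the store opens with the password.
# Returns 2 when keytool is not installed.
verify_store_opens() {
  store=$1
  password=$2
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
  keytool -list -keystore "$store" -storepass "$password" >/dev/null 2>&1
}

# Demo with constructed sample input: run as `sh this_script.sh demo`.
if [ "${1:-}" = "demo" ]; then
  xor_encode mypassword; echo
  xor_decode '{xor}Ej4xPjg6MjoxKw=='; echo
  # constructed stand-in for `kubectl get secrets -o name`
  sample_list='secret/default-token-abcde
secret/mb-keystore
secret/mb-keystore-password
secret/mb-truststore
secret/mb-truststore-password'
  ssl_secrets_exist "$sample_list" && echo "SSL configuration already exists"
  check_secret_password '{xor}Ej4xPjg6MjoxKw==' mypassword \
    || echo "secret password does not match the keystore password"
fi
```

Replace the sample list with the real kubectl output (ssl_secrets_exist "$(kubectl get secrets -o name)") to decide which branch of the Procedure applies, and run check_secret_password with the value you intend to store before creating the password secrets.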