Enabling SSL Connections

This procedure describes how to enable SSL connections in HPE Ezmeral Container Platform deployments for which SSL was not enabled during the initial deployment process.

Prerequisites

You are logged into the active Controller host as the user account that was used to install HPE Ezmeral Container Platform.

About this task

If you followed the instructions in Adding an SSL Certificate during the HPE Ezmeral Container Platform deployment process, you do not need to complete this task.

Use this procedure to enable SSL connections on an existing HPE Ezmeral Container Platform deployment.

Procedure

  1. Either generate or obtain an SSL certificate that includes the correct set of hostnames in the Common Name (CN) or Subject Alternative Name (SAN) field:
    Include the following hostnames:
    • HPE Ezmeral Container Platform Controller hostname.
    • Common HPE Ezmeral Container Platform Gateway hostname.
    • If the deployment has more than one Gateway host, include the additional HPE Ezmeral Container Platform Gateway hostnames.
    If Platform HA is enabled, also include the following hostnames:
    • The HPE Ezmeral Container Platform Shadow Controller hostname.
    • If your deployment uses a cluster IP address, then also include the hostname associated with that cluster IP address.
  2. Place both the host SSL certificate and the private key on the Controller host.

    The certificate and key files must be readable by the webserver process, according to Linux file permissions and the SELinux configuration. A standard way to do this is to assign 644 permissions to both files and place them in the /etc/pki/tls/certs directory.

    The remainder of this procedure assumes that the certificate and key files are located in /etc/pki/tls/certs/server.crt and /etc/pki/tls/private/server.key, respectively.

  3. Use the bdconfig tool to update the /etc/bluedata/bluedata.conf file with the certificate and key file locations.
    For example:
    bdconfig --set "bds_prechecks_sslcert=/etc/pki/tls/certs/server.crt"
    bdconfig --set "bds_prechecks_sslkey=/etc/pki/tls/private/server.key"
  4. Execute the following commands:
    cd /opt/bluedata/bundles/hpe-cp-*/scripts
    exec 4>&2; source iucomponents/ha/common/ha-common.sh; set +x; exec 2>&4

    If you change to a new login shell when you perform the next steps, you must execute the commands in this step in the new shell.

  5. Use the functions made available by sourcing ha-common.sh in Step 4 to edit the relevant config files, then restart the webserver and reinitialize the management services:
    setup_https

    CentOS: service httpd restart
    SLES: systemctl restart apache2

    $(get_rpc_cmd) bd_mgmt_config init ""
    $(get_rpc_cmd) bd_mgmt_web stop ""
  6. Verify that the HPE Ezmeral Container Platform web interface accepts HTTPS connections and that unsecured HTTP connections are no longer accepted.
  7. If Platform HA is enabled, do the following:
    1. Replicate the SSL certificate and private key on the Shadow host with the same directories and permissions as the Controller host by executing the following commands:
      CERT_DIR=$(dirname "$bds_prechecks_sslcert")
      KEY_DIR=$(dirname "$bds_prechecks_sslkey")
      util_remote_exec $bds_global_user $HA_PEER "mkdir -p $CERT_DIR"
      util_remote_exec $bds_global_user $HA_PEER "mkdir -p $KEY_DIR"
      util_remote_sudo_copy $bds_global_user $HA_PEER $bds_prechecks_sslcert $bds_prechecks_sslcert
      util_remote_sudo_copy $bds_global_user $HA_PEER $bds_prechecks_sslkey $bds_prechecks_sslkey
    2. Update the configuration on the Shadow host by executing the following commands on the Controller host:
      util_remote_exec $bds_global_user $HA_PEER "bdconfig --set \"bds_prechecks_sslcert=$bds_prechecks_sslcert\""
      util_remote_exec $bds_global_user $HA_PEER "bdconfig --set \"bds_prechecks_sslkey=$bds_prechecks_sslkey\""
  8. If your HPE Ezmeral Container Platform deployment has one or more existing Kubernetes clusters, change the secret that is used by the hpecp-agent operator to communicate with the control plane when creating services:

    On each Kubernetes Master node, execute the following commands:

    URL=$(kubectl -n hpecp get secrets/hpecp-session-secret -o jsonpath='{.data.k8s-cluster-services-url}' | base64 --decode)
    MOD_URL=$(printf '%s' "$URL" | sed 's#^http://#https://#' | base64 -w 0)
    kubectl -n hpecp patch secret hpecp-session-secret --type='json' -p="[{\"op\":\"replace\",\"path\":\"/data/k8s-cluster-services-url\",\"value\":\"$MOD_URL\"}]"

    The preceding commands fetch the current value of the secret, change the URL scheme from http to https (only a leading http:// is rewritten, so a value that is already https is left unchanged), and then write the modified value back into the secret.
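The following is an added example, not code from the HPE documentation, that makes the step 8 rewrite checkable before kubectl touches the secret: it upgrades only a leading http:// scheme, round-trips the base64 value the way the secret stores it, and builds the same JSON patch document. The function names and the sample URL are assumptions made for the example; it needs only POSIX sh and the coreutils base64 command.

```shell
# Added example (not from the HPE documentation): a dry-run helper for step 8
# that rewrites the k8s-cluster-services-url scheme without calling kubectl.
# Assumes POSIX sh and the coreutils base64 command; the sample URL is constructed.

# Rewrite only a leading "http://" to "https://". A value that is already
# https is returned unchanged, so re-running the step is harmless, and an
# "http" inside the host or path is never touched.
upgrade_scheme() {
    case "$1" in
        http://*) printf '%s' "https://${1#http://}" ;;
        *)        printf '%s' "$1" ;;
    esac
}

# Input: the base64 value as stored in the secret's data field.
# Output: the base64 value to patch in, on a single line (no wrapping).
upgrade_secret_value() {
    _url=$(printf '%s' "$1" | base64 -d)
    upgrade_scheme "$_url" | base64 | tr -d '\n'
}

# Build the JSON patch document that "kubectl -n hpecp patch secret ... -p" expects.
build_patch() {
    printf '[{"op":"replace","path":"/data/k8s-cluster-services-url","value":"%s"}]' "$1"
}

# Constructed sample: base64 of http://gateway.example.com:8080/services
SAMPLE_B64=$(printf '%s' 'http://gateway.example.com:8080/services' | base64 | tr -d '\n')

# Dry run: print the patch that would be applied for the sample value.
build_patch "$(upgrade_secret_value "$SAMPLE_B64")"
echo
```

On a real Master node, replace SAMPLE_B64 with the value read from the secret by the kubectl get command above and pass the printed document to kubectl patch.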

  9. In the Gateway Settings tab, enable SSL termination using the same SSL certificate file you created or obtained at the beginning of this procedure.