Accessing External Interfaces with Your CA Trust Chain
In the Oracle Private Cloud Appliance architecture, you can provide your own Certificate Authority (CA) certificates, which allows you to use your CA trust chain to access the rack's external interfaces:
- Admin-accessible
  - admin.<domain_name>
  - adminconsole.<domain_name>
  - alertmanager.<domain_name>
  - api.<domain_name>
  - grafana.<domain_name>
  - prometheus.<domain_name>
- Regular uplink
  - autoscaling.<domain_name>
  - console.<domain_name>
  - containerengine.<domain_name>
  - dns.<domain_name>
  - filestorage.<domain_name>
  - iaas.<domain_name>
  - identity.<domain_name>
  - regionregistry.<domain_name>
  - regionrepository.<domain_name>
- Object storage
  - objectstorage.<domain_name>
The process to use certificates signed by your own CA has three steps:
- Create certificate signing requests (CSRs) on your Private Cloud Appliance.
- Use these CSRs to generate certificates signed by your own CA.
- Upload the signed certificates and your CA trust chain to Private Cloud Appliance.
Create Certificate Signing Requests
To use your own CA, you must generate CSRs on Private Cloud Appliance and then use the CSRs to generate the certificates signed by your CA.
Note:
OpenSSH clients must be version openssh-clients-7.4p1 or later.
Using the Service CLI
To generate the CSRs, use the generateCustomerCsr command.
- Log into the Service CLI.
- Run the generateCustomerCsr command:
  PCA-ADMIN> generateCustomerCsr
  Command: generateCustomerCsr
  Status: Success
  Time: 2023-05-17 18:43:55,904 UTC
  Data:
    status = success
    message = Successfully generated customer csr: Please download all CSR files from: /nfs/shared_storage/certs/customer_csr/
- You can add Distinguished Name fields to the generateCustomerCsr command if needed:
  PCA-ADMIN> generatecustomerCsr country=IN state=KA locality=blr \
  organization=example organizationunit=adminexample,pca email=test@example.com
  Command: generatecustomerCsr country=IN state=KA locality=blr \
  organization=example organizationunit=adminexample,pca email=test@example.com
  Status: Success
  Time: 2023-10-11 22:48:16,718 UTC
  Data:
    status = success
    message = Successfully generated customer csr: Please download all CSR files from: /nfs/shared_storage/certs/customer_csr/
  Allowable Distinguished Name fields are country, state, locality, organization, organization unit (organizationunit in the example above), and email.
  You can find the newly generated CSR files in the /nfs/shared_storage/certs/customer_csr/ directory on the management node:
  - external_tls_term.csr.pem
  - external_admin_tls_term.csr.pem
  - zfssa.csr.pem
- Download the CSRs.
- Create certificates signed by your CA that are based on the CSRs.
Important:
When you generate your certificates, you must include the FQDNs listed in the Subject Alternative Name (SAN) information of each CSR, and no IP addresses.
If you supply outside certificates to establish a CA trust chain, you must add PTR records to the Data Center DNS. A PTR (pointer) record in DNS maps an IP address to a hostname. This is the reverse of the usual lookup, in which an A record maps a supplied hostname to an IP address.
You must create reverse IP lookup zones for the two ReplicationIps used in disaster recovery. DNS requests for these zones are forwarded to the Private Cloud Appliance in the same way as requests for the Private Cloud Appliance Service Zone are forwarded. If only the zfsCapacityPoolReplicationEndpoint is defined, then only a PTR record for that IP address is needed.
To create a reverse IP lookup, create a DNS zone for the reverse lookup. You create one or more reverse lookup zones depending on how the Replication IPs are configured. How you create these PTR records depends on the interface of the Data Center's DNS servers.
For example, if the rack domain is myprivatecloud.example.com, the Capacity Pool IP is 10.170.123.98, and the Performance Pool IP is 10.170.123.99, the Private Cloud Appliance requires two zones with the following mappings:
98.123.170.10.in-addr.arpa rtype PTR rdata sn01-dr1.myprivatecloud.example.com
99.123.170.10.in-addr.arpa rtype PTR rdata sn02-dr1.myprivatecloud.example.com
For more information about DNS and PTR records, see the Networking section of the Oracle Private Cloud Appliance User Guide.
You can proceed to the uploading process.
Uploading Your CA Certificates
When you have the signed certificates, you must upload them together with the CA trust chain to the Private Cloud Appliance.
Using the Service CLI
Use the uploadCustomerCerts command to upload the certificates. This command takes the following parameters, each giving the full path to a certificate or to the CA trust chain:
- caTrustChain
- externalAdminCert
- externalCert
- zfsCert
- Log into the Service CLI.
- Copy the certificates you created in Create Certificate Signing Requests and your CA trust chain to the /nfs/shared_storage directory on the management node.
- Run the uploadCustomerCerts command to upload all the certificates. For example:
  PCA-ADMIN> uploadCustomerCerts externalcert=/nfs/shared_storage/external_tls_term.cert zfsCert=/nfs/shared_storage/certs/zfssa.cert caTrustChain=/nfs/shared_storage/CAPrivate.pem
  Command: uploadCustomerCerts externalcert=/nfs/shared_storage/external_tls_term.cert zfsCert=/nfs/shared_storage/certs/zfssa.cert caTrustChain=/nfs/shared_storage/CAPrivate.pem
  Status: Success
  Time: 2023-05-17 18:43:55,904 UTC
  Data:
    status = success
    message = Successfully uploaded customer CERTS
Important:
Upload your CA trust chain with one of the certificate upload commands by using the caTrustChain parameter. The file must contain the complete chain from the CA that signed the certificates up to the root, or clients that trust only the root cannot verify the uploaded certificates.
Note:
If you need to back out your CA certificate and revert to an Oracle-supplied certificate, contact Oracle.