Accessing External Interfaces with Your CA Trust Chain

In the Oracle Private Cloud Appliance architecture, you can provide your own Certificate Authority (CA) certificates, which lets you use your CA trust chain to access the rack's external interfaces.

You need three different certificates signed by your CA, one for each group of external interfaces:
  • Admin-accessible
    • admin.<domain_name>
    • adminconsole.<domain_name>
    • alertmanager.<domain_name>
    • api.<domain_name>
    • grafana.<domain_name>
    • prometheus.<domain_name>
  • Regular uplink
    • autoscaling.<domain_name>
    • console.<domain_name>
    • containerengine.<domain_name>
    • dns.<domain_name>
    • filestorage.<domain_name>
    • iaas.<domain_name>
    • identity.<domain_name>
    • regionregistry.<domain_name>
    • regionrepository.<domain_name>
  • Object storage
    • objectstorage.<domain_name>

The process to use your own CA-signed certificates is simple:

  1. Create certificate signing requests (CSRs) on your Private Cloud Appliance.
  2. Use these CSRs to generate certificates signed by your own CA.
  3. Upload these certificates and your CA trust chain to the Private Cloud Appliance.

Create Certificate Signing Requests

To use your own CA, you must generate CSRs on Private Cloud Appliance and then use the CSRs to generate the certificates signed by your CA.

Note:

The OpenSSH client must be version openssh-clients-7.4p1 or later.

Using the Service CLI

To generate the CSRs, use the generateCustomerCsr command.

  1. Log into the Service CLI.
  2. Run the generateCustomerCsr command:
    PCA-ADMIN> generateCustomerCsr
    Command: generateCustomerCsr
    Status: Success
    Time: 2023-05-17 18:43:55,904 UTC
    Data: 
     status = success
     message = Successfully generated customer csr: 
        Please download all CSR files from: /nfs/shared_storage/certs/customer_csr/
  3. You can add Distinguished Name (DN) attributes to the generateCustomerCsr command if needed:

    PCA-ADMIN> generateCustomerCsr country=IN state=KA locality=blr \
      organization=example organizationunit=adminexample,pca email=test@example.com
    Command: generateCustomerCsr country=IN state=KA locality=blr \
      organization=example organizationunit=adminexample,pca email=test@example.com
    Status: Success
    Time: 2023-10-11 22:48:16,718 UTC
    Data: 
      status = success
      message = Successfully generated customer csr: 
         Please download all CSR files from: /nfs/shared_storage/certs/customer_csr/

    The allowable DN parameters are country, state, locality, organization, organizationunit, and email.

    You can find the newly-generated CSR files in the /nfs/shared_storage/certs/customer_csr/ directory on the management node:

    • external_tls_term.csr.pem
    • external_admin_tls_term.csr.pem
    • zfssa.csr.pem
  4. Download the CSRs.
  5. Create certificates signed by your CA that are based on the CSRs.

    Important:

    When you generate your certificates, carry over the FQDNs listed in the Subject Alternative Name (SAN) extension of each CSR. Do not add IP addresses to the SAN.
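The following shell script is an added example and is not part of the Oracle documentation or the appliance's tooling. It shows how to sign one of the downloaded CSRs with your own CA so that the SAN FQDNs from the CSR end up in the certificate, refuses a CSR whose SAN carries IP addresses, and then runs the checks worth doing before the certificate is uploaded: the certificate's public key matches the CSR, and the certificate verifies against the CA trust chain file. The rack domain myprivatecloud.example.com, the file names, and the throwaway CA and CSR generated at the end are assumptions for the demonstration; on a real system the CSR is one of the files from /nfs/shared_storage/certs/customer_csr/ and the CA key never leaves your PKI.

```shell
#!/bin/sh
# Added example; not from the Oracle Private Cloud Appliance documentation.
# Signs a CSR with your own CA while carrying the CSR's SAN FQDNs into the
# certificate, refuses CSRs whose SAN carries IP addresses, and verifies the
# result before upload. Requires openssl (1.1.1 or later for -addext).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Print the subjectAltName of a CSR with spaces stripped,
# e.g. "DNS:iaas.example.com,DNS:identity.example.com".
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Sign CSR $1 with CA certificate $2 and CA key $3, writing the certificate to $4.
# The SAN is copied from the CSR through an extfile, which works on OpenSSL 1.1
# as well as 3.x (3.x additionally offers "openssl x509 -copy_extensions copy").
sign_csr_preserving_san() {
  csr=$1; cacert=$2; cakey=$3; out=$4
  sans=$(csr_sans "$csr")
  [ -n "$sans" ] || { echo "refusing: CSR has no SAN extension" >&2; return 1; }
  case "$sans" in
    *IPAddress:*|*IP:*) echo "refusing: CSR SAN contains IP addresses" >&2; return 1 ;;
  esac
  printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$sans" > "$WORK/ext.cnf"
  openssl x509 -req -in "$csr" -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/ext.cnf" -out "$out" 2>/dev/null
}

# Print the DNS names in a certificate's SAN, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if the certificate's public key is the one in the CSR,
# i.e. the certificate really belongs to the private key held on the appliance.
cert_matches_csr() {
  a=$(openssl req -in "$1" -noout -pubkey | openssl dgst -sha256)
  b=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# Succeed only if the certificate verifies against the CA trust chain file $1.
cert_chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo material: a throwaway CA and a CSR carrying two FQDNs of a
# hypothetical rack domain. On a real system the CSR comes from generateCustomerCsr.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Private CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}
make_demo_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=iaas.myprivatecloud.example.com" \
    -addext "subjectAltName=DNS:iaas.myprivatecloud.example.com,DNS:identity.myprivatecloud.example.com" \
    -keyout "$WORK/svc.key" -out "$WORK/svc.csr" 2>/dev/null
}

make_demo_ca
make_demo_csr
sign_csr_preserving_san "$WORK/svc.csr" "$WORK/ca.pem" "$WORK/ca.key" "$WORK/svc.cert"
cert_matches_csr "$WORK/svc.csr" "$WORK/svc.cert"
cert_chains_to "$WORK/ca.pem" "$WORK/svc.cert"
echo "signed $WORK/svc.cert with SAN:"; cert_dns_sans "$WORK/svc.cert"
```

Run the three check functions against each of the three certificates and the trust chain file you intend to pass as caTrustChain; a certificate that fails cert_chains_to with that exact file will not be trusted by clients that are given the same chain.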

If you supply your own certificates to establish a CA trust chain, you must add PTR records to the data center DNS. A PTR (pointer) record in DNS maps an IP address to a hostname; this is the reverse of the usual lookup, which returns an IP address for a hostname and is provided by an A record.

You must create reverse IP lookup zones for the two replication IPs used in disaster recovery. DNS requests for these zones are forwarded to the Private Cloud Appliance in the same way as requests for the Private Cloud Appliance service zone. If only the zfsCapacityPoolReplicationEndpoint is defined, then only a PTR record for that IP address is needed.

To create a reverse IP lookup, create a DNS zone for it. You create one or more reverse lookup zones depending on how the replication IPs are configured. How you create the PTR records depends on the interface of the data center's DNS servers.

For example, if the rack domain is myprivatecloud.example.com, and the Capacity Pool IP is 10.170.123.98 and the Performance Pool IP is 10.170.123.99, the Private Cloud Appliance requires two zones with the following mappings:

98.123.170.10.in-addr.arpa rtype PTR rdata sn01-dr1.myprivatecloud.example.com
99.123.170.10.in-addr.arpa rtype PTR rdata sn02-dr1.myprivatecloud.example.com
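The following shell script is an added example, not part of the Oracle documentation. It derives the in-addr.arpa owner names for the replication IPs above, renders the two PTR records in zone-file syntax (one common form; your DNS server's interface may differ), and offers a preflight check that asks a resolver for each PTR and compares the answer with the expected name. The IPs and hostnames are the page's example values; the resolver address passed to preflight is an assumption you replace with your data center DNS server.

```shell
#!/bin/sh
# Added example; not from the Oracle Private Cloud Appliance documentation.
# Derives the in-addr.arpa owner names for the replication IPs, renders the PTR
# records, and checks that a resolver answers them as expected.
set -eu

# Owner name of the PTR record for an IPv4 address:
# 10.170.123.98 -> 98.123.170.10.in-addr.arpa  (prints nothing for non-IPv4 input)
ptr_owner() {
  echo "$1" | awk -F. 'NF == 4 { print $4"."$3"."$2"."$1".in-addr.arpa" }'
}

# Render "ip fqdn" pairs from stdin as PTR records in zone-file syntax.
# Trailing dots keep both names absolute so no zone origin is appended.
ptr_records() {
  while read -r ip host; do
    [ -n "$ip" ] || continue
    printf '%s. IN PTR %s.\n' "$(ptr_owner "$ip")" "$host"
  done
}

# Query resolver $1 for the PTR of address $2 and compare with expected name $3.
check_ptr() {
  got=$(dig +short @"$1" -x "$2" | sed 's/\.$//')
  [ "$got" = "$3" ]
}

# Constructed input: the page's Capacity Pool and Performance Pool replication IPs.
REPLICATION_IPS='10.170.123.98 sn01-dr1.myprivatecloud.example.com
10.170.123.99 sn02-dr1.myprivatecloud.example.com'

# Preflight: ask the data center resolver ($1) for every expected PTR.
preflight() {
  resolver=$1
  printf '%s\n' "$REPLICATION_IPS" | while read -r ip host; do
    if check_ptr "$resolver" "$ip" "$host"; then
      echo "PTR ok:      $ip -> $host"
    else
      echo "PTR MISSING: $ip (expected $host)" >&2
    fi
  done
}

printf '%s\n' "$REPLICATION_IPS" | ptr_records
```

Call preflight with the address of your data center DNS server (for example preflight 10.170.0.53, an assumed address) after the zones are in place; the script needs dig for that step, while the record rendering works without network access.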

For more information about DNS and PTR records, see the Networking section of the Oracle Private Cloud Appliance User Guide.

You can now proceed to upload the certificates.

Uploading Your CA Certificates

When you have the signed certificates, upload them along with the CA trust chain to the Private Cloud Appliance.

Using the Service CLI

Use the uploadCustomerCerts command to upload the certificates. This command uses the following parameters to provide the full paths to the certificates and the CA trust chain:
  • caTrustChain
  • externalAdminCert
  • externalCert
  • zfsCert
  1. Log into the Service CLI.
  2. Copy the certificates you created in Create Certificate Signing Requests and your CA trust chain to the /nfs/shared_storage directory on the management node.
  3. Run the uploadCustomerCerts command to upload the certificates. The following example uploads two of the three certificates (externalCert and zfsCert) together with the CA trust chain; the third certificate is passed with the externalAdminCert parameter in the same way:
    PCA-ADMIN> uploadCustomerCerts externalCert=/nfs/shared_storage/external_tls_term.cert
                 zfsCert=/nfs/shared_storage/certs/zfssa.cert
                 caTrustChain=/nfs/shared_storage/CAPrivate.pem
    Command: uploadCustomerCerts externalCert=/nfs/shared_storage/external_tls_term.cert
                 zfsCert=/nfs/shared_storage/certs/zfssa.cert
                 caTrustChain=/nfs/shared_storage/CAPrivate.pem
    Status: Success
    Time: 2023-05-17 18:43:55,904 UTC
    Data: 
     status = success
     message = Successfully uploaded customer CERTS

    Important:

    Upload your CA trust chain with one of the uploadCustomerCerts commands by using the caTrustChain parameter.

Note:

If you need to back out your CA certificate and revert to an Oracle-supplied certificate, contact Oracle.