Accessing External Interfaces of Private Cloud Appliance with Your Own CA Trust Chain
To access the external interfaces of Private Cloud Appliance with certificates issued by your own Certificate Authority (CA), you replace the Oracle-supplied certificates with certificates signed by your CA and supply the CA trust chain that validates them.
Three separate certificates signed by your CA are required to cover all the external interfaces of a Private Cloud Appliance, one for each of the following groups of endpoints:
- Admin-accessible
  - admin.<domain_name>
  - adminconsole.<domain_name>
  - alertmanager.<domain_name>
  - api.<domain_name>
  - grafana.<domain_name>
  - prometheus.<domain_name>
  - prometheus-gw.<domain_name>
  - rps.<domain_name>
- Regular uplink
  - auth.<domain_name>
  - autoscaling.<domain_name>
  - backup-provider.<domain_name>
  - compute-containers.<domain_name>
  - console.<domain_name>
  - containerengine.<domain_name>
  - dns.<domain_name>
  - filestorage.<domain_name>
  - iaas.<domain_name>
  - identity.<domain_name>
  - limits.<domain_name>
  - network-load-balancer-api.<domain_name>
  - regionregistry.<domain_name>
  - regionrepository.<domain_name>
- Object storage
  - objectstorage.<domain_name>
When a new service endpoint is added to Private Cloud Appliance as part of a controller software upgrade, the "Regular uplink" certificate must be updated so that it covers the new endpoint. Repeat the process described in this topic to generate a new CSR, have it signed by your CA, and upload the new certificate.
If you need to back out your CA certificate and revert to an Oracle-supplied certificate, contact Oracle for assistance.
The process to set up your own CA trust chain is as follows:
- Create certificate signing requests (CSRs) from your Private Cloud Appliance.
- With these CSRs, generate certificates signed by your Certificate Authority.
- Upload the signed certificates and your CA trust chain to your Private Cloud Appliance.
Creating Certificate Signing Requests
Generate certificate signing requests (CSRs) using the Service CLI.
The OpenSSH client you use to connect must be version 7.4p1 (package openssh-clients-7.4p1) or later.
- Log into the Service CLI.
- Run the generateCustomerCsr command.
  PCA-ADMIN> generateCustomerCsr
  Data:
    status = success
    message = Successfully generated customer csr: Please download all CSR files from: /nfs/shared_storage/certs/customer_csr/
- You can add Distinguished Name attributes to the generateCustomerCsr command if needed.
  PCA-ADMIN> generateCustomerCsr country=IN state=KA locality=blr \
    organization=example organizationunit=adminexample,pca email=test@example.com
  Data:
    status = success
    message = Successfully generated customer csr: Please download all CSR files from: /nfs/shared_storage/certs/customer_csr/
  Allowable Distinguished Name attributes are country, state, locality, organization, organizationunit, and email.
- Log in to a management node and go to the shared storage directory as indicated in the command output. Download the CSRs:
  - external_tls_term.csr.pem (regular uplink interfaces)
  - external_admin_tls_term.csr.pem (admin-accessible interfaces)
  - zfssa.csr.pem (object storage)
- Based on these CSRs, create certificates signed by your CA.
  Important
  When you generate your certificates, the Subject Alternative Name (SAN) extension of each certificate must contain the FQDNs listed in the SAN extension of the corresponding CSR, and no IP addresses. Check that your signing tool actually carries the CSR's requested extensions into the certificate: for example, openssl x509 -req drops them unless you pass them explicitly, which leaves the certificate without the names the appliance endpoints are accessed by.
- DNS Notes
  If you supply outside certificates to establish a CA trust chain, you must add PTR records to the data center DNS. A PTR (pointer) record in DNS maps an IP address to a hostname. This is the reverse of the usual lookup of an IP address for a supplied hostname, which an A record in DNS provides.
  You must create reverse IP lookup zones for the two replication IPs used in disaster recovery. The DNS requests are forwarded to the Private Cloud Appliance in the same way as requests for the Private Cloud Appliance Service Zone are forwarded. If only the zfsCapacityPoolReplicationEndpoint is defined, then only a PTR record for that IP address is needed.
  To create a reverse IP lookup, you create a DNS zone for it. You create one or more reverse lookup zones depending on how the replication IPs are configured. How to create these PTR records depends on the interface of the data center's DNS servers.
  For example, if the rack domain is myprivatecloud.example.com, and the capacity and performance storage pool replication IPs are 10.170.123.98 and 10.170.123.99, Private Cloud Appliance requires two zones with the following mappings:
    98.123.170.10.in-addr.arpa rtype PTR rdata sn01-dr1.myprivatecloud.example.com
    99.123.170.10.in-addr.arpa rtype PTR rdata sn02-dr1.myprivatecloud.example.com
For more information, see these Networking topics:
You can proceed to the uploading process.
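Before uploading, it is worth checking that each certificate your CA issued really carries the DNS names from the CSR's SAN, was issued for the key in the CSR, and chains to the bundle you will pass as caTrustChain. The following shell script is an added example, not Oracle's code or part of the appliance tooling: it signs a CSR with the OpenSSL command line so that the CSR's SAN DNS names are carried into the certificate (openssl x509 -req drops requested extensions unless they are supplied through -extfile), and then runs those three checks. The throwaway CA, the rack domain myprivatecloud.example.com, the hostnames and the file names are constructed for the example; the only assumption about the appliance is that its CSRs list the FQDNs as DNS entries in the SAN extension, as this topic states.

```shell
#!/bin/sh
# Added example, not Oracle's code: sign a downloaded PCA CSR with your own CA so
# that the CSR's SAN DNS names end up in the certificate, then run the checks a
# practitioner wants before uploadCustomerCerts. The test CA, key and CSR built by
# make_fixture are constructed for illustration; on a real rack you use the CSRs
# downloaded from /nfs/shared_storage/certs/customer_csr/ and your own CA key.
set -eu

# Print the SAN list of a CSR as "DNS:a,DNS:b" (empty when the CSR has no SAN).
csr_san() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Sign CSR $1 with CA key $2 / CA cert $3, writing the certificate to $4.
# "openssl x509 -req" ignores the CSR's requested extensions by default, so the
# SAN is carried over explicitly, keeping only DNS names (no IP addresses).
sign_csr() {
    csr=$1; cakey=$2; cacert=$3; out=$4
    san=$(csr_san "$csr" | tr ',' '\n' | grep '^DNS:' | paste -sd, -)
    if [ -z "$san" ]; then
        echo "$csr carries no DNS entries in its SAN; refusing to sign" >&2
        return 1
    fi
    ext=$(mktemp)
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > "$ext"
    openssl x509 -req -in "$csr" -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
        -days 365 -sha256 -extfile "$ext" -out "$out" >/dev/null 2>&1
    rc=$?
    rm -f "$ext"
    return $rc
}

# Pre-upload checks: the certificate chains to the bundle you will pass as
# caTrustChain, its public key is the one from the CSR (so it matches the rack's
# private key), and every DNS name from the CSR's SAN is present in the certificate.
verify_cert() {
    csr=$1; cert=$2; chain=$3
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || return 1
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    [ "$csr_key" = "$cert_key" ] || return 1
    cert_san=$(openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    for name in $(csr_san "$csr" | tr ',' ' '); do
        case ",$cert_san," in
            *",$name,"*) ;;
            *) echo "$name from the CSR is missing in $cert" >&2; return 1 ;;
        esac
    done
}

# Constructed fixture: a throwaway CA and a CSR shaped like external_tls_term.csr.pem
# (hostnames under a hypothetical rack domain), so the functions above run offline.
make_fixture() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    cat > "$dir/csr.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = iaas.myprivatecloud.example.com
[v3_req]
subjectAltName = DNS:iaas.myprivatecloud.example.com,DNS:console.myprivatecloud.example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/csr.cnf" \
        -keyout "$dir/srv.key" -out "$dir/external_tls_term.csr.pem" >/dev/null 2>&1
}

# Usage on a real rack, after downloading the CSRs from the management node:
#   sign_csr external_tls_term.csr.pem ca.key ca.pem external_tls_term.cert
#   verify_cert external_tls_term.csr.pem external_tls_term.cert CAPrivate.pem
```

Run verify_cert once per certificate (external, admin and zfssa) against the same CAPrivate.pem you intend to upload; if your CA is an intermediate, that file must contain the intermediate and root certificates, otherwise the chain check fails for the same reason the appliance's clients would later reject the certificate.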
Uploading Custom CA Certificates
To complete the setup, you must upload the new signed CA certificates along with the CA trust chain to your Private Cloud Appliance.
Use the uploadCustomerCerts command to upload the CA certificates. This command uses the following parameters to provide the full paths to the certificates and the CA trust chain:
- caTrustChain
- externalAdminCert
- externalCert
- zfsCert
- Log into the Service CLI.
- Copy the CA certificates and your CA trust chain to the /nfs/shared_storage directory on the management node.
- Run the uploadCustomerCerts command to upload all the CA certificates. For example:
  PCA-ADMIN> uploadCustomerCerts externalCert=/nfs/shared_storage/external_tls_term.cert \
    zfsCert=/nfs/shared_storage/certs/zfssa.cert caTrustChain=/nfs/shared_storage/CAPrivate.pem
  Data:
    status = success
    message = Successfully uploaded customer CERTS
  Important
  Upload your CA trust chain with one of the CA certificate upload commands by using the caTrustChain parameter.
  If your Private Cloud Appliance has the Admin networking feature enabled, the uploadCustomerCerts command requires the additional externalAdminCert parameter. For example:
  PCA-ADMIN> uploadCustomerCerts externalCert=/nfs/shared_storage/external_tls_term.cert \
    zfsCert=/nfs/shared_storage/certs/zfssa.cert caTrustChain=/nfs/shared_storage/CAPrivate.pem \
    externalAdminCert=/nfs/shared_storage/external_admin_tls_term.cert
  Data:
    status = success
    message = Successfully uploaded customer CERTS