Noopur Agarwal
Published in IBM Cloud
5 min read · Nov 30, 2020


Why is accessing the IBM Cloud Pak for Multicloud Management console using a customized domain useful?

Authors: Noopur Agarwal, Ranjeet Singh

You might want to use your own custom domain, in line with your organization's certificates, to securely access the resources that are provisioned through IBM Cloud Pak for Multicloud Management. If so, read on: after IBM Cloud Pak for Multicloud Management is installed, you can complete these easy steps to configure your domain to access the IBM Cloud Pak for Multicloud Management URL. You can choose your own domain and configure it quickly.

The IBM Cloud Pak for Multicloud Management enables the organization to securely manage applications, no matter how they are designed or where they are deployed. The IBM Cloud Pak for Multicloud Management is a set of open, pluggable tools built around a core application and governance model. This core architecture helps organizations model applications and application dependencies, manage the lifecycles of both applications and infrastructure, consistently govern and secure applications and their deployment models, and deliver observability for the application's full stack.

Prerequisites

1. Choose a custom domain to access IBM Cloud Pak for Multicloud Management using a custom URL.

2. This custom domain must be registered in DNS.

3. Some knowledge of IBM Cloud Pak for Multicloud Management. For more information, refer to the IBM Cloud Pak for Multicloud Management overview.

The solution

To customize the URL used to access IBM Cloud Pak for Multicloud Management with a user-specific host, for example mcm.cp4mcm.com (*.domain.com), complete the following steps.

Step 1. Create a self-signed certificate or use a CA-signed certificate

To create the route for your custom URL, you need a certificate. If you do not already have a CA-signed certificate, complete this step to create a self-signed one. If you already have one, skip this step; you can use the existing certificate to create a route for the custom URL/host of your choice.

Run the following commands to create a self-signed certificate:

$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048

$ openssl rsa -passin pass:x -in server.pass.key -out server.key

$ openssl req -new -key server.key -out server.csr

Note: The third command above prompts for a common name. Enter the custom URL/host that you chose previously as its value. For example, if you choose the custom host mcm.cp4mcm.com, where cp4mcm.com is the domain, you can provide the domain with a wildcard (*.cp4mcm.com) as the common name, or use the complete host mcm.cp4mcm.com itself.

Next, run the following command to generate an SSL certificate:

$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

The four commands previously listed are displayed for your reference in the following screenshot. These commands create an SSL certificate.

Step 2. Create a route using the certificate created in Step 1

Now, a self-signed certificate is generated. You can use it to create a route for IBM Cloud Pak for Multicloud Management.

$ oc create route reencrypt --service=icp-management-ingress --cert=server.crt --key=server.key --dest-ca-cert=destca.crt --hostname=mcm.cp4mcm.com

  • icp-management-ingress is the service name created for the management-ingress pod in the ibm-common-services project.
  • destca.crt is the destination CA certificate of the cp-console route (for the icp-management-ingress service) that was created in ibm-common-services during the initial IBM Cloud Pak for Multicloud Management deployment.
  • mcm.cp4mcm.com is the user-chosen custom host for Multicloud Management.

Step 3. Update the OIDC registration

After completing the previous steps, the custom URL used to access the IBM Cloud Pak for Multicloud Management needs to be registered for OIDC. Complete the instructions given here to configure the custom URL for OIDC.

Alternatively, you can complete the following steps to configure the custom URL for OIDC. The following steps are quicker and easier.

a. Copy the content in the registration-json configmap into the registration.yaml file.

$ kubectl get cm registration-json -n ibm-common-services -o yaml > registration.yaml

b. Create a platform-oidc-registration.json file. Copy the contents of the data section in the registration.yaml file into the platform-oidc-registration.json file.

c. Add the following piece of configuration to the platform-oidc-registration.json file to allow regex with your custom URL for IBM Cloud Pak for Multicloud Management.

"allow_regexp_redirects":"true",

Append your custom URIs to the "redirect_uris" and "post_logout_redirect_uris" parameters of the platform-oidc-registration.json file, and then save it.

d. Define the following variables on the command line to run the command for OIDC registration.

  • Save the client secret:

$ OAUTH2_CLIENT_REGISTRATION_SECRET=$(kubectl -n ibm-common-services get secret platform-oidc-credentials -o yaml | grep OAUTH2_CLIENT_REGISTRATION_SECRET | awk '{ print $2}' | base64 --decode)

  • Save the client ID:

$ WLP_CLIENT_ID=$(kubectl -n ibm-common-services get secret platform-oidc-credentials -o yaml | grep WLP_CLIENT_ID | awk '{ print $2}' | base64 --decode)

  • Save the access IP:

$ FIP="<master node IP address>"

Note: FIP is the host name for the cp-console route, e.g. cp-console.*****************************.cloud

e. Apply the changes that you made to the platform-oidc-registration.json file by running the following command.

$ curl -kvv -X PUT -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET -H "Content-Type: application/json" -d @<installation directory>/platform-oidc-registration.json https://$FIP/idauth/oidc/endpoint/OP/registration/$WLP_CLIENT_ID

Note: <installation directory> stands for the absolute path of the directory that contains the platform-oidc-registration.json file.
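The manual edit in steps b and c can be scripted so that only exact HTTPS URIs for the custom host are appended. This Python sketch is an added example, not code from the original article or from IBM; the sample JSON, its paths, the cp-console.example.cloud host and the function name add_custom_host are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of the JSON copied out of the configmap's data section;
# the client ID, host and paths are placeholders, not values from a real cluster.
SAMPLE = """{
  "client_id": "placeholder-client-id",
  "redirect_uris": ["https://cp-console.example.cloud/auth/callback"],
  "post_logout_redirect_uris": ["https://cp-console.example.cloud/logout"]
}"""

URI_KEYS = ("redirect_uris", "post_logout_redirect_uris")
HOSTNAME = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?", re.IGNORECASE)


def add_custom_host(registration, console_host, custom_host):
    """Return a copy of the registration with step c applied for custom_host."""
    # Accept an exact host name only: a wildcard or a full URL is not the
    # single host that the route created in Step 2 serves.
    if not HOSTNAME.fullmatch(custom_host):
        raise ValueError(f"not a plain host name: {custom_host!r}")
    updated = json.loads(json.dumps(registration))  # deep copy
    updated["allow_regexp_redirects"] = "true"  # string value, as in step c
    for key in URI_KEYS:
        uris = updated.setdefault(key, [])
        for uri in list(uris):
            parts = urlsplit(uri)
            if parts.hostname != console_host:
                continue  # leave unrelated entries untouched
            if parts.scheme != "https":
                raise ValueError(f"non-HTTPS URI in {key}: {uri}")
            netloc = custom_host if parts.port is None else f"{custom_host}:{parts.port}"
            twin = urlunsplit(parts._replace(netloc=netloc))
            if twin not in uris:  # keeps repeated runs idempotent
                uris.append(twin)
    return updated


if __name__ == "__main__":
    result = add_custom_host(json.loads(SAMPLE), "cp-console.example.cloud", "mcm.cp4mcm.com")
    print(json.dumps(result, indent=2))
```

Reviewing the printed JSON before the PUT in step e shows exactly which redirect targets the OIDC provider will accept for this client.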

Step 4. Run the following command to set the allowedHostHeader parameter to your chosen custom URL for IBM Cloud Pak for Multicloud Management

$ oc -n ibm-common-services edit managementingress

Update the following key-value pair:

allowedHostHeader: mcm.cp4mcm.com

The configuration to create your own specific custom URL/host to access the IBM Cloud Pak for Multicloud Management console is now complete. You can now use this URL (https://mcm.cp4mcm.com) to access the IBM Cloud Pak for Multicloud Management console.
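Steps 1, 2, 3 and 4 each take the custom host as a separate value, so a mismatch between them is easy to introduce. This Python pre-flight check is an added example, not code from the original article or from IBM; the function names name_covers and preflight, the sample values, and the assumption that allowedHostHeader holds a single host name (as in Step 4) are illustrative.

```python
from urllib.parse import urlsplit


def name_covers(cert_name, host):
    """True if a certificate name (exact or left-most wildcard) covers host."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    # A wildcard stands for exactly one label: *.cp4mcm.com covers
    # mcm.cp4mcm.com, but neither cp4mcm.com nor a.mcm.cp4mcm.com.
    label, _, parent = host.partition(".")
    return bool(label) and parent == cert_name[2:]


def preflight(cert_names, route_host, allowed_host_header, redirect_uris):
    """Return a list of mismatches between the values set in Steps 1 to 4."""
    problems = []
    if not any(name_covers(n, route_host) for n in cert_names):
        problems.append(f"certificate names {cert_names} do not cover {route_host}")
    if allowed_host_header.lower() != route_host.lower():
        problems.append(f"allowedHostHeader {allowed_host_header} != route host {route_host}")
    hosts = {urlsplit(u).hostname for u in redirect_uris}
    if route_host.lower() not in hosts:
        problems.append(f"no redirect URI registered for {route_host}")
    return problems


if __name__ == "__main__":
    # Constructed values mirroring the article's example host; the path is a placeholder.
    issues = preflight(
        cert_names=["*.cp4mcm.com"],
        route_host="mcm.cp4mcm.com",
        allowed_host_header="mcm.cp4mcm.com",
        redirect_uris=["https://mcm.cp4mcm.com/auth/callback"],
    )
    print("OK" if not issues else "\n".join("MISMATCH: " + i for i in issues))
```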

Noopur Agarwal
IBM Cloud

Software Developer, Hybrid Cloud, IBM India Software Labs