이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 2. Preparing to deploy AMQ Interconnect on OpenShift Container Platform


Before deploying AMQ Interconnect on OpenShift Container Platform, perform one of the following procedures:

If you are evaluating AMQ Interconnect, you can skip these steps however Red Hat recommends always securing AMQ Interconnect communication.

2.1. Creating secrets for SSL/TLS authentication

Note

If you installed the Red Hat Integration - AMQ Certificate Manager Operator you can skip this procedure, instructions for securing your network with AMQ Certificate Manager are included in the associated procedures. OpenShift uses objects called Secrets to hold sensitive information such as SSL/TLS certificates. If you want to secure inter-router traffic, client traffic, or both, then you must create the SSL/TLS certificates and private keys and provide them to OpenShift as secrets.

For OpenShift Container Platform 4.6 and greater, this procedure is the only supported method of securing AMQ Interconnect communication.

Procedure

  1. If you do not have an existing certificate authority (CA) certificate for inter-router connections, create one.

    These commands create a self-signed CA certificate for inter-router connections:

    # Create a new directory for the inter-router certificates.
    $ mkdir internal-certs
    
    # Create a private key for the CA.
    $ openssl genrsa -out internal-certs/ca-key.pem 2048
    
    # Create a certificate signing request for the CA.
    $ openssl req -new -batch -key internal-certs/ca-key.pem -out internal-certs/ca-csr.pem
    
    # Self sign the CA certificate.
    $ openssl x509 -req -in internal-certs/ca-csr.pem -signkey internal-certs/ca-key.pem -out internal-certs/ca.crt
  2. Create a certificate for the router signed by the CA.

    These commands create a private key and a certificate, and sign the certificate using the CA created in the previous step:

    # Create a private key.
    $ openssl genrsa -out internal-certs/tls.key 2048
    
    # Create a certificate signing request for the router.
    $ openssl req -new -batch -subj "/CN=amq-interconnect.<project_name>.svc.cluster.local" -key internal-certs/tls.key -out internal-certs/server-csr.pem
    
    # Sign the certificate using the CA.
    $ openssl x509 -req -in internal-certs/server-csr.pem -CA internal-certs/ca.crt -CAkey internal-certs/ca-key.pem -out internal-certs/tls.crt -CAcreateserial

    where <project_name> is the name of the current OpenShift project.

  3. Create a secret containing the private key, router certificate, and CA certificate.

    This command creates the secret using the key and certificates that were created in the previous steps:

    $ oc create secret generic inter-router-certs-secret --from-file=tls.crt=internal-certs/tls.crt  --from-file=tls.key=internal-certs/tls.key  --from-file=ca.crt=internal-certs/ca.crt
  4. If you want to use SSL/TLS to authenticate client connections (as opposed to authenticating clients using SASL), create a CA certificate for client connections.

    These commands create a self-signed CA certificate for client connections:

    # Create a new directory for the client certificates.
    $ mkdir client-certs
    
    # Create a private key for the CA.
    $ openssl genrsa -out client-certs/ca-key.pem 2048
    
    # Create a certificate signing request for the CA.
    $ openssl req -new -batch -key client-certs/ca-key.pem -out client-certs/ca-csr.pem
    
    # Self sign the certificate.
    $ openssl x509 -req -in client-certs/ca-csr.pem -signkey client-certs/ca-key.pem -out client-certs/ca.crt
  5. Create a certificate for client connections signed by the CA.

    These commands create a private key and a certificate, and then sign the certificate using the CA created in the previous step:

    # Create a private key.
    $ openssl genrsa -out client-certs/tls.key 2048
    
    # Create a certificate signing request for the client connections
    $ openssl req -new -batch -subj "/CN=<client_name>" -key client-certs/tls.key -out client-certs/client-csr.pem
    
    # Sign the certificate using the CA.
    $ openssl x509 -req -in client-certs/client-csr.pem -CA client-certs/ca.crt -CAkey client-certs/ca-key.pem -out client-certs/tls.crt -CAcreateserial

    where <client_name> is unique for each router client.

  6. Create a secret containing the CA certificate used to sign client certificates using the certificate that was created in the previous steps:

    $ oc create secret generic client-ca-secret --from-file=ca.crt=client-certs/ca.crt --from-file=tls.crt=client-certs/ca.crt --from-file=tls.key=client-certs/ca-key.pem

2.2. Adding the Red Hat Integration - AMQ Certificate Manager Operator

The Red Hat Integration - AMQ Certificate Manager Operator (cert-manager) is an optional Kubernetes add-on that issues and manages TLS certificates. The Red Hat Integration - AMQ Interconnect uses it to automatically create the TLS certificates needed to secure the router network.

You use OperatorHub to add the Operator to your OpenShift Container Platform cluster.

Note

Installing an Operator requires administrator-level privileges for your OpenShift cluster.

If you are using OpenShift Container Platform 4.6 you must create and manage TLS certificates as described in Section 2.1, “Creating secrets for SSL/TLS authentication”.

When installed, the operator is available to all users and projects in the cluster.

Prerequisites

  • Access to an OpenShift Container Platform 4.5 cluster using a cluster-admin account.

Procedure

  1. In the OpenShift Container Platform web console, navigate to Operators OperatorHub.
  2. Choose Red Hat Integration - AMQ Certificate Manager Operator from the list of available Operators, and then click Install.
  3. On the Operator Installation page, select All namespaces on the cluster (default), and then click Install.

    The Installed Operators page appears displaying the status of the Operator installation.

  4. Verify that the Red Hat Integration - AMQ Certificate Manager Operator Operator is displayed and wait until the Status changes to Succeeded.
  5. If the installation is not successful, troubleshoot the error:

    1. Click Red Hat Integration - AMQ Certificate Manager Operator on the Installed Operators page.
    2. Select the Subscription tab and view any failures or errors.

Additional resources

Red Hat logoGithubRedditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

© 2024 Red Hat, Inc.