Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

Chapter 2. Preparing to deploy AMQ Interconnect on OpenShift Container Platform

Before deploying AMQ Interconnect on OpenShift Container Platform, perform one of the following procedures:

If you are evaluating AMQ Interconnect, you can skip these steps however Red Hat recommends always securing AMQ Interconnect communication.

2.1. Creating secrets for SSL/TLS authentication
复制链接

Note

If you installed the Red Hat Integration - AMQ Certificate Manager Operator you can skip this procedure, instructions for securing your network with AMQ Certificate Manager are included in the associated procedures. OpenShift uses objects called Secrets to hold sensitive information such as SSL/TLS certificates. If you want to secure inter-router traffic, client traffic, or both, then you must create the SSL/TLS certificates and private keys and provide them to OpenShift as secrets.

For OpenShift Container Platform 4.6 and greater, this procedure is the only supported method of securing AMQ Interconnect communication.

Procedure

  1. If you do not have an existing certificate authority (CA) certificate for inter-router connections, create one.

    These commands create a self-signed CA certificate for inter-router connections: 

    # Create a new directory for the inter-router certificates.
$ mkdir internal-certs

# Create a private key for the CA.
$ openssl genrsa -out internal-certs/ca-key.pem 2048

# Create a certificate signing request for the CA.
$ openssl req -new -batch -key internal-certs/ca-key.pem -out internal-certs/ca-csr.pem

# Self sign the CA certificate.
$ openssl x509 -req -in internal-certs/ca-csr.pem -signkey internal-certs/ca-key.pem -out internal-certs/ca.crt
    Copy to Clipboard Toggle word wrap

  2. Create a certificate for the router signed by the CA.

    These commands create a private key and a certificate, and sign the certificate using the CA created in the previous step: 

    # Create a private key.
$ openssl genrsa -out internal-certs/tls.key 2048

# Create a certificate signing request for the router.
$ openssl req -new -batch -subj "/CN=amq-interconnect.<project_name>.svc.cluster.local" -key internal-certs/tls.key -out internal-certs/server-csr.pem

# Sign the certificate using the CA.
$ openssl x509 -req -in internal-certs/server-csr.pem -CA internal-certs/ca.crt -CAkey internal-certs/ca-key.pem -out internal-certs/tls.crt -CAcreateserial
    Copy to Clipboard Toggle word wrap

    where <project_name> is the name of the current OpenShift project.

  3. Create a secret containing the private key, router certificate, and CA certificate.

    This command creates the secret using the key and certificates that were created in the previous steps: 

    $ oc create secret generic inter-router-certs-secret --from-file=tls.crt=internal-certs/tls.crt  --from-file=tls.key=internal-certs/tls.key  --from-file=ca.crt=internal-certs/ca.crt
    Copy to Clipboard Toggle word wrap

  4. If you want to use SSL/TLS to authenticate client connections (as opposed to authenticating clients using SASL), create a CA certificate for client connections.

    These commands create a self-signed CA certificate for client connections: 

    # Create a new directory for the client certificates.
$ mkdir client-certs

# Create a private key for the CA.
$ openssl genrsa -out client-certs/ca-key.pem 2048

# Create a certificate signing request for the CA.
$ openssl req -new -batch -key client-certs/ca-key.pem -out client-certs/ca-csr.pem

# Self sign the certificate.
$ openssl x509 -req -in client-certs/ca-csr.pem -signkey client-certs/ca-key.pem -out client-certs/ca.crt
    Copy to Clipboard Toggle word wrap

  5. Create a certificate for client connections signed by the CA.

    These commands create a private key and a certificate, and then sign the certificate using the CA created in the previous step: 

    # Create a private key.
$ openssl genrsa -out client-certs/tls.key 2048

# Create a certificate signing request for the client connections
$ openssl req -new -batch -subj "/CN=<client_name>" -key client-certs/tls.key -out client-certs/client-csr.pem

# Sign the certificate using the CA.
$ openssl x509 -req -in client-certs/client-csr.pem -CA client-certs/ca.crt -CAkey client-certs/ca-key.pem -out client-certs/tls.crt -CAcreateserial
    Copy to Clipboard Toggle word wrap

    where <client_name> is unique for each router client.

  6. Create a secret containing the CA certificate used to sign client certificates using the certificate that was created in the previous steps: 

    $ oc create secret generic client-ca-secret --from-file=ca.crt=client-certs/ca.crt --from-file=tls.crt=client-certs/ca.crt --from-file=tls.key=client-certs/ca-key.pem
    Copy to Clipboard Toggle word wrap

The Red Hat Integration - AMQ Certificate Manager Operator (cert-manager) is an optional Kubernetes add-on that issues and manages TLS certificates. The Red Hat Integration - AMQ Interconnect uses it to automatically create the TLS certificates needed to secure the router network.

You use OperatorHub to add the Operator to your OpenShift Container Platform cluster.

Note

Installing an Operator requires administrator-level privileges for your OpenShift cluster.

If you are using OpenShift Container Platform 4.6 you must create and manage TLS certificates as described in Section 2.1, “Creating secrets for SSL/TLS authentication”.

When installed, the operator is available to all users and projects in the cluster.

Prerequisites

  • Access to an OpenShift Container Platform 4.5 cluster using a cluster-admin account.

Procedure

  1. In the OpenShift Container Platform web console, navigate to Operators OperatorHub.
  2. Choose Red Hat Integration - AMQ Certificate Manager Operator from the list of available Operators, and then click Install.

  3. On the Operator Installation page, select All namespaces on the cluster (default), and then click Install.

    The Installed Operators page appears displaying the status of the Operator installation.

  4. Verify that the Red Hat Integration - AMQ Certificate Manager Operator Operator is displayed and wait until the Status changes to Succeeded.

  5. If the installation is not successful, troubleshoot the error:

    1. Click Red Hat Integration - AMQ Certificate Manager Operator on the Installed Operators page.
    2. Select the Subscription tab and view any failures or errors.

Additional resources

返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat