我已经创建了TWAS应用程序的图像,并将其部署在OpenShift Pod内的容器中。在我的twas中,我用来访问虚拟机上的节点上的Admin Console WebSphere Environmentstore并设置TLS证书,以便我的应用程序可以在安全通信频道HTTPS中与外部API进行通信。这些证书是公共证书,没有任何私钥。它们是.crt和.pem文件。现在,我想知道如何为我的应用程序在吊舱内以容器运行的应用程序设置第三方TLS证书?我不想对我的J2EE应用程序进行任何代码更改,这些代码从本地VM迁移到OpenShift。
注意:我在这里使用twas基本运行时,而不是在OpenShift上新迁移的J2EE应用程序的Liberty。
I have created an image of my TWAS application and deployed it in a container inside an openshift POD. In my TWAS ND I use to go to the admin console WebSphere environment truststore on a node on a virtual machine and set up TLS certificates so my application can have communication with external API's in the secure communication channel HTTPS. These certificates are public certificates and don't have any private keys. They are .crt and .pem files. Now I am wondering how I can set up my third-party TLS certificates for my application running inside the POD as a container? I don't want to make any code changes to my J2EE application which I have migrated from on-prem VM to Openshift.
Note: I am using TWAS base runtime here and not liberty for my newly migrated J2EE app on openshift.
发布评论
评论(2)
构建应用程序映像时,您可以在configure.sh
根签名者可能不是您拥有的PEM/CRT,这些可能是已发行的证书和签名者。 WebSphere允许您在任何级别设置信托,但是最好信任发行证书的根CA。
When you build your application image, you can add a trusted signer and a short script into /work/ prior to configure.sh
https://www.ibm.com/docs/en/was/9.0.5?topic=tool-signercertificatecommands-command-group-admintask-object#rxml_atsignercert__cmd1
The root signer might not be either the pem/crt you have, those could be the issued certificate and the signers. WebSphere allows you to setup the trust at any level, but it's ideal to trust the root CA that issued the cert.
我们还使用了一种将信任商店导入秘密的技术,并将其安装到豆荚中的预期位置。如果您想将任何证书更改与应用程序构建周期隔离开来,这可能是有道理的。
We've also used a technique of importing a trust store into a Secret and mounting that into the expected location in the pods. This might make sense if you want to isolate any certificate changes from the app build cycle.