How to renew pssg, dssg and tssg certificates on a tenant gateway integrated with API Portal.
Release: 4.5 and 5.x
Component: APIPRD
Portal self-signed certificates should have an expiry of 3 years.
To regenerate a new set of self-signed certificates:
On the Portal Server:
1. Make a backup/snapshot of the portal.
2. Stop the portal:
   docker stack rm portal
   Then remove all certificates from the /<PORTAL_FOLDER>/certs folder.
3. Run the ./portal.sh script to regenerate new certificates.
NOTE: If the script ends with the error "failed to create service portal_tenant-provisioner: Error response from daemon: network portal_private not found", stop and start the Docker service and re-run the portal.sh script.
On the Tenant Gateway enrolled with Portal:
1. Go to Policy Manager > Tasks > Global Settings > Manage Cluster-Wide Properties
2. Retrieve the value (hostname) of the following 3 cluster-wide properties:
portal.config.pssg.sync.host
portal.config.dssg.datalake.host
portal.config.apim.host
3. Go to Policy Manager > Tasks > Certificates, Keys and Secrets > Manage Certificates
4. Delete pssg, dssg and tssg certificates
5. Click on ADD
6. Select "Retrieve via SSL Connection (HTTPS or LDAPS Url)" and in the URL field, construct the URL by using https:// + hostname retrieved in step 2 + port 9443 (for example https://apim-pssg.local:9443) and click NEXT
7. If a hostname mismatch warning appears, click Accept.
8. Click NEXT and, under "Select one or more certificate usage options", check Outbound SSL Connections, then click NEXT
9. Check "Certificate is a Trust Anchor" and finally click FINISH
10. Repeat steps 5 to 9 for the remaining 2 certificates.
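Because step 7 accepts a hostname mismatch and step 9 marks the certificate as a trust anchor, it is worth confirming beforehand that port 9443 really serves the certificate regenerated on the Portal server. The script below is an added example, not part of the original article or the product's tooling; the function names and the PEM file path argument are assumptions, and it requires the openssl command line tool.

```shell
#!/usr/bin/env bash
# Added example. Function names and the PEM path argument are assumptions.

# SHA-256 fingerprint of a PEM certificate file (empty output if unreadable).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Save the leaf certificate presented by host:port into a PEM file.
fetch_served_cert() {  # host port out_pem
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM >"$3" 2>/dev/null
  [ -s "$3" ]
}

# Compare the served certificate with the regenerated one.
# Returns 0 = same cert and valid long enough, 1 = fingerprint mismatch
# (old or unexpected cert served), 2 = unreadable input, 3 = expires too soon.
compare_certs() {  # served_pem local_pem min_days
  local served local_fp
  served=$(cert_fingerprint "$1")
  local_fp=$(cert_fingerprint "$2")
  [ -n "$served" ] && [ -n "$local_fp" ] || return 2
  [ "$served" = "$local_fp" ] || return 1
  openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null || return 3
  return 0
}

# Fetch from the endpoint used in step 6 and compare in one step.
check_renewed() {  # host port local_pem [min_days]
  local tmp rc=0
  tmp=$(mktemp)
  if fetch_served_cert "$1" "$2" "$tmp"; then
    compare_certs "$tmp" "$3" "${4:-30}" || rc=$?
  else
    rc=2
  fi
  rm -f "$tmp"
  return "$rc"
}

# Runs only when called with arguments, e.g.:
#   ./check_cert.sh apim-pssg.local 9443 /path/to/regenerated-cert.pem
if [ "$#" -ge 3 ]; then
  check_renewed "$@" && echo "OK: served certificate matches" ||
    { echo "FAILED (code $?)"; exit 1; }
fi
```

A result of 1 means the endpoint is still serving a different certificate than the regenerated file, so the import in steps 5 to 9 should wait until that is resolved.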
How to update tls-automator template if needed
Version [2.0.3] was mentioned in the build pipeline. After we changed it to 2.1.1, the certs got updated successfully.
The process would be to update the helm chart to get the latest templates. The process will depend on how they are using them.