Complete the following steps on the first master host listed in the Ansible host inventory file, by default /etc/ansible/hosts.
-
To ensure that communication between the remote basic authentication server and {product-title} is trustworthy, create a set of Transport Layer Security (TLS) certificates to use during the other phases of this set up. Run the following command:
# openshift start \ --public-master=https://openshift.example.com:8443 \ --write-config=/etc/origin/The output inclues the /etc/origin/master/ca.crt and /etc/origin/master/ca.key signing certificates.
-
Use the signing certificate to generate keys to use on the remote basic authentication server:
# mkdir -p /etc/origin/remote-basic/ # oc adm ca create-server-cert \ --cert='/etc/origin/remote-basic/remote-basic.example.com.crt' \ --key='/etc/origin/remote-basic/remote-basic.example.com.key' \ --hostnames=remote-basic.example.com \ (1) --signer-cert='/etc/origin/master/ca.crt' \ --signer-key='/etc/origin/master/ca.key' \ --signer-serial='/etc/origin/master/ca.serial.txt'-
A comma-separated list of all the host names and interface IP addresses that must access the remote basic authentication server.
NoteThe certificate files that you generate are valid for two years. You can alter this period by changing the
--expire-daysand--signer-expire-daysvalues, but for security reasons, do not make them greater than 730.ImportantIf you do not list all host names and interface IP addresses that must access the remote basic authentication server, the HTTPS connection will fail.
-
-
Copy the necessary certificates and key to the remote basic authentication server:
# scp /etc/origin/master/ca.crt \ [email protected]:/etc/pki/CA/certs/ # scp /etc/origin/remote-basic/remote-basic.example.com.crt \ [email protected]:/etc/pki/tls/certs/ # scp /etc/origin/remote-basic/remote-basic.example.com.key \ [email protected]:/etc/pki/tls/private/