Chapter 2. Preparing to deploy AMQ Interconnect on OpenShift Container Platform

Before deploying AMQ Interconnect on OpenShift Container Platform, you must complete several preparatory tasks.

2.1. Verifying the availability of AMQ Interconnect templates

You must verify that the AMQ Interconnect application templates are available in the OpenShift Container Platform Catalog. Some versions of OpenShift Container Platform include the templates, so you must check to verify that they are available in your environment. If they are not available, you must install them.

Procedure

  1. Log in to OpenShift as a cluster administrator:

    $ oc login -u system:admin
  2. Switch to the openshift project.

    $ oc project openshift
  3. Verify that the latest version of the AMQ Interconnect image stream is available:

    $ oc get imagestreamtag -n openshift | grep amq-interconnect:latest

    If the latest version of the image stream is available in your environment, you should see amq-interconnect:latest in the command output.

  4. Is the latest version of AMQ Interconnect image stream available?

    • If yes, proceed to the next step.
    • If no, install the latest version of the image stream.

      This command imports the latest AMQ Interconnect image stream into the openshift namespace:

      $ oc import-image amq-interconnect:latest -n openshift --from=registry.access.redhat.com/amq7/amq-interconnect --confirm
  5. Install the AMQ Interconnect application templates:

    $ curl https://raw.githubusercontent.com/jboss-container-images/amq-interconnect-1-openshift-image/amq-interconnect-1.3/templates/amq-interconnect-1-basic.yaml | oc create -f -
    
    $ curl https://raw.githubusercontent.com/jboss-container-images/amq-interconnect-1-openshift-image/amq-interconnect-1.3/templates/amq-interconnect-1-tls-auth.yaml | oc create -f -
    
    $ curl https://raw.githubusercontent.com/jboss-container-images/amq-interconnect-1-openshift-image/amq-interconnect-1.3/templates/amq-interconnect-1-sasldb-auth.yaml | oc create -f -

    This creates three AMQ Interconnect application templates, which you can use to deploy AMQ Interconnect on OpenShift Container Platform:

    amq-interconnect-1-basic.yaml
    Deploys a router with a basic, default configuration and no security.
    amq-interconnect-1-tls-auth.yaml
    Deploys a router with both inter-router and client traffic secured by TLS authentication.
    amq-interconnect-1-sasldb-auth.yaml
    Deploys a router with inter-router traffic secured by TLS authentication and client traffic secured by SASL user name and password authentication.

2.2. Creating secrets for SSL/TLS authentication

OpenShift uses objects called Secrets to hold sensitive information such as SSL/TLS certificates. If you want to secure inter-router traffic, client traffic, or both, then you must create the SSL/TLS certificates and private keys and provide them to OpenShift as secrets.

Procedure

  1. If you do not have an existing certificate authority (CA) certificate for inter-router connections, create one.

    These commands create a self-signed CA certificate for inter-router connections:

    # Create a new directory for the inter-router certificates.
    $ mkdir internal-certs
    
    # Create a private key for the CA.
    $ openssl genrsa -out internal-certs/ca-key.pem 2048
    
    # Create a certificate for the CA.
    $ openssl req -new -batch -key internal-certs/ca-key.pem -out internal-certs/ca-csr.pem
    
    # Self sign the certificate.
    $ openssl x509 -req -in internal-certs/ca-csr.pem -signkey internal-certs/ca-key.pem -out internal-certs/ca.crt
  2. Create a certificate for the router signed by the CA.

    These commands create a private key and a certificate, and sign the certificate using the CA created in the previous step:

    # Create a private key.
    $ openssl genrsa -out internal-certs/tls.key 2048
    
    # Create a certificate for the router.
    $ openssl req -new -batch -subj "/CN=amq-interconnect.myproject.svc.cluster.local" -key internal-certs/tls.key -out internal-certs/server-csr.pem
    
    # Sign the certificate using the CA.
    $ openssl x509 -req -in internal-certs/server-csr.pem -CA internal-certs/ca.crt -CAkey internal-certs/ca-key.pem -out internal-certs/tls.crt -CAcreateserial
  3. Create a secret containing the private key, router certificate, and CA certificate.

    This command creates the secret using the key and certificates that were created in the previous steps:

    $ oc create secret generic inter-router-certs --from-file=tls.crt=internal-certs/tls.crt  --from-file=tls.key=internal-certs/tls.key  --from-file=ca.crt=internal-certs/ca.crt
  4. If you want to use SSL/TLS to authenticate client connections (as opposed to authenticating clients using SASL), create a CA certificate for client connections.

    These commands create a self-signed CA certificate for client connections:

    # Create a new directory for the client certificates.
    $ mkdir client-certs
    
    # Create a private key for the CA.
    $ openssl genrsa -out client-certs/ca-key.pem 2048
    
    # Create a certificate for the CA.
    $ openssl req -new -batch -key client-certs/ca-key.pem -out client-certs/ca-csr.pem
    
    # Self sign the certificate.
    $ openssl x509 -req -in client-certs/ca-csr.pem -signkey client-certs/ca-key.pem -out client-certs/ca.crt
  5. Create a certificate for client connections signed by the CA.

    These commands create a private key and a certificate, and then sign the certificate using the CA created in the previous step:

    # Create a private key.
    $ openssl genrsa -out client-certs/tls.key 2048
    
    # Create a certificate for the client connections.
    $ openssl req -new -batch -subj "/CN=myclient" -key client-certs/tls.key -out client-certs/client-csr.pem
    
    # Sign the certificate using the CA.
    $ openssl x509 -req -in client-certs/client-csr.pem -CA client-certs/ca.crt -CAkey client-certs/ca-key.pem -out client-certs/tls.crt -CAcreateserial
  6. Create a secret containing the CA certificate used to sign client certificates.

    This command creates the secret using the certificate that was created in the previous steps:

    $ oc create secret generic client-ca --from-file=ca.crt=client-certs/ca.crt

2.3. Creating secrets for SASL authentication

To authenticate clients against user name and password pairs stored in a SASL database, you must create a list containing the user names and passwords, and provide it to OpenShift as a secret.

When using SASL user name and password authentication to connect to a router, you must provide the user name qualified with the domain. For a router running in OpenShift, the domain is the application name (amq-interconnect by default).

Procedure

  1. Create a text file containing the client user names and passwords.

    Use the following syntax: <username>=<password>.

    In this example, the user names and passwords are defined for three users:

    users.txt

    guest=guest
    admin=admin123
    dev=dev123

  2. Create a secret containing the user names and passwords.

    This command creates a secret (users) containing the users.txt file created in the previous step.

    $ oc create secret generic users --from-env-file=./users.txt --dry-run=true -o yaml | oc apply -f -