Managing Certificates for TLS
IT Asset Management (Cloud)
On a regular interval (by default, once every 24 hours, or the setting you provide through the --inventory-interval flag), the Lightweight Kubernetes Inventory Agent uploads its collected inventory to a single inventory beacon, for which the URL is specified in the --beacon flag or alternative environment variables (for details, see Options for the Lightweight Kubernetes Agent). If this URL is not specified, the Lightweight Kubernetes Inventory Agent immediately exits with an error printed to stdout, which you can view with the following command (replacing the placeholder with the appropriate pod name):

kubectl logs -n flexera lwkPod
As always, the complete URL must include the protocol (HTTP or HTTPS). If your inventory beacon is configured for HTTPS communication, secure communications are protected with Transport Layer Security (TLS).

Tip: Currently the Lightweight Kubernetes Inventory Agent supports only standard (single-sided) TLS, and does not support mutual TLS.
TLS requires that the inventory beacon presents a server certificate that can be validated by the client (in this case, the Lightweight Kubernetes Inventory Agent) against a certificate chain culminating in a root certificate for the issuing Certificate Authority (CA). This means that the CA root certificate (and any intermediate certificates, as applicable) must be present and accessible on the client device. Otherwise, the Lightweight Kubernetes Inventory Agent will refuse the connection to the inventory beacon because of an untrusted certificate (but see also --ibm-licensing-tls-verify in Options for the Lightweight Kubernetes Agent).

To validate the server certificate presented by the inventory beacon, the Lightweight Kubernetes Inventory Agent checks for a file mounted into the container at the path /beacon.pem. If this is found, the certificates it contains are appended to the trust bundle for the Lightweight Kubernetes Inventory Agent.
Certificate bundle constraints
- The CA certificate bundle must use the PEM encoding.
- The server certificate used by the inventory beacon must use the Subject Alternative Name extension. (This is because the Lightweight Kubernetes Inventory Agent is implemented in Go [version 1.16 or later]. After Go version 1.5, clients no longer support server identification using the Common Name attribute of the certificate.) If your current certificate for the relevant inventory beacon does not currently include the Subject Alternative Name, you need to generate a new CSR, with the Common Name attribute the same as in the current certificate, and reissue the certificate.
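To see both constraints in the terms a Go client applies them, here is an added example (not the agent's own code) that appends a PEM bundle to a trust pool the way /beacon.pem is consumed and then verifies a server certificate with and without the Subject Alternative Name. The CA, the server certificates and the host name beacon.example.internal are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// LoadBeaconBundle mirrors what the agent does with /beacon.pem: each PEM
// certificate is appended to the trust pool; false means none parsed (e.g. DER).
func LoadBeaconBundle(bundle []byte) (*x509.CertPool, bool) {
	pool := x509.NewCertPool()
	return pool, pool.AppendCertsFromPEM(bundle)
}

// VerifyBeaconCert checks a PEM server certificate the way a Go TLS client does:
// chain to a trusted root plus a SAN match for host (the Common Name is ignored).
func VerifyBeaconCert(serverPEM []byte, host string, roots *x509.CertPool) error {
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return errors.New("server certificate is not PEM encoded")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	}
	return err
}

// NewTestCerts builds a constructed CA and server certificate (PEM) for host; with
// withSAN false the host appears only in the Common Name, the legacy layout.
func NewTestCerts(host string, withSAN bool) (caPEM, serverPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed Test CA"}, KeyUsage: x509.KeyUsageCertSign, NotBefore: nb, NotAfter: na}
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: nb, NotAfter: na}
	if withSAN {
		srv.DNSNames = []string{host} // the SAN entry a Go client requires
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	srvDER, _ := x509.CreateCertificate(rand.Reader, srv, ca, srvPub, caKey)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(srvDER)
}
```

A certificate that carries the host only in the Common Name fails with a hostname error even though it chains to a trusted root, which is the failure the reissue instruction above avoids.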
To configure the Lightweight Kubernetes Inventory Agent for a custom CA certificate bundle:
deployment.yaml file customized for the CA certificate bundle, you can resume your installation process, whether it is Scripted Installation or Manual Installation.