How do I update the NSP TLS certificate for remote authentication?

The TLS certificate for LDAPS or OpenID Connect remote authentication must be current, or the remote authentication attempts fail.

Perform this procedure if the TLS certificate of the LDAPS or OpenID Connect remote authentication server is updated.

CAUTION

Service Disruption

Performing the procedure requires a restart of each NSP cluster, which is service-affecting.

You must perform the procedure only during a scheduled maintenance period.

Note: You must perform the procedure on each NSP cluster.

In a DR deployment, you must perform the steps first on the standby NSP cluster.


1	Obtain the new certificate.
2	Ensure that the authentication server TLS certificate is specified in the trustedCertificates parameter in nsp-config.yml: /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml Example: `trustedCertificates: ["/opt/certs/ldap.pem", “/opt/certs/openid.pem”, “/opt/certs/otherCert.pem”]` Where trustedCertificates specifies a comma-separated list of paths to certificate files. The above example includes the paths to the ldap.pem and openid.pem authentication server TLS certificates.
3	Open a terminal session to the NSP deployer VM and log in as the root or NSP admin user.
4	Enter the following to apply the certificate: `#` `/opt/nsp/NSP-CN-DEP-release-ID/bin/nspdeployerctl install --config --deploy ↵`
5	Restart the Keycloak pod. Log in as the root user on the NSP cluster host. Enter the following: `#` `kubectl get pods -A \| grep nspos-keycloak ↵` The following Keycloak pod information is displayed: `namespace nspos-keycloak-pod_ID n/n Running 1 (timespan ago) timespan` Record the pod_ID value. Enter the following: `#` `kubectl delete pod nspos-keycloak-pod_ID -n $(kubectl get pods -A \| awk '/nspos-keycloak-pod_ID/ {print $1;exit}') ↵` where pod_ID is the Keycloak pod ID recorded in substep 3 The Keycloak pod restarts, and the updated certificate is put into effect.
6	Close the console window. End of steps