Wednesday 16 April 2014

Configuring SSL in WebSphere [Between Nodes] with a Self-Signed Certificate

When you install WebSphere and create a profile, default certificates are created and you can use them. These certificates can be found under Security > SSL certificate and key management > Key stores and certificates. They are used for communication between nodes, and between the dmgr and the browser when you use HTTPS.

If you want to change or replace these certificates, follow the steps below. The steps shown use self-signed certificates. If you would rather use certificates from a Certificate Authority [CA], you need to create a Certificate Signing Request [CSR], get it signed by a CA, and then install the signed certificates.

1. Replacing DMGR Certificates

a. Run backupConfig on the Deployment Manager.
b. Stop all of the nodeagents and application servers in the cell. Stop the Web server(s). Start the Deployment Manager.
c. In the Administrative Console, go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Create a self-signed certificate.

Enter the required attributes.

Alias : cell_default
Common name : <hostname>
Validity period : <number of days> (this can be set greater than 365)
Organization : <company>

Click OK and Save the changes.

Go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates. Select the old certificate and click Replace.

On the next screen, you are able to choose which certificate will replace the old certificate. Do not select either Delete old certificate after replacement or Delete old signers. Accept your new certificate and any browser prompts.

Select the old certificate and click Delete.

Click OK and Save the changes.

At this point the Deployment Manager has its certificate replaced.

The certificates need to be exchanged to establish secure communication, so add the DMGR certificate to CellDefaultTrustStore.

Go to SSL certificate and key management > Key stores and certificates.
Select CellDefaultKeyStore and CellDefaultTrustStore and click Exchange signers.

Select the certificate in CellDefaultKeyStore personal certificates created in the previous step and click Add. Click OK and Save the changes.

Replace Node Certificates

Go to Security > SSL certificate and key management > Manage endpoint security configurations.

Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null).

Click the Manage certificates button.

Under Security > SSL certificate and key management > Manage endpoint security configurations > node_name(NodeDefaultSSLSettings,null) > Manage certificates, select the old certificate and click Replace.

You are able to choose which certificate will replace the old certificate. Accept your new certificate. Do not select either Delete old certificate after replacement or Delete old signers.

Select the old certificate and click Delete.

Now exchange the node signer certificate with CellDefaultTrustStore.

Go to Security > SSL certificate and key management > Manage endpoint security configurations.
Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null), and select Key stores and certificates.

Select NodeDefaultKeyStore and CellDefaultTrustStore and then click Exchange signers.

Select the certificate in NodeDefaultKeyStore personal certificates created in the previous step and click Add.

Click OK and Save the changes.

Delete the old signer certificates and extract the new ones.

Go to SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.

Select all of the old signer certificates and click Delete. If you are not sure, you can compare the Fingerprint and/or the Expiration dates with the personal certificate in the keystores.
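
The fingerprint comparison suggested above can be scripted when the cell has many nodes. This is an added example, not part of the original post: it parses `keytool -list -v` listings of the key stores and of CellDefaultTrustStore and separates signers whose SHA-1 fingerprint matches a personal certificate from those that do not. The sample listings, the aliases other than cell_default, the dates and the fingerprints are constructed, and the field labels assume the usual keytool output layout.

```python
import re

def parse_listing(text):
    """Map alias -> {kind, until, sha1} from `keytool -list -v` output."""
    entries = {}
    for block in re.split(r"(?m)^(?=Alias name:)", text):
        alias = re.search(r"(?m)^Alias name:\s*(.+?)\s*$", block)
        sha1 = re.search(r"SHA1:\s*((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})", block)
        if not (alias and sha1):
            continue  # listing header, or an entry without a SHA1 line
        kind = re.search(r"(?m)^Entry type:\s*(\S+)", block)
        until = re.search(r"until:\s*(.+)", block)
        entries[alias.group(1)] = {
            "kind": kind.group(1) if kind else "",
            "until": until.group(1).strip() if until else "",
            "sha1": sha1.group(1).upper(),
        }
    return entries

def classify_signers(keystore_listings, truststore_listing):
    """Split trust-store signers by whether a personal certificate matches."""
    personal = {e["sha1"] for text in keystore_listings
                for e in parse_listing(text).values()
                if e["kind"] != "trustedCertEntry"}
    current, unmatched = [], []
    for alias, e in sorted(parse_listing(truststore_listing).items()):
        if e["sha1"] in personal:
            current.append(alias)
        else:
            unmatched.append((alias, e["until"]))  # review before deleting
    return current, unmatched

# Constructed sample listings (abbreviated); only cell_default is from the page.
def sample_entry(alias, kind, valid, fp_byte):
    return (f"Alias name: {alias}\nEntry type: {kind}\nValid from: {valid}\n"
            f"Certificate fingerprints:\n\t SHA1: {':'.join([fp_byte] * 20)}\n\n")

NEW = "Wed Apr 16 09:00:00 UTC 2014 until: Sat Apr 13 09:00:00 UTC 2024"
OLD = "Mon Jun 10 09:00:00 UTC 2013 until: Tue Jun 10 09:00:00 UTC 2014"
CELL_KEYS = sample_entry("cell_default", "PrivateKeyEntry", NEW, "A1")
NODE_KEYS = sample_entry("node_default", "PrivateKeyEntry", NEW, "B2")
TRUST = "Keystore type: PKCS12\n\n" + "".join([
    sample_entry("cell_default_signer", "trustedCertEntry", NEW, "A1"),
    sample_entry("node_default_signer", "trustedCertEntry", NEW, "B2"),
    sample_entry("old_cell_signer", "trustedCertEntry", OLD, "0c"),
])

if __name__ == "__main__":
    print(classify_signers([CELL_KEYS, NODE_KEYS], TRUST))
```

A signer in the unmatched list is not necessarily an old one: a trust store can also hold signers for other systems the cell talks to, so check its owner and expiry date before deleting it.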

Select one of the new certificates. Click Extract.

Enter a File Name that corresponds to the certificate.

Do this for each of the new certificates, making sure you have done it for the cell signer and all of the node signers. These files are saved to the profile_root/Dmgr/etc directory.

Manually copy the trust store to each of the /etc directories.

Back up the trust.p12 in profile_root\Dmgr\etc.

Copy the profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\Dmgr\etc.

Back up the trust.p12 in the profile_root\Appsrv\etc directory on each of the nodes.
Copy the profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\Appsrv\etc.

Repeat the previous step for each node in the cell.

Sync and Start the node(s).

a. Restart the Deployment Manager.
b. Run a command line syncNode from each of the nodes.
c. Start the nodeagents and application servers. They should now be fully synchronized with the new certificates in place.

Verification

To verify whether the new certificates have been updated, open the admin console and check the certificate views.
