Versions Compared

Version Old Version 4 New Version 5
Changes made by

Avi Falah

Avi Falah

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Use the following procedure to replace these certificates.

  1. Make sure you have the new certificate and key following files provided in .pem format - use exactly the file names listed below:

    1. CA certificate - custom-es-ca-cert.pem

    2. Server certificate - dpod-es-server-cert.pem

    3. Server certificate key - dpod-es-server-key.pem

  2. In a Cell Environment, perform all the steps on the cell manager as well as all the cell members.

  3. Log in to DPOD's server using SSH.

  4. Create new custom keys directory

    Code Block
    mkdir -p /app/keys/store/custom

  5. Copy the key and certificate pem files to this directory. i.e.:

    Code Block
    ls /app/keys/store/custom
custom-es-ca-cert.pem dpod-es-server-cert.pem dpod-es-server-key.pem

  6. Create CA certificate chainbundle:

    Code Block
    cat /app/keys/store/dpod-es-ca-cert.pem /app/keys/store/custom/custom-es-ca-cert.pem > /app/keys/store/custom/dpod-es-ca-cert.pem

  7. Deploy the files to the Store server nodes:

    Code Block
    # version 1.0.15.0 and above
ls -d1 /app/opensearch_nodes/config/MonTier-es-raw-trans-*/certs | xargs -I ddd cp -f /app/keys/store/dpod-es-*.pem ddd

# version 1.0.14.0
ls -d1 /app/elasticsearch_nodes/config/MonTier-es-raw-trans-*/certs | xargs -I ddd cp -f /app/keys/store/custom/dpod-es-*.pem ddd

  8. Configure the Store server to accept the domain certifiednodes with the new DN:

    Code Block
    # version 1.0.15.0 and above
ls -1 /app/opensearch_nodes/config/MonTier-es-raw-trans-*/opensearch.yml | xargs -I fff sed -i "/pluginss#plugins.security.nodes_dn:.*/d" fff
ls -1 /app/opensearch_nodes/config/MonTier-es-raw-trans-*/opensearch.yml | xargs -I fff sed -i "/ - 'CN=.*/d" fff
ls -1 /app/opensearch_nodes/config/MonTier-es-raw-trans-*/opensearch.yml | xargs -I fff sh -c "echo \"plugins.#plugins.security.nodes_dn:\" >> fff"
ls -1 /app/opensearch_nodes/config/MonTier-es-raw-trans-*/opensearch.yml | xargs -I fff sh -c "echo \"  -  ['$(openssl x509 -subject -nameopt RFC2253 -noout -in /app/keys/store/custom/dpod-es-server-cert.pem | sed 's/subject= //')'\]#" >> fff"

# version 1.0.14.0
ls -1 /app/elasticsearch_nodes/config/MonTier-es-raw-trans-*/elasticsearch.yml | xargs -I fff sed -i "/opendistros#opendistro_security.nodes_dn:.*/d" fff
ls -1 /app/elasticsearch_nodes/config/MonTier-es-raw-trans-*/elasticsearch.yml | xargs -I fff sed -i "/ - 'CN=.*/d" fff
ls -1 /app/elasticsearch_nodes/config/MonTier-es-raw-trans-*/elasticsearch.yml | xargs -I fff sh -c "echo \"opendistro#opendistro_security.nodes_dn:\" >> fff"
ls -1 /app/elasticsearch_nodes/config/MonTier-es-raw-trans-*/elasticsearch.yml | xargs -I fff sh -c "echo \"  -  ['$(openssl x509 -subject -nameopt RFC2253 -noout -in /app/keys/store/custom/dpod-es-server-cert.pem | sed 's/subject= //')'\]#" >> fff"

  9. Stop and start all the application services using app-util.sh

  10. Cell Environment users should stop Stop and start Syslog and WS-M agents in all cell members from app-util.sh:

    1. app-utils.sh → Stop Service → syslog → stop up to this service

    2. app-utils.sh → Start Service → wsm → start up to this service

...