Prerequisites

  1. DPOD installed in version 1.0.14.0 or above.

  2. Certificate and Key files provided in ".pem" format.

Update Certificate

...

Cell Environment users should follow all the steps on the cell manager and all the cell members.

...

Set the config path prefix parameter:

  Code Block
  STORE_CONFIG_PREFIX="/app/opensearch_nodes/config/MonTier-es-raw-trans-"

For 1.0.14.0 use:

  Code Block
  STORE_CONFIG_PREFIX="/app/elasticsearch_nodes/config/MonTier-es-raw-trans-"

...

The system encrypts the communication between the Store nodes with self-signed certificates generated during the installation.

Use the following procedure to replace these certificates.

  1. Make sure you have the following files in .pem format - use exactly the file names listed below:

    1. CA certificate - custom-es-ca-cert.pem - if there are several CA certificates (root CA and intermediate CAs), the pem file should contain all of them concatenated one after the other.

    2. New Store certificate - dpod-es-server-cert.pem

    3. New Store certificate key - dpod-es-server-key.pem

  2. Stop all the application services using app-util.sh (In a Cell Environment, stop the cell manager as well as all the cell members).

  3. Configure DPOD (In a Cell Environment, configure the cell manager as well as all the cell members):

    1. Log in to DPOD's server using SSH.

    2. Create a new custom keys directory:

      Code Block
      mkdir -p /app/keys/store/custom

    3. Copy the key and certificate pem files to this directory, i.e.:

      Code Block
      ls /app/keys/store/custom
      custom-es-ca-cert.pem  dpod-es-server-cert.pem  dpod-es-server-key.pem

    4. Create the CA certificate bundle (the existing installation CA certificate followed by the custom CA certificate(s)):

      Code Block
      cat /app/keys/store/dpod-es-ca-cert.pem /app/keys/store/custom/custom-es-ca-cert.pem > /app/keys/store/custom/dpod-es-ca-cert.pem

    5. Deploy the key and certificate pem files to all Store nodes:

      Code Block
      ls -d1 ${STORE_CONFIG_PREFIX}*/certs | xargs -I ff cp -f /app/keys/store/custom/dpod-es-*.pem ff

    6. Update the file names in the Store nodes configuration files:

      Code Block
      ls -1 ${STORE_CONFIG_PREFIX}*/opensearch.yml | xargs -I ff sed -i "s|plugins.security.ssl.http.pemcert_filepath.*|plugins.security.ssl.http.pemcert_filepath: certs/dpod-es-server-cert.pem|" ff
      ls -1 ${STORE_CONFIG_PREFIX}*/opensearch.yml | xargs -I ff sed -i "s|plugins.security.ssl.http.pemkey_filepath.*|plugins.security.ssl.http.pemkey_filepath: certs/dpod-es-server-key.pem|" ff

      For 1.0.14.0 use:

      Code Block
      ls -1 ${STORE_CONFIG_PREFIX}*/elasticsearch.yml | xargs -I ff sed -i "s|opendistro_security.ssl.http.pemcert_filepath.*|opendistro_security.ssl.http.pemcert_filepath: certs/dpod-es-server-cert.pem|" ff
      ls -1 ${STORE_CONFIG_PREFIX}*/elasticsearch.yml | xargs -I ff sed -i "s|opendistro_security.ssl.http.pemkey_filepath.*|opendistro_security.ssl.http.pemkey_filepath: certs/dpod-es-server-key.pem|" ff

    7. Configure the Store server nodes with the new DN. The DN is read from the new Store certificate in RFC 2253 format; the inner sed strips the "subject=" prefix that openssl prints (with or without a trailing space, depending on the OpenSSL release):

      Code Block
      ls -1 ${STORE_CONFIG_PREFIX}*/opensearch.yml | xargs -I ff sed -i "s#plugins.security.nodes_dn:.*#plugins.security.nodes_dn: ['$(openssl x509 -subject -nameopt RFC2253 -noout -in /app/keys/store/custom/dpod-es-server-cert.pem | sed 's/^subject= *//')']#" ff

  4. Start all the application services using app-util.sh (In a Cell Environment, start the cell manager and all the cell members). In a Cell Environment, users should also stop and start the Syslog and WS-M agents in all the cell members from app-utils.sh:

    1. app-utils.sh → Stop Service → syslog → stop only this service

    2. app-utils.sh → Stop Service → wsm → stop only this service

    3. app-utils.sh → Start Service → syslog → start only this service

    4. app-utils.sh → Start Service → wsm → start only this service
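Checks worth running on the DPOD server after step 3 and before step 4, as an added example that is not part of DPOD or the original page. It assumes STORE_CONFIG_PREFIX is set as above, the exact file names from step 1, and that openssl is on the PATH; the DN extraction accepts both the "subject= " and "subject=" prefixes that different OpenSSL releases print, which the procedure's own sed does not.

```shell
# Added post-deployment checks for the Store certificate replacement above
# (example code, not part of DPOD). Assumes STORE_CONFIG_PREFIX is set as in the
# procedure, the pem files use the exact names from step 1, and openssl exists.

# Strip the "subject=" prefix of `openssl x509 -subject` output. OpenSSL 1.0
# prints "subject= CN=...", OpenSSL 1.1+ prints "subject=CN=..."; accept both.
dn_from_subject_line() {
    printf '%s\n' "$1" | sed 's/^subject= *//'
}

# The opensearch.yml line the procedure writes for the new server DN.
nodes_dn_line() {
    printf "plugins.security.nodes_dn: ['%s']\n" "$1"
}

# Rewrite the nodes_dn entry of one opensearch.yml in place (same sed as the
# procedure; the '#' delimiter lets the RFC 2253 DN keep its commas).
update_nodes_dn() {   # $1 = opensearch.yml path, $2 = DN
    sed -i "s#plugins.security.nodes_dn:.*#$(nodes_dn_line "$2")#" "$1"
}

# Count certificates in a bundle (installation CA + every custom CA expected).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# A Store node certs directory must hold exactly these three file names.
check_store_files() {   # $1 = certs directory
    for f in dpod-es-ca-cert.pem dpod-es-server-cert.pem dpod-es-server-key.pem; do
        [ -f "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
}

# Chain validity against the bundle and key/certificate consistency (openssl).
verify_node_certs() {   # $1 = certs directory
    openssl verify -CAfile "$1/dpod-es-ca-cert.pem" "$1/dpod-es-server-cert.pem" >/dev/null &&
    [ "$(openssl x509 -pubkey -noout -in "$1/dpod-es-server-cert.pem")" = \
      "$(openssl pkey -pubout -in "$1/dpod-es-server-key.pem")" ]
}

# Check every Store node and confirm its configured DN matches the new cert.
check_all_nodes() {
    dn=$(dn_from_subject_line "$(openssl x509 -subject -nameopt RFC2253 -noout \
        -in /app/keys/store/custom/dpod-es-server-cert.pem)")
    for d in "${STORE_CONFIG_PREFIX}"*/certs; do
        check_store_files "$d" && verify_node_certs "$d" &&
        grep -qF "$(nodes_dn_line "$dn")" "$d/../opensearch.yml" ||
        { echo "FAIL: $d" >&2; return 1; }
    done
    echo "all Store nodes OK"
}
```

Source the file and run check_all_nodes; a non-zero exit names the first node whose files, chain, key or configured DN do not match.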