Versions Compared

...

Use the following procedure to replace these certificates.

  1. Make sure you have the following new certificate and key files in PEM format. Use exactly the file names listed below, because the deployment and configuration commands in step 3 rely on them:

    1. CA certificate - custom-es-ca-cert.pem - if the certificate was issued through several CAs (a root CA and one or more intermediate CAs), the file must contain all of those CA certificates concatenated one after the other.

    2. New Store certificate - dpod-es-server-cert.pem

    3. New Store certificate key - dpod-es-server-key.pem (the private key that matches dpod-es-server-cert.pem)

  2. Stop all the application services using app-util.sh (in a Cell Environment, stop the cell manager as well as all the cell members).

  3. Configure DPOD (in a Cell Environment, configure the cell manager as well as all the cell members):

    1. Log in to DPOD's server using SSH.

    2. Create a new custom keys directory:

      Code Block
      mkdir -p /app/keys/store/custom

    3. Copy the key and certificate pem files to this directory, so that it contains exactly the three files from step 1:

      Code Block
      ls /app/keys/store/custom
      custom-es-ca-cert.pem  dpod-es-server-cert.pem  dpod-es-server-key.pem

    4. Create the CA certificate bundle. It contains DPOD's own Store CA followed by the custom CA chain, and is written under the file name the Store nodes already expect (dpod-es-ca-cert.pem), so the nodes keep trusting both:

      Code Block
      cat /app/keys/store/dpod-es-ca-cert.pem /app/keys/store/custom/custom-es-ca-cert.pem > /app/keys/store/custom/dpod-es-ca-cert.pem

    5. Deploy the files to the certs directory of every Store server node. The dpod-es-*.pem glob matches exactly the CA bundle, the certificate and the key; custom-es-ca-cert.pem itself is not copied, since it is already part of the bundle:

      Code Block
      ls -d1 /app/opensearch_nodes/config/MonTier-es-raw-trans-*/certs | xargs -I ddd cp -f /app/keys/store/custom/dpod-es-*.pem ddd

      In version 1.0.14.0 the Store nodes live under /app/elasticsearch_nodes instead:

      Code Block
      ls -d1 /app/elasticsearch_nodes/config/MonTier-es-raw-trans-*/certs | xargs -I ddd cp -f /app/keys/store/custom/dpod-es-*.pem ddd

    6. Configure the Store server nodes with the new DN. The security plugin identifies cluster nodes by the subject DN of their certificate (the nodes_dn setting), so every node's configuration must list the subject of dpod-es-server-cert.pem in RFC 2253 form. The command below reads that subject with openssl and writes it into every node's opensearch.yml:

      Code Block
      ls -1 /app/opensearch_nodes/config/MonTier-es-raw-trans-*/opensearch.yml | xargs -I fff sed -i "s#plugins.security.nodes_dn:.*#plugins.security.nodes_dn: ['$(openssl x509 -subject -nameopt RFC2253 -noout -in /app/keys/store/custom/dpod-es-server-cert.pem | sed 's/^subject= *//')']#" fff

      The inner sed strips the "subject=" prefix whether openssl prints it as "subject= CN=..." (older releases) or "subject=CN=..." (1.1.0 and later); with the literal "subject= " pattern alone, newer openssl releases would leave the prefix inside the quoted DN and the nodes would not recognise each other.

      In version 1.0.14.0 the node configuration files are /app/elasticsearch_nodes/config/MonTier-es-raw-trans-*/elasticsearch.yml and the security settings are prefixed opendistro_security. instead of plugins.security.
  4. Start all the application services using app-util.sh (in a Cell Environment, start the cell manager and all the cell members, then stop and start the Syslog and WS-M agents on every cell member from app-util.sh):

    1. app-util.sh → Stop Service → syslog → stop only this service

    2. app-util.sh → Stop Service → wsm → stop only this service

    3. app-util.sh → Start Service → syslog → start only this service

    4. app-util.sh → Start Service → wsm → start only this service
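The procedure above copies the files to every Store node and rewrites nodes_dn without checking that the supplied PEM files are consistent, so a key that does not match the certificate, or a certificate that does not chain to custom-es-ca-cert.pem, is only discovered when the nodes fail to start. The script below is an added example (not part of the DPOD documentation or product; the dpod_* function names, the use of openssl on the DPOD server and the one-line nodes_dn layout are assumptions) that runs those checks on the custom keys directory before step 3.5, extracts the RFC 2253 subject the same way step 3.6 does, and performs the nodes_dn rewrite on a file you name, so it can be tried on a copy of opensearch.yml first.

```shell
#!/bin/sh
# Pre-flight checks for the Store certificate replacement procedure.
# Added example, not DPOD's own tooling; function names are assumptions.

# RFC 2253 subject of a PEM certificate with the "subject=" prefix removed.
# Older openssl prints "subject= CN=..." and newer prints "subject=CN=...";
# the pattern '^subject= *' handles both forms.
dpod_store_subject_dn() {
  openssl x509 -subject -nameopt RFC2253 -noout -in "$1" | sed 's/^subject= *//'
}

# The single-line nodes_dn entry that is written into opensearch.yml.
dpod_nodes_dn_line() {
  printf "plugins.security.nodes_dn: ['%s']\n" "$1"
}

# Rewrite the nodes_dn line of one opensearch.yml in place: the same sed as
# step 3.6, but with the target file and the DN passed as arguments.
# Assumes nodes_dn is a one-line inline list; a DN containing '&' or '#'
# would need escaping before it is used in the sed replacement.
dpod_set_nodes_dn() {
  yml=$1; dn=$2
  sed -i "s#^plugins\.security\.nodes_dn:.*#$(dpod_nodes_dn_line "$dn")#" "$yml"
}

# Verify that $1 (the custom keys directory) holds the three files with the
# exact names step 1 requires, that the key belongs to the certificate, and
# that the certificate chains to the supplied CA bundle. Returns non-zero on
# the first failure so a bad set is never copied to the Store nodes.
dpod_check_store_certs() {
  dir=$1
  for f in custom-es-ca-cert.pem dpod-es-server-cert.pem dpod-es-server-key.pem; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
  done
  # Compare the public key inside the certificate with the one derived from
  # the private key; openssl pkey handles both RSA and EC keys.
  cert_pub=$(openssl x509 -noout -pubkey -in "$dir/dpod-es-server-cert.pem") || return 1
  key_pub=$(openssl pkey -pubout -in "$dir/dpod-es-server-key.pem") || return 1
  [ "$cert_pub" = "$key_pub" ] || {
    echo "dpod-es-server-key.pem does not match dpod-es-server-cert.pem" >&2; return 1; }
  # The bundle may hold root and intermediates concatenated; verify uses them all.
  openssl verify -CAfile "$dir/custom-es-ca-cert.pem" "$dir/dpod-es-server-cert.pem" >/dev/null 2>&1 || {
    echo "dpod-es-server-cert.pem does not chain to custom-es-ca-cert.pem" >&2; return 1; }
  echo "ok: nodes_dn will be $(dpod_store_subject_dn "$dir/dpod-es-server-cert.pem")"
}

# Usage on the DPOD server, after step 3.3:  sh thisscript.sh /app/keys/store/custom
if [ $# -gt 0 ]; then
  dpod_check_store_certs "$1"
fi
```

Run it against /app/keys/store/custom before deploying; a non-zero exit means the files should be fixed before any of them reach a Store node. The printed DN is the value the step 3.6 command will write, so it can be compared against the existing nodes_dn entries on the other cell members.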