Use the following procedure to replace these certificates.

  1. Make sure you have the following files in .pem format, using exactly the file names listed below:

    1. CA certificate - custom-es-ca-cert.pem - if there are several CA certificates (root CA and intermediate CAs) - the pem file should contain all certificates concatenated (one after the other).

    2. New Store certificate - dpod-es-server-cert.pem

    3. New Store certificate key - dpod-es-server-key.pem

  2. Stop all the application services using app-util.sh (In a Cell Environment, stop the cell manager as well as all the cell members).

  3. Configure DPOD (In a Cell Environment, configure the cell manager as well as all the cell members.):

    1. Log in to DPOD's server using SSH.

    2. Create a new custom keys directory:

      Code Block
      mkdir -p /app/keys/store/custom
    3. Copy the key and certificate pem files to this directory, i.e.:

      Code Block
      ls /app/keys/store/custom
      custom-es-ca-cert.pem dpod-es-server-cert.pem dpod-es-server-key.pem
    4. Create the CA certificate bundle:

      Code Block
      cat /app/keys/store/dpod-es-ca-cert.pem /app/keys/store/custom/custom-es-ca-cert.pem > /app/keys/store/custom/dpod-es-ca-cert.pem
    5. Deploy the files to the Store server nodes:

      Code Block
      # version 1.0.15.0 and above
      ls -d1 /app/opensearch_nodes/config/MonTier-es-raw-trans-*/certs | xargs -I ddd cp -f /app/keys/store/custom/dpod-es-*.pem ddd
      # version 1.0.14.0
      ls -d1 /app/elasticsearch_nodes/config/MonTier-es-raw-trans-*/certs | xargs -I ddd cp -f /app/keys/store/custom/dpod-es-*.pem ddd
    6. Configure the Store server nodes with the new DN:

      Code Block
      # version 1.0.15.0 and above
      # replace the existing nodes_dn value with the subject DN of the new server certificate
      ls -1 /app/opensearch_nodes/config/MonTier-es-raw-trans-*/opensearch.yml | xargs -I fff sed -i "s#plugins.security.nodes_dn:.*#plugins.security.nodes_dn: ['$(openssl x509 -subject -nameopt RFC2253 -noout -in /app/keys/store/custom/dpod-es-server-cert.pem | sed 's/subject= //')']#" fff
      # version 1.0.14.0
      # remove the old nodes_dn key and its list entries
      ls -1 /app/elasticsearch_nodes/config/MonTier-es-raw-trans-*/elasticsearch.yml | xargs -I fff sed -i "/opendistro_security.nodes_dn:.*/d" fff
      ls -1 /app/elasticsearch_nodes/config/MonTier-es-raw-trans-*/elasticsearch.yml | xargs -I fff sed -i "/ - 'CN=.*/d" fff
      # append the key again, followed by the subject DN of the new server certificate
      ls -1 /app/elasticsearch_nodes/config/MonTier-es-raw-trans-*/elasticsearch.yml | xargs -I fff sh -c "echo \"opendistro_security.nodes_dn:\" >> fff"
      ls -1 /app/elasticsearch_nodes/config/MonTier-es-raw-trans-*/elasticsearch.yml | xargs -I fff sh -c "echo \" - '$(openssl x509 -subject -nameopt RFC2253 -noout -in /app/keys/store/custom/dpod-es-server-cert.pem | sed 's/subject= //')'\" >> fff"
  4. Start all the application services using app-util.sh (In a Cell Environment, start the cell manager and all the cell members). In a Cell Environment, users should stop and start the Syslog and WS-M agents in all cell members from app-util.sh:

    1. app-util.sh → Stop Service → syslog → stop only this service

    2. app-util.sh → Stop Service → wsm → stop only this service

    3. app-util.sh → Start Service → syslog → start only this service

    4. app-util.sh → Start Service → wsm → start only this service
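
A check that can be run after step 3 and before the services are started, as an added example that is not part of the DPOD documentation or tooling: it confirms that a node's certs directory holds the new files and that its configuration contains exactly one nodes_dn key listing the new DN. The function name verify_store_node and its arguments are assumptions of this sketch; the paths in the usage comment come from the procedure above.

```shell
#!/bin/sh
# Added example, not DPOD tooling. verify_store_node and its arguments are
# hypothetical names for this sketch:
#   $1 directory with the new dpod-es-*.pem files (/app/keys/store/custom)
#   $2 one node's config directory (holds certs/ and the .yml file)
#   $3 config file name: opensearch.yml or elasticsearch.yml
#   $4 expected subject DN in RFC2253 form (output of the openssl command above)
verify_store_node() {
    src=$1 node=$2 yml="$2/$3" dn=$4
    problems=0

    # 1. Each deployed PEM must be byte-identical to the new file, otherwise
    #    the node would still present the old certificate or CA bundle.
    for f in dpod-es-ca-cert.pem dpod-es-server-cert.pem dpod-es-server-key.pem; do
        if ! cmp -s "$src/$f" "$node/certs/$f"; then
            echo "MISMATCH: $node/certs/$f differs from $src/$f" >&2
            problems=$((problems + 1))
        fi
    done

    # 2. Exactly one nodes_dn key: zero means the edit matched nothing,
    #    two or more means an append-style edit was run more than once.
    keys=$(grep -cE '^(plugins\.security|opendistro_security)\.nodes_dn:' "$yml" 2>/dev/null || true)
    if [ "${keys:-0}" -ne 1 ]; then
        echo "BAD: $yml has ${keys:-0} nodes_dn keys, expected 1" >&2
        problems=$((problems + 1))
    fi

    # 3. The new DN must appear as a quoted literal (inline or list form).
    if ! grep -qF -- "'$dn'" "$yml" 2>/dev/null; then
        echo "BAD: $yml does not list '$dn'" >&2
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Usage on a DPOD server (paths taken from the procedure above):
#   dn=$(openssl x509 -subject -nameopt RFC2253 -noout \
#        -in /app/keys/store/custom/dpod-es-server-cert.pem | sed 's/subject= //')
#   for d in /app/opensearch_nodes/config/MonTier-es-raw-trans-*; do
#       verify_store_node /app/keys/store/custom "$d" opensearch.yml "$dn" || echo "FAILED: $d"
#   done
```

In a Cell Environment, run it on the cell manager and on every cell member, since step 3 is performed on each of them.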