Updated on 2024-04-11 GMT+08:00

Replacing HA Certificates

Scenario

HA certificates are used to encrypt the communication between active/standby processes and high availability processes to ensure security. Replace the HA certificates on active and standby management nodes on FusionInsight Manager to ensure product security. This operation is applicable to the following scenarios:

  • After the cluster is installed for the first time, import an enterprise certificate.
  • If the enterprise certificate has expired or security hardening is required, replace it with a new certificate.

but is not applicable to scenarios where active and standby management nodes are not installed.

The certificate file and key file can be applied for from the enterprise certificate center or generated by the cluster user.

Impact on the System

FusionInsight Manager must be restarted during the replacement and cannot be accessed or provide services.

Prerequisites

  • You have obtained the root-ca.crt root file and the root-ca.pem key file of the certificate to be replaced.
  • You have prepared a password, for example, Userpwd@123, for accessing the key file.

    To avoid potential security risks, the password must meet the following complexity requirements:

    • Contains at least 8 characters.
    • Contains at least four types of the following: uppercase letters, lowercase letters, numbers, and special characters (~`!?,.;-_'(){}[]/<>@#$%^&*+|\=).
  • When applying for a certificate from the certificate center, provide the password for accessing the key file and apply for the certificate files in CRT, CER, CERT, and PEM formats and the key files in KEY and PEM formats. The applied certificate must have the issuing function.

Procedure

  1. Log in to the active management node as user omm using the IP address of the active management node.
  2. Select a method for generating certificate files and key files.

    • If the certificate is generated by the certificate center, save the certificate file and key file to the ${OMS_RUN_PATH}/workspace0/ha/local/cert directory on the active and standby management nodes.

      If the obtained certificate file is not in the .crt format and the key file is not in the .pem format, run the following commands to change the file formats:

      mv Certificate name.Certificate formatroot-ca.crt

      mv Key name.Key format root-ca.pem

      For example, run the following commands to name the certificate file root-ca.crt and the key file root-ca.pem:

      mv server.cer root-ca.crt

      mv server_key.key root-ca.pem

    • If the certificate is generated by the cluster user, run the following command to generate root-ca.crt and root-ca.pem in the ${OMS_RUN_PATH}/workspace0/ha/local/cert directory:

      sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/gen-cert.sh --root-ca --country=CN --state=state --city=city --company=company --organize=organize --common-name=commonname --email=Cluster user email address

      The validity period of the generated certificate file is 10 years. When the system certificate file is about to expire, the system generates the "ALM-12055 Certificate File Is About to Expire" alarm.

      For example, run the following command:

      sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/gen-cert.sh --root-ca --country=CN --state=guangdong --city=shenzhen --company=huawei --organize=IT --common-name=HADOOP.COM --email=abc@xxx.com

      Enter the password as prompted and press Enter.

      Enter pass phrase for /opt/huawei/Bigdata/om-server/OMS/workspace/ha/local/cert/root-ca.pem:

      The command is executed if the following information is displayed:

      Generate root-ca pair success.

  3. On the active management node, run the following command as user omm to copy root-ca.crt and root-ca.pem to the ${BIGDATA_HOME}/om-server/om/security/certHA directory:

    cp -arp ${OMS_RUN_PATH}/workspace0/ha/local/cert/root-ca.* ${BIGDATA_HOME}/om-server/om/security/certHA

  4. Copy root-ca.crt and root-ca.pem generated on the active management node to the ${BIGDATA_HOME}/om-server/om/security/certHA directory on the standby management node as user omm.

    scp ${OMS_RUN_PATH}/workspace0/ha/local/cert/root-ca.* omm@IP address of the standby management node:${BIGDATA_HOME}/om-server/om/security/certHA

  5. Run the following command to generate an HA certificate and perform the automatic replacement:

    sh ${BIGDATA_HOME}/om-server/om/sbin/replacehaSSLCert.sh

    Enter the password as prompted and press Enter.

    Please input ha ssl cert password:

    The DBService HA certificate is replaced successfully if the following information is displayed:

    [INFO] Succeed to replace ha ssl cert.

    If the user wants to update the package for encrypting the HA password, add the -u parameter.

  6. Run the following command to restart the OMS:

    sh ${BIGDATA_HOME}/om-server/om/sbin/restart-oms.sh

    The following information is displayed:

    start HA successfully.

  7. Log in to the standby management node as user omm using the IP address of the standby management node, and repeat steps 5 and 6.

    Run sh ${BIGDATA_HOME}/om-server/om/sbin/status-oms.sh to check whether HAAllResOK of the management node is Normal and whether FusionInsight Manager can be logged in to again. If yes, the operation is successful.