Updated on 2024-04-11 GMT+08:00

Replacing the HA Certificate

Scenario

HA certificates are used to encrypt the communication between active/standby processes and HA processes to ensure the communication security. This section describes how to replace the HA certificates on the active and standby management nodes on MRS Manager to ensure the product security.

The certificate file and key file can be generated by the user.

Impact on the System

MRS Manager needs to be restarted during the replacement and cannot be accessed or provide services at that time.

Prerequisites

  • You have obtained the root-ca.crt HA root certificate file and the root-ca.pem key file to be replaced.
  • You have prepared a password, such as Userpwd@123, for accessing the key file.

    To avoid potential security risks, the password must meet the following complexity requirements:

    • The password must contain at least eight characters.
    • The password must contain at least four types of the following characters: uppercase letters, lowercase letters, digits, and special characters (~`!?,.:;-_'(){}[]/<>@#$%^&*+|\=).

Procedure

  1. Log in to the active management node.
  2. Run the following commands to switch the user:

    sudo su - root

    su - omm

  3. Run the following commands to generate root-ca.crt and root-ca.pem in the ${OMS_RUN_PATH}/workspace0/ha/local/cert directory on the active management node:

    sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/gen-cert.sh --root-ca --country=country --state=state --city=city --company=company --organize=organize --common-name=commonname --email=Administrator email address --password=password

    There can be security risks if a command contains the authentication password. You are advised to disable the command recording function (history) before running the command.

    For example, run the following command: sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/gen-cert.sh --root-ca --country=CN --state=gd --city=sz --company=hw --organize=IT --common-name=HADOOP.COM --email=abc@hw.com --password=xxx

    The command has been executed successfully if the following information is displayed:

    Generate root-ca pair success.

  4. On the active management node, run the following command as user omm to copy root-ca.crt and root-ca.pem to the ${BIGDATA_HOME}/om-0.0.1/security/certHA directory:

    cp -arp ${OMS_RUN_PATH}/workspace0/ha/local/cert/root-ca.* ${BIGDATA_HOME}/om-0.0.1/security/certHA

  5. Copy root-ca.crt and root-ca.pem generated on the active management node to the ${BIGDATA_HOME}/om-0.0.1/security/certHA directory on the standby management node as user omm.
  6. Run the following command to generate an HA certificate and perform the automatic replacement:

    sh ${BIGDATA_HOME}/om-0.0.1/sbin/replacehaSSLCert.sh

    Enter the password as prompted, and press Enter.

    Please input ha ssl cert password:

    The HA certificate is replaced successfully if the following information is displayed:

    [INFO] Succeed to replace ha ssl cert.

  7. Run the following command to restart OMS:

    sh ${BIGDATA_HOME}/om-0.0.1/sbin/restart-oms.sh

    The following information is displayed:

    start HA successfully.

  8. Log in to the standby management node and switch to user omm. Repeat step 6 to step 7.

    Run the sh ${BIGDATA_HOME}/om-0.0.1/sbin/status-oms.sh command to check whether HAAllResOK of the management node is Normal. Access MRS Manager again. If MRS Manager can be accessed, the operation is successful.