Replacing an HA Certificate
HA certificates are used to encrypt the communication between active/standby processes and HA processes to ensure the communication security. This section describes how to replace the HA certificates on the active and standby management nodes on Manager to ensure product security. This feature applies to the following scenarios:
- After a cluster is installed for the first time, import an enterprise certificate.
- If an enterprise certificate has expired or requires security hardening, replace it with a new one.
You cannot replace the HA certificate for a cluster that does not have active and standby management nodes installed.
You can either apply for the certificate and key files from your enterprise certificate center or generate them yourself as a cluster user.
Impact on the System
During the replacement process, Manager needs to be restarted, which will result in the system being inaccessible and unable to provide services.
Prerequisites
- You have obtained the root-ca.crt HA root certificate file and the root-ca.pem key file to be replaced.
- You have prepared a password, such as Userpwd@123, for accessing the key file.
To avoid potential security risks, the password must meet the following complexity requirements:
- The password must contain at least eight characters.
- The password contains at least four types of the following: uppercase letters, lowercase letters, numbers, and special characters (~`!?,.;-_'(){}[]/<>@#$%^&*+|\=).
- When applying for a certificate from the certificate center, please provide the password to access the key file and request certificate files in formats such as CRT, CER, CERT, and PEM, as well as KEY and PEM format key files. The certificate you apply for needs to be able to issue certificates.
Replacing an HA Certificate (MRS 3.x or Later)
- Log in to the active management node as user omm.
- Select a way to generate certificate and key files.
- If you choose to apply for the certificate and key files from your enterprise certificate center, save the certificate and key files to the ${OMS_RUN_PATH}/workspace0/ha/local/cert directory on the active and standby management nodes.
If the obtained certificate file is not in the .crt format or the key file is not in the .pem format, run either of the following commands accordingly to correct the format:
mv Certificate file name.Certificate file format root-ca.crt
mv Key file name.Key file format root-ca.pem
For example, run the following commands to name the certificate file root-ca.crt and the key file root-ca.pem:
mv server.cer root-ca.crt
mv server_key.key root-ca.pem
- If you choose to generate them yourself as a cluster user, run the following command to generate the root-ca.crt and root-ca.pem files in the ${OMS_RUN_PATH}/workspace0/ha/local/cert directory on the active management node:
sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/gen-cert.sh --root-ca --country=CN --state=state --city=city --company=company --organize=organize --common-name=commonname --email=Cluster user email address
The generated certificate files are valid for 10 years. When the system certificate files are about to expire, an alarm with the message "ALM-12055 Certificate File Is About to Expire" will be generated.
For example, run the following command:
sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/gen-cert.sh --root-ca --country=CN --state=guangdong --city=shenzhen --company=huawei --organize=IT --common-name=HADOOP.COM --email=abc@example.com
Enter the password as prompted and press Enter.
Enter pass phrase for /opt/huawei/Bigdata/om-server/OMS/workspace/ha/local/cert/root-ca.pem:
The command is successfully executed if the following information is displayed:
Generate root-ca pair success.
- If you choose to apply for the certificate and key files from your enterprise certificate center, save the certificate and key files to the ${OMS_RUN_PATH}/workspace0/ha/local/cert directory on the active and standby management nodes.
- On the active management node, run the following command as user omm to copy root-ca.crt and root-ca.pem to the ${BIGDATA_HOME}/om-server/om/security/certHA directory:
cp -arp ${OMS_RUN_PATH}/workspace0/ha/local/cert/root-ca.* ${BIGDATA_HOME}/om-server/om/security/certHA
- Copy root-ca.crt and root-ca.pem generated on the active management node to the ${BIGDATA_HOME}/om-server/om/security/certHA directory on the standby management node as user omm.
scp ${OMS_RUN_PATH}/workspace0/ha/local/cert/root-ca.* omm@IP address of the standby management node:${BIGDATA_HOME}/om-server/om/security/certHA
- Run the following command to generate an HA certificate and perform the automatic replacement:
sh ${BIGDATA_HOME}/om-server/om/sbin/replacehaSSLCert.sh
Enter the password as prompted and press Enter.
Please input ha ssl cert password:
The HA certificate is replaced successfully if the following information is displayed:
[INFO] Succeed to replace ha ssl cert.
If you need to update the HA password encryption suite, use the -u parameter.
- Run the following command to restart OMS:
sh ${BIGDATA_HOME}/om-server/om/sbin/restart-oms.sh
The following information is displayed:
start HA successfully.
- Log in to the standby management node as user omm using the IP address of the standby management node, and repeat steps 5 and 6.
Run sh ${BIGDATA_HOME}/om-server/om/sbin/status-oms.sh to check whether HAAllResOK of the management node is Normal and whether FusionInsight Manager can be relogged in to. If they are, the operation is successful.
Replacing an HA Certificate (MRS 2.x or Earlier)
- Log in to the active management node.
- Run the following commands to switch the user:
sudo su - root
su - omm
- Run the following commands to generate root-ca.crt and root-ca.pem in the ${OMS_RUN_PATH}/workspace0/ha/local/cert directory on the active management node:
sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/gen-cert.sh --root-ca --country=country --state=state --city=city --company=company --organize=organize --common-name=commonname --email=Administrator email address --password=password
There can be security risks if a command contains the authentication password. You are advised to disable the command recording function (history) before running the command.
For example, run the following command: sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/gen-cert.sh --root-ca --country=CN --state=gd --city=sz --company=hw --organize=IT --common-name=HADOOP.COM --email=abc@example.com --password=xxx
The command has been executed successfully if the following information is displayed:
Generate root-ca pair success.
- On the active management node, run the following command as user omm to copy root-ca.crt and root-ca.pem to the ${BIGDATA_HOME}/om-0.0.1/security/certHA directory:
cp -arp ${OMS_RUN_PATH}/workspace0/ha/local/cert/root-ca.* ${BIGDATA_HOME}/om-0.0.1/security/certHA
- Copy root-ca.crt and root-ca.pem generated on the active management node to the ${BIGDATA_HOME}/om-0.0.1/security/certHA directory on the standby management node as user omm.
- Run the following command to generate an HA certificate and perform the automatic replacement:
sh ${BIGDATA_HOME}/om-0.0.1/sbin/replacehaSSLCert.sh
Enter the password as prompted, and press Enter.
Please input ha ssl cert password:
The HA certificate is replaced successfully if the following information is displayed:
[INFO] Succeed to replace ha ssl cert.
- Run the following command to restart OMS:
sh ${BIGDATA_HOME}/om-0.0.1/sbin/restart-oms.sh
The following information is displayed:
start HA successfully.
- Log in to the standby management node and switch to user omm. Repeat step 6 to step 7.
Run the sh ${BIGDATA_HOME}/om-0.0.1/sbin/status-oms.sh command to check whether HAAllResOK of the management node is Normal. Access MRS Manager again. If MRS Manager can be accessed, the operation is successful.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot