
eSight V300R010C00 Maintenance Guide 08

Replacing the Business Certificate

After eSight is installed, replace the preset self-signed certificate with a certificate issued by your CA as required. The preset certificate is intended for deployment and commissioning only.

Updating the Preset PKI Certificate of eSight

This topic describes how to update the preset PKI certificate of eSight.

Prerequisites

You have applied to the Certificate Authority (CA) organization for a new digital certificate. The certificate includes the following files:

  • Digital certificate: esight.cer
  • Private key of the digital certificate: esight.key
  • Root CA certificate: rootca.cer
  • (Optional) Intermediate CA certificate: internalca.cer
    NOTE:

    You may have multiple intermediate CA certificates.

The certificate-related information is as follows:

  • The CA may issue the files under different names. Rename them to the names used in this document (esight.cer, esight.key, rootca.cer, internalca.cer) before you start.
  • This document assumes that the eSight installation directory is "/opt/eSight" in the Linux operating system and "D:\eSight" in the Microsoft Windows operating system.
  • If your certificate is DER-encoded, convert it to Base64 (PEM) encoding first. Write the converted certificate to a new file and rename it afterwards: openssl may open the output file before it reads the input, so giving the same name to -in and -out can leave you with an empty file. The following uses demo.cer as an example:
    1. In the Linux operating system, run the following commands:

      > openssl x509 -inform DER -in demo.cer -outform PEM -out demo.pem

      > mv demo.pem demo.cer

    2. In the Microsoft Windows operating system, run the following commands:

      > D:\eSight\AppBase\tools\jks2pfx\openssl.exe x509 -inform DER -in demo.cer -outform PEM -out demo.pem

      > move /y demo.pem demo.cer

Procedure

In the Linux operating system:

NOTE:

In an HA system, you need to update the certificates on the active and standby servers.

  1. Log in to the eSight server as the ossuser user in SSH mode.
  2. Stop the eSight service.
  3. Upload the certificate files to the work directory.
    1. Run the following command (the user directory "/ossuser" is used as an example) to create a directory for storing the certificate files:

      > mkdir /ossuser/certificate

    2. Upload the applied certificate files to the created certificate directory.
    3. Back up the original certificate files.

      Run the following commands to back up the original certificate files:

      > mkdir /opt/eSight/backup

      > cd /opt/eSight/backup

      > cp /opt/eSight/AppBase/etc/certificate/application/ca/caTrustStore.jks .

      > cp /opt/eSight/AppBase/etc/certificate/application/node/nodeKeyStore.jks .

  4. Make a certificate file in the .p12 format.

    If esight.cer was issued through an intermediate CA, append the intermediate CA certificate(s) and then the root CA certificate to esight.cer, so that the file holds the complete chain in order: server certificate, intermediate CA(s), root CA. Assume that the root CA certificate is rootca.cer and the intermediate CA certificate is internalca.cer (with several intermediates, list them in issuing order before rootca.cer). Run the following commands in sequence:

    > cd ~/certificate

    > mv esight.cer esight.crt

    > awk '{print}' internalca.cer rootca.cer > ca.cer

    > awk '{print}' esight.crt ca.cer > esight.cer

    Run the following commands to make the PKCS12-format certificate esight.p12 using esight.cer and esight.key:

    > cd ~/certificate

    > openssl pkcs12 -export -clcerts -in esight.cer -inkey esight.key -out esight.p12

    Enter pass phrase for esight.key: Enter the password of esight.key.
    Enter Export Password: Set the password of esight.p12.
    Verifying - Enter Export Password: Enter the password of esight.p12 again.
    NOTE:

    The password contains 8 to 30 characters, including digits from 0 to 9, uppercase and lowercase letters, and special characters @%-=_.]{}.
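
    As an added example (not part of the eSight guide), the following shell script carries out steps 3 and 4 with the checks a practitioner wants before the key goes into a keystore: it converts DER files to PEM without overwriting them, assembles the chain in the right order, confirms that esight.key really belongs to esight.cer, verifies that the server certificate chains to the supplied CAs, and exports esight.p12 while reading both passwords from files instead of the command line. It assumes openssl on PATH and a work directory holding esight.cer and esight.key; the function names and the password-file convention are the example's own, not eSight's.

```shell
#!/bin/sh
# Added example (not from the eSight guide): prepare the business certificate
# for step 4 with consistency checks. Assumes: openssl on PATH; esight.cer and
# esight.key in the work directory; CA certificates passed as arguments,
# intermediates first and the root last.
set -eu

# Convert a DER certificate to PEM, writing to a NEW file: openssl may open
# the output before it reads the input, so -in and -out must differ.
to_pem() {   # to_pem IN OUT
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        cp "$1" "$2"                                 # already PEM
    else
        openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
    fi
}

# Concatenate CA certificates into one PEM bundle, in the order given.
# awk '{print}' (as in the guide) guarantees a newline after every file, so an
# END line and the next BEGIN line never run together.
build_ca_bundle() {   # build_ca_bundle OUT CA1 [CA2 ...]
    out="$1"; shift
    : > "$out"
    for c in "$@"; do
        to_pem "$c" "$out.tmp"
        awk '{print}' "$out.tmp" >> "$out"
    done
    rm -f "$out.tmp"
}

# Is esight.key the private key of esight.crt? Compare the public keys.
key_matches_cert() {   # key_matches_cert CERT KEY KEYPASSFILE
    certpub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    keypub=$(openssl pkey -in "$2" -passin "file:$3" -pubout | openssl sha256)
    [ "$certpub" = "$keypub" ]
}

# Build esight.cer (server cert + chain) and esight.p12 in DIR, then print the
# number of certificates packed into esight.p12 (1 + number of CA files).
# Passwords come from files (mode 600, delete them afterwards) rather than
# "pass:..." arguments, which are visible in ps output and shell history.
make_p12() {   # make_p12 DIR KEYPASSFILE P12PASSFILE CA1 [CA2 ...]
    dir="$1"; keypass="$2"; p12pass="$3"; shift 3
    (
        cd "$dir"
        to_pem esight.cer esight.crt                 # keep the bare server cert
        build_ca_bundle ca.cer "$@"
        key_matches_cert esight.crt esight.key "$keypass" \
            || { echo "esight.key does not belong to esight.cer" >&2; exit 1; }
        openssl verify -CAfile ca.cer esight.crt >/dev/null \
            || { echo "esight.crt does not chain to the supplied CAs" >&2; exit 1; }
        awk '{print}' esight.crt ca.cer > esight.cer # server cert, intermediates, root
        openssl pkcs12 -export -in esight.cer -inkey esight.key \
            -passin "file:$keypass" -passout "file:$p12pass" -out esight.p12
        # Read the bundle back: it must open with the export password and hold
        # the whole chain, or the keytool import in step 5 will be incomplete.
        openssl pkcs12 -in esight.p12 -passin "file:$p12pass" -nokeys \
            | grep -c 'BEGIN CERTIFICATE'
    )
}
```

    Run it as make_p12 ~/certificate ~/certificate/key.pass ~/certificate/p12.pass internalca.cer rootca.cer (the password files hold one line each). It prints the number of certificates in esight.p12, which must equal 1 plus the number of CA files you passed; a mismatched key or a broken chain stops the script before anything is exported.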

  5. Create the keystore and trust store files and check that they are correct and complete.
    1. Create the keystore file nodeKeyStore.jks.

      Run the following command to import the certificate and private key from esight.p12 into nodeKeyStore.jks using keytool (alias 1 is the name the entry has in esight.p12 when openssl was given no -name; it is stored in nodeKeyStore.jks under the alias server):

      > cd ~/certificate

      > /opt/eSight/AppBase/jre/bin/keytool -importkeystore -destalias server -destkeystore nodeKeyStore.jks -deststoretype PKCS12 -srckeystore esight.p12 -srcstoretype PKCS12 -alias 1

      Importing keystore esight.p12 to nodeKeyStore.jks..
      Enter destination keystore password: Set the password of the keystore nodeKeyStore.jks.
      Re-enter new password: Enter the password of nodeKeyStore.jks again.
      Enter source keystore password: Enter the password of esight.p12.
    2. Create the trust store file caTrustStore.jks and import the new root CA certificate into it.

      > cd ~/certificate

      > /opt/eSight/AppBase/jre/bin/keytool -import -alias nodeca -keystore caTrustStore.jks -file rootca.cer

      Enter keystore password: Set the password of caTrustStore.jks.
      Re-enter new password: Enter the password of caTrustStore.jks again.
      Trust this certificate? [no]:  yes
    3. Import the original CA certificate to the caTrustStore.jks file.

      The following uses the self-signed CA certificate ca.crt of eSight in the /opt/eSight/AppBase/etc/certificate/application/ca directory as an example:

      > cd ~/certificate

      > /opt/eSight/AppBase/jre/bin/keytool -import -alias rootca -keystore caTrustStore.jks -file /opt/eSight/AppBase/etc/certificate/application/ca/ca.crt

      Enter keystore password: Enter the password of caTrustStore.jks.
      Trust this certificate? [no]:  yes

      If the following information is displayed, the CA certificate file is imported successfully:

      The certificate has been added to the keystore.

      If the original trust store contained other CA certificates, import them into the new caTrustStore.jks as well; otherwise the peers those certificates vouched for will no longer be trusted.

  6. Encrypt the passwords of the keystore and trust store files and record the encrypted strings.

    Run both tools once for the password of nodeKeyStore.jks and once for the password of caTrustStore.jks, and record which string belongs to which file: the configuration files in step 8 need the BME string and the AES string of each.

    1. Generate the encrypted BME string of a password.

      > /opt/eSight/AppBase/tools/bmetool/encrypt/encrypt.sh 0

      Please input the password: Enter the password of the keystore or trust store file.
      Please input the password again: Enter the same password again.

      The encrypted BME string is displayed. Example output:

      @0102000000000673dfaad951eb019ecbe9284ea64df360306f7f3c915f165dfec43b8714ed08
    2. Generate the encrypted AES string of a password.

      > /opt/eSight/AppBase/tools/aestool e

      Enter password: Enter the password of the keystore or trust store file.
      Enter password again: Enter the same password again.

      The encrypted AES string is displayed. Example output:

      74e2b500af0456bbe4e185cec2aa3ba60d25d66be80a802b3451f41257272e08
  7. Copy the generated files to the eSight directories.
    1. Copy the server certificate and the re-encrypted private key to the node directory.

      > cd ~/certificate

      > cp esight.crt /opt/eSight/AppBase/etc/certificate/application/node/node.crt

      > openssl rsa -in esight.key -aes128 -passout pass:Changeme_123 -out node.pem

      Enter pass phrase for esight.key: Enter the password of esight.key.

      > cp node.pem /opt/eSight/AppBase/etc/certificate/application/node/node.pem

      NOTE:

      Without -passin, openssl prompts for the passphrase of esight.key. A passphrase given on the command line as -passin pass:<password> is visible to other users in the process list and is recorded in the shell history; prefer the prompt, or -passin file:<path> pointing to a file with mode 600 that you delete afterwards.

    2. Copy the generated nodeKeyStore.jks file to the following directories, overwriting the existing files:

      > cd ~/certificate

      > cp nodeKeyStore.jks /opt/eSight/AppBase/etc/certificate/application/node/

      > cp nodeKeyStore.jks /opt/eSight/mttools/etc/certificate/application/node/

    3. Copy the generated caTrustStore.jks file to the following directories, overwriting the existing files:

      > cd ~/certificate

      > cp caTrustStore.jks /opt/eSight/AppBase/etc/certificate/application/ca/

      > cp caTrustStore.jks /opt/eSight/mttools/etc/certificate/application/ca/

  8. Update the encrypted character string in the configuration file.
    NOTE:

    Replace the placeholder values shown below (AES key character string of ... and BME key character string of ...) with the encrypted strings generated in step 6 for the named file. The file paths are relative to /opt/eSight.

    When modifying the XML file, you are advised to use the following method to comment out the original content for backup:

    <!-- <param name="Field name">Original key character string</param> -->
    <param name="Field name">Current key character string</param>

    Before modifying the properties file, you are advised to back up the file.

    1. AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml
      <!--the SSL keyStore file name -->
      <param name="keyStoreFile">etc/certificate/application/node/nodeKeyStore.jks</param>
      <!--the SSL keystore password which is encrypted -->
      <param name="keyStorePassword">AES key character string of nodeKeyStore.jks</param>
      <!--the SSL trustStroe file name -->
      <param name="trustStoreFile">etc/certificate/application/ca/caTrustStore.jks</param>
      <!--the SSL trustStore password which is encrypted -->
      <param name="trustStorePassword">AES key character string of caTrustStore.jks</param>
    2. AppBase/sysagent/etc/sysconf/svcbase/Mediation_1_svc.xml
      <!--the SSL keyStore file name-->
      <param name="keyStoreFile">etc/certificate/application/node/nodeKeyStore.jks</param>
      <!--the SSL keystore password which is encrypted-->
      <param name="keyStorePassword">AES key character string of nodeKeyStore.jks</param>
      <!--the SSL trustStroe file name-->
      <param name="trustStoreFile">etc/certificate/application/ca/caTrustStore.jks</param>
      <!--the SSL trustStore password which is encrypted-->
      <param name="trustStorePassword">AES key character string of caTrustStore.jks</param>
    3. AppBase/etc/oms.ros/ros.xml
      <connector name="openapiROAConnector" type="https">
      <property name="ip" value="127.0.0.1" />
      <property name="port" value="32102" />
      <property name="ssl.keystore.path" value="etc/certificate/application/node/nodeKeyStore.jks" />
      <property name="ssl.keystore.password" value="BME key character string of nodeKeyStore.jks" />
      </connector>
      <connector name="roaIntegrateROAConnector" type="https">
      <property name="ip" value="127.0.0.1" />
      <property name="port" value="32103" />
      <property name="ssl.keystore.path" value="etc/certificate/application/node/nodeKeyStore.jks" />
      <property name="ssl.keystore.password" value="BME key character string of nodeKeyStore.jks" />
      </connector>
    4. AppBase/etc/oms.sm/sm.xml
      <config name="openAPiConfigInfo">
      <param name="openAPiTerminal">IP address of the local host</param>
      <param name="openAPiPort">32102</param>
      <param name="keystore">etc/certificate/application/node/nodeKeyStore.jks</param>
      <param name="keystoreValue">BME key character string of nodeKeyStore.jks</param>
      </config>
      
      <config name="IEMPCerts">
      <!-- relative to iEMP/iEMP -->
      <param name="truststore">etc/certificate/application/ca/caTrustStore.jks</param>
      <param name="truststorepwd">BME key character string of caTrustStore.jks</param>
      </config>
    5. AppBase/etc/oms.sso/sso.properties
      sso.truststore.path=etc/certificate/application/ca/caTrustStore.jks
      sso.password=BME key character string of caTrustStore.jks
    6. AppBase/etc/cert.conf/certificateGlobalConf.xml
      <!-- system trust certificates -->
      <config name="trust">
      <!-- store type -->
      <param name="storetype">jks</param>
      <!-- store path -->
      <param name="storepath">etc/certificate/application/ca/caTrustStore.jks</param>
      <!-- encrypted store pass -->
      <param name="storepass">BME key character string of caTrustStore.jks</param>
      </config>
      <!-- internode certificates -->
      <config name="internodeClient">
      <!-- trust store type -->
      <param name="storetype">jks</param>
      <!-- store path -->
      <param name="storepath">etc/certificate/application/node/nodeKeyStore.jks</param>
      <!-- encrypted store pass -->
      <param name="storepass">BME key character string of nodeKeyStore.jks</param>
      </config>
      <config name="internodeServer">
      <!-- trust store type -->
      <param name="storetype">jks</param>
      <!-- store path -->
      <param name="storepath">etc/certificate/application/node/nodeKeyStore.jks</param>
      <!-- encrypted store pass -->
      <param name="storepass">BME key character string of nodeKeyStore.jks</param>
      </config>
    7. mttools/etc/cert.conf/certificateGlobalConf.xml
      <!-- system trust certificates -->
      <config name="trust">
      <!-- store type -->
      <param name="storetype">jks</param>
      <!-- store path -->
      <param name="storepath">etc/certificate/application/ca/caTrustStore.jks</param>
      <!-- encrypted store pass -->
      <param name="storepass">BME key character string of caTrustStore.jks</param>
      </config>
      <!-- internode certificates -->
      <config name="internodeClient">
      <!-- trust store type -->
      <param name="storetype">jks</param>
      <!-- store path -->
      <param name="storepath">etc/certificate/application/node/nodeKeyStore.jks</param>
      <!-- encrypted store pass -->
      <param name="storepass">BME key character string of nodeKeyStore.jks</param>
      </config>
      <config name="internodeServer">
      <!-- trust store type -->
      <param name="storetype">jks</param>
      <!-- store path -->
      <param name="storepath">etc/certificate/application/node/nodeKeyStore.jks</param>
      <!-- encrypted store pass -->
      <param name="storepass">BME key character string of nodeKeyStore.jks</param>
      </config>
  9. Update the encrypted strings in the component configuration files.

    If the following files exist, update the encrypted strings in them as well:

    AppBase/UniBI_Server/unibi-solutions/system/conf/system.properties

    #keystore file name
    keystoreFile=UniBI.jks
    #Keystore Password
    keystorePass=BME key character string of nodeKeyStore.jks

    AppBase/etc/ent.pnpmgr/soucechannelserver.roa.inst.xml

    <property name="ssl.keystore.path"
    value="etc/certificate/application/node/nodeKeyStore.jks" />
    <property name="ssl.keystore.password"
    value="BME key character string of nodeKeyStore.jks" />
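
    Added example, not from the guide: the following script applies the edits of steps 8 and 9 with the guide's own convention (the original line is kept as an XML comment, .properties files are backed up first) and then lets you verify that no old value is left on an active line. The function names, the apply_all file mapping and active_count are the example's own; the file paths, parameter names and the BME/AES assignment are those listed above. It handles one element per line, which is how the files above are shown, so check active_count against soucechannelserver.roa.inst.xml, whose property spans two lines, and fix that one by hand if it reports the old value.

```shell
#!/bin/sh
# Added example, not from the eSight guide: apply the step 8 and 9 edits with
# the guide's convention (old line kept as an XML comment, .properties backed
# up first) and verify nothing was missed. Assumes single-line <param> and
# <property> elements; the encrypted strings contain no backslashes.
set -eu

# update_xml_param FILE NAME VALUE [CONFIG]: rewrite <param name="NAME">, only
# inside <config name="CONFIG"> when CONFIG is given (certificateGlobalConf.xml
# reuses "storepass" with a different value per section).
update_xml_param() {
    awk -v name="$2" -v val="$3" -v sect="${4:-}" '
        sect != "" && index($0, "<config name=\"" sect "\">") { inside = 1 }
        sect != "" && index($0, "</config>")                  { inside = 0 }
        (sect == "" || inside) && $0 !~ /^[ \t]*<!--/ &&
        index($0, "<param name=\"" name "\">") {
            match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
            print indent "<!-- " substr($0, RLENGTH + 1) " -->"
            print indent "<param name=\"" name "\">" val "</param>"
            next
        }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# update_xml_property FILE NAME VALUE: rewrite value="..." of every
# <property name="NAME" value="..." /> (both connectors in ros.xml).
update_xml_property() {
    awk -v name="$2" -v val="$3" '
        $0 !~ /^[ \t]*<!--/ && index($0, "name=\"" name "\"") &&
        match($0, /value="[^"]*"/) {
            vs = RSTART; vl = RLENGTH            # keep before the next match()
            match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
            print indent "<!-- " substr($0, RLENGTH + 1) " -->"
            print substr($0, 1, vs - 1) "value=\"" val "\"" substr($0, vs + vl)
            next
        }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# update_properties_key FILE KEY VALUE: back up to FILE.bak, then set KEY=VALUE.
update_properties_key() {
    cp "$1" "$1.bak"
    awk -v key="$2" -v val="$3" -F= '
        $1 == key && $0 !~ /^[ \t]*#/ { print key "=" val; next }
        { print }' "$1.bak" > "$1"
}

# active_count FILE STRING: occurrences of STRING on lines that are not
# commented out. Expect 0 for an old value afterwards; anything else points at
# a multi-line element that needs a hand edit.
active_count() {
    grep -v -e '^[[:space:]]*<!--' -e '^[[:space:]]*#' "$1" | grep -c -F -- "$2" || true
}

# apply_all ESIGHT_HOME AES_NODE AES_CA BME_NODE BME_CA: the file/value mapping
# of steps 8 and 9; files of absent optional components are skipped.
apply_all() {
    h="$1"; aes_node="$2"; aes_ca="$3"; bme_node="$4"; bme_ca="$5"
    for f in AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml \
             AppBase/sysagent/etc/sysconf/svcbase/Mediation_1_svc.xml; do
        [ -f "$h/$f" ] || continue
        update_xml_param "$h/$f" keyStorePassword "$aes_node"
        update_xml_param "$h/$f" trustStorePassword "$aes_ca"
    done
    for f in AppBase/etc/oms.ros/ros.xml \
             AppBase/etc/ent.pnpmgr/soucechannelserver.roa.inst.xml; do
        [ -f "$h/$f" ] && update_xml_property "$h/$f" ssl.keystore.password "$bme_node"
    done
    f="$h/AppBase/etc/oms.sm/sm.xml"
    if [ -f "$f" ]; then
        update_xml_param "$f" keystoreValue "$bme_node"
        update_xml_param "$f" truststorepwd "$bme_ca"
    fi
    f="$h/AppBase/etc/oms.sso/sso.properties"
    [ -f "$f" ] && update_properties_key "$f" sso.password "$bme_ca"
    f="$h/AppBase/UniBI_Server/unibi-solutions/system/conf/system.properties"
    [ -f "$f" ] && update_properties_key "$f" keystorePass "$bme_node"
    for f in AppBase/etc/cert.conf/certificateGlobalConf.xml \
             mttools/etc/cert.conf/certificateGlobalConf.xml; do
        [ -f "$h/$f" ] || continue
        update_xml_param "$h/$f" storepass "$bme_ca"   trust
        update_xml_param "$h/$f" storepass "$bme_node" internodeClient
        update_xml_param "$h/$f" storepass "$bme_node" internodeServer
    done
    return 0
}
```

    Usage: apply_all /opt/eSight "$AES_NODE" "$AES_CA" "$BME_NODE" "$BME_CA", then active_count FILE OLD_STRING for each file, expecting 0 everywhere before you start eSight. The commented-out originals are what the Follow-up Procedure restores from.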
  10. In an HA system, repeat steps 3 to 9 on the standby server.
    NOTE:

    In a Veritas HA system, switch services from the active server to the standby server after completing the operations on the active server. For details, see Manual Switchover Between Active and Standby Servers. After the switchover the standby server starts automatically; refer to Taking a Resource Offline to take the NMSServer resource offline, and then perform this step.

  11. Start eSight.

In the Microsoft Windows operating system:

  1. Log in to the eSight server as the ossuser user.
  2. Upload the certificate files to the work directory.
    1. Stop the eSight service.
    2. Create a certificate directory (for example, D:\certificate, on a partition with sufficient free space) and upload the applied certificate files to it.
    3. Back up the original certificate files.

      For example, if the eSight installation directory is D:\eSight, create the D:\eSight\backup directory and save the following files to the directory:

      D:\eSight\AppBase\etc\certificate\application\ca\caTrustStore.jks

      D:\eSight\AppBase\etc\certificate\application\node\nodeKeyStore.jks

  3. Make a certificate file in the .p12 format.

    If esight.cer was issued through an intermediate CA, append the intermediate CA certificate(s) and then the root CA certificate to esight.cer, so that the file holds the complete chain in order: server certificate, intermediate CA(s), root CA. Assume that the root CA certificate is rootca.cer and the intermediate CA certificate is internalca.cer. Perform the following operations in sequence:

    1. Copy esight.cer and rename the copy esight.crt.
    2. Open esight.cer in Notepad and make sure the file ends with a line break.
    3. Open internalca.cer in Notepad, copy its entire content, paste it at the end of esight.cer, and make sure the file ends with a line break.
    4. Open rootca.cer in Notepad, copy its entire content, and paste it at the end of esight.cer.
    5. Save esight.cer.

    In Explorer, open the D:\certificate directory, press Shift, right-click a blank area, and choose Open Command Window Here from the shortcut menu.

    Run the following command to create the PKCS#12 file esight.p12 from esight.cer and esight.key:

    > D:\eSight\AppBase\tools\jks2pfx\openssl.exe pkcs12 -export -clcerts -in esight.cer -inkey esight.key -out esight.p12

    Enter pass phrase for esight.key: Enter the password of esight.key.
    Enter Export Password: Set the password of esight.p12.
    Verifying - Enter Export Password: Enter the password of esight.p12 again.

    Then re-encrypt the private key as node.pem:

    > D:\eSight\AppBase\tools\jks2pfx\openssl.exe rsa -in esight.key -aes128 -passout pass:Changeme_123 -out node.pem

    Enter pass phrase for esight.key: Enter the password of esight.key.

    NOTE:

    The password contains 8 to 30 characters, including digits from 0 to 9, uppercase and lowercase letters, and special characters @%-=_.]{}.

    Without -passin, openssl prompts for the passphrase of esight.key. A passphrase given on the command line as -passin pass:<password> is visible in the process list and is kept in the command history; prefer the prompt.

  4. Create the keystore and trust store files and check that they are correct and complete.

    In Explorer, open the D:\certificate directory, press Shift, right-click a blank area, and choose Open Command Window Here from the shortcut menu.

    1. Create the keystore file nodeKeyStore.jks.

      Run the following command to import the certificate and private key from esight.p12 into nodeKeyStore.jks using keytool (alias 1 is the name the entry has in esight.p12 when openssl was given no -name; it is stored in nodeKeyStore.jks under the alias server):

      > D:\eSight\AppBase\jre\bin\keytool.exe -importkeystore -destalias server -destkeystore nodeKeyStore.jks -deststoretype PKCS12 -srckeystore esight.p12 -srcstoretype PKCS12 -alias 1

      Importing keystore esight.p12 to nodeKeyStore.jks..
      Enter destination keystore password: Set the password of the keystore nodeKeyStore.jks.
      Re-enter new password: Enter the password of nodeKeyStore.jks again.
      Enter source keystore password: Enter the password of esight.p12.
    2. Create the trust store file caTrustStore.jks and import the new root CA certificate into it.

      > D:\eSight\AppBase\jre\bin\keytool.exe -import -alias nodeca -keystore caTrustStore.jks -file rootca.cer

      Enter keystore password: Set the password of caTrustStore.jks.
      Re-enter new password: Enter the password of caTrustStore.jks again.
      Trust this certificate? [no]:  yes
    3. Import the original eSight CA certificate into caTrustStore.jks.

      The following uses the self-signed CA certificate ca.crt of eSight in the "D:\eSight\AppBase\etc\certificate\application\ca" directory as an example:

      > D:\eSight\AppBase\jre\bin\keytool.exe -import -alias rootca -keystore caTrustStore.jks -file D:\eSight\AppBase\etc\certificate\application\ca\ca.crt

      Enter keystore password: Enter the password of caTrustStore.jks.
      Trust this certificate? [no]:  yes

      If the following information is displayed, the CA certificate file is imported successfully:

      The certificate has been added to the keystore.

      If the original trust store contained other CA certificates, import them into the new caTrustStore.jks as well; otherwise the peers those certificates vouched for will no longer be trusted.

  5. Encrypt the passwords of the keystore and trust store files and record the encrypted strings.

    Run both tools once for the password of nodeKeyStore.jks and once for the password of caTrustStore.jks, and record which string belongs to which file: the configuration files in step 7 need the BME string and the AES string of each.

    1. Generate the encrypted BME string of a password.

      > D:\eSight\AppBase\tools\bmetool\encrypt\encrypt.bat 0

      Please input the password: Enter the password of the keystore or trust store file.
      Please input the password again: Enter the same password again.

      The encrypted BME string is displayed. Example output:

      @0102000000000673dfaad951eb019ecbe9284ea64df360306f7f3c915f165dfec43b8714ed08
    2. Generate the encrypted AES string of a password.

      > D:\eSight\AppBase\tools\aestool.exe e

      Enter password: Enter the password of the keystore or trust store file.
      Enter password again: Enter the same password again.

      The encrypted AES string is displayed. Example output:

      74e2b500af0456bbe4e185cec2aa3ba60d25d66be80a802b3451f41257272e08
  6. Copy the generated files to the eSight directories.
    1. Rename esight.crt as node.crt and copy node.crt and node.pem to "D:\eSight\AppBase\etc\certificate\application\node".
    2. Copy the generated nodeKeyStore.jks file to the following directories, overwriting the existing files:

      D:\eSight\AppBase\etc\certificate\application\node

      D:\eSight\mttools\etc\certificate\application\node

    3. Copy the generated caTrustStore.jks file to the following directories, overwriting the existing files:

      D:\eSight\AppBase\etc\certificate\application\ca

      D:\eSight\mttools\etc\certificate\application\ca

  7. Update the encrypted strings in the configuration files.

    Replace the placeholder values shown below (AES key character string of ... and BME key character string of ...) with the encrypted strings generated in step 5 for the named file. The file paths are relative to D:\eSight.

    NOTE:

    When modifying the XML file, you are advised to use the following method to comment out the original content for backup:

    <!-- <param name="Field name">Original key character string</param> -->
    <param name="Field name">Current key character string</param>

    Before modifying the properties file, you are advised to back up the file.

    1. AppBase\sysagent\etc\sysconf\svcbase\med_node_1_svc.xml
      <!--the SSL keyStore file name -->
      <param name="keyStoreFile">etc/certificate/application/node/nodeKeyStore.jks</param>
      <!--the SSL keystore password which is encrypted -->
      <param name="keyStorePassword">AES key character string of nodeKeyStore.jks</param>
      <!--the SSL trustStroe file name -->
      <param name="trustStoreFile">etc/certificate/application/ca/caTrustStore.jks</param>
      <!--the SSL trustStore password which is encrypted -->
      <param name="trustStorePassword">AES key character string of caTrustStore.jks</param>
    2. AppBase\sysagent\etc\sysconf\svcbase\Mediation_1_svc.xml
      <!--the SSL keyStore file name-->
      <param name="keyStoreFile">etc/certificate/application/node/nodeKeyStore.jks</param>
      <!--the SSL keystore password which is encrypted-->
      <param name="keyStorePassword">AES key character string of nodeKeyStore.jks</param>
      <!--the SSL trustStroe file name-->
      <param name="trustStoreFile">etc/certificate/application/ca/caTrustStore.jks</param>
      <!--the SSL trustStore password which is encrypted-->
      <param name="trustStorePassword">AES key character string of caTrustStore.jks</param>
    3. AppBase\etc\oms.ros\ros.xml
      <connector name="openapiROAConnector" type="https">
      <property name="ip" value="127.0.0.1" />
      <property name="port" value="32102" />
      <property name="ssl.keystore.path" value="etc/certificate/application/node/nodeKeyStore.jks" />
      <property name="ssl.keystore.password" value="BME key character string of nodeKeyStore.jks" />
      </connector>
      
      <connector name="roaIntegrateROAConnector" type="https">
      <property name="ip" value="127.0.0.1" />
      <property name="port" value="32103" />
      <property name="ssl.keystore.path" value="etc/certificate/application/node/nodeKeyStore.jks" />
      <property name="ssl.keystore.password" value="BME key character string of nodeKeyStore.jks" />
      </connector>
    4. AppBase\etc\oms.sm\sm.xml
      <config name="openAPiConfigInfo">
      <param name="openAPiTerminal">IP address of the local host</param>
      <param name="openAPiPort">32102</param>
      <param name="keystore">etc/certificate/application/node/nodeKeyStore.jks</param>
      <param name="keystoreValue">BME key character string of nodeKeyStore.jks</param>
      </config>
      
      <config name="IEMPCerts">
      <!-- relative to iEMP/iEMP -->
      <param name="truststore">etc/certificate/application/ca/caTrustStore.jks</param>
      <param name="truststorepwd">BME key character string of caTrustStore.jks</param>
      </config>
    5. AppBase\etc\oms.sso\sso.properties
      sso.truststore.path=etc/certificate/application/ca/caTrustStore.jks
      sso.password=BME key character string of caTrustStore.jks
    6. AppBase\etc\cert.conf\certificateGlobalConf.xml
      <!-- system trust certificates -->
      <config name="trust">
      <!-- store type -->
      <param name="storetype">jks</param>
      <!-- store path -->
      <param name="storepath">etc/certificate/application/ca/caTrustStore.jks</param>
      <!-- encrypted store pass -->
      <param name="storepass">BME key character string of caTrustStore.jks</param>
      </config>
      <!-- internode certificates -->
      <config name="internodeClient">
      <!-- trust store type -->
      <param name="storetype">jks</param>
      <!-- store path -->
      <param name="storepath">etc/certificate/application/node/nodeKeyStore.jks</param>
      <!-- encrypted store pass -->
      <param name="storepass">BME key character string of nodeKeyStore.jks</param>
      </config>
      <config name="internodeServer">
      <!-- trust store type -->
      <param name="storetype">jks</param>
      <!-- store path -->
      <param name="storepath">etc/certificate/application/node/nodeKeyStore.jks</param>
      <!-- encrypted store pass -->
      <param name="storepass">BME key character string of nodeKeyStore.jks</param>
      </config>
    7. mttools\etc\cert.conf\certificateGlobalConf.xml
      <!-- system trust certificates -->
      <config name="trust">
      <!-- store type -->
      <param name="storetype">jks</param>
      <!-- store path -->
      <param name="storepath">etc/certificate/application/ca/caTrustStore.jks</param>
      <!-- encrypted store pass -->
      <param name="storepass">BME key character string of caTrustStore.jks</param>
      </config>
      <!-- internode certificates -->
      <config name="internodeClient">
      <!-- trust store type -->
      <param name="storetype">jks</param>
      <!-- store path -->
      <param name="storepath">etc/certificate/application/node/nodeKeyStore.jks</param>
      <!-- encrypted store pass -->
      <param name="storepass">BME key character string of nodeKeyStore.jks</param>
      </config>
      <config name="internodeServer">
      <!-- trust store type -->
      <param name="storetype">jks</param>
      <!-- store path -->
      <param name="storepath">etc/certificate/application/node/nodeKeyStore.jks</param>
      <!-- encrypted store pass -->
      <param name="storepass">BME key character string of nodeKeyStore.jks</param>
      </config>
  8. Update the encrypted strings in the component configuration files.

    If the following files exist, update the encrypted strings in them as well:

    AppBase\UniBI_Server\unibi-solutions\system\conf\system.properties

    #keystore file name
    keystoreFile=UniBI.jks
    #Keystore Password
    keystorePass=BME key character string of nodeKeyStore.jks

    AppBase\etc\ent.pnpmgr\soucechannelserver.roa.inst.xml

    <property name="ssl.keystore.path"
    value="etc/certificate/application/node/nodeKeyStore.jks" />
    <property name="ssl.keystore.password"
    value="BME key character string of nodeKeyStore.jks" />
Follow-up Procedure

If an error occurs during certificate replacement, or the new certificate does not meet your needs, restore the original certificate as follows. Stop eSight before restoring the certificate.

  1. Restore the certificate.

    • In the SUSE Linux operating system:

      Run the following commands to restore the default certificates:

      > cd /opt/eSight/backup

      > cp caTrustStore.jks /opt/eSight/AppBase/etc/certificate/application/ca

      > cp caTrustStore.jks /opt/eSight/mttools/etc/certificate/application/ca

      > cp nodeKeyStore.jks /opt/eSight/AppBase/etc/certificate/application/node

      > cp nodeKeyStore.jks /opt/eSight/mttools/etc/certificate/application/node

    • In the Microsoft Windows operating system:

      Copy the caTrustStore.jks file in D:\eSight\backup to the following directories:

      D:\eSight\AppBase\etc\certificate\application\ca

      D:\eSight\mttools\etc\certificate\application\ca

      Copy the nodeKeyStore.jks file in D:\eSight\backup to the following directories:

      D:\eSight\AppBase\etc\certificate\application\node

      D:\eSight\mttools\etc\certificate\application\node

  2. Roll back the modified configuration files.

    Restore the modified content in the following XML and .properties files:

    • In the SUSE Linux operating system:

      /opt/eSight/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml

      /opt/eSight/AppBase/sysagent/etc/sysconf/svcbase/Mediation_1_svc.xml

      /opt/eSight/AppBase/etc/oms.ros/ros.xml

      /opt/eSight/AppBase/etc/oms.sm/sm.xml

      /opt/eSight/AppBase/etc/oms.sso/sso.properties

      /opt/eSight/AppBase/etc/cert.conf/certificateGlobalConf.xml

      /opt/eSight/mttools/etc/cert.conf/certificateGlobalConf.xml

      /opt/eSight/AppBase/etc/ent.pnpmgr/soucechannelserver.roa.inst.xml

    • In the Microsoft Windows operating system:

      D:\eSight\AppBase\sysagent\etc\sysconf\svcbase\med_node_1_svc.xml

      D:\eSight\AppBase\sysagent\etc\sysconf\svcbase\Mediation_1_svc.xml

      D:\eSight\AppBase\etc\oms.ros\ros.xml

      D:\eSight\AppBase\etc\oms.sm\sm.xml

      D:\eSight\AppBase\etc\oms.sso\sso.properties

      D:\eSight\AppBase\etc\cert.conf\certificateGlobalConf.xml

      D:\eSight\mttools\etc\cert.conf\certificateGlobalConf.xml

      D:\eSight\AppBase\etc\ent.pnpmgr\soucechannelserver.roa.inst.xml

Updating Collaboration Certificates

This chapter describes how to update collaboration certificates.

Updating the Certificate for eSight to Communicate with a Terminal

Use the default eSight certificate only for deployment and commissioning. Once eSight is in production use at a site, replace the default certificate with a trusted commercial certificate to avoid the security risks of a default certificate that is shared by every installation.

Prerequisites

The JDK has been installed and configured correctly, because keytool is a JRE command. By default, the JDK is installed and configured correctly on the eSight server.

Procedure
  1. Choose Resource > Collaboration Resource from the main menu.
  2. In the navigation tree on the left, choose Terminal Device Management > System Configuration.
  3. In the eSight Upload Certificate area, specify the paths of the Root Certificate and the Certificate Store, and set Keystore Password.
  4. Click OK.

    After a certificate is imported, you can view it in the KeyStore and change the KeyStore password. The passwords configured on eSight must match those configured on the device.

  5. Go to the directory that contains the ucKeyStore file.

    The ucKeyStore file is stored in <eSight installation directory>/AppBase/etc/certificate.

    cd <eSight installation directory>/AppBase/etc/certificate

  6. View certificates in the KeyStore.

    <eSight installation directory>/AppBase/jre/bin/keytool -list -v -keystore ucKeyStore

    The system prompts you to enter the KeyStore password.

  7. Enter the KeyStore password.

    The default password is Changeme_123. If the password has been replaced, contact the certificate provider to obtain the password.

    The following information is displayed:

    Keystore type: JKS
    Keystore provider: SUN
     
    Your keystore contains 2 entries
    ...

  8. Optional: Change the KeyStore password.

    eSight installation directory/AppBase/jre/bin/./keytool -storepasswd -keystore ucKeyStore

    The system prompts you to enter the KeyStore password.

  9. Optional: Enter the old KeyStore password, enter a new password twice as prompted, and press Enter.
  10. Optional: After changing the KeyStore password, you need to change the password of the certificate whose alias is 1 in the KeyStore.

    eSight installation directory/AppBase/jre/bin/./keytool -keypasswd -alias 1 -keystore ucKeyStore

    The system prompts you to enter the KeyStore password.

  11. Optional: Enter the new KeyStore password and press Enter.

    The system prompts you to enter the primary password of the certificate whose alias is 1.

    The default password is Changeme_123.

  12. Optional: Enter the old primary password, enter a new primary password twice as prompted, and press Enter.

    The new primary password must be the same as the new KeyStore password.

  13. After the passwords of the KeyStore and the certificate whose alias is 1 are changed, you need to modify related configuration files accordingly.

    Update the certificate used for eSight to communicate with a terminal: Change the values of ssl.keystore.password in the <webserver name="ipphone">, <webserver name="tr069">, and <webserver name="tr069DOUBLE"> sections in eSight installation directory/AppBase/etc/iemp.framework/webserver.roa.inst.xml. Ensure that the values are the same as the new passwords after change. To encrypt the password using an encryption tool, use the reversible Advanced Encryption Standard (AES) algorithm. For details, see Changing the Collaborations Passwords.

  14. Restart the eSight server.
  15. Check whether the terminal certificate is updated successfully.

    1. Log in to the eSight server as the root user.
    2. Check whether the corresponding port is enabled successfully.

      netstat -ano | grep 8444

      netstat -ano | grep 32241

      netstat -ano | grep 38444

      netstat -ano | grep 9444

      If the command output is displayed, the terminal certificate is updated successfully.

Replacing the Certificate for eSight to Communicate with uPortal

It is recommended that the default certificate of eSight be used only for deployment commissioning. After eSight is formally used at a site, you are advised to replace the default certificate with a trusted commercial certificate to prevent possible security risks.

Prerequisites

The JDK has been installed and configured on the eSight server. keytool is a JRE command and must be run from the JDK.

Procedure
  1. Upload the tlsKeyStore certificate store whose IP phone certificate needs to be updated onto the certificate directory.

    The replaced tlsKeyStore certificate store in the certificate directory must match the certificate on the IP phones; otherwise, authentication fails.

    • Linux operating system:

      Upload the certificate store to eSight installation directory/AppBase/etc/certificate/

    • Windows operating system:

      Upload the certificate store to eSight installation directory\AppBase\etc\certificate\

  2. Change related configurations accordingly.

    Change the value of ssl.keystore.password in the <webserver name="certificate"> field in eSight installation directory/AppBase/etc/iemp.framework/webserver.roa.inst.xml to the password of the tlsKeyStore certificate library. Contact the certificate provider to obtain the password. To encrypt the password using an encryption tool, use the reversible Advanced Encryption Standard (AES) algorithm. For details, see Changing the Collaborations Passwords.

    After importing certificates, you can view the certificates in the certificate library or change the passwords of the certificate library. The following passwords are the same as the corresponding device passwords. If you want to change any password, change the password both on the eSight and on the device.

  3. Go to the directory where the tlsKeyStore file is stored.

    The tlsKeyStore file is stored in eSight installation directory/AppBase/etc/certificate.

    cd eSight installation directory/AppBase/etc/certificate

  4. View certificates in the certificate library.

    eSight installation directory/AppBase/jre/bin/./keytool -list -v -keystore tlsKeyStore

    The system prompts you to enter the keystore password.

  5. Enter the keystore password.

    The default password is Changeme_123. If the certificate has been replaced, contact the certificate provider to obtain the password.

    The following information is displayed:

    Keystore type: JKS 
    Keystore provider: SUN 
     
    Your keystore contains 2 entries 
    ...     

  6. Optional: Change the certificate library password.

    eSight installation directory/AppBase/jre/bin/./keytool -storepasswd -keystore tlsKeyStore

    The system prompts you to enter the keystore password.

  7. Optional: Enter the original keystore password and enter the new keystore password twice as prompted. Then press Enter.
  8. Optional: After changing the keystore password, change the password of the certificate whose alias is 1 in the certificate library.

    eSight installation directory/AppBase/jre/bin/./keytool -keypasswd -alias 1 -keystore tlsKeyStore

    The system prompts you to enter the keystore password.

  9. Optional: Enter the new keystore password and press Enter.

    The system prompts you to enter the key password of the certificate whose alias is 1.

    The default password is Changeme_123. If the certificate has been replaced, contact the certificate provider to obtain the password.

  10. Optional: Enter the original key password and enter the new key password twice as prompted. Then press Enter.

    The new key password must be the same as the new keystore password.

  11. After changing the passwords of the certificate library and of the certificate whose alias is 1, change related configurations accordingly.

    Change the value of ssl.keystore.password in the <webserver name="certificate"> field in eSight installation directory/AppBase/etc/iemp.framework/webserver.roa.inst.xml to the password of the tlsKeyStore certificate library. Contact the certificate provider to obtain the password. To encrypt the password using an encryption tool, use the reversible Advanced Encryption Standard (AES) algorithm. For details, see Changing the Collaborations Passwords.

  12. Restart the eSight server.
  13. Check whether the IP phone certificate file is updated successfully.

    1. Log in to the eSight server as the root user.
    2. Check whether the specified ports are started.

      netstat -ano | grep 32234

      If information is displayed when you run a command, the corresponding port is started and the IP phone certificate file is updated successfully.

Replacing the Certificate for the Redirection Server to Communicate with Terminals

It is recommended that the default certificate of eSight be used only for deployment commissioning. After eSight is formally used at a site, you are advised to replace the default certificate with a trusted commercial certificate to prevent possible security risks.

Prerequisites

The JDK has been installed and configured on the eSight server. keytool is a JRE command and must be run from the JDK.

Procedure
  1. Upload the ucKeyStore certificate store whose IP phone certificate needs to be updated onto the certificate directory.

    The replaced ucKeyStore certificate store in the certificate directory must match the certificate on the IP phones; otherwise, authentication fails.

    • Linux operating system:

      Upload the certificate store to eSight installation directory/AppBase/etc/certificate/

    • Windows operating system:

      Upload the certificate store to eSight installation directory\AppBase\etc\certificate\

  2. Change related configurations accordingly.

    Change the value of ssl.keystore.password in the <webserver name="dmserver"> field in eSight installation directory/AppBase/etc/iemp.framework/configserver.roa.inst.xml to the password of the ucKeyStore certificate library. Contact the certificate provider to obtain the password. To encrypt the password using an encryption tool, use the reversible Advanced Encryption Standard (AES) algorithm. For details, see Changing the Collaborations Passwords.

    After importing certificates, you can view the certificates in the certificate library or change the passwords of the certificate library. The following passwords are the same as the corresponding device passwords. If you want to change any password, change the password both on the eSight and on the device.

  3. Go to the directory where the ucKeyStore file is stored.

    The ucKeyStore file is stored in eSight installation directory/AppBase/etc/certificate.

    cd eSight installation directory/AppBase/etc/certificate

  4. View certificates in the certificate library.

    eSight installation directory/AppBase/jre/bin/./keytool -list -v -keystore ucKeyStore

    The system prompts you to enter the keystore password.

  5. Enter the keystore password.

    The default password is Changeme_123. If the certificate has been replaced, contact the certificate provider to obtain the password.

    The following information is displayed:

    Keystore type: JKS 
    Keystore provider: SUN 
     
    Your keystore contains 2 entries 
    ...     

  6. Optional: Change the certificate library password.

    eSight installation directory/AppBase/jre/bin/./keytool -storepasswd -keystore ucKeyStore

    The system prompts you to enter the keystore password.

  7. Optional: Enter the original keystore password and enter the new keystore password twice as prompted. Then press Enter.
  8. Optional: After changing the keystore password, change the password of the certificate whose alias is 1 in the certificate library.

    eSight installation directory/AppBase/jre/bin/./keytool -keypasswd -alias 1 -keystore ucKeyStore

    The system prompts you to enter the keystore password.

  9. Optional: Enter the new keystore password and press Enter.

    The system prompts you to enter the key password of the certificate whose alias is 1.

    The default password is Changeme_123. If the certificate has been replaced, contact the certificate provider to obtain the password.

  10. Optional: Enter the original key password and enter the new key password twice as prompted. Then press Enter.

    The new key password must be the same as the new keystore password.

  11. After changing the passwords of the certificate library and of the certificate whose alias is 1, change related configurations accordingly.

    Change the value of ssl.keystore.password in the <webserver name="dmserver"> field in eSight installation directory/AppBase/etc/iemp.framework/configserver.roa.inst.xml to the password of the ucKeyStore certificate library. Contact the certificate provider to obtain the password. To encrypt the password using an encryption tool, use the reversible Advanced Encryption Standard (AES) algorithm. For details, see Changing the Collaborations Passwords.

  12. Restart the eSight server.
  13. Check whether the IP phone certificate file is updated successfully.

    1. Log in to the eSight server as the root user.
    2. Check whether the specified ports are started.

      netstat -ano | grep 32232

      If information is displayed when you run a command, the corresponding port is started and the IP phone certificate file is updated successfully.

Replacing the Certificate for eSight to Communicate with SBC(SX Series)

It is recommended that the default certificate of eSight be used only for deployment commissioning. After eSight is formally used at a site, you are advised to replace the default certificate with a trusted commercial certificate to prevent possible security risks.

Prerequisites

You have obtained the SBC(SX Series) certificates and renamed them as tr069SBC.KeyStore.

Background

The procedure for the Linux operating system is similar to that for the Windows operating system. Here, the Linux operating system is used as an example.

Procedure
  1. Log in to the eSight server as the root user.
  2. Replace the SBC(SX Series) certificates.

    The SBC(SX Series) certificates are stored in eSight installation directory/AppBase/etc/certificate. Replace the existing certificates with the obtained private key certificate and public key certificate.

  3. After certificate replacement is complete, access eSight installation directory/AppBase/etc/iemp.framework/webserver.roa.inst.xml and modify the value of ssl.keystore.password in the <webserver name="tr069SBC"> area. Here, set the value to the ciphertext certificate password. For detailed operations, see Changing the Collaborations Passwords.
  4. Restart the eSight server.
  5. Check whether the SBC(SX Series) certificates are updated successfully.

    1. Log in to the eSight server as the root user.
    2. Check whether the specified ports are started.

      netstat -ano | grep 32237

      If information is displayed when you run a command, the corresponding port is started and the SBC(SX Series) certificate file is updated successfully.

Updating the Trust Certificate for Bidirectional Authentication Between eSight and Terminals

It is recommended that the default certificate of eSight be used only for deployment commissioning. After eSight is formally used at a site, you are advised to replace the default certificate with a trusted commercial certificate to prevent possible security risks.

Prerequisites
  • The JDK has been installed and configured correctly. This is because keytool is a JRE command. By default, the JDK has been installed and configured correctly on the eSight server.
  • You have obtained the trustKeyStore.jks certificate file.
Context

The operations on the Linux and Windows operating systems are similar. Linux is used as an example.

Procedure
  1. Upload the trustKeyStore.jks file to the certificate directory.

    • Linux operating system

      Upload the certificate file to eSight installation directory/AppBase/etc/certificate/.

    • Windows operating system

      Upload the certificate file to eSight installation directory\AppBase\etc\certificate\.

  2. Modify related configuration files.

    Change the value of ssl.truststore.password in the <webserver name="tr069DOUBLE"> area in eSight installation directory/AppBase/etc/iemp.framework/webserver.roa.inst.xml to be the same as the password of trustKeyStore.jks. To obtain the password, contact the certificate provider. For details about how to encrypt a password, see Changing the Collaborations Passwords. To encrypt the password using an encryption tool, use the reversible AES algorithm.

  3. Go to the directory where the trustKeyStore.jks file is located.

    The trustKeyStore.jks file is stored in the eSight installation directory/AppBase/etc/certificate directory.

    cd eSight installation directory/AppBase/etc/certificate

  4. View certificates in the KeyStore.

    eSight installation directory/AppBase/jre/bin/./keytool -list -v -keystore trustKeyStore.jks

    The system prompts you to enter the KeyStore password.

  5. Enter the KeyStore password.

    The default password is Changeme_123. If the password has been replaced, contact the certificate provider to obtain the password.

    The following information is displayed:

    Keystore type: JKS
    Keystore provider: SUN
     
    Your keystore contains x entries
    ...

  6. Restart the eSight server.
  7. Log in to the terminal, modify the ACS address, and check whether the terminal can be connected. If yes, the certificate is successfully updated.
Updating the Root Certificate for eSight to Authenticate Users on the uPortal SSO Server

It is recommended that the default certificate of eSight be used only for deployment commissioning. After eSight is formally used at a site, you are advised to replace the default certificate with a trusted commercial certificate to prevent possible security risks.

Prerequisites
  • The JDK has been installed and configured correctly. This is because keytool is a JRE command. By default, the JDK has been installed and configured correctly on the eSight server.
  • You have obtained the uportTustStore.jks certificate file.
Context

The operations on the Linux and Windows operating systems are similar. Linux is used as an example.

Procedure
  1. Upload the uportTustStore.jks file to the certificate directory.

    • Linux operating system

      Upload the certificate file to eSight installation directory/AppBase/etc/certificate/.

    • Windows operating system

      Upload the certificate file to eSight installation directory\AppBase\etc\certificate\.

  2. Modify related configuration files.

    Change the value of uportal.keystore.pwd in eSight installation directory/AppBase/etc/uc/ems_config_readWriter.properties to be the same as the password of uportTustStore.jks. To obtain the password, contact the certificate provider. For details about how to encrypt a password, see Changing the Collaborations Passwords. To encrypt the password using an encryption tool, use the reversible AES algorithm.

  3. Go to the directory where the uportTustStore.jks file is located.

    The uportTustStore.jks file is stored in the eSight installation directory/AppBase/etc/certificate directory.

    cd eSight installation directory/AppBase/etc/certificate

  4. View certificates in the KeyStore.

    eSight installation directory/AppBase/jre/bin/./keytool -list -v -keystore uportTustStore.jks

    The system prompts you to enter the KeyStore password.

  5. Enter the KeyStore password.

    The default password is Changeme123. If the password has been replaced, contact the certificate provider to obtain the password.

    The following information is displayed:

    Keystore type: JKS
    Keystore provider: SUN
     
    Your keystore contains x entries
    ...

  6. Restart the eSight server.
  7. Check whether the eSight page can be accessed through the uPortal. If yes, the certificate is successfully updated.
Replacing the FTPS Certificate for Upgrading the IAD

It is recommended that the default certificate of eSight be used only for deployment commissioning. After eSight is formally used at a site, you are advised to replace the default certificate with a trusted commercial certificate to prevent possible security risks.

Prerequisites

You have obtained the FTPS certificates for upgrading the IAD.

Background

The procedure for the Linux operating system is similar to that for the Windows operating system. Here, the Linux operating system is used as an example.

Procedure
  1. Log in to the eSight server as the root user.
  2. Place the certificates in eSight installation directory/AppBase/etc/certificate.

    • Server private key: eSight installation directory/AppBase/etc/certificate/iad.KeyStore.ftps
    • Server trust certificate: eSight installation directory/AppBase/etc/certificate/iad.CATrustStore.ftps
    NOTE:

    If the file names of the server private key and trust certificate are not consistent with the preceding ones, rename them.

  3. Set the access rights of the certificates so that only the ossuser and root users have read and write permissions.

    1. Log in to the eSight server as the root user.
    2. Set the owner of the certificates to the ossuser user.

      # chown ossuser:ossgroup eSight installation directory/AppBase/etc/certificate/iad.KeyStore.ftps

      # chown ossuser:ossgroup eSight installation directory/AppBase/etc/certificate/iad.CATrustStore.ftps

    3. Set the access rights of the certificates as 600.

      # chmod 600 eSight installation directory/AppBase/etc/certificate/iad.KeyStore.ftps

      # chmod 600 eSight installation directory/AppBase/etc/certificate/iad.CATrustStore.ftps

  4. Modify the configuration file eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/ent_uc_med_node_svc.xml.

    Modify the configuration as follows:

    <config name="ucftpServer">
    <config name="ftps">
    ......
    <param name="CAKeystoreFileName">etc/certificate/iad.KeyStore.ftps</param>
    <param name="CAPass">@010200000000f98fe2f6937545a06a9617e4927972c033611ad2111c21f4b0aeba68127a5c01</param>
    <param name="keystoreFileName">etc/certificate/iad.CATrustStore.ftps</param>
    <param name="sslPassword">@010200000000f98fe2f6937545a06a9617e4927972c033611ad2111c21f4b0aeba68127a5c01</param>
    ......
    </config>
    </config>

  5. Restart the eSight server.
  6. Check whether the ftps certificates are updated successfully.

    1. Log in to the eSight server as the root user.
    2. Check whether the specified ports are started.

      netstat -ano | grep 14001

      If information is displayed when you run a command, the corresponding port is started and the ftps certificate file is updated successfully.
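
The ownership and permission settings of step 3 and the port check of step 6 can be verified with a script instead of by eye. The following shell script is an added example, not part of the guide or of eSight; it assumes a Linux host with GNU stat and ss, and uses ESIGHT_HOME as a placeholder for the eSight installation directory.

```shell
#!/bin/sh
# Added example, not eSight's own tooling: verify the two FTPS certificate
# files after step 3 (owner ossuser:ossgroup, mode 600) and the port check of
# step 6. Assumes Linux with GNU "stat" and "ss"; ESIGHT_HOME stands in for
# the eSight installation directory.
ESIGHT_HOME="${ESIGHT_HOME:-/opt/eSight}"
CERT_DIR="$ESIGHT_HOME/AppBase/etc/certificate"

# check_private_file FILE OWNER GROUP
# Succeeds only if FILE exists, is mode 0600 and is owned by OWNER:GROUP.
# Each violation is printed together with the command that fixes it.
check_private_file() {
    f=$1; want_owner=$2; want_group=$3; rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    group=$(stat -c '%G' "$f")
    if [ "$mode" != "600" ]; then
        echo "MODE    $f is $mode, expected 600 -> chmod 600 '$f'"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "OWNER   $f is $owner:$group, expected $want_owner:$want_group -> chown $want_owner:$want_group '$f'"
        rc=1
    fi
    return "$rc"
}

# Check both FTPS stores named in the guide. The exit status is the number
# of files that failed, so 0 means everything is as required.
check_ftps_certs() {
    bad=0
    for name in iad.KeyStore.ftps iad.CATrustStore.ftps; do
        check_private_file "$CERT_DIR/$name" ossuser ossgroup || bad=$((bad + 1))
    done
    return "$bad"
}

# port_listening PORT: true if a TCP listener is bound to PORT. The guide's
# "netstat -ano | grep 14001" also matches non-listening sockets and any
# port that merely contains those digits, so the match here is exact.
port_listening() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -Hltn "sport = :$port" | grep -q .
    else
        netstat -ant 2>/dev/null |
            awk -v p=":$port" '$4 ~ p"$" && $6 == "LISTEN" { found = 1 } END { exit !found }'
    fi
}

# Stand-alone use on the eSight server: ESIGHT_CHECK=1 sh check_ftps.sh
if [ -n "${ESIGHT_CHECK:-}" ]; then
    check_ftps_certs && echo "certificate files OK"
    if port_listening 14001; then
        echo "FTPS port 14001 is listening"
    else
        echo "FTPS port 14001 is not listening; check the service log"
    fi
fi
```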

Replacing the Certificate for the Telepresence Conference

It is recommended that the default certificate of eSight be used only for deployment commissioning. After eSight is formally used at a site, you are advised to replace the default certificate with a trusted commercial certificate to prevent possible security risks.

Prerequisites

You have obtained the telepresence conference certificates and renamed them as uccServerKeyStore.

Background

The procedure for the Linux operating system is similar to that for the Windows operating system. Here, the Linux operating system is used as an example.

Procedure
  1. Log in to the eSight server as the root user.
  2. Replace the telepresence conference certificates.

    The telepresence conference certificates are stored in eSight installation directory/AppBase/etc/certificate. Replace the existing certificates with the obtained private key certificate and public key certificate.

  3. After certificate replacement is complete, access eSight installation directory/AppBase/etc/iemp.framework/tp.webserver.roa.inst.xml and modify the value of ssl.keystore.password in the <webserver name="tprest"> area. Here, set the value to the ciphertext certificate password. For detailed operations, see Changing the Collaborations Passwords.
  4. Restart the eSight server.
  5. Check whether the telepresence conference certificates are updated successfully.

    1. Log in to the eSight server as the root user.
    2. Check whether the specified ports are started.

      netstat -ano | grep 11942

      If information is displayed when you run a command, the corresponding port is started and the telepresence conference certificate file is updated successfully.

Replacing the eIMS Certificate

This function enables you to update and restore the certificate files used for communication between eSight and eIMS devices. To improve security, you are advised to use certificates issued by a certification authority (CA).

Prerequisites
  • You have logged in to the eSight client.
  • You have been assigned the permission to manage the eIMS certificate file.
  • You have prepared the PEM root certificate, server certificate, server private key, and password of the server private key.
Context
  • It is recommended that you replace the default certificate to ensure service security.
  • Certificate update and certificate restoration will cause a short-lived device disconnection. Perform the operation with caution.
NOTE:

When an NE or eSight uses certificates to authenticate the peer end, identity certificates of both ends must be trusted. To meet the trust relationship, update the identity certificate on the NE or eSight. For details about how to update the identity certificate on the eSight, see the related operations described in this section.

Updating the Certificates
  1. Choose Resource > Collaboration Resource from the main menu.
  2. Choose Network Element Device Management > eIMS Management > Certificate Management from the navigation tree on the left.
  3. Click next to Root certificate, Server certificate, and Server private key respectively. In the window that is displayed, select the prepared certificate file and click Open.
  4. Enter the password of the server private key.
  5. Click Update Certificate.
  6. Click OK in the dialog box that is displayed.
(Optional) Changing the Password of Certificates

To enhance the system security, you are advised to change the password of SSL certificates used for the communication between eSight and eIMS eCGPOMU when updating the certificates and to change the password every one or three months.

NOTE:

The following uses Linux as an example. The operations in Windows are similar. The scripts are keytool.exe and encrypt.bat.

  1. Log in to the eSight server as user ossuser.
  2. Enter the certificate directory.

    cd eSight installation directory/AppBase/etc/eims/eimsne/neconnection/ssl

  3. Change the certificate password.

    NOTE:
    • The initial password of all certificates and private keys is ei*b+@b#6Nh(tS1j.
    • The new password of all certificates must be the same.
    • For details about the password changing rules, see Password Changing Scenarios and Policies.
    1. Run the following command to change the password of the serverKeyStore_original certificate:

      eSight installation directory/AppBase/jre/bin/./keytool -storepasswd -keystore serverKeyStore_original

      Enter keystore password: Old password of serverKeyStore_original
      New keystore password: New password of serverKeyStore_original
      Re-enter new keystore password: New password of serverKeyStore_original
    2. Run the following command to search for the certificate alias:

      eSight installation directory/AppBase/jre/bin/./keytool -v -list -keystore serverKeyStore_original

      If the following information is displayed, enter the new certificate password set in 3.a.
      Enter keystore password: New password of serverKeyStore_original
      Alias name: privatekeym2k 
      Creation date: Dec 14, 2015 
      Entry type: PrivateKeyEntry 
      Certificate chain length: 1 

      The Alias name of the entry whose Entry type is PrivateKeyEntry is the certificate alias you are looking for. In the preceding command output example, privatekeym2k is the certificate alias.

    3. Run the following command to change the password for the private key. The privatekeym2k certificate alias is used as an example.

      eSight installation directory/AppBase/jre/bin/keytool -keypasswd -keystore serverKeyStore_original -alias privatekeym2k

      If the following information is displayed, enter the new certificate password set in 3.a.

      Enter keystore password: New password of serverKeyStore_original

      If the following information is displayed, enter the old password for the private key:

      Enter key password for <privatekeym2k>: Old password for the private key

      If the following information is displayed, enter the new password for the private key:

      New key password for <privatekeym2k>: New password for the private key
      Re-enter new key password for <privatekeym2k>: New password for the private key
    4. By using the method in 3.a to 3.c of changing the password of the serverKeyStore_original certificate, change the password of the serverKeyStore certificate.
    5. By using the method in 3.a of changing the password of the serverKeyStore_original certificate, change the passwords of the serverTrustStore_original and serverTrustStore certificates.

  4. Run the following command to generate a ciphertext of the new certificate password:

    NOTE:
    • The password entered must be the same as the new password set in 3.
    • The reversible Advanced Encryption Standard (AES) is used in this command.

    cd eSight installation directory/AppBase/tools/bmetool/encrypt

    ./encrypt.sh 0

    Please input the password:
    
    Please input the password again: 

  5. Run the following command to modify the mml.properties configuration file:

    vi eSight installation directory/AppBase/etc/eims/eimsne/mml.properties

    Replace the values of the sslksps and ssltsps configuration items with the ciphertext generated in 4.

    After the modification is complete, run the :wq command to save the modification and exit.

  6. Restart the eSight services.
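
The password changes in steps 3.a to 3.c above, including the search for the PrivateKeyEntry alias, are the same keytool sequence that the ucKeyStore and tlsKeyStore procedures earlier in this chapter apply to alias 1. The following shell script is an added example, not eSight's own tooling: it parses the alias list, rotates the store password and every key password together so that they stay identical, and verifies the result. It assumes keytool is reachable via the KEYTOOL variable and reads the passwords from the OLD_STORE_PW, OLD_KEY_PW and NEW_PW environment variables through keytool's :env modifier, so they never appear in the process list; the keytool output it parses offline is a constructed sample.

```shell
#!/bin/sh
# Added example, not eSight's own tooling: rotate a JKS keystore password and
# the password of every PrivateKeyEntry in it, then verify the result.
# Assumptions: KEYTOOL points at the JRE keytool (for eSight the one under
# AppBase/jre/bin); passwords are supplied in the environment variables
# OLD_STORE_PW, OLD_KEY_PW and NEW_PW and passed with keytool's ":env"
# modifier so they do not show up in the process list.
KEYTOOL="${KEYTOOL:-keytool}"

# Constructed sample of "keytool -list -v" output, shaped like the guide's
# example, so that the alias parser below can be exercised offline.
sample_keytool_output() {
    printf '%s\n' \
        'Keystore type: JKS' \
        'Keystore provider: SUN' \
        '' \
        'Your keystore contains 2 entries' \
        '' \
        'Alias name: privatekeym2k ' \
        'Creation date: Dec 14, 2015 ' \
        'Entry type: PrivateKeyEntry ' \
        'Certificate chain length: 1 ' \
        '' \
        'Alias name: rootca' \
        'Creation date: Dec 14, 2015' \
        'Entry type: trustedCertEntry'
}

# Read "keytool -list -v" output on stdin and print one alias per line for
# every entry whose "Entry type" is PrivateKeyEntry (trusted certificates
# have no key password and are skipped).
find_private_key_aliases() {
    awk '
        /^Alias name:/ {
            alias = $0
            sub(/^Alias name:[ \t]*/, "", alias)
            sub(/[ \t\r]+$/, "", alias)
        }
        /^Entry type:/ && /PrivateKeyEntry/ { print alias }
    '
}

# Non-modifying check that NEW_PW opens the keystore and unlocks ALIAS:
# -list validates the store password, -certreq validates the key password
# (its CSR output is discarded).
verify_keystore() {
    ks=$1; alias=$2
    "$KEYTOOL" -list -keystore "$ks" -storepass:env NEW_PW >/dev/null 2>&1 &&
    "$KEYTOOL" -certreq -keystore "$ks" -alias "$alias" \
        -storepass:env NEW_PW -keypass:env NEW_PW >/dev/null 2>&1
}

# rotate_keystore_passwords KEYSTORE
# 1. change the store password (OLD_STORE_PW -> NEW_PW)
# 2. change every private-key password (OLD_KEY_PW -> NEW_PW), which keeps
#    the key password identical to the store password as the guide requires
# 3. verify each alias with the new password
rotate_keystore_passwords() {
    ks=$1
    "$KEYTOOL" -storepasswd -keystore "$ks" \
        -storepass:env OLD_STORE_PW -new:env NEW_PW || return 1
    aliases=$("$KEYTOOL" -list -v -keystore "$ks" -storepass:env NEW_PW |
        find_private_key_aliases) || return 1
    [ -n "$aliases" ] || { echo "no PrivateKeyEntry found in $ks" >&2; return 1; }
    for a in $aliases; do
        "$KEYTOOL" -keypasswd -keystore "$ks" -alias "$a" \
            -storepass:env NEW_PW -keypass:env OLD_KEY_PW -new:env NEW_PW || return 1
        verify_keystore "$ks" "$a" || { echo "verification failed for alias $a" >&2; return 1; }
    done
    echo "rotated $ks; now put the AES ciphertext of NEW_PW into the matching" \
         "password item of the configuration file and restart eSight" >&2
}

# Stand-alone use: KEYSTORE=/path/to/serverKeyStore_original sh rotate.sh
# (with the three password variables exported). Without KEYSTORE, only the
# parser is demonstrated on the constructed sample.
if [ -n "${KEYSTORE:-}" ]; then
    rotate_keystore_passwords "$KEYSTORE"
else
    sample_keytool_output | find_private_key_aliases
fi
```
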
Restoring the Certificates
  1. Choose Resource > Collaboration Resource from the main menu.
  2. Choose Network Element Device Management > eIMS Management > Certificate Management from the navigation tree on the left.
  3. Click Restore Factory.

Updating the Video Surveillance Certificate

This section describes how to update the video surveillance certificate.

Replacing the Certificate for eSight to Communicate with Third-party Video Surveillance System

It is recommended that the default certificate of eSight be used only for deployment commissioning. After eSight is formally used at a site, you are advised to replace the default certificate with a trusted commercial certificate to prevent possible security risks.

Prerequisites

You have obtained the third-party video surveillance system certificates and renamed them as uccivsServerKeyStore.

Background

The procedure for the Linux operating system is similar to that for the Windows operating system. Here, the Linux operating system is used as an example.

Procedure
  1. Log in to the eSight server as the root user.
  2. Replace the third-party video surveillance system certificates.

    The third-party video surveillance system certificates are stored in eSight installation directory/AppBase/etc/certificate. Replace the existing certificates with the obtained private key certificate and public key certificate.

  3. After certificate replacement is complete, access eSight installation directory/AppBase/etc/iemp.framework/ivs.webserver.roa.inst.xml and modify the value of ssl.keystore.password in the <webserver name="ivsrest"> area. Here, set the value to the ciphertext certificate password. For detailed operations, see Changing Video Surveillance User Passwords.
  4. Restart the eSight server.
  5. Check whether the third-party video surveillance system certificates are updated successfully.

    1. Log in to the eSight server as the root user.
    2. Check whether the specified ports are started.

      netstat -ano | grep 32240

      If information is displayed when you run a command, the corresponding port is started and the third-party video surveillance system certificate file is updated successfully.

Replacing the eLTE Certificate

You are advised to replace the default certificate to ensure security. In addition, replacing the certificate may cause device disconnection. Exercise caution when performing this operation.

Table 5-13 describes eLTE management component certificates.

Table 5-13 eLTE management component certificates

Certificate: Southbound certificate for connecting eSight to terminals
Path:
  • Server private key: eSight installation directory/AppBase/etc/ewl/cpe/ssl/serverKeyStore
  • Server trust certificate: eSight installation directory/AppBase/etc/ewl/cpe/ssl/serverTrustStore
Used by default: Yes

Certificate: Southbound certificate for connecting eSight to base stations and core networks
Path:
  • Server private key: eSight installation directory/AppBase/etc/ewl/primaryne/neconnection/ssl/serverKeyStore
  • Server trust certificate: eSight installation directory/AppBase/etc/ewl/primaryne/neconnection/ssl/serverTrustStore
Used by default: Yes

Certificate: FTPS certificates
Path:
  • Server private key: eSight installation directory/AppBase/etc/certificate/application/med/ftps/keys/ftpsKeyStore.jks
  • Server trust certificate: eSight installation directory/AppBase/etc/certificate/application/med/ftps/ca/ftpsCATrustStore.jks
Used by default: Yes

Certificate: PKI-CMS digital signature certificate of the software package
Path:
  • Path of the trust certificate on the server: eSight installation directory/AppBase/etc/ewl/primaryne/truststore
Used by default: Yes

Updating the Southbound Certificate for Connecting eSight to Terminals

You are advised to replace the southbound certificate for connecting terminals to ensure service security.

Prerequisites
  • You have logged in to the client.
  • You have been assigned the operation rights.
  • A certificate file whose extension is der is available.
Precautions
  • It is recommended that you replace the default certificate to ensure service security.
  • Certificate update and certificate restoration will cause a short-lived device disconnection. Perform the operation with caution.
Procedure
  1. Choose Resource > eLTE > eLTE System Settings > Certificate Management from the main menu.
  2. Update a certificate file.

    1. Set Device type to Industry terminal based on the site requirements.
    2. Click the icon next to Root certificate, Server certificate, and Server private key respectively. In the window that is displayed, select the prepared certificate file and click Open.
    3. Click Update Certificate.
    4. In the displayed dialog box, click Yes.

  3. (Optional) Restore the certificate.

    1. Set Device type to the device type whose certificate file you want to restore.
    2. Click Restore Last or Restore Factory.

Updating the Southbound Certificate for Connecting eSight to Base Stations and Core Networks

You are advised to replace the southbound certificate for connecting base stations and core networks to ensure service security.

Prerequisites
  • You have logged in to the client.
  • You have been assigned the operation rights.
  • A certificate file whose extension is der is available.
Precautions
  • It is recommended that you replace the default certificate to ensure service security.
  • Certificate update and certificate restoration will cause a short-lived device disconnection. Perform the operation with caution.
Procedure
  1. Choose Resource > eLTE > eLTE System Settings > Certificate Management from the main menu.
  2. Update a certificate file.

    1. Set Device type to eNodeB/coreNetwork based on the site requirements.
    2. Click the icon next to Root certificate, Server certificate, and Server private key respectively. In the window that is displayed, select the prepared certificate file and click Open.
    3. Click Update Certificate.
    4. In the displayed dialog box, click Yes.

  3. (Optional) Restore the certificate.

    1. Set Device type to the device type whose certificate file you want to restore.
    2. Click Restore Last or Restore Factory.

Replacing FTPS Certificates

This section describes how to manually replace the FTPS service certificate. Perform the operation during off-peak hours.

Prerequisites
  • You have obtained the Java KeyStore (JKS) certificates required by FTPS services.
  • If personal information exchange (PFX) certificates have been obtained, convert them to JKS certificates. PFX certificates are specified by Public Key Cryptography Standards #12 (PKCS#12) and the file suffix can be .pfx or .p12. For details, see section Converting the PFX Format to JKS Format.
  • The following uses the Linux operating system (OS) as an example to describe how to update FTPS Certificates.
Procedure
  1. (Optional) Back up existing certificates

    1. Log in to the server as the ossuser user.
    2. Run the following command to back up the certificate directory:

      > cp -R eSight installation directory/AppBase/etc/certificate/application/med/ftps/ eSight installation directory/AppBase/etc/certificate/application/med/ftps_backup/

      The backup directory ftps_backup is generated.

  2. Place the certificates in eSight installation directory/AppBase/etc/certificate/application/med/ftps. After placement, the files are as follows:

    • Server private key: eSight installation directory/AppBase/etc/certificate/application/med/ftps/keys/ftpsKeyStore.jks
    • Server trust certificate: eSight installation directory/AppBase/etc/certificate/application/med/ftps/ca/ftpsCATrustStore.jks
    NOTE:

    If the file names of the server private key and trust certificate are not consistent with the preceding ones, rename them.

  3. Set access control for the certificate files so that only the ossuser and root users have permission to view and modify the files.

    1. Log in to the eSight server as the root user.
    2. Set the owner of eSight installation directory/AppBase/etc/certificate/application/med/ftps/ to the ossuser user.

      # chown -R ossuser:ossgroup eSight installation directory/AppBase/etc/certificate/application/med/ftps/

    3. Set the access rights of eSight installation directory/AppBase/etc/certificate/application/med/ftps to 600.

      # chmod -R 600 eSight installation directory/AppBase/etc/certificate/application/med/ftps

  4. Modify the configuration files for the southbound FTPS service certificate.

    1. Generate the encrypted form of the new password.
      1. Log in to the server as the ossuser user.
      2. Run the following command to switch the directory:

        > cd eSight installation directory/AppBase/tools/bmetool/encrypt

      3. Run the following command to encrypt the password:

        > ./encrypt.sh 0

      4. Enter the new password (Changeme_456 in this example) as prompted.
        Please input the password: 
        Please input the password again:     

        The execution is successful if the following information is displayed:

        @0102000000004bb897ace0f1743e71edd990653732544334c23ff73542176650964b8f0d50f7
      NOTE:

      Encrypting the same string does not produce the same result every time.

    2. Modify every file matching eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/med_node_*_svc.xml.

      Modify the configuration as follows:

      </config>
      <config name="ftps">
        <param name="enable">true</param>
        <param name="listenerPort">31923</param>
        <param name="passivePorts">31932,32145-32154</param>
        <param name="implicitSsl">false</param>
        <param name="checkSslExpiryDate">true</param>
        <param name="supportRenegotiate">true</param>
        <param name="includeCipherSuites">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA</param>
        <param name="CAKeystoreFileName">etc/certificate/application/med/ftps/ca/ftpsCATrustStore.jks</param>
        <param name="CAPass">@0102000000004bb897ace0f1743e71edd990653732544334c23ff73542176650964b8f0d50f7</param>
        <param name="keystoreFileName">etc/certificate/application/med/ftps/keys/ftpsKeyStore.jks</param>
        <param name="sslPassword">@0102000000004bb897ace0f1743e71edd990653732544334c23ff73542176650964b8f0d50f7</param>
        ......
      </config>

      NOTE:
      • @0102000000004bb897ace0f1743e71edd990653732544334c23ff73542176650964b8f0d50f7 is the encrypted form of Changeme_456.
      • CAPass is the password of the certificate store specified by CAKeystoreFileName.
      • sslPassword is the password of the certificate store specified by keystoreFileName.
    3. Restart the eSight service.

Updating the PKI-CMS Digital Signature Certificate of the Software Package

This section describes how to update the PKI-CMS digital signature certificate of the server software package.

Prerequisites
  • The PKI-CMS digital signature certificate of the server software package has been obtained.
  • Currently, software packages of some NEs in the wireless domain, such as the eAN3710 base station, support the certificate.
  • This section uses the Linux operating system as an example to describe how to update the PKI-CMS digital signature certificate of the software package.
Procedure
  1. (Optional) Back up the existing certificate.

    1. Log in to the server as the ossuser user.
    2. Run the following command to switch the directory:

      > cd /opt/eSight/AppBase/etc/ewl/primaryne/

    3. Run the following command to copy the file:

      > cp /opt/eSight/AppBase/etc/ewl/primaryne/truststore truststore_backup

      The backup certificate truststore_backup is generated.

  2. Place the certificate in the eSight installation directory/AppBase/etc/ewl/primaryne directory. The information after placement is as follows:

    Path of the trust certificate on the server: eSight installation directory/AppBase/etc/ewl/primaryne/truststore

  3. Perform the following operations to set the certificate access permission:

    1. Log in to the eSight server as the root user.
    2. Run the following command to switch the directory:

      # cd eSight installation directory/AppBase/etc/ewl/primaryne

    3. Run the following command to set the access permission of eSight installation directory/AppBase/etc/ewl/primaryne/truststore to 600:

      # chmod 600 ./truststore

      NOTE:

      The default access permission of the file is 600. If the permission is not 600, perform step 3.

  4. Modify the configuration file of the PKI-CMS digital signature certificate of the software package.

    1. Generate the encrypted form of the new password.
      1. Log in to the server as the ossuser user.
      2. Run the following command to switch the directory:

        > cd eSight installation directory/AppBase/tools/bmetool/encrypt

      3. Run the following command to encrypt the password:

        > ./encrypt.sh 0

      4. Enter the new password (Changeme_456 in this example) as prompted.
        Please input the password:
        Please input the password again:

        The execution is successful if the following information is displayed:

        @0102000000004bb897ace0f1743e71edd990653732544334c23ff73542176650964b8f0d50f7
        NOTE:

        Encrypting the same string does not produce the same result every time.

    2. Set the truststore certificate store password in the configuration file (primaryNE.properties, see Table 5-14) to the encrypted value:

      elteSoftwarePsd=fc318692132f59459a8b80010622ce92738e79c5ad19f68ed4dae5d856591278c555a4ac86bd8442afb134cb6c5f64b

      NOTE:
      • @0102000000004bb897ace0f1743e71edd990653732544334c23ff73542176650964b8f0d50f7 is the encrypted form of Changeme_456.
      • The default password of the PKI-CMS digital signature certificate of the software package is ei*b+@b#6Nh(tS1j.
    3. Restart the eSight service.
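
The following added example is not part of the eSight guide. It scripts the file-permission check and the configuration edits that the FTPS procedure (CAPass and sslPassword in med_node_*_svc.xml) and the PKI-CMS procedure (elteSoftwarePsd in primaryNE.properties, see Table 5-14) perform by hand. The directory layout, the XML and properties files and the ciphertext values in the demo are constructed placeholders standing in for real eSight files and for the output of encrypt.sh. The permission check also reports directories that the owner cannot traverse, because chmod -R 600 on a directory clears the directory's own execute bit, after which a non-root owner such as ossuser can no longer open the files inside it.

```shell
#!/bin/sh
# Added example, not part of the eSight guide. Helpers for the "set access control"
# and "modify the configuration file" steps of the FTPS and PKI-CMS procedures.
# All paths and ciphertext values below are constructed placeholders for the demo.
set -eu

# Print every regular file under $1 that is not mode 600 and every directory the
# owner cannot traverse (no u+x); return 1 if anything was printed.
check_cert_perms() {
    offenders=$( { find "$1" -type f ! -perm 600; find "$1" -type d ! -perm -u=x; } )
    [ -z "$offenders" ] || { printf '%s\n' "$offenders"; return 1; }
}

# Escape the characters that are special in a sed replacement (& | \).
sed_escape() { printf '%s' "$1" | sed 's/[&|\\]/\\&/g'; }

# Replace the text of <param name="$2">...</param> in the eSight service XML file $1.
set_xml_param() {
    esc=$(sed_escape "$3")
    sed "s|\(<param name=\"$2\">\)[^<]*\(</param>\)|\1$esc\2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
get_xml_param() { sed -n "s|.*<param name=\"$2\">\([^<]*\)</param>.*|\1|p" "$1"; }

# Set key=value in a Java properties file $1, appending the key if it is absent.
set_properties_key() {
    esc=$(sed_escape "$3")
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=$esc|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}
get_properties_key() { sed -n "s|^$2=||p" "$1"; }

# Update CAPass ($2) and sslPassword ($3) in every med_node_*_svc.xml under $1.
update_ftps_passwords() {
    for f in "$1"/med_node_*_svc.xml; do
        [ -f "$f" ] || continue
        set_xml_param "$f" CAPass "$2"
        set_xml_param "$f" sslPassword "$3"
    done
}

# --- demo on constructed files (the real ones live under the eSight installation directory) ---
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/sysconf" "$DEMO_DIR/ftps/keys" "$DEMO_DIR/ftps/ca"
cat > "$DEMO_DIR/sysconf/med_node_1_svc.xml" <<'EOF'
<config name="ftps">
<param name="enable">true</param>
<param name="CAKeystoreFileName">etc/certificate/application/med/ftps/ca/ftpsCATrustStore.jks</param>
<param name="CAPass">@OLD_CA_CIPHERTEXT</param>
<param name="keystoreFileName">etc/certificate/application/med/ftps/keys/ftpsKeyStore.jks</param>
<param name="sslPassword">@OLD_KEY_CIPHERTEXT</param>
</config>
EOF
printf 'elteSoftwarePsd=OLD_CIPHERTEXT\n' > "$DEMO_DIR/primaryNE.properties"
: > "$DEMO_DIR/ftps/keys/ftpsKeyStore.jks"
: > "$DEMO_DIR/ftps/ca/ftpsCATrustStore.jks"
chmod 700 "$DEMO_DIR/ftps" "$DEMO_DIR/ftps/keys" "$DEMO_DIR/ftps/ca"      # traversable by the owner
chmod 600 "$DEMO_DIR/ftps/keys/ftpsKeyStore.jks" "$DEMO_DIR/ftps/ca/ftpsCATrustStore.jks"

check_cert_perms "$DEMO_DIR/ftps" && echo "certificate permissions OK"
update_ftps_passwords "$DEMO_DIR/sysconf" '@0102CONSTRUCTED_CA_CIPHERTEXT' '@0102CONSTRUCTED_KEY_CIPHERTEXT'
set_properties_key "$DEMO_DIR/primaryNE.properties" elteSoftwarePsd '@0102CONSTRUCTED_PKI_CIPHERTEXT'
get_xml_param "$DEMO_DIR/sysconf/med_node_1_svc.xml" sslPassword
get_properties_key "$DEMO_DIR/primaryNE.properties" elteSoftwarePsd
```

Run the two update functions as the ossuser user with the real sysconf directory and the ciphertext printed by encrypt.sh, then restart eSight as the procedures require; the permission check is meant to be run as root after the chmod step.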

Follow-up Procedure
Table 5-14 Certificate store and configuration file path

Certificate Store: PKI-CMS digital signature certificate store of the software package
Certificate Store Path: eSight installation directory/AppBase/etc/ewl/primaryne
Configuration File: primaryNE.properties

Updating the Certificate Store Password

The certificates for connecting terminals, eNodeBs, and core networks to eSight are stored in the certificate store. This topic describes how to change the certificate store password.

Context
NOTE:

The method of changing the password is the same for every certificate store. The following example changes the password of the certificate store that holds the certificates for connecting eNodeBs and core networks to eSight, on the Linux operating system.

Procedure
  1. Log in to the server as the ossuser user.
  2. Access the directory where certificate files are stored.

    > cd eSight installation directory/AppBase/etc/ewl/primaryne/neconnection/ssl

  3. Run the following command to change the certificate store password:

    > eSight installation directory/AppBase/jre/bin/keytool -storepasswd -keystore serverKeyStore

    Enter the initial keystore password and enter the new password twice as prompted.

    Enter keystore password: 
    New keystore password:  
    Re-enter new keystore password:     
    NOTE:

    The initial keystore password is ei*b+@b#6Nh(tS1j. Change the initial password to ensure certificate store security. To prevent the system password from being stolen and ensure system and user security, change the password regularly.

    It is recommended that the new password meet the following requirements:

    • The password contains 8 to 32 characters.
    • The same character can be used at most twice.
    • The password must contain at least one upper case letter (A to Z), one lower case letter (a to z), and one digit (0 to 9).

  4. After changing the certificate store password, encrypt the password and update the configuration file. For details, see Maintenance Reference > Command Reference > Basic Management > Encryption Command Tool.
  5. Restart eSight to make the configuration take effect.
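
The following added example is not part of the eSight guide. It checks a proposed certificate store password against the requirements listed in the note above before the password is applied, and wraps keytool -storepasswd so that the change can be scripted. The candidate passwords in the demo are constructed; ESIGHT_HOME is an assumed environment variable standing in for the eSight installation directory.

```shell
#!/bin/sh
# Added example, not part of the eSight guide: validate a new certificate store
# password against the stated requirements, then (optionally) apply it with keytool.
set -eu

# Return 0 if $1 is 8-32 characters long, uses no character more than twice and
# contains at least one uppercase letter, one lowercase letter and one digit.
check_store_password() {
    pw=$1
    len=${#pw}
    if [ "$len" -lt 8 ] || [ "$len" -gt 32 ]; then
        echo "rejected: length $len is outside 8-32" >&2; return 1
    fi
    case $pw in *[[:upper:]]*) ;; *) echo "rejected: no uppercase letter" >&2; return 1;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "rejected: no lowercase letter" >&2; return 1;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "rejected: no digit" >&2; return 1;; esac
    # One character per line, count occurrences, keep any character used more than twice.
    repeated=$(printf '%s' "$pw" | fold -w 1 | LC_ALL=C sort | uniq -c | awk '$1 > 2 { printf "%s ", $2 }')
    if [ -n "$repeated" ]; then
        echo "rejected: character used more than twice: $repeated" >&2; return 1
    fi
    return 0
}

# Apply the new password with the JRE bundled with eSight (ESIGHT_HOME is assumed).
# Passing secrets as arguments exposes them in the process list while keytool runs;
# the interactive form in the procedure above avoids that, so prefer it on shared hosts.
change_store_password() {   # $1 = keystore file, $2 = current password, $3 = new password
    check_store_password "$3" || return 1
    "${ESIGHT_HOME:-/opt/eSight}/AppBase/jre/bin/keytool" -storepasswd \
        -keystore "$1" -storepass "$2" -new "$3"
}

# Demo with constructed candidates; nothing is written to a keystore here.
for candidate in 'Changeme_456' 'Passw0rdddd' 'Short1A' 'alllowercase123'; do
    if check_store_password "$candidate"; then
        echo "accepted: $candidate"
    fi
done
```

Only Changeme_456 passes: Passw0rdddd repeats a character four times, Short1A is too short and alllowercase123 has no uppercase letter. After a successful change, the encrypted form of the new password still has to be written to the configuration file named in Table 5-15 and eSight restarted, as steps 4 and 5 describe.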
Follow-up Procedure
Table 5-15 Certificate store and configuration file path

Certificate Store: Certificate store where the certificates for connecting eNodeBs and core networks to eSight are stored
Certificate Store Path:
  • eSight installation directory/AppBase/etc/ewl/primaryne/neconnection/ssl/serverKeyStore
  • eSight installation directory/AppBase/etc/ewl/primaryne/neconnection/ssl/serverTrustStore
Configuration File: mml.properties

Certificate Store: Certificate store where the certificate for connecting terminals to eSight is stored
Certificate Store Path:
  • eSight installation directory/AppBase/etc/ewl/cpe/ssl/serverKeyStore
  • eSight installation directory/AppBase/etc/ewl/cpe/ssl/serverTrustStore
Configuration File: AcsServer.xml, fileserver.xml

Converting the PFX Format to JKS Format

All eSight services except Nginx use JKS certificates. If PFX certificates (for example, a server.pfx or server.p12 file) are obtained, you need to convert them to JKS certificates.

The following uses the server certificate server.pfx as an example to describe how to convert PFX certificates to JKS certificates. The conversion generates the following JKS files:

  • Server private key: serverKeyStore
  • Server trust certificate: serverTrustStore

The procedure also generates the following required files:

  • Server private key: server.pem
  • Server public key: server.crt

The method for converting client certificates is similar.

Procedure
  1. Log in to the server as the ossuser user.
  2. Copy the server certificate server.pfx or server.p12 to eSight installation directory/AppBase/jre/bin. The following uses the password Changeme_456 as an example.

    NOTE:

    If you copy the file as a user other than ossuser, you need to set the owner of the target directory to ossuser as the root user. Otherwise, the ossuser user cannot use the file. This applies to all the following file copying operations.

    Set the owner of a directory to the ossuser user as follows:

    Log in to the eSight server as the root user and run the following command:

    # chown -R ossuser Directory name

  3. Run the following command to switch to eSight installation directory/AppBase/jre/bin:

    > cd eSight installation directory/AppBase/jre/bin

  4. Run the following command to convert the certificate to a JKS certificate:

    > ./keytool -importkeystore -v -srckeystore server.pfx -srcstoretype pkcs12 -srcstorepass Changeme_456 -destkeystore serverKeyStore -deststoretype jks -deststorepass Changeme_456

    The following information is displayed:

    Entry for alias 1 successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
    [Storing serverKeyStore]

    The serverKeyStore file is generated.

  5. Run the following command to view the certificate information to get the Alias name:

    > ./keytool -v -list -keystore serverKeyStore -storepass Changeme_456

    Keystore type: JKS 
    Keystore provider: SUN 
     
    Your keystore contains 1 entry 
     
    Alias name: 1 
    Creation date: Jul 23, 2014 
    Entry type: PrivateKeyEntry 
    Certificate chain length: 1 
    Certificate[1]: 
    Owner: CN=10.66.49.232, OU=Developer, O=Techstar, L=ShenZhen, ST=ShenZhen, C=CH 
    Issuer: CN=10.66.49.232, OU=Developer, O=Techstar, L=ShenZhen, ST=ShenZhen, C=CH 
    Serial number: 40765ec9 
    Valid from: Fri Jul 12 09:45:11 GMT+08:00 2013 until: Mon Jul 10 09:45:11 GMT+08:00 2023 
    Certificate fingerprints: 
             MD5:  F7:12:1A:3F:F3:62:9F:5B:07:4E:F1:2C:EC:60:57:1E 
             SHA1: BC:89:8D:CA:6D:EE:73:55:05:6C:08:0D:D9:6B:1D:80:B8:40:83:CA 
             SHA256: 89:82:4C:8E:61:3F:0E:13:D5:98:A8:F1:0F:02:52:BA:76:B7:88:7F:39:35:73:BE:ED:4A:CF:46:D2:3D:45:E7 
             Signature algorithm name: SHA256withRSA 
             Version: 3 
     
    Extensions: 
     
    #1: ObjectId: 2.5.29.14 Criticality=false 
    SubjectKeyIdentifier [ 
    KeyIdentifier [ 
    0000: 33 40 05 15 39 09 CE 4D   60 C3 92 B5 88 FA F3 18  3@..9..M`....... 
    0010: 1B 0C B6 90                                        .... 
    ] 
    ] 
     
     
     
    ******************************************* 
    *******************************************

    Here, Alias name: 1 indicates that the certificate alias is 1.

  6. Create the trust certificate serverTrustStore.

    1. Run the following command to generate the public key certificate server.cer, which is coded using distinguished encoding rules (DER):

      > ./keytool -export -alias 1 -keystore serverKeyStore -file server.cer -storepass Changeme_456

      The following information is displayed:

      Certificate stored in file <server.cer>

      The server.cer file is generated.

    2. Run the following command to import server.cer into the trust certificate serverTrustStore (the values of -keypass and -storepass are specified by the user):

      > ./keytool -import -alias server -keystore serverTrustStore -file server.cer -keypass Changeme_456 -storepass Changeme_456

      Trust this certificate? [no]:

      Enter Y and press Enter.

      Certificate was added to keystore

      The serverTrustStore file is generated.

  7. Run the following command to copy the serverKeyStore file to eSight installation directory/AppBase/tools/jks2pfx.

    > cp serverKeyStore eSight installation directory/AppBase/tools/jks2pfx/

  8. Run the following command to switch to eSight installation directory/AppBase/tools/jks2pfx:

    > cd eSight installation directory/AppBase/tools/jks2pfx

  9. Run the following command to convert the certificate format:

    > ./JKS2PFX.sh serverKeyStore Changeme_456 1 server

    The certificate must contain a private key, otherwise the format conversion will fail.

    Here, 1 is the certificate alias. Enter the actual alias.

    Three files are generated: server.pem, server.crt, and server.pfx.

Viewing JKS Certificate Information

You can use the keytool provided by Java to check information about a certificate in Java Key Store (JKS) format.

Prerequisites

You have obtained the JKS certificates.

Procedure
  1. Log in to the server as the ossuser user.
  2. Copy the certificate, for example, serverKeyStore, to eSight installation directory/AppBase/jre/bin. The following uses the password Changeme_456 as an example.

    NOTE:

    If you copy the file as a user other than ossuser, you need to set the owner of the target directory to ossuser as the root user. Otherwise, the ossuser user cannot use the file. This applies to all the following file copying operations.

    Set the owner of a directory to the ossuser user as follows:

    Log in to the eSight server as the root user and run the following command:

    # chown -R ossuser Directory name

  3. Run the following command to view the certificate information:

    > ./keytool -v -list -keystore serverKeyStore -storepass Changeme_456 -storetype jks

    Information similar to the following is displayed:

    Keystore type: JKS 
    Keystore provider: SUN 
     
    Your keystore contains 2 entries 
     
    Alias name: server 
    Creation date: Feb 25, 2014 
    Entry type: trustedCertEntry 
     
    Owner: CN=10.66.49.232, OU=Developer, O=Techstar, L=ShenZhen, ST=ShenZhen, C=CH 
    Issuer: CN=10.66.49.232, OU=Developer, O=Techstar, L=ShenZhen, ST=ShenZhen, C=CH 
    Serial number: 40765ec9 
    Valid from: Fri Jul 12 09:45:11 CST 2013 until: Mon Jul 10 09:45:11 CST 2023 
    Certificate fingerprints: 
             MD5:  F7:12:1A:3F:F3:62:9F:5B:07:4E:F1:2C:EC:60:57:1E 
             SHA1: BC:89:8D:CA:6D:EE:73:55:05:6C:08:0D:D9:6B:1D:80:B8:40:83:CA 
             SHA256: 89:82:4C:8E:61:3F:0E:13:D5:98:A8:F1:0F:02:52:BA:76:B7:88:7F:39:35:73:BE:ED:4A:CF:46:D2:3D:45:E7 
             Signature algorithm name: SHA256withRSA 
             Version: 3

    Where,

    • The value of Alias name indicates the certificate alias name.
    • The value of Issuer indicates the certificate authority.
    • The value of Valid from indicates the start time when the certificate takes effect.
    • The value of until indicates the time after which the certificate does not take effect.
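
The following added example is not part of the eSight guide. It parses the keytool -v -list output shown above and extracts, for each entry, the alias, entry type, expiry date and SHA256 fingerprint, then reports which entries have already expired. The sample listing is constructed in the format shown above: the first entry copies the values from the listing, the second entry and its fingerprint are invented. keytool is assumed to print dates in English, as in the listing.

```shell
#!/bin/sh
# Added example, not part of the eSight guide: summarise `keytool -v -list` output
# and flag expired entries. The sample listing below is constructed.
set -eu

# Convert keytool's date ("Mon Jul 10 09:45:11 CST 2023") to YYYYMMDD. Only the
# month, day and year fields are used, so the timezone abbreviation does not matter.
to_yyyymmdd() {
    set -- $1                      # word-split: $2=month $3=day $6=year
    case $2 in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo "unrecognised month: $2" >&2; return 1;;
    esac
    d=${3#0}                       # strip a leading zero so printf reads it as decimal
    printf '%s%s%02d\n' "$6" "$m" "$d"
}

# Read a keytool -v -list on stdin and print one "alias|type|YYYYMMDD|sha256" line
# per entry. For a PrivateKeyEntry with a chain, the first certificate (the entry's
# own) is the one reported. Aliases are assumed not to contain spaces.
list_entries() {
    awk '
        function flush() {
            if (alias != "") print alias "|" type "|" notafter "|" sha
            alias = ""; type = ""; notafter = ""; sha = ""
        }
        /^Alias name:/ { flush(); alias = $3 }
        /^Entry type:/ { type = $3 }
        /until:/ && notafter == "" { sub(/.*until: */, ""); sub(/ *$/, ""); notafter = $0 }
        /^[ \t]*SHA256:/ && sha == "" { sha = $2 }
        END { flush() }
    ' | while IFS='|' read -r alias type expiry sha; do
        printf '%s|%s|%s|%s\n' "$alias" "$type" "$(to_yyyymmdd "$expiry")" "$sha"
    done
}

# Return 0 when the YYYYMMDD date $1 lies before today (UTC).
is_expired() { [ "$1" -lt "$(date -u +%Y%m%d)" ]; }

# Print a one-line status per entry of the listing on stdin.
report_expiry() {
    list_entries | while IFS='|' read -r alias type expiry sha; do
        if is_expired "$expiry"; then status=EXPIRED; else status=valid; fi
        printf '%-8s %-18s until %s  %s\n' "$alias" "$type" "$expiry" "$status"
    done
}

# Constructed sample: entry "server" copies the listing above, entry "1" is invented.
SAMPLE_LISTING=$(cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: server
Creation date: Feb 25, 2014
Entry type: trustedCertEntry

Owner: CN=10.66.49.232, OU=Developer, O=Techstar, L=ShenZhen, ST=ShenZhen, C=CH
Issuer: CN=10.66.49.232, OU=Developer, O=Techstar, L=ShenZhen, ST=ShenZhen, C=CH
Serial number: 40765ec9
Valid from: Fri Jul 12 09:45:11 CST 2013 until: Mon Jul 10 09:45:11 CST 2023
Certificate fingerprints:
         MD5:  F7:12:1A:3F:F3:62:9F:5B:07:4E:F1:2C:EC:60:57:1E
         SHA1: BC:89:8D:CA:6D:EE:73:55:05:6C:08:0D:D9:6B:1D:80:B8:40:83:CA
         SHA256: 89:82:4C:8E:61:3F:0E:13:D5:98:A8:F1:0F:02:52:BA:76:B7:88:7F:39:35:73:BE:ED:4A:CF:46:D2:3D:45:E7
         Signature algorithm name: SHA256withRSA
         Version: 3


Alias name: 1
Creation date: Jan 5, 2025
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=esight.example.invalid, O=Example, C=CN
Issuer: CN=Example Issuing CA, O=Example, C=CN
Serial number: 0123abcd
Valid from: Sun Jan 05 10:00:00 UTC 2025 until: Wed Jan 05 10:00:00 UTC 2028
Certificate fingerprints:
         SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
         Signature algorithm name: SHA256withRSA
         Version: 3
EOF
)

printf '%s\n' "$SAMPLE_LISTING" | report_expiry
```

With a real keystore, pipe the keytool output in directly (./keytool -v -list -keystore serverKeyStore -storepass ... | report_expiry). Comparing the SHA256 column against the fingerprint supplied with the CA-issued certificate confirms that the intended certificate, and not a stale one, is what the keystore holds.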

Replacing the HTTPS Certificate on the HostAgent and eSight

To improve system O&M security, users may want to use a Hypertext Transfer Protocol Secure (HTTPS) certificate issued by a certification authority. Users can replace the HTTPS certificate on the HostAgent and eSight. After the certificate is replaced, the device can use the new certificate.

Prerequisites

The OpenSSL environment has been configured before certificate update. To configure the OpenSSL environment, perform the following operations:

  1. Log in to http://www.openssl.org/source/, download the openssl-1.0.2q.tar.gz file, and decompress the file to the current directory.
  2. Start the Microsoft Visual Studio, go to the openssl-1.0.2q directory, and run the following commands in sequence to compile and install the OpenSSL: perl Configure VC-WIN32 no-asm, ms\do_ms, nmake -f ms\ntdll.mak, nmake -f ms\ntdll.mak test, and nmake -f ms\ntdll.mak install.

    NOTE:
    • If the perl command fails to be executed, install ActivePerl-5.16.3.1603-MSWin32-x86-296746.msi.
    • The compiling result is in the out32dll directory.

Context

The initial password is Huawei@123 for the CA certificate file, HostAgent certificate file, and eSight certificate file. When using the HostAgent the first time, you are advised to replace the HostAgent certificate and reset the certificate password.

Generating the Certificate Files on the HostAgent
  1. Start the Microsoft Visual Studio, go to the out32dll directory, and run the openssl genrsa -aes128 -out ca.key 2048 command to generate the ca key file.

    NOTE:

    During file generation, you need to enter a certificate password and keep the password properly. The password must:

    • Contain at least six characters.
    • Contain at least two of the following character types: lowercase letters, uppercase letters, digits, and special characters (`~!@#$%^&*()-_=+\|[{}];:"',<.>/? and spaces).

  2. Run the openssl req -new -days 3650 -x509 -key ca.key -sha256 -out ca.crt command to generate the ca certificate. During file generation, you must enter the password of the ca key file in Step 1. Set Country Name, State Or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, and Email Address as prompted, and press Enter.

    NOTE:

    Set related parameters based on tips on the page. The parameters cannot be empty.

  3. Run the openssl genrsa -aes128 -out server.key 2048 command to generate the server key file. During file generation, you must enter a file password and keep it properly.
  4. Run the openssl req -new -key server.key -out server.csr command to generate the csr certificate. During file generation, you must enter the password of the server key file in Step 3. Set related parameters based on Step 2, and press Enter.
  5. Run the openssl ca -md sha256 -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -days 3650 command to generate the server certificate. During file generation, you must enter the password of the ca key file in Step 1.

    NOTE:

    If the certificate fails to be generated, perform the following operations:

    • Create the demoCA directory in the current directory.
    • In the demoCA directory, create the newcerts and private directories.
    • In the demoCA directory, create the index.txt file.
    • In the demoCA directory, create the serial file, use a text editor to open the file, enter 01, press Enter, and save and exit the file.

Generating the Certificate Files on eSight
  1. On the CLI, run the openssl genrsa -aes128 -out client.key 2048 command to generate the client key file. During file generation, you must enter a password and keep it properly.
  2. Run the openssl req -new -key client.key -out client.csr command to generate the csr file. During file generation, you must enter the password of the client key file in Step 1. Set related parameters based on Step 2 in "Generating the Certificate Files on the HostAgent", and press Enter.
  3. Run the openssl ca -md sha256 -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -days 3650 command to generate the client certificate. During file generation, you must enter the password of the ca key file in Step 1 in "Generating the Certificate Files on the HostAgent."

    NOTE:

    If the certificate fails to be generated, you need to clear the index.txt file in the demoCA directory.

  4. Create the clientTruststore.pem file, copy the content of the ca.key file to this file, press Enter, copy the content of the ca.crt file to this file, and save this file.
  5. Log in to http://sourceforge.jp/projects/sfnet_portecle/releases/, download the Portecle tool, and start the Portecle tool. In the Portecle dialog box that is displayed, choose File > New Keystore. In the New Keystore Type dialog box that is displayed, select JKS and click OK.
  6. Choose Tools > Import Trusted Certificate from the menu bar. In the dialog box that is displayed, select the clientTruststore.pem file and click Import.
  7. Click OK.
  8. In the dialog box that is displayed, click OK.
  9. In the dialog box that is displayed, click Yes. In the dialog box that is displayed, click OK.
  10. Choose File > Save Keystore As from the menu bar. In the dialog box that is displayed, enter the ca key file password in Step 1 in "Generating the Certificate Files on the HostAgent" and click OK.
  11. In the Save Keystore As dialog box that is displayed, enter clientTruststore.jks in File Name and click Save.
  12. Create the clientKeystore.pem file, copy the content of the client.key file to this file, press Enter, copy the content of the client.crt file to this file, and save this file.
  13. Start the Portecle tool, choose File > New Keystore from the menu bar, select JKS, and click OK.
  14. Choose Tools > Import Key Pair from the menu bar. In the Choose Key Pair File for Import dialog box that is displayed, select the clientKeystore.pem file and click Choose.
  15. In the dialog box that is displayed, enter the password of the client key file in Step 1 and click OK.
  16. In the Import Key Pair dialog box that is displayed, click OK. The Trusted Certificate Entry Alias dialog box is displayed.
  17. Click OK. The Key Pair Entry Password dialog box is displayed. Enter the password of the client key file in Step 1 and click OK.
  18. Choose File > Save Keystore As from the menu bar. In the dialog box that is displayed, enter the password of the client key file in Step 1 and click OK.
  19. In the Save Keystore As dialog box that is displayed, enter clientKeystore.jks in File Name and click Save.
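
The following added example is not part of the eSight guide. It is a non-interactive POSIX shell version of the OpenSSL steps in "Generating the Certificate Files on the HostAgent" and "Generating the Certificate Files on eSight" above: it creates the demoCA layout described in the note, then issues the CA, server and client certificates with the same openssl commands, supplying passphrases through -passout/-passin, the subject through -subj and confirming signing with -batch instead of answering prompts. It assumes the system openssl.cnf keeps the default dir = ./demoCA setting for openssl ca; the subject values and passphrases are constructed.

```shell
#!/bin/sh
# Added example, not part of the eSight guide: scripted CA, server and client
# certificate generation following the openssl steps of the HostAgent/eSight
# procedures. Subject values and passphrases are constructed placeholders.
set -eu

# Create the directory layout `openssl ca` expects (the recovery steps in the NOTE).
setup_demo_ca() {
    mkdir -p "$1/demoCA/newcerts" "$1/demoCA/private"
    : > "$1/demoCA/index.txt"             # empty certificate database
    printf '01\n' > "$1/demoCA/serial"    # next serial number
}

# The default `openssl ca` policy (policy_match) requires C, ST and O of every
# request to equal those of the CA certificate, so all subjects share this base.
SUBJ_BASE="/C=CN/ST=Guangdong/L=Shenzhen/O=Example/OU=OM"

# HostAgent steps 1-2: AES-128 encrypted CA key and self-signed CA certificate.
gen_ca() {   # $1 = workdir, $2 = CA key passphrase
    ( cd "$1" &&
      openssl genrsa -aes128 -passout "pass:$2" -out ca.key 2048 &&
      openssl req -new -x509 -days 3650 -sha256 -key ca.key -passin "pass:$2" \
          -subj "$SUBJ_BASE/CN=demo-ca" -out ca.crt )
}

# HostAgent steps 3-5 (name=server) and eSight steps 1-3 (name=client): encrypted
# key, CSR, and a certificate signed by the CA written to <name>.crt.
issue_cert() {   # $1 = workdir, $2 = name, $3 = key passphrase, $4 = CA key passphrase
    ( cd "$1" &&
      openssl genrsa -aes128 -passout "pass:$3" -out "$2.key" 2048 &&
      openssl req -new -key "$2.key" -passin "pass:$3" -subj "$SUBJ_BASE/CN=$2" -out "$2.csr" &&
      openssl ca -batch -md sha256 -days 3650 -in "$2.csr" -out "$2.crt" \
          -cert ca.crt -keyfile ca.key -passin "pass:$4" )
}

# Demo: the layout is always created; the openssl chain runs only on request,
# because `openssl ca` depends on the host's openssl.cnf.
WORK=$(mktemp -d)
setup_demo_ca "$WORK"
if [ "${RUN_OPENSSL_DEMO:-0}" = 1 ] && command -v openssl >/dev/null 2>&1; then
    gen_ca "$WORK" 'CaKeyPass-demo'
    issue_cert "$WORK" server 'ServerKeyPass-demo' 'CaKeyPass-demo'
    issue_cert "$WORK" client 'ClientKeyPass-demo' 'CaKeyPass-demo'
    ls "$WORK"            # ca.key ca.crt server.key server.csr server.crt client.* demoCA
fi
echo "demoCA layout prepared in $WORK"
```

Run it with RUN_OPENSSL_DEMO=1 to actually issue the files; ca.crt, server.key and server.crt are the files the HostAgent replacement step expects, and client.key and client.crt feed the Portecle steps above. Because openssl ca records every issued subject in demoCA/index.txt, re-running issue_cert for the same name fails until that entry is removed, which is what the note about clearing index.txt refers to.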
Replacing the Certificate on the HostAgent
  1. Go to the HostAgent installation directory and exit the HostAgent.
  2. Use the certificate files ca.crt, server.key, and server.crt generated for the HostAgent to replace the files with the same names in the HostAgent installation directory.
  3. In the Linux operating system, execute CertificateEncrypt.sh, enter the old password and new password as prompted, and select Y.
  4. Restart the HostAgent for the new certificate to take effect.
Replacing the Certificate on eSight
  1. Go to the eSight installation directory eSight/AppBase/bin and stop eSight.
  2. Go to eSight/AppBase/lib/com.huawei.esight.it.framework and use WinRAR to open the com.huawei.esight.it.common.protocol.https-1.0-SNAPSHOT.jar file. Replace the files in the certificate directory with the clientTruststore.jks and clientKeystore.jks files generated for eSight.
  3. Go to the eSight/AppBase/tools/bmetool/encrypt directory, and execute encrypt.bat 0 in the Windows operating system or execute ./encrypt.sh 0 as the ossuser user in the Linux operating system. Enter the password of the client key file generated in Step 1 in "Generating the Certificate Files on eSight." Remember the encrypted password generated by the tool.
  4. Go to the eSight/AppBase/lib/com.huawei.esight.it.framework directory and use WinRAR to open the com.huawei.esight.it.common.protocol.https-1.0-SNAPSHOT.jar file. Go to the conf directory, copy the password generated in the previous step, paste the password to the ssl.keystore.value item in the security.properties file, and save and exit the file.
  5. Go to the eSight/AppBase/tools/bmetool/encrypt directory, and execute encrypt.bat 0 in the Windows operating system or execute ./encrypt.sh 0 as the ossuser user in the Linux operating system. Enter the password of the ca key file generated in Step 1 in "Generating the Certificate Files on the HostAgent." Remember the encrypted password generated by the tool.
  6. Go to the eSight/AppBase/lib/com.huawei.esight.it.framework directory and use WinRAR to open the com.huawei.esight.it.common.protocol.https-1.0-SNAPSHOT.jar file. Go to the conf directory, copy the password generated in the previous step, paste the password to the ssl.trusetkeystore.value item in the security.properties file, and save and exit the file.
  7. Go to the eSight installation directory eSight/AppBase/bin and restart eSight.

Updating the Tomcat Certificate for the Agile Reporter

To improve system O&M security, users may want to use certificates issued by third-party certification authorities. The network management system (NMS) supports the Tomcat certificate replacement of the agile reporter. After the certificate is changed, the device can use the new certificate.

Prerequisites
  • Tomcat certificate replacement depends on the keystorePass ciphertext storage solution for the Tomcat certificate. The Tomcat public and private keys have been obtained.
  • The eSight service has been stopped.
Context

The initial password of the Tomcat certificate of the agile reporter is Changeme_123.

eSight must be restarted for the new certificate to take effect. Services are interrupted during the restart. Therefore, update the certificate during off-peak hours.

In Windows, log in to the server as an administrator. In Linux, log in to the server as user root.

NOTE:
  • If security hardening is performed on the Windows operating system, you need to log in to the server as the SWMaster user.
  • If security hardening is performed on the Linux operating system, you need to remotely log in to the server as the ossuser and switch to the root user.
Procedure
  • Windows
    1. Go to the agile reporter certificate file directory eSight installation directory\AppBase\UniBI_Server\tomcat\conf\SSLKey.
    2. Back up file UniBI.jks and rename the backup as UniBI_back.jks.
    3. Copy eSight's certificate key file eSight installation directory\AppBase\etc\certificate\serverKeyStore to the agile reporter's certificate file directory eSight installation directory\AppBase\UniBI_Server\tomcat\conf\SSLKey.
    4. Rename serverKeyStore as UniBI.jks.
    5. Choose Start > Run and enter cmd to open the command window.
    6. Run the following command to enter the directory where the encryption tool resides:

      cd /d eSight installation directory\AppBase\UniBI_Server\tools

    7. Run the following commands to encrypt the key file password:

      encryptreversible.bat -i

      Enter the password, the password confirmation, and keyPath as prompted. Set keyPath to eSight installation directory\AppBase\UniBI_Server\unibi-solutions\security\conf. The encrypted character string is generated.

    8. Open eSight installation directory\AppBase\UniBI_Server\unibi-solutions\system\conf and set the keystorePass value in the system.properties file to the newly generated ciphertext.
    9. Restart the eSight server.
  • Linux
    1. Run the following commands to go to the certificate file directory of agile reporter and back up the UniBI.jks file:

      cd eSight installation directory/AppBase/UniBI_Server/tomcat/conf/SSLKey

      cp UniBI.jks ./UniBI_back.jks

      rm UniBI.jks

    2. Run the following command to copy the eSight certificate key file to the directory where the agile reporter certificate file resides:

      cp eSight installation directory/AppBase/etc/certificate/serverKeyStore ./

    3. Run the following command to rename serverKeyStore as UniBI.jks:

      mv serverKeyStore UniBI.jks

    4. Run the following command to enter the directory where the encryption tool resides:

      cd eSight installation directory/AppBase/UniBI_Server/tools

    5. Run the following commands to encrypt the key file password:

      sh encryptreversible.sh -i

      Enter the password, the password confirmation, and keyPath as prompted. Set keyPath to eSight installation directory/AppBase/UniBI_Server/unibi-solutions/security/conf. The encrypted character string is generated.

    6. Open eSight installation directory/AppBase/UniBI_Server/unibi-solutions/system/conf and set the keystorePass value in the system.properties file to the newly generated ciphertext.
    7. Restart the eSight server.
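
Linux steps 1 to 3 above, as an added example that is not part of the eSight guide: a shell function that performs the backup, copy and rename with the checks an operator would want before touching the keystore (the SSLKey directory and the source keystore exist, the backup succeeded, the installed copy is byte-identical to the source), plus a rollback function for the case where Tomcat will not start with the new keystore. ESIGHT_HOME stands in for "eSight installation directory" and the function names are chosen here. Steps 4 to 7 (re-encrypting the keystore password with encryptreversible.sh and setting keystorePass) are interactive and are not scripted.

```shell
#!/bin/sh
# Added example (not part of the eSight guide). ESIGHT_HOME stands in for
# "eSight installation directory"; on the guide's reference system it is
# /opt/eSight.

# swap_unibi_keystore ESIGHT_HOME
# Replaces the Agile Reporter keystore UniBI.jks with eSight's serverKeyStore,
# keeping the old keystore as UniBI_back.jks. Returns 0 on success and 1 if a
# precondition fails; in that case nothing has been modified.
swap_unibi_keystore() {
    esight_home=$1
    ssl_dir="$esight_home/AppBase/UniBI_Server/tomcat/conf/SSLKey"
    src="$esight_home/AppBase/etc/certificate/serverKeyStore"
    dst="$ssl_dir/UniBI.jks"
    backup="$ssl_dir/UniBI_back.jks"

    [ -d "$ssl_dir" ] || { echo "missing directory: $ssl_dir" >&2; return 1; }
    [ -f "$src" ]     || { echo "missing source keystore: $src" >&2; return 1; }

    # Step 1 of the guide: keep a backup before removing the old keystore.
    if [ -f "$dst" ]; then
        cp -p "$dst" "$backup" || return 1
        rm -f "$dst" || return 1
    fi

    # Steps 2 and 3: copy serverKeyStore in, then rename it to UniBI.jks.
    cp "$src" "$ssl_dir/serverKeyStore" || return 1
    mv "$ssl_dir/serverKeyStore" "$dst" || return 1

    # Confirm the installed keystore is byte-identical to the source
    # (cksum prints "<crc> <size>" for its standard input).
    [ "$(cksum < "$src")" = "$(cksum < "$dst")" ]
}

# rollback_unibi_keystore ESIGHT_HOME
# Restores UniBI_back.jks as UniBI.jks if Tomcat rejects the new keystore
# (for example because keystorePass was not updated to the new ciphertext).
rollback_unibi_keystore() {
    ssl_dir="$1/AppBase/UniBI_Server/tomcat/conf/SSLKey"
    backup="$ssl_dir/UniBI_back.jks"
    [ -f "$backup" ] || { echo "no backup to restore: $backup" >&2; return 1; }
    cp -p "$backup" "$ssl_dir/UniBI.jks"
}
```

Source the file as the user that owns the UniBI_Server tree and call swap_unibi_keystore /opt/eSight. If the Agile Reporter then fails to start, rollback_unibi_keystore /opt/eSight puts the previous keystore back; keystorePass in system.properties has to match whichever keystore is in place, so restore the previous ciphertext as well when rolling back.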

Updating 3rd Party OpenStack Security Certificates

The security maintenance operations of eSight 3rd Party Openstack include certificate and key update and security auditing.

Various services provided by eSight 3rd Party OpenStack communicate with each other using Secure Sockets Layer (SSL). In SSL mode, service certificates must be deployed on RabbitMQ, Sensu Client and eSight Server. You are advised to periodically update the certificates to ensure communication security during service operations.

NOTE:

V300R010C00SPC500 does not support virtualization management (3rd Openstack).

RabbitMQ Certificate Introduction

This certificate secures the connections from eSight and the Sensu Client to RabbitMQ.

It is recommended that you replace the certificate with your own certificate if needed.

Certificate information

  • cert.pem and key.pem
    • Format: PEM
    • Initial password: set by the user during the installation of RabbitMQ
    • Validity period: 10 years (configurable in the modification script)
    • Path:
      • RabbitMQ: /opt/rabbitmq/rabbitmq_server-3.7.9/ssl/client
      • Sensu Client: /etc/sensu/ssl
    • Description: certificates used by the Sensu client to communicate with RabbitMQ
  • keycert.p12
    • Format: p12
    • Initial password: set by the user during the installation of RabbitMQ
    • Validity period: 10 years (configurable in the modification script)
    • Path: copied from RabbitMQ to /opt/eSight/AppBase/etc/openstack/rabbitmqcert
    • Description: certificate used by eSight to communicate with RabbitMQ

Updating RabbitMQ Certificates

This section explains how to update the RabbitMQ certificates and commission them on the eSight server and Sensu Client nodes.

To keep the RabbitMQ connections to eSight and the Sensu Client properly secured, periodically apply for new certificates from the CA and update them.

Prerequisites
  • The RabbitMQ service has been stopped.
Context

For the Sensu client and eSight to communicate with RabbitMQ, the certificates listed above must be installed on the respective nodes according to the following procedure.

Precautions
  • Update certificates in off-peak hours.
  • During the certificate update, the alarm and resource monitoring services are affected.
  • Back up the original certificate files before updating certificates.
  • If primary and secondary management nodes exist, restart them in the following sequence to prevent an active/standby switchover:
    1. Stop the secondary management node.
    2. Stop the primary management node.
    3. Start the primary management node.
    4. Start the secondary management node.
  • The password must meet the following requirements:
    • The password consists of 8 to 32 characters.
    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.

      The special characters include !"#$%&'()*+,-./:;<=>?@[\]^`{_|}~ and spaces.

    • The password does not use single quotation marks (') and double quotation marks (") at the same time.
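
The password rules above can be checked before modify_certs.sh prompts for the new certificate password. The following is an added example, not part of the eSight guide or its scripts; the names check_cert_password and _pw_has are chosen here. It encodes the three rules as stated: 8 to 32 characters, at least three of the four character types (special characters being the guide's punctuation list plus space, which is every printable ASCII character that is not a letter or digit), and not both kinds of quotation mark.

```shell
#!/bin/sh
# Added example (not from the eSight guide): validate a RabbitMQ certificate
# password against the policy stated in the Precautions above.

# _pw_has STRING PATTERN -> 0 if STRING matches the basic regex PATTERN.
# LC_ALL=C makes the character classes below mean plain ASCII.
_pw_has() {
    printf '%s' "$1" | LC_ALL=C grep -q -- "$2"
}

# check_cert_password PASSWORD -> 0 if compliant, 1 otherwise (reason on stderr)
check_cert_password() {
    pw=$1

    # The guide's character set is printable ASCII only (letters, digits,
    # the listed punctuation, and space).
    if _pw_has "$pw" '[^ -~]'; then
        echo "password contains characters outside printable ASCII" >&2
        return 1
    fi

    len=${#pw}
    if [ "$len" -lt 8 ] || [ "$len" -gt 32 ]; then
        echo "password must be 8 to 32 characters (got $len)" >&2
        return 1
    fi

    # Count the character types present: upper, lower, digit, special.
    classes=0
    _pw_has "$pw" '[[:upper:]]' && classes=$((classes + 1))
    _pw_has "$pw" '[[:lower:]]' && classes=$((classes + 1))
    _pw_has "$pw" '[[:digit:]]' && classes=$((classes + 1))
    # Special = any printable ASCII character that is not a letter or digit,
    # which is exactly the guide's punctuation list plus space.
    _pw_has "$pw" '[^[:alnum:]]' && classes=$((classes + 1))
    if [ "$classes" -lt 3 ]; then
        echo "password needs at least 3 character types (has $classes)" >&2
        return 1
    fi

    # Single and double quotation marks must not both be present.
    if _pw_has "$pw" "'" && _pw_has "$pw" '"'; then
        echo "password must not contain both ' and \"" >&2
        return 1
    fi
    return 0
}
```

Call it as check_cert_password "$candidate" and branch on the exit status; the reason for a rejection goes to stderr so the function can also be used from a provisioning script that keeps the password out of its logs.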
Procedure
  1. Log in to the eSight server as the rabbitmq user.
  2. Modify the certificate validity period (in days) in the openssl.cnf file.

    > vi scripts/openssl.cnf

    Find default_days, set the value, and save the file.

  3. Execute the shell script and provide the new certificate password.

    > cd scripts

    > bash modify_certs.sh
    [INFO] Started generating certificates.....
    [QUESTION] Please provide certificate password...:
    [QUESTION]
    Please provide certificate password again (confirmation)...: 
    [INFO]  Regenerated the SSL certificates.
    [INFO]  Restart the RabbitMQ..!
    [INFO]  To stop RabbitMQ service:   rabbitmqctl stop
    [INFO]  To start RabbitMQ service:   rabbitmq-server -detached

  4. Replace the SSL certificate file in the /opt/rabbitmq/rabbitmq_server-3.7.9/ssl directory on the standby eSight server with the SSL certificate file on the active eSight server.

    NOTE:

    This step applies only when there are two RabbitMQ nodes.

    • After the replacement, log in to the standby eSight server and run the following command to go to the RabbitMQ SSL certificate directory:

      # cd /opt/rabbitmq/rabbitmq_server-3.7.9/ssl

      Change the owner of the certificate files to the rabbitmq user.

      # chown rabbitmq:rabbitmq *

    • After the transfer succeeds, restart the RabbitMQ service on both nodes by running the following commands on each RabbitMQ node.

      > cd /opt/rabbitmq/rabbitmq_server-3.7.9/sbin

      Stop RabbitMQ:

      > ./rabbitmqctl stop

      Start RabbitMQ:

      > ./rabbitmq-server -detached

RabbitMQ Certificate installation in eSight

This topic explains how to install the RabbitMQ certificate in eSight.

NOTE:

eSight uses this certificate to communicate with RabbitMQ over SSL.

  1. Log in to the eSight server as the root user.
  2. Obtain the client certificate keycert.p12 (generated in the previous steps) from /opt/rabbitmq/rabbitmq_server-3.7.9/ssl/client on the RabbitMQ node and copy it to the /opt/eSight/AppBase/etc/openstack/rabbitmqcert directory on eSight.

    # cp /opt/rabbitmq/rabbitmq_server-3.7.9/ssl/client/keycert.p12 /opt/eSight/AppBase/etc/openstack/rabbitmqcert

  3. Run the following command to go to the rabbitmqcert directory:

    # cd /opt/eSight/AppBase/etc/openstack/rabbitmqcert

    Change the certificate owner to ossuser.

    # chown ossuser:ossgroup keycert.p12

  4. Change the permission on the certificate file to 600.

    • Run the following command to confirm the certificate copy:
      # ls -al
      -rw------- 1 ossuser ossgroup 2349 Feb 14 14:08 keycert.p12
    • If the permission on the certificate file is not 600, run the following command to change the permission on the certificate file:

      # chmod 600 keycert.p12
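
Steps 2 to 4 above, wrapped so that the result is verified from the same ls -ld output the guide tells you to inspect. This is an added example, not code from the eSight guide; the function names are chosen here, and the file, owner and group are taken as arguments (pass ossuser and ossgroup on a real node) so the same functions can be exercised on a constructed file in a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the eSight guide): install the RabbitMQ client
# certificate for eSight and verify owner and mode afterwards.

# cert_perms_ok FILE OWNER GROUP
# Returns 0 if FILE is mode 600 and owned by OWNER:GROUP, 1 otherwise.
# Parses `ls -ld`, which prints for example:
#   -rw------- 1 ossuser ossgroup 2349 Feb 14 14:08 keycert.p12
# (paths containing whitespace are not supported by this parser)
cert_perms_ok() {
    f=$1; want_owner=$2; want_group=$3
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    set -- $(LC_ALL=C ls -ld "$f")
    mode=$1; got_owner=$3; got_group=$4
    case "$mode" in
        -rw-------|-rw-------[+.@]) ;;   # 600, optionally with an ACL/SELinux marker
        *) echo "$f: mode is $mode, expected -rw-------" >&2; return 1;;
    esac
    if [ "$got_owner" != "$want_owner" ] || [ "$got_group" != "$want_group" ]; then
        echo "$f: owned by $got_owner:$got_group, expected $want_owner:$want_group" >&2
        return 1
    fi
    return 0
}

# install_rabbitmq_client_cert SRC DST_DIR OWNER GROUP
# Copies SRC (keycert.p12) into DST_DIR, sets owner and mode 600 as the
# guide does, then verifies the result. On a real node:
#   install_rabbitmq_client_cert /opt/rabbitmq/rabbitmq_server-3.7.9/ssl/client/keycert.p12 \
#       /opt/eSight/AppBase/etc/openstack/rabbitmqcert ossuser ossgroup
install_rabbitmq_client_cert() {
    src=$1; dst_dir=$2; owner=$3; group=$4
    [ -f "$src" ] || { echo "missing source certificate: $src" >&2; return 1; }
    mkdir -p "$dst_dir" || return 1
    dst="$dst_dir/$(basename "$src")"
    cp "$src" "$dst" || return 1
    chown "$owner:$group" "$dst" || return 1
    chmod 600 "$dst" || return 1
    cert_perms_ok "$dst" "$owner" "$group"
}
```

cert_perms_ok on its own is useful as a periodic check: the private key inside keycert.p12 is only as protected as the file mode, and a later copy or restore that leaves it group- or world-readable is caught by the same test the guide performs by eye.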

Batch Configure RabbitMQ Certificate on Sensu Clients

This topic explains how to configure the RabbitMQ certificate on Sensu Clients in a batch.

Prerequisites
  • The conf.txt file has been configured.
  • The latest cert.pem and key.pem have been collected from RabbitMQ and stored in /home/stack/eSight/sensu/Deploy/client/ssl.
Procedure
  1. Log in to the eSight server as the rabbitmq user.
  2. Use SFTP to obtain the client certificate files cert.pem and key.pem (generated in the earlier steps) from the /opt/rabbitmq/rabbitmq_server-3.7.9/ssl/client directory on RabbitMQ.
  3. Log in to the Red Hat OpenStack undercloud node as the stack user.
  4. Place cert.pem and key.pem in the /home/stack/eSight/sensu/Deploy/client/ssl directory on the Red Hat OpenStack undercloud node.
  5. Run the following commands:

    > cd /home/stack/eSight/sensu/

    > sh configureRabbitMQInfoForSensuClient.sh

    When prompted, enter the password of the RabbitMQ user, and enter it again to confirm.

    Password for RABBITMQ user sensu: 
    Enter password again :

    Review the generated RabbitMQ JSON and enter y to continue.

    [QUESTION] Continue? (y/n): 

Updating the eSight Driver Certificate (Common Scenarios)

If the certificate or certificate password of a system interconnected with eSight is changed, promptly update the certificate or certificate password on eSight.

Updating the Certificate and Password for Interconnecting RESTConnectors with eSight

The eSight certificate and password are used for authentication when RESTConnectorService accesses eSight using HTTPS. It is recommended that you update the eSight certificate and password periodically to ensure system security.

Prerequisites
Context
  • RESTConnectorService is a microservice that belongs to DriverFrm service.
  • To update the eSight certificate and password, you need to stop the eSight system, during which the eSight service is unavailable. Stop the system during off-peak hours.
Procedure
  1. Import the CA certificate matching the new certificate to CloudOpera.

    1. Choose System > System Settings > System Access from the main menu.
    2. Choose Certificate Management > Trust Certificate from the navigation pane.
    3. Click Upload on the page displayed.
    4. On the Trust Certificates page, set Service name to Driver, click the File Name text box, and select the certificate file to import.

    5. Click Submit.

      If the system reports that the eSight certificate already exists when you import it, no further import is required.

  2. Check the Connection Status of the interconnected system.

    1. Choose Access Management from the navigation pane.
    2. Click eSight. On the page displayed, test the connectivity.

      If eSight is connected successfully, the certificate was imported successfully. Otherwise, repeat step 1 to reimport the certificate.

Updating the external system ER Trust Certificate and Password for Interconnecting BackendERService with eSight

If the ER certificate is updated, update the ER trust certificate and password on eSight.

Prerequisites
  • The external system ER certificate has been changed.
  • You have obtained the external system ER trust certificate and password.
Context
  • BackendERService is a microservice that belongs to HRS service.
  • The ER trust certificate and password provided by the external system ER are used for HTTPS one-way authentication when eSight accesses the external system.
Procedure

If eSight is a two-node cluster system, perform the following steps to update the external system ER trust certificate and password for interconnecting BackendERService with eSight.

  1. Upload the external system ER trust certificate to eSight active and standby nodes.

    1. Change the name of the obtained external system ER trust certificate to trust.jks.
    2. Upload the renamed external system ER trust certificate to the /opt/eSight/AppBase/etc/ies directory of eSight active and standby nodes as the ossuser user to replace the original file.

  2. Log in to the eSight active and standby nodes as the ossuser user.
  3. Perform the following operations to modify the config.properties file on both the eSight active and standby nodes.

    1. Run the following commands to modify the configuration parameters:

      cd /opt/eSight/AppBase/tools

      ./modifyConfig.sh

      The following information is displayed:

      No    Key                     Value
      1     ER_IP                   192.168.10.12
      2     ER_port                 26330
      3     PmdataNotToDB           false
      4     Performance_Select      true
      5     Alarm_Select            true
      6     ApiGateway_Host_IP      
      7     ApiGateway_Host_Port    
      8     ApiGateway_StandBy_IP   
      9     ApiGateway_StandBy_Port 
      10    ApiGateway_Retry_Times  
      11    eSight_Token_Name       
      12    eSight_Token_Value      
      13    ApiGateway_Token_Time   
      14    KeyStorePath            /opt/eSight/AppBase/etc/ies/server.p12
      15    KeyStorePwd             9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      16    TrustStorePath          /opt/eSight/AppBase/etc/ies/trust.jks
      17    TrustStorePwd           
      Please input the number of key(q to quit):
    2. Enter the sequence number (that is, 17) of the TrustStorePwd parameter and press Enter. The following information is displayed:
      Please input the value of TrustStorePwd(q to cancel):
    3. Enter the value (that is, the password of trust.jks certificate) of the TrustStorePwd parameter and press Enter.

      The corresponding Value column of TrustStorePwd shows the entered value, indicating that the configuration is successful, as follows:

      No    Key                     Value
      1     ER_IP                   192.168.10.12
      2     ER_port                 26330
      3     PmdataNotToDB           false
      4     Performance_Select      true
      5     Alarm_Select            true
      6     ApiGateway_Host_IP      
      7     ApiGateway_Host_Port    
      8     ApiGateway_StandBy_IP   
      9     ApiGateway_StandBy_Port 
      10    ApiGateway_Retry_Times  
      11    eSight_Token_Name       
      12    eSight_Token_Value      
      13    ApiGateway_Token_Time   
      14    KeyStorePath            /opt/eSight/AppBase/etc/ies/server.p12
      15    KeyStorePwd             9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      16    TrustStorePath          /opt/eSight/AppBase/etc/ies/trust.jks
      17    TrustStorePwd           9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      Please input the number of key(q to quit):
    4. Enter q to save the modification and exit.

  4. Restart eSight to make the configuration take effect.

If eSight is a single-node system, perform the following steps to update the external system ER trust certificate and password for interconnecting BackendERService with eSight.

  1. Upload the external system ER trust certificate to eSight node.

    1. Change the name of the obtained external system ER trust certificate to trust.jks.
    2. Upload the renamed external system ER trust certificate to the /opt/eSight/AppBase/etc/ies directory of eSight node as the ossuser user to replace the original file.

  2. Log in to the eSight node as the ossuser user.
  3. Perform the following operations to modify the config.properties file on the eSight node.

    1. Run the following commands to modify the configuration parameters:

      cd /opt/eSight/AppBase/tools

      ./modifyConfig.sh

      The following information is displayed:

      No    Key                     Value
      1     ER_IP                   192.168.10.12
      2     ER_port                 26330
      3     PmdataNotToDB           false
      4     Performance_Select      true
      5     Alarm_Select            true
      6     ApiGateway_Host_IP      
      7     ApiGateway_Host_Port    
      8     ApiGateway_StandBy_IP   
      9     ApiGateway_StandBy_Port 
      10    ApiGateway_Retry_Times  
      11    eSight_Token_Name       
      12    eSight_Token_Value      
      13    ApiGateway_Token_Time   
      14    KeyStorePath            /opt/eSight/AppBase/etc/ies/server.p12
      15    KeyStorePwd             9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      16    TrustStorePath          /opt/eSight/AppBase/etc/ies/trust.jks
      17    TrustStorePwd           
      Please input the number of key(q to quit):
    2. Enter the sequence number (that is, 17) of the TrustStorePwd parameter and press Enter. The following information is displayed:
      Please input the value of TrustStorePwd(q to cancel):
    3. Enter the value (that is, the password of trust.jks certificate) of the TrustStorePwd parameter and press Enter.

      The corresponding Value column of TrustStorePwd shows the entered value, indicating that the configuration is successful, as follows:

      No    Key                     Value
      1     ER_IP                   192.168.10.12
      2     ER_port                 26330
      3     PmdataNotToDB           false
      4     Performance_Select      true
      5     Alarm_Select            true
      6     ApiGateway_Host_IP      
      7     ApiGateway_Host_Port    
      8     ApiGateway_StandBy_IP   
      9     ApiGateway_StandBy_Port 
      10    ApiGateway_Retry_Times  
      11    eSight_Token_Name       
      12    eSight_Token_Value      
      13    ApiGateway_Token_Time   
      14    KeyStorePath            /opt/eSight/AppBase/etc/ies/server.p12
      15    KeyStorePwd             9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      16    TrustStorePath          /opt/eSight/AppBase/etc/ies/trust.jks
      17    TrustStorePwd           9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      Please input the number of key(q to quit):
    4. Enter q to save the modification and exit.

  4. Restart eSight to make the configuration take effect.
Updating the Certificate and Password for Interconnecting BackendERService with eSight

The eSight certificate and password are used for authentication when BackendERService accesses eSight using HTTPS. It is recommended that you update the eSight certificate and password periodically to ensure system security.

Prerequisites

You have applied for peer-end certificates from the Certificate Authority (CA).

Context

BackendERService is a microservice that belongs to HRS service.

Procedure

If eSight is a two-node cluster system, perform the following steps to update the certificate and password for interconnecting BackendERService with eSight.

  1. Upload the eSight certificate to eSight active and standby nodes.

    1. Change the name of the obtained eSight certificate to server.p12.
    2. Upload the renamed eSight certificate to the /opt/eSight/AppBase/etc/ies directory of eSight active and standby nodes as the ossuser user to replace the original eSight certificate.

  2. Log in to the eSight active and standby nodes as the ossuser user.
  3. Perform the following operations to modify the config.properties file on both the eSight active and standby nodes.

    1. Run the following commands to modify the configuration parameters:

      cd /opt/eSight/AppBase/tools

      ./modifyConfig.sh

      The following information is displayed:

      No    Key                     Value
      1     ER_IP                   192.168.10.12
      2     ER_port                 26330
      3     PmdataNotToDB           false
      4     Performance_Select      true
      5     Alarm_Select            true
      6     ApiGateway_Host_IP      
      7     ApiGateway_Host_Port    
      8     ApiGateway_StandBy_IP   
      9     ApiGateway_StandBy_Port 
      10    ApiGateway_Retry_Times  
      11    eSight_Token_Name       
      12    eSight_Token_Value      
      13    ApiGateway_Token_Time   
      14    KeyStorePath            /opt/eSight/AppBase/etc/ies/server.p12
      15    KeyStorePwd             
      16    TrustStorePath          /opt/eSight/AppBase/etc/ies/trust.jks
      17    TrustStorePwd           9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      Please input the number of key(q to quit):
    2. Enter the sequence number (that is, 15) of the KeyStorePwd parameter and press Enter. The following information is displayed:
      Please input the value of KeyStorePwd(q to cancel):
    3. Enter the value (that is, the password of server.p12 certificate) of the KeyStorePwd parameter and press Enter.

      The corresponding Value column of KeyStorePwd shows the entered value, indicating that the configuration is successful, as follows:

      No    Key                     Value
      1     ER_IP                   192.168.10.12
      2     ER_port                 26330
      3     PmdataNotToDB           false
      4     Performance_Select      true
      5     Alarm_Select            true
      6     ApiGateway_Host_IP      
      7     ApiGateway_Host_Port    
      8     ApiGateway_StandBy_IP   
      9     ApiGateway_StandBy_Port 
      10    ApiGateway_Retry_Times  
      11    eSight_Token_Name       
      12    eSight_Token_Value      
      13    ApiGateway_Token_Time   
      14    KeyStorePath            /opt/eSight/AppBase/etc/ies/server.p12
      15    KeyStorePwd             9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      16    TrustStorePath          /opt/eSight/AppBase/etc/ies/trust.jks
      17    TrustStorePwd           9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      Please input the number of key(q to quit):
    4. Enter q to save the modification and exit.

  4. Restart eSight to make the configuration take effect.

If eSight is a single-node system, perform the following steps to update the certificate and password for interconnecting BackendERService with eSight.

  1. Upload the eSight certificate to eSight node.

    1. Change the name of the obtained eSight certificate to server.p12.
    2. Upload the renamed eSight certificate to the /opt/eSight/AppBase/etc/ies directory of eSight node as the ossuser user to replace the original eSight certificate.

  2. Log in to the eSight node as the ossuser user.
  3. Perform the following operations to modify the config.properties file on the eSight node.

    1. Run the following commands to modify the configuration parameters:

      cd /opt/eSight/AppBase/tools

      ./modifyConfig.sh

      The following information is displayed:

      No    Key                     Value
      1     ER_IP                   192.168.10.12
      2     ER_port                 26330
      3     PmdataNotToDB           false
      4     Performance_Select      true
      5     Alarm_Select            true
      6     ApiGateway_Host_IP      
      7     ApiGateway_Host_Port    
      8     ApiGateway_StandBy_IP   
      9     ApiGateway_StandBy_Port 
      10    ApiGateway_Retry_Times  
      11    eSight_Token_Name       
      12    eSight_Token_Value      
      13    ApiGateway_Token_Time   
      14    KeyStorePath            /opt/eSight/AppBase/etc/ies/server.p12
      15    KeyStorePwd             
      16    TrustStorePath          /opt/eSight/AppBase/etc/ies/trust.jks
      17    TrustStorePwd           9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      Please input the number of key(q to quit):
    2. Enter the sequence number (that is, 15) of the KeyStorePwd parameter and press Enter. The following information is displayed:
      Please input the value of KeyStorePwd(q to cancel):
    3. Enter the value (that is, the password of server.p12 certificate) of the KeyStorePwd parameter and press Enter.

      The corresponding Value column of KeyStorePwd shows the entered value, indicating that the configuration is successful, as follows:

      No    Key                     Value
      1     ER_IP                   192.168.10.12
      2     ER_port                 26330
      3     PmdataNotToDB           false
      4     Performance_Select      true
      5     Alarm_Select            true
      6     ApiGateway_Host_IP      
      7     ApiGateway_Host_Port    
      8     ApiGateway_StandBy_IP   
      9     ApiGateway_StandBy_Port 
      10    ApiGateway_Retry_Times  
      11    eSight_Token_Name       
      12    eSight_Token_Value      
      13    ApiGateway_Token_Time   
      14    KeyStorePath            /opt/eSight/AppBase/etc/ies/server.p12
      15    KeyStorePwd             9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      16    TrustStorePath          /opt/eSight/AppBase/etc/ies/trust.jks
      17    TrustStorePwd           9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      Please input the number of key(q to quit):
    4. Enter q to save the modification and exit.

  4. Restart eSight to make the configuration take effect.
Follow-up Procedure

After changing the eSight certificate and password, provide the CA certificate to the BackendERService microservice by uploading it to the node where BackendERService is deployed.

Updating the external system trust.jks Trust Certificate and Password for Interconnecting APIMLBService with eSight

If the trust.jks certificate of external system is updated, update the trust.jks trust certificate and password on eSight.

Prerequisites
  • The external system trust.jks certificate has been changed.
  • You have obtained the external system trust.jks trust certificate and password.
Context
  • APIMLBService provides interfaces for interconnecting external system and eSight.
  • The trust.jks trust certificate and password provided by the external system are used for HTTPS one-way authentication when eSight accesses the external system.
Procedure

If eSight is a two-node cluster system, perform the following steps to update the external system trust.jks trust certificate and password for interconnecting APIMLBService with eSight.

  1. Use FileZilla to upload the external system trust.jks trust certificate to the /opt/eSight/AppBase/etc/ies directory of the eSight active and standby nodes as the ossuser user, replacing the original file.
  2. Use PuTTY to log in to the eSight active and standby nodes as the ossuser user.
  3. Perform the following operations to modify the config.properties file on both the eSight active and standby nodes.

    1. Run the following commands to modify the configuration parameters:

      cd /opt/eSight/AppBase/tools

      ./modifyConfig.sh

      The following information is displayed:

      No    Key                     Value
      1     ER_IP                   192.168.10.12
      2     ER_port                 26330
      3     PmdataNotToDB           false
      4     Performance_Select      true
      5     Alarm_Select            true
      6     ApiGateway_Host_IP      
      7     ApiGateway_Host_Port    
      8     ApiGateway_StandBy_IP   
      9     ApiGateway_StandBy_Port 
      10    ApiGateway_Retry_Times  
      11    eSight_Token_Name       
      12    eSight_Token_Value      
      13    ApiGateway_Token_Time   
      14    KeyStorePath            /opt/eSight/AppBase/etc/ies/server.p12
      15    KeyStorePwd             9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      16    TrustStorePath          /opt/eSight/AppBase/etc/ies/trust.jks
      17    TrustStorePwd           
      Please input the number of key(q to quit):
    2. Enter the sequence number (that is, 17) of the TrustStorePwd parameter and press Enter. The following information is displayed:
      Please input the value of TrustStorePwd(q to cancel):
    3. Enter the value (that is, the password of trust.jks certificate) of the TrustStorePwd parameter and press Enter.

      The corresponding Value column of TrustStorePwd shows the entered value, indicating that the configuration is successful, as follows:

      No    Key                     Value
      1     ER_IP                   192.168.10.12
      2     ER_port                 26330
      3     PmdataNotToDB           false
      4     Performance_Select      true
      5     Alarm_Select            true
      6     ApiGateway_Host_IP      
      7     ApiGateway_Host_Port    
      8     ApiGateway_StandBy_IP   
      9     ApiGateway_StandBy_Port 
      10    ApiGateway_Retry_Times  
      11    eSight_Token_Name       
      12    eSight_Token_Value      
      13    ApiGateway_Token_Time   
      14    KeyStorePath            /opt/eSight/AppBase/etc/ies/server.p12
      15    KeyStorePwd             9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      16    TrustStorePath          /opt/eSight/AppBase/etc/ies/trust.jks
      17    TrustStorePwd           9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      Please input the number of key(q to quit):
    4. Enter q to save the modification and exit.

  4. Restart eSight to make the configuration take effect.

If eSight is a single-node system, perform the following steps to update the external system trust.jks trust certificate and password for interconnecting APIMLBService with eSight.

  1. Use FileZilla to upload the external system trust.jks trust certificate to the /opt/eSight/AppBase/etc/ies directory of the eSight node as the ossuser user, replacing the original file.
  2. Use PuTTY to log in to the eSight node as the ossuser user.
  3. Perform the following operations to modify the config.properties file on the eSight node.

    1. Run the following commands to modify the configuration parameters:

      cd /opt/eSight/AppBase/tools

      ./modifyConfig.sh

      The following information is displayed:

      No    Key                     Value
      1     ER_IP                   192.168.10.12
      2     ER_port                 26330
      3     PmdataNotToDB           false
      4     Performance_Select      true
      5     Alarm_Select            true
      6     ApiGateway_Host_IP      
      7     ApiGateway_Host_Port    
      8     ApiGateway_StandBy_IP   
      9     ApiGateway_StandBy_Port 
      10    ApiGateway_Retry_Times  
      11    eSight_Token_Name       
      12    eSight_Token_Value      
      13    ApiGateway_Token_Time   
      14    KeyStorePath            /opt/eSight/AppBase/etc/ies/server.p12
      15    KeyStorePwd             9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      16    TrustStorePath          /opt/eSight/AppBase/etc/ies/trust.jks
      17    TrustStorePwd           
      Please input the number of key(q to quit):
    2. Enter the sequence number (that is, 17) of the TrustStorePwd parameter and press Enter. The following information is displayed:
      Please input the value of TrustStorePwd(q to cancel):
    3. Enter the value (that is, the password of trust.jks certificate) of the TrustStorePwd parameter and press Enter.

      The corresponding Value column of TrustStorePwd shows the entered value, indicating that the configuration is successful, as follows:

      No    Key                     Value
      1     ER_IP                   192.168.10.12
      2     ER_port                 26330
      3     PmdataNotToDB           false
      4     Performance_Select      true
      5     Alarm_Select            true
      6     ApiGateway_Host_IP      
      7     ApiGateway_Host_Port    
      8     ApiGateway_StandBy_IP   
      9     ApiGateway_StandBy_Port 
      10    ApiGateway_Retry_Times  
      11    eSight_Token_Name       
      12    eSight_Token_Value      
      13    ApiGateway_Token_Time   
      14    KeyStorePath            /opt/eSight/AppBase/etc/ies/server.p12
      15    KeyStorePwd             9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      16    TrustStorePath          /opt/eSight/AppBase/etc/ies/trust.jks
      17    TrustStorePwd           9d7961bc8af54d05ce509e03b13ffce3abc7587373e7719b62555fd5aff9908d
      Please input the number of key(q to quit):
    4. Enter q to save the modification and exit.

  4. Restart eSight to make the configuration take effect.
Updated: 2019-08-03

Document ID: EDOC1100044373