
eSight V300R010C00 Maintenance Guide 07

Deploying OMMHA Security Certificates

Updating the OMMHA Certificate

This topic describes how to replace or change the password of the OMMHA certificate.

Context
  • Certificate introduction

    | Certificate                           | Function                                                              | Name        | Path                                  |
    |---------------------------------------|-----------------------------------------------------------------------|-------------|---------------------------------------|
    | Root certificate                      | Used to issue server certificates.                                    | root-ca.crt | /opt/ommha/ha/local/cert/root-ca.crt  |
    | Private key of the root certificate   | Used to issue (sign) server certificates.                             | root-ca.pem | /opt/ommha/ha/local/cert/root-ca.pem  |
    | Server certificate                    | Used for SSL communication between the active and standby servers.    | server.crt  | /opt/ommha/ha/local/cert/server.crt   |
    | Private key of the server certificate | Used for SSL communication between the active and standby servers.    | server.pem  | /opt/ommha/ha/local/cert/server.pem   |

  • Certificate restrictions
    • Certificate parameters are validated during authentication, so the common-name and the IP/DNS fields of the server certificate cannot be set arbitrarily. Set both to the heartbeat IP address of the local server.
    • The server certificates on the active and standby eSight servers must be issued by the same root certificate.
    • The initial OMMHA certificate password is a random password generated during installation.
Replacing the Certificate

In the OMMHA scenario, you can replace the SSL certificate with one issued by your own root certificate.

  1. Log in to the standby server as the root user.
    NOTE:

    If SUSE Linux has been hardened, log in remotely as ossuser and then switch to the root user.

  2. Copy the root certificate, private key of the root certificate, server certificate, and private key of the server certificate to the /opt/ommha/ha/local/cert/ directory on the server.
  3. Run the following commands to set the file attributes:

    # chown ossuser:ossgroup /opt/ommha/ha/local/cert/*

    # chmod 640 /opt/ommha/ha/local/cert/*

  4. Run the following commands to set the environment variables:

    # su - ossuser

    > cd /opt/ommha/ha/module/hacom/tools

    > export LD_LIBRARY_PATH=/opt/ommha/ha/tools/lib

  5. Run the following command to obtain the encrypted form of the server certificate password. The password Changeme_123 is used only as an example; use the real password. Because the plaintext password is passed as a command-line argument, it is visible in the process list while key-tool runs and is recorded in the shell history of ossuser, so remove that history entry afterwards.

    > ./key-tool -e Changeme_123

    Information similar to the following is displayed:

    Updated key component success. 
    Encrypted password : GQiANGZ7/3RweeZ4XTi6Mll7fH/24IfXnh5cogHRlxw=
  6. Run the following commands to configure the certificate:

    > cd /opt/ommha/ha/module/hacom/script

    > ./config_ha.sh -S ssl=true,twoway=true,keypass=GQiANGZ7/3RweeZ4XTi6Mll7fH/24IfXnh5cogHRlxw=

    GQiANGZ7/3RweeZ4XTi6Mll7fH/24IfXnh5cogHRlxw= is the encrypted password obtained in step 5.

  7. Run the following commands to stop the standby server:

    > cd /opt/ommha/ha/bin

    > ./stop.sh

  8. Repeat steps 1 to 6 on the active server.
  9. Run the following commands to restart the active server.

    > cd /opt/ommha/ha/bin

    > ./stop.sh

    After the active server is stopped, run the following command to start it:

    > ./start.sh

  10. Log in to the standby server as the ossuser user.
  11. In the /opt/ommha/ha/bin directory, run the following command to start the standby server.

    > ./start.sh
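The certificate restrictions above and step 3 of the procedure say what a valid deployment looks like but give no way to check one before the HA module is restarted. The following added example, which is not part of the eSight guide or OMMHA's own tooling, issues a root CA and a server certificate that meet the restrictions (CN and IP subject alternative name equal to the heartbeat IP, both nodes' certificates chained to the same root), protects server.pem with the password that key-tool -e later encrypts, applies the 0640 mode from step 3, and then verifies the result with openssl. Assumptions: openssl is installed, 192.0.2.10 is a made-up heartbeat IP, the output directory stands in for /opt/ommha/ha/local/cert, the chown to ossuser:ossgroup is omitted because that user exists only on an eSight host, and root-ca.pem is stored unencrypted since the guide does not say how OMMHA protects it.

```shell
#!/bin/sh
# Added example for this guide, not eSight/OMMHA code. Assumes openssl is
# installed; 192.0.2.10 and the output directory are illustrative.
set -eu

# make_ommha_certs DIR HEARTBEAT_IP KEYPASS
make_ommha_certs() {
    dir=$1; hb_ip=$2; keypass=$3
    mkdir -p "$dir"

    # Root CA: self-signed, CA:TRUE, used only to issue server certificates.
    # The same root-ca.crt must be installed on both HA nodes.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = OMMHA Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
        -keyout "$dir/root-ca.pem" -out "$dir/root-ca.crt" 2>/dev/null

    # Server key and CSR: the CN is the heartbeat IP of this node.
    cat > "$dir/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $hb_ip
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
        -keyout "$dir/server-plain.pem" -out "$dir/server.csr" 2>/dev/null

    # Issue the server certificate from the root; the IP SAN is the heartbeat IP too.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$hb_ip" > "$dir/server-ext.cnf"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/root-ca.crt" -CAkey "$dir/root-ca.pem" \
        -CAcreateserial -days 825 -extfile "$dir/server-ext.cnf" -out "$dir/server.crt" 2>/dev/null

    # Protect server.pem with the password that key-tool -e encrypts for
    # config_ha.sh (keypass=...), then remove the plaintext copy.
    openssl pkey -in "$dir/server-plain.pem" -aes-256-cbc -passout "pass:$keypass" \
        -out "$dir/server.pem"
    rm -f "$dir/server-plain.pem" "$dir/server.csr"

    # Step 3 of the guide (chown ossuser:ossgroup omitted outside an eSight host).
    chmod 640 "$dir"/*
}

# verify_ommha_cert DIR HEARTBEAT_IP: prints "ok" when server.crt chains to
# root-ca.crt, its CN and IP SAN equal HEARTBEAT_IP, and all key/cert files
# are mode 0640; otherwise prints the first failing check.
verify_ommha_cert() {
    dir=$1; hb_ip=$2
    openssl verify -CAfile "$dir/root-ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo bad-chain; return 0; }
    cn=$(openssl x509 -in "$dir/server.crt" -noout -subject -nameopt RFC2253 \
         | sed 's/.*CN=//; s/,.*//')
    [ "$cn" = "$hb_ip" ] || { echo bad-cn; return 0; }
    openssl x509 -in "$dir/server.crt" -noout -text \
        | grep -qE "IP Address:$hb_ip(,|[[:space:]]|\$)" || { echo bad-san; return 0; }
    if find "$dir" -type f \( -name '*.pem' -o -name '*.crt' \) ! -perm 640 | grep -q .; then
        echo bad-perms; return 0
    fi
    echo ok
}

# Usage on a node whose heartbeat IP is 192.0.2.10:
#   make_ommha_certs ./cert 192.0.2.10 'Changeme_123'
#   verify_ommha_cert ./cert 192.0.2.10
```

Run verify_ommha_cert against the four files on each node before stopping the HA module; a result of bad-cn or bad-san on one node means that node's certificate was issued for the other node's heartbeat IP, and bad-chain means the two nodes are not using the same root certificate.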

Changing the Certificate Password
  1. Log in to the active eSight server as the root user.
    NOTE:

    If SUSE Linux has been hardened, log in remotely as ossuser and then switch to the root user.

    Run the following commands to enable SSH remote login for the root user (the script in step 2 asks for the standby server's root password, see step 3):

    # cd /opt/ommha/config

    # ./sshdPermitRootLogin.sh -y

  2. Run the following commands to change the OMMHA certificate password:

    # cd /opt/ommha/config

    # chmod u+x create_ommha_cert.sh

    # ./create_ommha_cert.sh

  3. Enter the root user password for the standby server.
    Please input remote root password:
  4. Enter the new password and confirm password of the OMMHA certificate as prompted.
    Please input ommha certificate password:  
    Please input ommha certificate password again:
  5. (Optional) Run the following commands to disable SSH remote login for the root user again.
    NOTE:

    Root SSH login was enabled only for this procedure. To keep the system hardened, disable it again as soon as the certificate password has been changed.

    # cd /opt/ommha/config

    # ./sshdPermitRootLogin.sh -n

Updating the Key for Mutual Trust Between the Active and Standby Servers

In the OMMHA scenario, files are copied between the active and standby servers over SSH, which relies on the mutual trust mechanism (key-based authentication). The passphrase of the private key of the mutual trust key pair can be changed.

Context

Mutual trust between the active and standby servers: running the ssh-keygen command of the SUSE operating system on the active and standby servers generates a key pair on each. After the public key is copied into the .ssh directory of the remote server, accessing the remote server over SSH requires only the passphrase of the private key, not the user password. Changing the user password on the active or standby server therefore does not affect mutual trust. The initial mutual trust passphrase is a random password generated during installation.

Procedure
  1. Log in to the active eSight server as ossuser.
  2. Run the following commands to change the private key password of the mutual trust key pair:

    > cd /opt/eSight/mttools/ha/filecopy

    > sh credit.sh

  3. Enter the heartbeat IP address of the standby server and the ossuser password of the standby server as prompted.

    Please input the IP address for the standby node:  
    Please input the standby node password for ossuser:

  4. Enter the private key password of the new key pair as prompted. The password must contain uppercase letters, lowercase letters, digits, and special characters.

    Please input the password for certificate private key:  
    Please input the password again:  
    build credit...  
    build credit finish.

    If build credit finish is displayed, the password is changed successfully.

  5. Check whether the new mutual trust has taken effect.

    1. Access the standby server using the SSH on the active server.

      > ssh <heartbeat IP address of the standby server>

    2. Enter the private key password of the key pair.
      You are trying to access a restricted zone. Only Authorized Users allowed. 
      Enter passphrase for key '/ossuser/.ssh/id_rsa': 

      If the following information is displayed, you have logged in to the standby server successfully, and mutual trust has taken effect:

      Last login: Fri Jun  2 17:01:47 2017 from 10.137.97.52 
      ossuser@eSightServer1:/ossuser>
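The Context paragraph describes the mechanism (ssh-keygen key pair, public key installed on the remote server, passphrase on the private key) while the procedure shows only the prompts of credit.sh. The following added example, which is not part of the eSight guide and is not what credit.sh does internally, reproduces that mechanism on a single host so the effect of rebuilding trust can be checked: a new passphrase-protected key pair replaces the previous one, its public key replaces the old entry in authorized_keys, and a check confirms that the new passphrase unlocks the key, that the old one no longer does, and that the key fingerprint changed. Assumptions: ssh-keygen is installed, a scratch directory stands in for /ossuser/.ssh on both nodes, the "remote" authorized_keys is a local file, and the key comment ossuser-ha is an illustrative label used to find the entry to replace.

```shell
#!/bin/sh
# Added example for this guide, not eSight/OMMHA code. Assumes ssh-keygen is
# installed; DIR/local stands in for the active node's ~/.ssh and DIR/remote
# for the standby node's ~/.ssh.
set -eu

# build_trust DIR PASSPHRASE: generate a new passphrase-protected key pair and
# install its public key in the (simulated remote) authorized_keys, replacing
# any entry previously installed under the same comment.
build_trust() {
    dir=$1; pass=$2
    mkdir -p "$dir/local" "$dir/remote"
    chmod 700 "$dir/local" "$dir/remote"
    rm -f "$dir/local/id_rsa" "$dir/local/id_rsa.pub"
    ssh-keygen -q -t rsa -b 3072 -N "$pass" -C ossuser-ha -f "$dir/local/id_rsa"
    touch "$dir/remote/authorized_keys"
    # Keep every other entry, drop the old ossuser-ha key, append the new one.
    grep -v ' ossuser-ha$' "$dir/remote/authorized_keys" > "$dir/remote/authorized_keys.new" || true
    cat "$dir/local/id_rsa.pub" >> "$dir/remote/authorized_keys.new"
    mv "$dir/remote/authorized_keys.new" "$dir/remote/authorized_keys"
    chmod 600 "$dir/remote/authorized_keys" "$dir/local/id_rsa"
}

# check_trust DIR PASSPHRASE: prints "ok" when PASSPHRASE unlocks the private
# key and the matching public key is present in authorized_keys; otherwise
# prints "bad-passphrase" or "not-authorized". This is the offline equivalent
# of the ssh login test in step 5 of the procedure.
check_trust() {
    dir=$1; pass=$2
    # ssh-keygen -y derives the public key from the private key; it fails
    # unless the passphrase is correct.
    pub=$(ssh-keygen -y -P "$pass" -f "$dir/local/id_rsa" 2>/dev/null) \
        || { echo bad-passphrase; return 0; }
    keydata=$(printf '%s\n' "$pub" | awk '{print $2}')
    grep -qF "$keydata" "$dir/remote/authorized_keys" || { echo not-authorized; return 0; }
    echo ok
}

# fingerprint DIR: SHA256 fingerprint of the installed public key, so a
# rebuild can be told apart from a passphrase-only change.
fingerprint() {
    ssh-keygen -l -E sha256 -f "$1/local/id_rsa.pub" | awk '{print $2}'
}

# Usage:
#   build_trust ./ha-trust 'New_Pass_2!'
#   check_trust ./ha-trust 'New_Pass_2!'   # prints ok
#   fingerprint ./ha-trust
```

Because a rebuild produces a new key pair, the fingerprint reported before and after differs; if you only want to change the passphrase of an existing key without touching authorized_keys on the peer, ssh-keygen -p does that and leaves the fingerprint unchanged.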

Updated: 2019-06-30

Document ID: EDOC1100044373