HUAWEI CLOUD Stack 6.5.0 Alarm and Event Reference 04
Replacing the SCC-DB Node Certificate

Scenarios

SSL certificates authenticate the internal communication between the active and standby SCC-DB nodes and the connections from services to SCC-DB. To keep the system secure, replace the certificates before the services are installed for the first time and again before the certificates expire. One replacement covers both nodes: when the database certificates need replacing, perform the procedure once, on both SCC-DB01 and SCC-DB02.

Impact on the System

The database service must be restarted during the replacement, so it is unavailable for the duration of the procedure. Replacing the database certificates of a single service takes about 5 minutes.

Prerequisites

  • You have obtained the IP addresses of the active and standby database nodes of the corresponding services.
  • You have obtained the certificates to be installed. If you have not obtained them yet, you can temporarily use the default certificates released with GaussdbHA; because those are shipped with the package rather than generated for your site, replace them with your own certificates as soon as they are available.

    One set of certificates must contain the following files:

    • cacert.pem: the root CA certificate that issued the server and client certificates.
    • server.crt: the server certificate.
    • server.key: the server private key.
    • client.crt: the client certificate.
    • client.key: the client private key.
  • You have obtained the other information about the certificates, listed as variables in Table 11-1. The variables are used in subsequent steps and must be replaced with the actual site values.
Table 11-1 Variable description

Variable             Description                                                               Example Value
-------------------  ------------------------------------------------------------------------  --------------------
CERT_PATH            Temporary directory on each node into which the new certificates are     /home/sccadmin/certs
                     uploaded. Make sure the upload user can write to it.
CERT_CN              Common Name (CN) in the subject of the server and client certificates,   www.huawei.com
                     as set when the certificates were generated. The replacement step
                     configures repl_force_cert_check to expect this CN in the replication
                     peer's certificate, so it must match the certificates exactly.
CERT_CLIENT_KEY_PWD  Passphrase protecting the client private key (client.key). May be empty.  FusionSphere123
CERT_SERVER_KEY_PWD  Passphrase protecting the server private key (server.key). May be empty.  FusionSphere123

  • A remote access tool such as PuTTY is available.
  • A file transfer tool such as WinSCP is available.
  • You have obtained the password of the user that installed the database and the password of user root.
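Before uploading a set, it is worth confirming that the five files actually belong together: each certificate must chain to cacert.pem, each private key must match its certificate, both certificates must carry CERT_CN as their subject CN (the value the replacement step later enforces through repl_force_cert_check), the keys must open with CERT_SERVER_KEY_PWD and CERT_CLIENT_KEY_PWD, and nothing should be close to expiry. The following script is an added example written for this page; it is not part of GaussdbHA or HUAWEI CLOUD Stack. It assumes the openssl command-line tool is installed on the machine doing the check. The make_demo_certs function builds a throwaway self-signed set (constructed demo data, not real site certificates) so the check can be exercised offline.

```shell
#!/bin/sh
# Added example for this page, not GaussdbHA or HUAWEI CLOUD Stack code:
# pre-flight checks for a certificate set (cacert.pem, server.crt, server.key,
# client.crt, client.key) before it is uploaded to CERT_PATH.
# Assumes the openssl command-line tool is installed. The CN requirement
# follows the replacement step on the page, which configures
# repl_force_cert_check with repl_All_peer_cn=CERT_CN.

# Print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check one certificate/key pair.
# $1 = directory, $2 = file prefix (server or client), $3 = expected CN,
# $4 = private-key passphrase ("" for an unencrypted key),
# $5 = minimum remaining lifetime in days
check_pair() {
    d=$1; name=$2; cn=$3; min_days=$5
    # The passphrase reaches openssl through the environment, not the command line.
    CHECK_PWD=$4; export CHECK_PWD

    openssl verify -CAfile "$d/cacert.pem" "$d/$name.crt" >/dev/null 2>&1 ||
        { echo "$name.crt is not issued by cacert.pem" >&2; return 1; }

    cert_pub=$(openssl x509 -noout -pubkey -in "$d/$name.crt") || return 1
    key_pub=$(openssl pkey -pubout -passin env:CHECK_PWD -in "$d/$name.key" 2>/dev/null) ||
        { echo "$name.key cannot be opened (wrong passphrase?)" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "$name.key does not belong to $name.crt" >&2; return 1; }

    actual=$(cert_cn "$d/$name.crt")
    [ "$actual" = "$cn" ] ||
        { echo "$name.crt has CN '$actual', expected '$cn'" >&2; return 1; }

    openssl x509 -noout -checkend $((min_days * 86400)) -in "$d/$name.crt" >/dev/null ||
        { echo "$name.crt expires within $min_days days" >&2; return 1; }
}

# Check a complete set and print the server certificate fingerprint.
# $1 = CERT_PATH, $2 = CERT_CN, $3 = CERT_SERVER_KEY_PWD,
# $4 = CERT_CLIENT_KEY_PWD, $5 = minimum remaining days (default 30)
check_cert_set() {
    for f in cacert.pem server.crt server.key client.crt client.key; do
        [ -f "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
    check_pair "$1" server "$2" "$3" "${5:-30}" || return 1
    check_pair "$1" client "$2" "$4" "${5:-30}" || return 1
    openssl x509 -noout -fingerprint -sha256 -in "$1/server.crt"
}

# Build a throwaway set (constructed demo data: unencrypted keys, 2-day
# validity) so the check can be exercised without real certificates.
make_demo_certs() {
    d=$1; cn=$2
    cat >"$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -config "$d/demo.cnf" \
        -keyout "$d/ca.key" -out "$d/cacert.pem" 2>/dev/null
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" -config "$d/demo.cnf" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -sha256 -days 2 -in "$d/$name.csr" -CA "$d/cacert.pem" \
            -CAkey "$d/ca.key" -CAcreateserial -out "$d/$name.crt" 2>/dev/null
    done
}

# Stand-alone demo: generate a set and check it with a 1-day minimum lifetime.
demo=$(mktemp -d)
make_demo_certs "$demo" www.huawei.com
check_cert_set "$demo" www.huawei.com "" "" 1 && echo "demo set OK"
rm -rf "$demo"
```

Against a real set, run check_cert_set with CERT_PATH, CERT_CN, CERT_SERVER_KEY_PWD and CERT_CLIENT_KEY_PWD as the four arguments before uploading anything. The SHA-256 fingerprint it prints is the value to compare against the certificate the database presents once it has been restarted.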

Procedure

  1. Check the current database version.

    1. Use PuTTY to log in to the SCC-GuassDB-FusionGuard01 management VM using the IP address of SCC-DB01.

      Default username: sccadmin; default password: Scloud12#$

    2. Run the following command and enter the root password (default Cloud12#$) to switch to user root:

      sudo su - root

    3. Run the following command so that the session is not logged out on idle timeout:

      TMOUT=0

    4. Run the following command to query the database version and check whether the current version supports certificate replacement:

      cat /opt/gaussdb/version.json

      [root@APPDB01 ~]# cat /opt/gaussdb/version.json 
      {
          "package_name": "GaussdbHA", 
          "package_type": "3rd", 
          "release_version": "1.2.7", 
          "release_date": "2019-04-29 15:16:22", 
          "release_note": { 
              "playbook": {
                  "playbook_package_name": "gaussdb-ha-deploy-1.2.7.tar.gz"
              }, 
              "components": {
                  "Gaussdb": "GaussDBV100R003C10SPC107", 
                  "HA": "HA-1.1.8.8"
              }
          }
      }
      
      NOTE:

      Currently, only release_version 1.1.9 and later support certificate replacement.

  2. Upload the certificates and stop the database service.

    1. Run the following commands on both database nodes in turn to create a temporary directory for the new certificates:

      Set CERT_PATH to the value planned in Prerequisites. The upload user must be able to write to the directory.

      • CERT_PATH='/home/sccadmin/certs'
      • mkdir -p $CERT_PATH
      • chmod 777 $CERT_PATH

      NOTE:

      Mode 777 makes the staging directory readable and writable by every local user while the private keys are in it. Upload the files immediately before the replacement and do not skip the deletion of the directory at the end of this procedure. If the upload is done as sccadmin, giving sccadmin ownership of the directory with mode 700 is a tighter alternative.
    2. Use a file transfer tool such as WinSCP to upload the certificate files to the directory created in 2.1 (/home/sccadmin/certs in the example).
    3. Run the following command on both database nodes to confirm which is the active and which is the standby node:

      service gaussdb query|grep LOCAL_ROLE

      The command output is as follows:

      [root@APPDB01 ~]# service gaussdb query | grep LOCAL_ROLE
      	LOCAL_ROLE                     : Primary
      	LOCAL_ROLE                     : Primary
    NOTE:

    If the command output contains Primary, the database is the active node. If it contains Standby, the database is the standby node.

    4. Run the following commands on the active and standby nodes of the database separately:
      • source /etc/profile
      • haStopAll -a

  3. Replace the certificates on the database nodes.

    1. Run the following commands on both database nodes to replace the certificate files. Set CERT_PATH and CERT_CN to the actual values obtained in Prerequisites. Copy the commands and execute them as one batch:

      # Keep this session's commands out of the shell history file.
      unset HISTFILE

      CERT_PATH='/home/sccadmin/certs'

      CERT_CN='www.huawei.com'

      # Override any interactive "cp -i" alias so the copies below do not prompt.
      alias cp='cp'

      # Back up the current certificate set before removing it.
      mkdir -p /opt/backup/cert_old

      cp -fr /opt/gaussdb/data/certs/* /opt/backup/cert_old/

      rm -rf /opt/gaussdb/data/certs/*

      # Install the new set; the server certificate, server key and CA certificate are also needed in the data directory.
      cp -fr $CERT_PATH/* /opt/gaussdb/data/certs/

      cp /opt/gaussdb/data/certs/server* /opt/gaussdb/data/db/

      cp /opt/gaussdb/data/certs/cacert.pem /opt/gaussdb/data/db/

      # Configure the replication certificate check to expect CERT_CN as the peer certificate CN.
      su - dbadmin -c "gs_guc set -c repl_force_cert_check=\"'repl_All_peer_cn=$CERT_CN'\""

      # The private keys must be owned by dbadmin and readable by nobody else.
      chown dbadmin: /opt/gaussdb/data/certs/ -R

      chmod 700 /opt/gaussdb/data/certs

      chmod 600 /opt/gaussdb/data/certs/*

      NOTE:

      The backup in /opt/backup/cert_old contains the previous private keys; restrict it so that only root can read it. The copies placed in /opt/gaussdb/data/db by the cp commands above do not receive the chown and chmod treatment, so confirm after this step that server.key in that directory is readable only by dbadmin and root.

    2. If the CERT_SERVER_KEY_PWD obtained in Prerequisites is not empty, run the following commands as one batch to generate the server key passphrase files. Enter CERT_SERVER_KEY_PWD when prompted.

      unset HISTFILE

      # Remove stale passphrase files; gs_guc writes fresh ones to /opt/gaussdb/data/db.
      rm -rf /opt/gaussdb/data/db/server.key.rand

      rm -rf /opt/gaussdb/data/db/server.key.cipher

      su - dbadmin -c "gs_guc encrypt -M server -k"

    3. If the CERT_SERVER_KEY_PWD obtained in Prerequisites is not empty, run the following commands as one batch to copy the server key passphrase files into the certificate directory:

      cp /opt/gaussdb/data/db/server.key.cipher /opt/gaussdb/data/certs/

      cp /opt/gaussdb/data/db/server.key.rand /opt/gaussdb/data/certs/

      chown dbadmin: /opt/gaussdb/data/certs/ -R

      chmod 700 /opt/gaussdb/data/certs

      chmod 600 /opt/gaussdb/data/certs/*

    4. If the CERT_CLIENT_KEY_PWD obtained in Prerequisites is not empty, run the following commands as one batch to generate the client key passphrase files. Enter CERT_CLIENT_KEY_PWD when prompted.

      unset HISTFILE

      rm -rf /opt/gaussdb/data/db/client.key.rand

      rm -rf /opt/gaussdb/data/db/client.key.cipher

      su - dbadmin -c "gs_guc encrypt -M client -k"

    5. If the CERT_CLIENT_KEY_PWD obtained in Prerequisites is not empty, run the following commands as one batch to move the client key passphrase files into the certificate directory. Unlike the server files, the client files are removed from the data directory afterwards:

      cp /opt/gaussdb/data/db/client.key.rand /opt/gaussdb/data/certs/

      cp /opt/gaussdb/data/db/client.key.cipher /opt/gaussdb/data/certs/

      rm -rf /opt/gaussdb/data/db/client.key.rand

      rm -rf /opt/gaussdb/data/db/client.key.cipher

      chown dbadmin: /opt/gaussdb/data/certs/ -R

      chmod 700 /opt/gaussdb/data/certs

      chmod 600 /opt/gaussdb/data/certs/*

  4. Restart the database service.

    1. Run the following commands in sequence on the active and standby database nodes separately:
      • source /etc/profile
      • haStartAll -a
    2. Run the following commands in sequence on the active database node to check that the database is healthy after the certificate replacement:
      • source /etc/profile
      • service had query

      The command output is as follows:

      [root@APPDB01 ~]# service had query
      NODE                   ROLE           PHASE           RESS            VER             START          
      APPDB01(APPDB01)       active         Actived         normal          V100R001C01     2019-05-07 12:08:10
      APPDB02(APPDB02)       standby        Deactived       normal          V100R001C01     2019-05-07 12:09:17
      
      --------------------------------------------------------------------------------------------------------
                             ID    RES                      STAT            RET             TYPE           
      APPDB01(APPDB01):      1     exfloatip                Normal          Normal          Single_active  
                             2     gaussDB                  Normal          Active_normal   Active_standby 
      
      APPDB02(APPDB02):      1     exfloatip                Normal          Abnormal        Single_active  
                             2     gaussDB                  Normal          Standby_normal  Active_standby
      • service gaussdb query

      The command output is as follows:

      [root@APPDB01 ~]# service gaussdb query
       Ha state:           
      	LOCAL_ROLE                     : Primary
      	STATIC_CONNECTIONS             : 1
      	DB_STATE                       : Normal
      	DETAIL_INFORMATION             : Normal
      
       Senders info:       
      	SENDER_PID                     : 32344
      	LOCAL_ROLE                     : Primary
      	PEER_ROLE                      : Standby
      	PEER_STATE                     : Normal
      	STATE                          : streaming
      	SENDER_SENT_LOCATION           : 1/1BCD6C38
      	SENDER_WRITE_LOCATION          : 1/1BCD6C38
      	SENDER_FLUSH_LOCATION          : 1/1BCD6C38
      	SENDER_REPLAY_LOCATION         : 1/1BCD6C38
      	RECEIVER_RECEIVED_LOCATION     : 1/1BCD6C38
      	RECEIVER_WRITE_LOCATION        : 1/1BCD6C38
      	RECEIVER_FLUSH_LOCATION        : 1/1BCD6C38
      	RECEIVER_REPLAY_LOCATION       : 1/1BCD6B10
      	SYNC_PERCENT                   : 99%
      	SYNC_STATE                     : async
      	SYNC_PRIORITY                  : 0
      	CHANNEL                        : 24.63.185.101:15210 -->24.63.185.102:46550
      
       Receiver info:      
      	No information 

      If the command output similar to the preceding is displayed, the database service is normal after the certificate is replaced.

  5. Run the following command on the active and standby database nodes separately to delete the uploaded certificate files (use the CERT_PATH planned in Prerequisites; /home/sccadmin/certs is the example value):

    rm -rf /home/sccadmin/certs

    NOTE:

    The backup of the previous certificate set in /opt/backup/cert_old is not removed by this procedure. It contains the old private keys, so keep it readable by root only, and delete it once the new certificates have been confirmed working and are no longer needed for a rollback.
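The file handling in the replacement step (back up the old set, install the new one, copy the server certificate, server key and CA certificate into the data directory, then fix ownership and permissions) is easy to leave half-done if one command fails, and the procedure above offers no rollback. The following functions are an added example written for this page, not GaussdbHA code: they perform the same file operations with the directories, owner and backup location as parameters, verify the resulting permissions, and restore the previous set from the backup. The page's values for the parameters are /opt/gaussdb/data/certs, /opt/gaussdb/data/db, /opt/backup/cert_old and owner dbadmin. The gs_guc setting and the passphrase files are deliberately left to the page's own steps. The demo at the end runs on a scratch directory with constructed placeholder files, which is also how the functions can be tried without touching a database.

```shell
#!/bin/sh
# Added example for this page (not GaussdbHA code): replace a GaussDB
# certificate set with a backup and a rollback path. The directories are
# parameters; on the page they are CERT_PATH, /opt/gaussdb/data/certs,
# /opt/gaussdb/data/db, /opt/backup/cert_old, and the owner is dbadmin.
# The gs_guc repl_force_cert_check setting and the server/client passphrase
# files are not handled here; run those steps exactly as the page shows.

CERT_FILES="cacert.pem server.crt server.key client.crt client.key"

# The certificate directory must be mode 700 and every file in it mode 600.
# $1 = certificate directory
check_cert_perms() {
    bad=$(find "$1" -prune ! -perm 700 -print; find "$1" -type f ! -perm 600 -print)
    [ -z "$bad" ] || { echo "wrong permissions on: $bad" >&2; return 1; }
}

# Back up the current set, then install the new one.
# $1 = CERT_PATH (uploaded files), $2 = certificate dir, $3 = data dir,
# $4 = backup dir, $5 = owner for chown ("" skips chown, e.g. when testing)
install_cert_set() {
    src=$1; certs=$2; db=$3; backup=$4; owner=$5
    for f in $CERT_FILES; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    # The backup holds the old private keys: make it readable by its owner only.
    mkdir -p "$backup" && chmod 700 "$backup" || return 1
    if [ -d "$certs" ]; then
        cp -pr "$certs"/. "$backup"/ || return 1
    fi
    rm -rf "$certs" && mkdir -p "$certs" && cp -p "$src"/* "$certs"/ || return 1
    # As on the page, the server certificate, server key and CA certificate
    # also go into the data directory.
    mkdir -p "$db" && cp -p "$certs"/server* "$certs"/cacert.pem "$db"/ || return 1
    [ -z "$owner" ] || chown -R "$owner": "$certs" || return 1
    chmod 700 "$certs" && chmod 600 "$certs"/* || return 1
    check_cert_perms "$certs"
}

# Undo install_cert_set: restore the backed-up set and the data-directory copies.
# $1 = backup dir, $2 = certificate dir, $3 = data dir, $4 = owner ("" skips chown)
rollback_cert_set() {
    backup=$1; certs=$2; db=$3; owner=$4
    [ -d "$backup" ] || { echo "no backup in $backup" >&2; return 1; }
    rm -rf "$certs" && mkdir -p "$certs" && cp -pr "$backup"/. "$certs"/ || return 1
    # Drop the copies the install placed in the data directory and put back
    # whatever the previous set contained.
    rm -f "$db"/server* "$db"/cacert.pem
    for f in "$certs"/server* "$certs"/cacert.pem; do
        [ -f "$f" ] || continue
        cp -p "$f" "$db"/ || return 1
    done
    [ -z "$owner" ] || chown -R "$owner": "$certs" || return 1
    chmod 700 "$certs" || return 1
    for f in "$certs"/*; do
        [ -e "$f" ] && { chmod 600 "$f" || return 1; }
    done
    check_cert_perms "$certs"
}

# Stand-alone demo on a scratch tree with constructed placeholder files.
demo=$(mktemp -d)
mkdir -p "$demo/upload" "$demo/certs" "$demo/db"
for f in $CERT_FILES; do printf 'new %s\n' "$f" >"$demo/upload/$f"; done
printf 'old key\n' >"$demo/certs/server.key"
install_cert_set "$demo/upload" "$demo/certs" "$demo/db" "$demo/backup" "" &&
    rollback_cert_set "$demo/backup" "$demo/certs" "$demo/db" "" &&
    echo "install and rollback OK"
rm -rf "$demo"
```

On a real node the calls are install_cert_set "$CERT_PATH" /opt/gaussdb/data/certs /opt/gaussdb/data/db /opt/backup/cert_old dbadmin, followed by the page's gs_guc and passphrase steps, and rollback_cert_set /opt/backup/cert_old /opt/gaussdb/data/certs /opt/gaussdb/data/db dbadmin if the restart shows the database is not healthy. Because the page's own steps copy the .cipher and .rand passphrase files into the certificate directory, a backup taken after a previous replacement contains them as well, and the rollback restores them together with the old certificates.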

Updated: 2019-08-30

Document ID: EDOC1100062365