HUAWEI CLOUD Stack 6.5.0 Alarm and Event Reference 04

Replacing the Tomcat Certificate (SCC-Service, SCC-Console, SCC-OM, and SSA-SSAM Nodes)

Scenarios

When SCC-Service, SCC-Console, SCC-OM, and SSA-SSAM nodes are accessed over HTTPS, each node presents an SSL/TLS server certificate so that clients can authenticate it. To keep O&M access secure, replace the certificate at least every three years, and in any case before it expires. Use the following procedure to replace the certificate manually.

Impact on the System

The new certificate takes effect only after Tomcat on the node is restarted (step 23). Services on that node are interrupted during the restart, so replace the certificate on one node at a time.

Prerequisites

  • You have obtained the root certificate, the signed certificate, certificate private key file, and password of the private key file. For example, the root certificate is ca.crt, the signed certificate is server.crt, and the private key file is server.key.
  • You have obtained the management IP addresses of the SCC-Service, SCC-Console, SCC-OM, and SSA-SSAM nodes.
  • A tool for remote access on various platforms, such as PuTTY, is available.
  • You have obtained a file transfer tool, such as WinSCP.
  • You have obtained the passwords of the sccadmin and root users for the target node.
    NOTE:

    The default password of the certificate store shipped with the system is Onframework@szx333. The store that you create in this procedure uses the password that you choose in step 7 (the private key file password), not this default.

Procedure

  1. Use a file transfer tool, such as WinSCP, to upload the ca.crt, server.key, and server.crt files to the /home/sccadmin directory on the node where the certificate is to be replaced.
  2. Use PuTTY to log in to the node where the certificate is to be replaced as the sccadmin user.

    Default username: sccadmin; default password: Scloud12#$

  3. Run the following command and enter the root password (default: Cloud12#$) to switch to the root user:

    sudo su - root

  4. Run the following command to prevent the session from being logged out automatically on idle timeout:

    TMOUT=0

  5. Run the following command to switch to the directory where the certificate is stored:

    cd /home/sccadmin

  6. Run the following command to load the environment variables, including the path to keytool:

    source /etc/profile

  7. Run the following command to generate the new certificate store file server_new.keystore in PKCS#12 format:

    openssl pkcs12 -export -in <certificate file> -inkey <private key file> -out server_new.keystore -name tomcat_server

    Example:

    openssl pkcs12 -export -in server.crt -inkey server.key -out server_new.keystore -name tomcat_server

    If server.key is encrypted, openssl first asks for its passphrase. It then asks for the export password twice; this is the certificate store password. Use the same password as for the private key file: the procedure sets only keystorePass in server.xml (step 19), and Tomcat uses that one password both to open the store and to unlock the key inside it.

  8. Run the following command to import the root certificate into the new store:

    keytool -import -v -trustcacerts -alias ca_root -file <CA certificate file> -keystore server_new.keystore

    For example, run the following command to import ca.crt:

    keytool -import -v -trustcacerts -alias ca_root -file ca.crt -keystore server_new.keystore

    The command output is as follows:

    Enter keystore password:

  9. Enter the certificate store password (the private key file password) and press Enter.
  10. When keytool displays the certificate details and asks whether to trust it, enter yes and press Enter.

    If the following information is displayed, the CA certificate has been imported:

    Certificate was added to keystore
    [Storing server_new.keystore]

  11. Run the following command and enter the certificate store password as prompted to check the contents of the new store:

    keytool -list -v -keystore server_new.keystore

    If the following information is displayed, the store is complete. The two entries are tomcat_server (PrivateKeyEntry: the server certificate with its private key) and ca_root (trustedCertEntry: the root certificate):

    Your keystore contains 2 entries

  12. Back up the current store /opt/tomcat/conf/keystore/server.keystore so that you can roll back if Tomcat fails to start, then run the following command to copy the new store over it (the file is renamed to server.keystore in the process):

    \cp -f server_new.keystore /opt/tomcat/conf/keystore/server.keystore

  13. Run the following commands in sequence to change the certificate store permissions:

    • chmod 600 /opt/tomcat/conf/keystore/server.keystore
    • chown tomcat:cloudgrp /opt/tomcat/conf/keystore/server.keystore

  14. Run the following commands in sequence to delete the uploaded certificate files and the temporary store from the home directory:

    • cd /home/sccadmin
    • rm server_new.keystore ca.crt server.crt server.key

  15. Run the following command to switch to the tomcat user:

    su - tomcat

  16. Run the following commands in sequence to encrypt the certificate store password:

    • cd /opt/tomcat/bin
    • sh kspass.sh -encrypt

    The command output is as follows:

    Please input your password:

    Enter the certificate store password and press Enter. The script prints the password in ciphertext (the ciphertext is generated with random input, so it differs each time the script is run). Copy this ciphertext: it is the value written to server.xml in step 19, so the plaintext password never appears in the configuration file.

  17. Run the following command to open the server.xml file:

    vi /opt/tomcat/conf/server.xml

  18. Enter i to enter the editing mode.
  19. Modify keystorePass in the configuration file.

    Search for Connector whose protocol value is com.huawei.wcc.secas.Http11Protocol or com.huawei.wcc.secas.Http11NioProtocol. Change keystorePass value to the ciphertext of the certificate store password.

  20. Press Esc to exit the editing mode.
  21. Enter :wq and press Enter to save the configuration and exit the editor.
  22. Run the following command to leave the tomcat user shell and return to the root user:

    exit

  23. Run the following command to restart Tomcat:

    systemctl restart systemd-tomcat

    If Tomcat restarts properly and the HTTPS port of the node presents the new certificate, the certificate has been replaced. If Tomcat does not start, check that the ciphertext in server.xml was generated from the same password that was used in step 7 and that the store file is owned by and readable to the tomcat user (step 13).

  24. Repeat steps 1 to 23 on each remaining node, one node at a time.
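The following shell script is an added example; it is not part of the Huawei document and not Huawei's own tooling. It wraps the procedure above with the checks a practitioner wants at three points: before step 7 it confirms that server.crt, server.key and ca.crt belong together and that the certificate is not about to expire; for step 19 it rewrites keystorePass only in the Connector elements whose protocol is com.huawei.wcc.secas.Http11Protocol or com.huawei.wcc.secas.Http11NioProtocol, keeping a backup of server.xml; after step 23 it compares the certificate actually served on the HTTPS port with a fingerprint recorded before step 14 deleted the file. Assumptions not taken from the document: the private key password is exported as KEY_PASS, the host and port are supplied by the caller, and the server.xml fragment used for the demonstration is constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the Huawei document. Assumes the file names from the
# prerequisites (ca.crt, server.crt, server.key) and that the private key password
# is exported as KEY_PASS; the secas protocol names and the kspass.sh ciphertext
# are the ones the procedure itself uses.
set -eu

# Check the new material before building the keystore (step 7). Requires openssl.
preflight_check() {
    cert=$1; key=$2; ca=$3
    : "${KEY_PASS:?export KEY_PASS with the private key password first}"
    # The public key inside the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "$cert does not match $key" >&2; return 1; }
    # The root imported as ca_root in step 8 must actually have signed the server cert.
    openssl verify -CAfile "$ca" "$cert" >/dev/null ||
        { echo "$cert is not signed by $ca" >&2; return 1; }
    # Refuse a certificate that already expires within 30 days (2592000 s).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        { echo "$cert expires within 30 days" >&2; return 1; }
    echo "preflight ok"
}

# Step 19 without hand-editing: rewrite keystorePass only in <Connector> elements
# whose protocol is one of the two secas handlers; other connectors are untouched.
# $1 = server.xml, $2 = ciphertext from kspass.sh (assumed free of backslashes and
# double quotes). Prints how many connectors were updated.
set_keystore_pass() {
    xml=$1; cipher=$2
    cp -p "$xml" "$xml.bak"            # keep a copy for rollback
    awk -v cipher="$cipher" '
        /<Connector/ { inconn = 1; buf = "" }
        inconn {
            buf = buf $0 "\n"          # an element may span several lines
            if ($0 ~ />/) {            # end of the element: decide and flush
                if (buf ~ /protocol="com\.huawei\.wcc\.secas\.Http11(Nio)?Protocol"/ &&
                    match(buf, /keystorePass="[^"]*"/)) {
                    pre = substr(buf, 1, RSTART - 1)
                    post = substr(buf, RSTART + RLENGTH)
                    buf = pre "keystorePass=\"" cipher "\"" post
                }
                printf "%s", buf
                inconn = 0
            }
            next
        }
        { print }
    ' "$xml" > "$xml.tmp" && mv "$xml.tmp" "$xml"
    grep -c "keystorePass=\"$cipher\"" "$xml" || true
}

# After step 23: confirm the listener serves the new certificate. Record the
# fingerprint with "openssl x509 -in server.crt -noout -fingerprint -sha256"
# before step 14 deletes the file and pass it as $3.
served_matches() {
    host=$1; port=$2; expected=$3
    served=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
             openssl x509 -noout -fingerprint -sha256)
    [ "$served" = "$expected" ]
}

# Constructed server.xml fragment for the demonstration (not Huawei's real file).
write_sample_xml() {
    cat > "$1" <<'EOF'
<Service name="Catalina">
  <Connector port="8443" protocol="com.huawei.wcc.secas.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/opt/tomcat/conf/keystore/server.keystore"
             keystorePass="OLDCIPHER" />
  <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol" keystorePass="untouched" />
  <Connector port="8444" protocol="com.huawei.wcc.secas.Http11Protocol" keystorePass="OLDCIPHER" />
</Service>
EOF
}

# Runs the rewrite on the sample: both secas connectors change, the plain one does not.
demo_set_keystore_pass() {
    dir=$(mktemp -d)
    write_sample_xml "$dir/server.xml"
    updated=$(set_keystore_pass "$dir/server.xml" "NEWCIPHER")
    kept=$(grep -c 'keystorePass="untouched"' "$dir/server.xml" || true)
    rm -rf "$dir"
    echo "updated=$updated kept=$kept"
}

demo_set_keystore_pass                 # prints: updated=2 kept=1
# With real files: ./replace_check.sh server.crt server.key ca.crt
if [ $# -eq 3 ]; then preflight_check "$1" "$2" "$3"; fi
```

Run the script with no arguments to see the demonstration on the constructed fragment; run it with the three file names to execute the pre-flight check on real material. The keystorePass edit works on whole Connector elements rather than single lines, so it handles the multi-line layout Tomcat normally uses for SSL connectors and leaves non-secas connectors alone even when they carry a keystorePass attribute of their own.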
Updated: 2019-08-30

Document ID: EDOC1100062365