eLog V200R007C10 Installation Guide

Describes the installation process of product software. Includes plans, environmental requirements, and procedures for installation, as well as commissioning procedures.

Installing an SSL Certificate on the eLog

When HTTPS is used to log in to the eLog, the browser reports a security certificate issue. To resolve this issue, ask a certificate authority to generate a security certificate file for the eLog, and then import the certificate to the eLog.

Procedure

  1. Use the omm account to log in to the operating system.
  2. Generate a certificate library file.

    1. On the CLI of the server, run the cd /opt/huawei/LogCenter/components/vap/jre/bin command to access the path where the certificate generation tool keytool resides. Replace the installation path in the command with the actual software installation path.
    2. Run the ./keytool -genkey -alias elog -keyalg RSA -keystore elogkeystore command to create a certificate library file. The alias and keystore file name can be modified as required.
    3. Set the keystore password based on prompts.
    4. Enter the first and last names based on prompts.
    5. Enter the organization, city, and province names based on prompts. Enter the country code.
    6. The system generates confirmation information based on the input. If the information is correct, enter y and press Enter.
    7. Set a primary password (the key password that keytool requests for the elog entry) for the certificate library file based on prompts.
      omm@eLogServer:/opt/huawei/LogCenter/components/vap/jre/bin> cd /opt/huawei/LogCenter/components/vap/jre/bin
      omm@eLogServer:/opt/huawei/LogCenter/components/vap/jre/bin> ./keytool -genkey -alias elog -keyalg RSA -keystore elogkeystore
      Enter keystore password:
      Re-enter new password:
      What is your first and last name?
        [Unknown]:  test
      What is the name of your organizational unit?
        [Unknown]:  test
      What is the name of your organization?
        [Unknown]:  test
      What is the name of your City or Locality?
        [Unknown]:  beijing
      What is the name of your State or Province?
        [Unknown]:  beijing
      What is the two-letter country code for this unit?
        [Unknown]:  CN
      Is CN=test, OU=test, O=test, L=beijing, ST=beijing, C=CN correct?
        [no]:  yes
      
      Enter key password for <elog>
              (RETURN if same as keystore password):
      Re-enter new password:
      
      Warning:
      The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore elogkeystore -destkeystore elogkeystore -deststoretype pkcs12".

  3. Export the CSR request file and use this file to obtain the root certificate and authorization reply certificate.

    1. Access the directory where keytool resides and run the ./keytool -certreq -keyalg RSA -alias elog -file dic5.csr -keystore elogkeystore command to generate the request file.
      omm@eLogServer:/opt/huawei/LogCenter/components/vap/jre/bin> ./keytool -certreq -keyalg RSA -alias elog -file dic5.csr -keystore elogkeystore
      Enter keystore password:
      Enter key password for <elog>
      
      Warning:
      The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore elogkeystore -destkeystore elogkeystore -deststoretype pkcs12".
    2. Obtain the request file dic5.csr from /opt/huawei/LogCenter/components/vap/jre/bin and send it to a certificate authority to generate secure and reliable certificate files. The authority sends the root certificate and the authorization reply certificate in reply.

  4. Import the root certificate.

    1. Access the directory where keytool resides and run the ./keytool -import -alias root -keystore elogkeystore -trustcacerts -file rootcert.cer command. In the command, root is the root certificate alias and can be changed as required; elogkeystore is the name of the certificate library file generated in the previous step; rootcert.cer is the name of the root certificate file generated by the authority.
    2. Enter the keystore password as prompted and press Enter. The certificate information is displayed.
    3. If the certificate information is correct, enter y and press Enter. A message is displayed, saying that the certificate information has been added to the certificate library file.

  5. Import the authorization reply certificate.

    1. Access the directory where keytool resides and run the ./keytool -import -alias elog -keystore elogkeystore -file dic5.cer command. elog is the alias that was used to generate the request file; elogkeystore is the name of the certificate library file; dic5.cer is the name of the authorization reply certificate file.
    2. Enter the keystore password as prompted and press Enter. A message is displayed, saying that the certificate has been installed.

  6. Replace the original certificate.

    1. Choose System > Global Configuration > Certificate Management > Local Certificate on the eLog page.
    2. On the Certificate Import page, click Browse, select the certificate path, and enter the certificate file password.

    3. Click OK.

  7. Update the certificate on each collector.

    NOTE:

    In centralized deployment, you also need to update the certificate on the server where the analyzer and collector reside.

    1. Log in to the collector operating system as user omm.
    2. Run the cd /opt/huawei/LogCenter/components/collector/setup/bin command to access the directory where the update tool resides.
    3. Run the ./exportsslcertsfromjks.sh yourpassword command to update the collector certificate. yourpassword indicates the password of the server certificate JKS file.
      omm@eLogServer:/root> cd /opt/huawei/LogCenter/components/collector/setup/bin
      omm@eLogServer:/opt/huawei/LogCenter/components/collector/setup/bin> ./exportsslcertsfromjks.sh test@123
      begin generate ssl key from jks
      
      Warning:
      The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/huawei/LogCenter/etc/cert/formal/serverStore.jks -destkeystore /opt/huawei/LogCenter/etc/cert/formal/serverStore.jks -deststoretype pkcs12".
      KEYSTORE_ALIAS=cis_default
      
      Warning:
      The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/huawei/LogCenter/etc/cert/formal/serverStore.jks -destkeystore /opt/huawei/LogCenter/etc/cert/formal/serverStore.jks -deststoretype pkcs12".
      Generating new PFX Key/Certificate pair
      spawn openssl pkcs12 -inkey /opt/huawei/LogCenter/etc/cert/temp/ssltemp.key -in /opt/huawei/LogCenter/etc/cert/temp/ssltemp.crt -out /opt/huawei/LogCenter/etc/cert/temp/ssltemp.pfx -export
      Enter Export Password:
      Verifying - Enter Export Password:
      spawn openssl pkcs12 -in /opt/huawei/LogCenter/etc/cert/temp/ssltemp.pfx -nocerts -nodes -out /opt/huawei/LogCenter/etc/cert/temp/ssl.key -aes256
      Enter Import Password:
      MAC verified OK
      Enter PEM pass phrase:
      Verifying - Enter PEM pass phrase:
      ssl key generate success.
      end generate ssl key from jks
      begin generate ssl certs from jks
      
      Warning:
      The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/huawei/LogCenter/etc/cert/formal/serverStore.jks -destkeystore /opt/huawei/LogCenter/etc/cert/formal/serverStore.jks -deststoretype pkcs12".
      end generate ssl certs from jks

  8. Restart the eLog analyzer and collectors.
  9. Copy the root certificate file to the client server used to access the eLog and double-click the file for installation. Alternatively, use a browser on the client server to access the eLog and install the certificate on the client server according to What Shall I Do to Prevent the Display of the "Certificate Error" Message When I Use HTTPS to Log In to the eLog?.

Result

After importing the certificate, use the browser to access the eLog. If no certificate error message is displayed, the configuration succeeds.
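
The following check can be run after step 5 to confirm that both imports took effect before the keystore is uploaded in step 6. It is an added example, not part of the original guide: it parses keytool -list -v output, and the function names, the sample listings, and the "Example Root CA" name are constructed for illustration.

```shell
# Classify one alias in `keytool -list -v` output read on stdin. Prints one of:
# missing | trusted | self-signed | ca-signed | chain-incomplete
entry_status() {
    awk -v want="$1" '
        /^Alias name: /               { cur = substr($0, 13); next }
        cur != want                   { next }
        /^Entry type: /               { type = substr($0, 13) }
        /^Certificate chain length: / { len = $4 + 0 }
        /^Certificate\[1\]:/          { first = 1; next }
        /^Certificate\[/              { first = 0 }
        first && /^Owner: /           { owner = substr($0, 8) }
        first && /^Issuer: /          { issuer = substr($0, 9) }
        END {
            if (type == "")                      print "missing"
            else if (type == "trustedCertEntry") print "trusted"
            else if (len >= 2)                   print "ca-signed"
            else if (owner == issuer)            print "self-signed"
            else                                 print "chain-incomplete"
        }'
}
# Succeeds only when steps 4 and 5 both took effect in the listing on stdin.
keystore_ready() {
    listing=$(cat)
    [ "$(printf '%s\n' "$listing" | entry_status root)" = "trusted" ] &&
    [ "$(printf '%s\n' "$listing" | entry_status elog)" = "ca-signed" ]
}
# Constructed, abbreviated sample listings (not captured from a real eLog server).
sample_after_genkey() { cat <<'EOF'
Alias name: elog
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=test, OU=test, O=test, L=beijing, ST=beijing, C=CN
Issuer: CN=test, OU=test, O=test, L=beijing, ST=beijing, C=CN
EOF
}
sample_after_import() { cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Alias name: elog
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=test, OU=test, O=test, L=beijing, ST=beijing, C=CN
Issuer: CN=Example Root CA
Certificate[2]:
Owner: CN=Example Root CA
EOF
}
```

On the server, run ./keytool -list -v -keystore elogkeystore from the keytool directory and pipe its output to keystore_ready. A self-signed result for elog means the keystore still holds only the certificate created by -genkey, so clients would continue to see a certificate error.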

Updated: 2019-04-01

Document ID: EDOC1100073937
