FusionInsight HD 6.5.0 Administrator Guide 02

Replacing HA Certificates

Scenario

HA certificates encrypt the communication between the active and standby processes and the high availability processes. Replace the HA certificates on the active and standby management nodes of FusionInsight Manager to ensure product security. HA certificate replacement covers the following scenarios:

  • When the cluster is installed for the first time, you need to replace the enterprise certificate.
  • If the enterprise certificate has expired or security hardening is required, you need to replace it with a new certificate.
NOTE:

Replacing HA certificates does not apply to scenarios where active and standby management nodes are not installed.

The certificate file and key file can be applied for from the enterprise certificate administrator or generated by the system administrator.

Impact on the System

The FusionInsight Manager system must be restarted during the replacement and cannot be accessed or provide services.

Prerequisites

  • You have obtained the root-ca.crt root file and the root-ca.pem key file of the certificate to be replaced.
  • You have prepared a password, for example Userpwd@123, for accessing the key file.

    The password must meet the following complexity requirements. Otherwise, security risks may be incurred.

    • The password contains at least 8 characters.
    • The password contains characters from all four of the following types: uppercase letters, lowercase letters, digits, and special characters ~`!?,.:;-_'(){}[]/<>@#$%^&*+|\=.
  • When applying for a certificate from the certificate administrator, you have provided the password for accessing the key file and applied for the certificate file in one of the .crt, .cer, .cert, or .pem formats and the key file in the .key or .pem format. The certificate you apply for must have the issuing function (it must be able to issue certificates).
  • You have obtained the IP addresses of the active and standby management nodes. For details, see Logging In to the Management Node.
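The following pre-flight script is an added example, not part of FusionInsight or its tooling. Run it on the active management node before copying the files in the procedure below; it checks the password against the complexity rules above and verifies that root-ca.crt is a valid, unexpired issuing certificate whose key is the passphrase-protected root-ca.pem. It assumes openssl is on the PATH and that "the issuing function" corresponds to the X.509 basicConstraints CA:TRUE flag.

```shell
#!/bin/sh
# Pre-flight checks for the HA certificate prerequisites (added example, not part
# of FusionInsight). Assumes openssl is on PATH and that the "issuing function"
# maps to the X.509 basicConstraints CA:TRUE flag.
HA_PW_SPECIALS='~`!?,.:;-_'"'"'(){}[]/<>@#$%^&*+|\='

# check_ha_password PASSWORD -> 0 if it meets the complexity rules:
# at least 8 characters and all four classes (upper, lower, digit, special).
check_ha_password() {
    pw=$1; rest=$1
    up=0; lo=0; di=0; sp=0
    [ ${#pw} -ge 8 ] || return 1
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}   # peel off the first character
        case "$c" in
            [[:upper:]]) up=1 ;;
            [[:lower:]]) lo=1 ;;
            [[:digit:]]) di=1 ;;
            *) case $HA_PW_SPECIALS in *"$c"*) sp=1 ;; esac ;;
        esac
    done
    [ $((up + lo + di + sp)) -eq 4 ]
}

# check_ha_cert_pair CRT PEM PASSWORD -> 0 if the certificate is a CA, is not
# expired, and the passphrase-protected key in PEM belongs to it.
check_ha_cert_pair() {
    crt=$1; key=$2; pw=$3
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate is expired or unreadable: $crt"; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' \
        || { echo "certificate lacks the issuing (CA) flag: $crt"; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pw" -pubout 2>/dev/null) \
        || { echo "key cannot be opened with the given password: $key"; return 1; }
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "key does not match certificate"; return 1; }
}

# Usage: sh ha-precheck.sh root-ca.crt root-ca.pem 'Userpwd@123'
if [ $# -eq 3 ]; then
    check_ha_password "$3" || { echo "password does not meet the complexity rules"; exit 1; }
    check_ha_cert_pair "$1" "$2" "$3" && echo "HA certificate prerequisites satisfied"
fi
```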

Procedure

  1. Use PuTTY to log in to the active management node as user omm with the IP address of the active management node.
  2. Select the certificate file and key file generation mode:

    • If the certificate is generated by the certificate administrator, save the certificate file and key file to the ${OMS_RUN_PATH}/workspace0/ha/local/cert directory on the active and standby management nodes.
      NOTE:

      If the obtained certificate file does not have the .crt extension or the key file does not have the .pem extension, run the following commands to rename them (mv only renames a file; it does not convert its encoding):

      mv <certificate name>.<certificate format> root-ca.crt

      mv <key name>.<key format> root-ca.pem

      For example, run the following commands to rename the certificate file server.cer to root-ca.crt and the key file server_key.key to root-ca.pem:

      mv server.cer root-ca.crt

      mv server_key.key root-ca.pem

    • If the certificate is generated by the system administrator, run the following command to generate root-ca.crt and root-ca.pem in the ${OMS_RUN_PATH}/workspace0/ha/local/cert directory:

      sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/gen-cert.sh --root-ca --country=CN --state=state --city=city --company=company --organize=organize --common-name=commonname --email=Administrator email address

      NOTE:

      The validity period of the generated certificate file is 10 years. An alarm is generated when the system certificate file is about to expire. For details about how to clear the alarm, see section "ALM-12055 The Certificate File Is About to Expire" in Alarm Processing.

      For example, run the following command to generate the files:

      sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/gen-cert.sh --root-ca --country=CN --state=guangdong --city=shenzhen --company=huawei --organize=IT --common-name=HADOOP.COM --email=abc@xxx.com

      Enter the password as prompted, and press Enter.

      Enter pass phrase for /opt/huawei/Bigdata/om-server/OMS/workspace/ha/local/cert/root-ca.pem:

      The command is run successfully if the following information is displayed:

      Generate root-ca pair success.

  3. On the active management node, run the following command as user omm to copy root-ca.crt and root-ca.pem to the ${BIGDATA_HOME}/om-server/om/security/certHA directory:

    cp -arp ${OMS_RUN_PATH}/workspace0/ha/local/cert/root-ca.* ${BIGDATA_HOME}/om-server/om/security/certHA

  4. Copy root-ca.crt and root-ca.pem generated on the active management node to ${BIGDATA_HOME}/om-server/om/security/certHA on the standby management node as user omm.

    scp ${OMS_RUN_PATH}/workspace0/ha/local/cert/root-ca.* omm@IP address of standby management node:${BIGDATA_HOME}/om-server/om/security/certHA

  5. Run the following command to generate an HA certificate and perform automatic replacement:

    sh ${BIGDATA_HOME}/om-server/om/sbin/replacehaSSLCert.sh

    Enter the password as prompted and press Enter.

    Please input ha ssl cert password:

    The HA certificate is replaced successfully if the following information is displayed:

    [INFO] Succeed to replace ha ssl cert.
    NOTE:

    To also update the package used to encrypt the HA password, add the -u parameter.

  6. Run the following command to restart the OMS:

    sh ${BIGDATA_HOME}/om-server/om/sbin/restart-oms.sh

    The following information is displayed:

    start HA successfully.

  7. Use PuTTY to log in to the standby management node as user omm with the IP address of the standby management node. Repeat Step 5 to Step 6.

    Run sh ${BIGDATA_HOME}/om-server/om/sbin/status-oms.sh to check whether HAAllResOK of the management node is Normal and whether you can log in to FusionInsight Manager again. If both are true, the operation is successful.

Updated: 2019-05-17

Document ID: EDOC1100074522