OceanStor BCManager 6.5.0 eReplication User Guide 02

Certificate Management

To enhance system security, before the eReplication Server communicates with a system or device (such as a vCenter server, FusionSphere component, storage device, host, email server, or remote eReplication Server), it verifies the validity of the device certificate: whether the required certificates have been imported and whether the imported certificates are valid. The eReplication Server is preset with CA certificates of the remote eReplication Server and of the host. You are advised to import the CA certificates of your devices and to replace the default CA certificates of the eReplication Server.

Importing CA Certificates of Devices

To enhance system security, you are advised to import the CA certificates of all devices before adding devices or system components (such as vCenter servers, FusionSphere components, storage devices, hosts, email servers, and remote eReplication) to eReplication. If the CA certificates of devices are not imported, communication between eReplication and the devices is not affected, but the system is exposed to spoofing risks because the identity of the peer cannot be verified. After CA certificates are imported, you must restart eReplication for the certificates to take effect. You are advised to restart eReplication during off-peak hours.

Prerequisites

  • A cross-platform remote access tool, such as PuTTY, has been obtained.
  • If the eReplication management server runs Linux, the password of user root or DRManager has been obtained.
  • If the eReplication management server runs Windows, the password of the administrator has been obtained.
  • The CA certificates of the devices to be added have been obtained, and the certificates are in the X.509v3 format.

Context

  • The eReplication Server provides key store bcm.keystore. You need to import CA certificates to the key store. The fixed save path of the key store is /opt/BCManager/Runtime/LegoRuntime/certs in Linux and \installation path\Runtime\LegoRuntime\certs in Windows. The default password of the key store is BCM@DataProtect123.
  • The eReplication Server has preset CA certificates of the remote eReplication Server and Agent. Therefore, you do not need to import the CA certificates of the remote eReplication Server (bcmrootca) and Agent (bcmagentca).
  • Note the following when importing CA certificates to the eReplication Server:
    • If there are CA certificates of multiple levels, import all the CA certificates.
    • If multiple devices use the same CA certificate, import that CA certificate only once.
  • If the system reports a certificate alarm, restart the eReplication Server after CA certificates are imported.
  • Stop the eReplication Server only when no protection tasks or recovery plans are being executed in eReplication.

If no CA certificate is imported or the device certificate expires, eReplication generates a certificate alarm by default. You can disable certificate alarming if you do not want eReplication to generate certificate alarms. For details about how to disable certificate alarming, see Disabling Certificate Alarming.

Procedure

  • Linux
    1. Use PuTTY to log in to the eReplication Server.

      • In template-based installation mode: Log in as user DRManager, and run the su root command to switch to user root.
      • In software package-based installation mode: Log in as user root.
      NOTE:

      The default password of user DRManager is Huawei@CLOUD8. In template-based installation mode, the default password of user root is Huawei@CLOUD8!.

    2. Run the TMOUT=0 command to prevent PuTTY from exiting due to session timeout.

      NOTE:

      After you run this command, the session stays open even when no operation is performed, which poses a security risk. For security purposes, you are advised to run exit to log out after completing your operations.

    3. Run cd /opt/BCManager/Runtime/bin to enter the script save path.

      NOTE:

      In Linux, the installation path of the eReplication Server is /opt/BCManager. The path is fixed.

    4. Run the sh shutdownSystem.sh command and enter y to stop the eReplication Server.
    5. Run cd /opt/BCManager/Runtime/bin to enter the script save path.
    6. Run ./jre6.0.18/bin/keytool -import -alias Certificate alias -keystore ./LegoRuntime/certs/bcm.keystore -file Certificate file to import the CA certificate, where Certificate alias is the alias you assign to the certificate and Certificate file is the certificate file to import.

      The alias of each certificate must be unique.

      NOTE:
      -file is the full path to the file, for example, /opt/BCManager/Runtime/LegoRuntime/certs/cacert/cacert.pem.

    7. Type the CA certificate key store password of BCManager and press Enter. Ensure that the certificate information is correct.

      The following command output is displayed:

      Trust this certificate? [no]:

    8. Type yes.

      The CA certificate has been added to the key store if the following command output is displayed:

      Certificate was added to keystore

    9. Run ./jre6.0.18/bin/keytool -list -v -keystore ./LegoRuntime/certs/bcm.keystore to view information about the imported CA certificate.
    10. Type the CA certificate key store password of BCManager and press Enter. Confirm that the CA certificate has been imported successfully.
    11. Repeat 6 to 10 to import all the CA certificates of devices.
    12. Run cd /opt/BCManager/Runtime/bin to enter the script save path.
    13. Run the sh startSystem.sh command to start the eReplication Server.
  • Windows
    1. Log in to the eReplication Server as an administrator.
    2. Open the CLI and run cd \installation path\bin to navigate to the bin directory.

      NOTE:

      In Windows, the default installation path of the eReplication Server is C:\BCManager\Runtime. The installation path is user-definable. You are advised not to install the eReplication Server on a system disk.

    3. Run shutdownSystem.bat, enter y, and press Enter to stop the eReplication Server.
    4. Run cd \installation path\Runtime to go to the keytool directory.
    5. Run .\jre6.0.18\bin\keytool -import -alias Certificate alias -keystore .\LegoRuntime\certs\bcm.keystore -file Certificate file to import the CA certificate, where Certificate alias is the alias you assign to the certificate and Certificate file is the certificate file to import.

      The alias of each certificate must be unique.

    6. Type the CA certificate key store password of eReplication and press Enter. Ensure that the certificate information is correct.

      The following command output is displayed:

      Trust this certificate? [no]:

    7. Type yes.

      The CA certificate has been added to the key store if the following command output is displayed:

      Certificate was added to keystore

    8. Run keytool -list -v -keystore .\LegoRuntime\certs\bcm.keystore to view information about the imported CA certificate.
    9. Type the key store password of BCManager and press Enter. Confirm that the CA certificate has been imported.
    10. Repeat 5 to 9 to import all the CA certificates of devices.
    11. Run cd \installation path\bin to navigate to the bin directory.
    12. Run startSystem.vbe to start the eReplication Server.
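The Context section above asks for two things that are easy to get wrong by hand when many devices are added: every level of a CA chain must be imported, and a CA certificate shared by several devices must be imported only once under a unique alias. The following script is an added example, not a tool shipped with eReplication. It splits PEM files (single certificates or bundles carrying a multi-level chain) into one certificate per entry, drops certificates already seen by comparing SHA-256 fingerprints, assigns each remaining certificate a unique alias, and emits the keytool -import command line used in step 6 of the Linux procedure. The keytool and key store paths are the ones the guide gives; the certificate bodies in the sample input are constructed placeholders, not real X.509 data.

```python
"""Plan keytool imports of device CA certificates into bcm.keystore.

Added example, not a script shipped with eReplication. Splits PEM files into
single certificates, deduplicates them by SHA-256 fingerprint, assigns unique
aliases and emits the keytool -import command line from step 6 (Linux).
"""
import base64
import hashlib
import os
import re
from typing import Dict, List, Tuple

KEYTOOL = "./jre6.0.18/bin/keytool"            # keytool path from the guide
KEYSTORE = "./LegoRuntime/certs/bcm.keystore"  # key store path from the guide

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM file, in file order.

    keytool -import reads only the first certificate of a file, so a bundle
    holding root and intermediate CAs must be split before import.
    """
    return [base64.b64decode("".join(body.split()))
            for body in _PEM_BLOCK.findall(pem_text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon-separated as keytool -list -v prints it."""
    hx = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a single-certificate PEM block."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def plan_imports(files: Dict[str, str], out_dir: str = "./split-cas",
                 alias_prefix: str = "deviceca",
                 write_files: bool = True) -> Tuple[List[str], List[str]]:
    """Deduplicate the certificates in `files` and build one import command each.

    `files` maps a source PEM path to its text. Each distinct certificate gets
    a unique alias (required by the guide) and, when write_files is set, is
    written as a single-certificate PEM under out_dir. A certificate that was
    already planned is reported instead of being imported a second time (the
    guide says to import a CA certificate shared by several devices only once).
    Returns (commands, skipped), where skipped explains each dropped duplicate.
    """
    if write_files:
        os.makedirs(out_dir, exist_ok=True)
    seen: Dict[str, str] = {}  # fingerprint -> alias already planned
    commands: List[str] = []
    skipped: List[str] = []
    for src, text in files.items():
        for n, der in enumerate(split_pem_bundle(text), start=1):
            fp = fingerprint(der)
            if fp in seen:
                skipped.append(f"{src} cert #{n} is already planned as alias {seen[fp]}")
                continue
            alias = f"{alias_prefix}{len(seen) + 1}"
            seen[fp] = alias
            target = os.path.join(out_dir, f"{alias}.pem")
            if write_files:
                with open(target, "w", encoding="ascii") as fh:
                    fh.write(der_to_pem(der))
            commands.append(
                f"{KEYTOOL} -import -alias {alias} -keystore {KEYSTORE} -file {target}")
    return commands, skipped


# Constructed sample input: two devices whose certificates chain to the same root.
# The "certificates" are placeholder bytes, not parseable X.509 structures.
SAMPLE_FILES = {
    "/tmp/storage-ca-chain.pem":
        der_to_pem(b"PLACEHOLDER-ROOT-CA") + der_to_pem(b"PLACEHOLDER-STORAGE-ISSUING-CA"),
    "/tmp/vcenter-ca-chain.pem":
        der_to_pem(b"PLACEHOLDER-ROOT-CA") + der_to_pem(b"PLACEHOLDER-VCENTER-ISSUING-CA"),
}

if __name__ == "__main__":
    cmds, dups = plan_imports(SAMPLE_FILES)
    print("\n".join(cmds))
    for line in dups:
        print("skipped:", line)
```

Run it from /opt/BCManager/Runtime so the relative keytool and key store paths resolve as in step 6; the commands it prints are the ones to paste, one per certificate, and each still prompts for the key store password and the "Trust this certificate?" confirmation as described in steps 7 and 8. After the imports, compare the fingerprints shown by keytool -list -v (step 9) with the fingerprints the script computed to confirm that the right certificates landed in the key store.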

Follow-up Procedure

If the CA certificates of devices are updated, you need to delete the original CA certificates and import the new ones. Before performing step 6 (Linux) or step 5 (Windows) of the procedure above, perform the following operations:

  • Linux
    1. Run ./jre6.0.18/bin/keytool -delete -alias Certificate alias -keystore ./LegoRuntime/certs/bcm.keystore to delete the original CA certificate.
    2. Type the CA certificate key store password of BCManager and press Enter. Ensure that the information about the CA certificate to be deleted is correct.
  • Windows
    1. Run .\jre6.0.18\bin\keytool -delete -alias Certificate alias -keystore .\LegoRuntime\certs\bcm.keystore to delete the original CA certificate.
    2. Type the key store password of eReplication and press Enter. Ensure that information about the certificate to be deleted is correct.

Changing the Key Store Password of the eReplication Server

To enhance system security, you are advised to periodically change the CA key store password of the eReplication Server. After changing the key store password, you need to restart the eReplication Server for the change to take effect. You are advised to change the key store password during off-peak hours.

Prerequisites

  • A cross-platform remote access tool, such as PuTTY, has been obtained.
  • If the eReplication management server runs Linux, the password of user root or DRManager has been obtained.
  • If the eReplication management server runs Windows, the password of the administrator has been obtained.

Context

  • The CA key store of the eReplication Server is bcm.keystore. The fixed save path of the key store is /opt/BCManager/Runtime/LegoRuntime/certs in Linux and \installation path\Runtime\LegoRuntime\certs in Windows. The default password of the key store is BCM@DataProtect123.
  • The password complexity requirements of the key store are as follows:
    • Contains 8 to 18 characters.
    • Must contain special characters from the following set: ~!@#$%*-_=+[{}];:\,./?
    • Must contain at least two of the following types of characters:
      • Lowercase letters
      • Uppercase letters
      • Digits
  • Stop the eReplication Server only when no protection tasks or recovery plans are being executed in eReplication.
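updateBCMKeyStore.sh rejects a non-compliant password only after the server has been stopped, so it is worth checking the candidate beforehand. The following function is an added example, not a tool shipped with eReplication. It encodes the rules as the guide states them (8 to 18 characters, special characters from the listed set, at least two of lowercase letters, uppercase letters and digits); it reads "special characters" as at least one such character, which is this example's assumption. It also flags the documented default value BCM@DataProtect123, which is this example's own check rather than a rule from the guide, since the point of the procedure is to move off that default.

```python
"""Pre-check a new bcm.keystore password against the complexity rules.

Added example, not a tool shipped with eReplication. Rules are taken from the
guide; treating "special characters" as "at least one" and rejecting the
documented default password are this example's own choices.
"""
from typing import List

SPECIAL_CHARACTERS = set(r"~!@#$%*-_=+[{}];:\,./?")  # set listed in the guide
DOCUMENTED_DEFAULT = "BCM@DataProtect123"              # default from the guide


def check_keystore_password(password: str) -> List[str]:
    """Return the rules the password violates; an empty list means it complies."""
    problems: List[str] = []
    if not 8 <= len(password) <= 18:
        problems.append(f"length is {len(password)}, must be 8 to 18 characters")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        problems.append("no special character from ~!@#$%*-_=+[{}];:\\,./?")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
    ))
    if classes < 2:
        problems.append("needs at least two of: lowercase letters, uppercase letters, digits")
    if password == DOCUMENTED_DEFAULT:
        problems.append("still the documented default password")
    return problems


if __name__ == "__main__":
    # Constructed candidates covering a compliant value and each failure mode.
    for candidate in ("Bcm!2024", "short", "abcdefgh!", DOCUMENTED_DEFAULT):
        result = check_keystore_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Note that the default password itself satisfies every stated complexity rule, which is exactly why a pure policy check is not enough and the explicit comparison against the default is included.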

Procedure

  • Linux
    1. Use PuTTY to log in to the eReplication Server.

      • In template-based installation mode: Log in as user DRManager, and run the su root command to switch to user root.
      • In software package-based installation mode: Log in as user root.
      NOTE:

      The default password of user DRManager is Huawei@CLOUD8. In template-based installation mode, the default password of user root is Huawei@CLOUD8!.

    2. Run the TMOUT=0 command to prevent PuTTY from exiting due to session timeout.

      NOTE:

      After you run this command, the session stays open even when no operation is performed, which poses a security risk. For security purposes, you are advised to run exit to log out after completing your operations.

    3. Run cd /opt/BCManager/Runtime/bin to enter the script save path.

      NOTE:

      In Linux, the installation path of the eReplication Server is /opt/BCManager. The path is fixed.

    4. Run the sh shutdownSystem.sh command and enter y to stop the eReplication Server.
    5. Run the sh updateBCMKeyStore.sh command to change the password of the key store.

      The following command output is displayed:

      Please enter the old password of the key store:
      

    6. Type the old password of the CA key store and press Enter.

      The following command output is displayed:

      Please enter the new password:
      

    7. Type the new password of the CA key store and press Enter.

      The following command output is displayed:

      Please enter the new password again:
      

    8. Type the new password of the CA key store again and press Enter.

      If the following command output is displayed, the password is changed successfully.

      Updating...please wait.
      Succeeded in updating the password of the key store.

    9. Run the sh startSystem.sh command to start the eReplication Server.
  • Windows
    1. Log in to the eReplication Server as an administrator.
    2. Go to the \installation path\Runtime\bin directory.

      NOTE:

      In Windows, the default installation path of the eReplication Server is C:\BCManager\Runtime. The installation path is user-definable. You are advised not to install the eReplication Server on a system disk.

    3. Double-click the shutdownSystem.bat file to stop the eReplication Server.
    4. Double-click the updateBCMKeyStore.bat file to change the password of the key store.
    5. Type the old password of the CA key store as prompted and press Enter.
    6. Type the new password of the CA key store and press Enter.
    7. Type the new password of the CA key store again and press Enter.
    8. Double-click the startSystem.vbe file to start the eReplication Server.

Disabling Certificate Alarming

If no CA certificate is imported or the device certificate expires, eReplication generates a certificate alarm by default. You can disable certificate alarming if you do not want eReplication to generate certificate alarms. After disabling certificate alarming, you need to restart the eReplication Server to make the configuration take effect. You are advised to disable certificate alarming during off-peak hours.

Prerequisites

  • A cross-platform remote access tool, such as PuTTY, has been obtained.
  • If the eReplication management server runs Linux, the password of user root or DRManager has been obtained.
  • If the eReplication management server runs Windows, the password of the administrator has been obtained.

Context

Stop the eReplication Server only when no protection tasks or recovery plans are being executed in eReplication.

Procedure

  • In Linux
    1. Use PuTTY to log in to the eReplication Server.

      • In template-based installation mode: Log in as user DRManager, and run the su root command to switch to user root.
      • In software package-based installation mode: Log in as user root.
      NOTE:

      The default password of user DRManager is Huawei@CLOUD8. In template-based installation mode, the default password of user root is Huawei@CLOUD8!.

    2. Run the TMOUT=0 command to prevent PuTTY from exiting due to session timeout.

      NOTE:

      After you run this command, the session stays open even when no operation is performed, which poses a security risk. For security purposes, you are advised to run exit to log out after completing your operations.

    3. Run cd /opt/BCManager/Runtime/bin to enter the script save path.

      NOTE:

      In Linux, the installation path of the eReplication Server is /opt/BCManager. The path is fixed.

    4. Run the sh shutdownSystem.sh command and enter y to stop the eReplication Server.
    5. Run cd /opt/BCManager/Runtime/LegoRuntime/conf to enter the script save path.

      NOTE:

      In Linux, the installation path of the eReplication Server is /opt/BCManager. The path is fixed.

    6. Run the vi lego.properties command to open the configuration file.
    7. Press i to go to the edit mode and edit the lego.properties file.
    8. Set the value of CertificateAlarmSwith to off to disable certificate alarming.

      By default, the value of CertificateAlarmSwith is on.

    9. Press Esc and run the :wq! command to save the settings and exit.
    10. Run cd /opt/BCManager/Runtime/bin to enter the script save path.
    11. Run the sh startSystem.sh command to start the eReplication Server.
  • In Windows
    1. Log in to the eReplication Server as an administrator.
    2. Go to the \installation path\Runtime\bin directory.

      NOTE:

      In Windows, the default installation path of the eReplication Server is C:\BCManager\Runtime. The installation path is user-definable. You are advised not to install the eReplication Server on a system disk.

    3. Double-click the shutdownSystem.bat file to stop the eReplication Server.
    4. Go to the installation path\LegoRuntime\conf directory.

      NOTE:

      In Windows, the default installation path of the eReplication Server is C:\BCManager\Runtime. The installation path is user-definable. You are advised not to install the eReplication Server on a system disk.

    5. Open the lego.properties file and set the value of CertificateAlarmSwith to off to disable certificate alarming.

      By default, the value of CertificateAlarmSwith is on.

    6. Save the modification and exit.
    7. Go to the \installation path\Runtime\bin directory.
    8. Double-click the startSystem.vbe file to start the eReplication Server.

Replacing Tomcat Certificates on the eReplication Server

For security reasons, users may choose to use certificates issued by third-party certification authorities. The eReplication Server allows users to replace the Tomcat certificate as long as they provide the authentication certificate and the private-public key pair. A replaced authentication certificate takes effect after the eReplication Server is reset. Therefore, replace certificates on the server only when a small volume of services is configured.

Prerequisites

  • A cross-platform remote access tool, such as PuTTY, has been obtained.
  • If the eReplication management server runs Linux, the password for the root or DRManager account has been obtained.
  • If the eReplication management server runs a Windows operating system, the password for the administrator account has been obtained.
  • New certificates in the X.509v3 format have been obtained.

Context

  • The eReplication Server provides the tomcat.keystore. The storage path of this key store is fixed to /opt/BCManager/Runtime/Tomcat6/certs (Linux), or \installation path\Runtime\Tomcat6\certs (Windows). The default password of the key store is BCM@DataProtect123.
  • The new certificate cannot be saved in the /opt/BCManager/Tomcat6/certs directory (Linux) or \Installation path\Runtime\Tomcat6\certs directory (Windows). The replace function will automatically copy the new certificate to this directory.
  • When deployed in distributed mode, the eReplication Servers are deployed on the local server and peer end's server, respectively. If the Tomcat on the local server is updated, you need to re-import the CA certificate on the eReplication Server at the peer end. For details about how to import a certificate, see Importing CA Certificates of Devices.
  • Stop the eReplication Server only when no protection tasks or recovery plans are being executed in eReplication.

Procedure

  • For Linux
    1. Use PuTTY to log in to the eReplication node.

      • In template-based installation mode: Log in as user DRManager, and run the su root command to switch to user root.
      • In software package-based installation mode: Log in as user root.
      NOTE:

      The default password of user DRManager is Huawei@CLOUD8. In template-based installation mode, the default password of user root is Huawei@CLOUD8!.

    2. Run the TMOUT=0 command to prevent PuTTY from exiting due to session timeout.

      NOTE:

      After you run this command, the system continues to run even when no operation is performed, posing a security risk. Therefore, you are advised to run exit after completing operations.

    3. Run the cd /opt/BCManager/Runtime/bin command to navigate to the directory where certificate replacement scripts are stored.

      NOTE:

      In Linux, the installation path of the eReplication Server is /opt/BCManager. The path is fixed.

    4. Run the sh shutdownSystem.sh command, enter y and then press Enter to stop the eReplication Server.
    5. Run the sh replace_cert.sh command to replace the Tomcat certificate.

      The following command output is displayed:

      Please input cert file:

    6. Enter the path of the key store and certificate file name. For example, enter /opt/jks.keystore and press Enter.

      The following command output is displayed:

      Please input the keystore type [JKS]:

    7. Enter the file type of the key store (the JKS, JCEKS, and PKCS12 file types are supported) and press Enter.

      The following command output is displayed:

      Please input secret key:

    8. Enter the correct password for the certificate and press Enter.

      The following command output is displayed:

      You are going to change the certfile of web,Are you sure you really want to perform the operation? (y/n):
      NOTE:

      If the entered password is incorrect, the following information is displayed: Certificate password error. You need to enter the correct password.

    9. Enter y and press Enter.

      If the following information is displayed, the certificate is successfully replaced.

      Change certfile successfully!

    10. Run the cd /opt/BCManager/Runtime/bin command to navigate to the directory where the scripts are stored.
    11. Run the sh startSystem.sh command to start the eReplication Server.
  • For Windows
    1. Use the administrator account to log in to the eReplication node.
    2. Open the \installation path\bin directory.

      NOTE:

      In Windows, the default installation path of the eReplication Server is C:\BCManager\Runtime. The installation path is user-definable. You are advised not to install the eReplication Server on a system disk.

    3. Double-click the shutdownSystem.bat file, enter y and then press Enter to stop the eReplication Server.
    4. Double-click the replace_cert.bat file to replace the Tomcat certificate.
    5. Enter the path of the key store and certificate file name. For example, enter C:\jks.keystore and press Enter.
    6. Enter the file type of the key store (the JKS, JCEKS, and PKCS12 file types are supported) and press Enter.
    7. Enter the correct password for the certificate and press Enter.
    8. Enter y and press Enter. The certificate is replaced.
    9. Double-click the startSystem.vbe file to start the eReplication Server.
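Step 7 (Linux) and step 6 (Windows) ask for the key store type, defaulting to JKS, and a wrong answer is only discovered once the server is already stopped. The three accepted formats can be told apart from the leading bytes of the file, which the following added example does (it is not part of replace_cert.sh): a JKS file starts with the magic number 0xFEEDFEED and a JCEKS file with 0xCECECECE, each followed by a 4-byte version, while a PKCS#12 file is a DER SEQUENCE whose first element is the INTEGER version 3. It also reports a PKCS#12 file whose outer length field promises more bytes than the file holds, the typical symptom of a truncated copy. The byte strings in SAMPLES are constructed to show each case; only their headers are real.

```python
"""Identify a key store's type before answering "Please input the keystore type [JKS]:".

Added example, not part of replace_cert.sh. Magic numbers and the PKCS#12
structure are public format facts; the sample blobs are constructed.
"""
import struct
from typing import Optional, Tuple

JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE


def _der_sequence_header(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (content_offset, content_length) for a leading DER SEQUENCE, else None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def sniff_keystore_type(data: bytes) -> str:
    """Classify key store bytes as JKS, JCEKS, PKCS12, PKCS12-TRUNCATED or UNKNOWN."""
    if len(data) >= 8:
        magic, version = struct.unpack(">II", data[:8])
        if magic == JKS_MAGIC and version in (1, 2):
            return "JKS"
        if magic == JCEKS_MAGIC and version in (1, 2):
            return "JCEKS"
    header = _der_sequence_header(data)
    if header is not None:
        offset, length = header
        # PFX ::= SEQUENCE { version INTEGER(3), authSafe ContentInfo, macData OPTIONAL }
        if data[offset:offset + 3] == b"\x02\x01\x03":
            return "PKCS12" if length <= len(data) - offset else "PKCS12-TRUNCATED"
    return "UNKNOWN"


def sniff_keystore_file(path: str) -> str:
    """Read a key store file (for example the /opt/jks.keystore of step 6) and classify it."""
    with open(path, "rb") as fh:
        return sniff_keystore_type(fh.read())


def _der_sequence(body: bytes, long_form: bool) -> bytes:
    """Constructed DER SEQUENCE wrapper around body, used only to build the samples."""
    if long_form:
        return b"\x30\x82" + len(body).to_bytes(2, "big") + body
    return b"\x30" + bytes([len(body)]) + body


# Constructed samples: the headers carry the real magic numbers, the payloads are filler.
SAMPLES = {
    "jks": struct.pack(">II", JKS_MAGIC, 2) + b"\x00\x00\x00\x01" + b"\x00" * 16,
    "jceks": struct.pack(">II", JCEKS_MAGIC, 2) + b"\x00\x00\x00\x01" + b"\x00" * 16,
    "p12_short": _der_sequence(b"\x02\x01\x03" + b"\x30\x00", long_form=False),
    "p12_long": _der_sequence(b"\x02\x01\x03" + b"\x30\x00" + b"\x00" * 300, long_form=True),
    "p12_cut": b"\x30\x82\x01\x00\x02\x01\x03",   # header promises 256 bytes, 3 are present
    "pem": b"-----BEGIN CERTIFICATE-----\n",      # a PEM certificate is not a key store
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:10s} -> {sniff_keystore_type(blob)}")
```

Answer the prompt with the type the script reports. An UNKNOWN result usually means a PEM-encoded certificate or key was supplied where the script expects a key store containing both the certificate and its private key.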

Replacing the GaussDB or the HA Certificate of the eReplication Server

For security purposes, you may want to use a certificate issued by a third-party authority. The eReplication Server allows you to replace GaussDB and HA certificates of the Linux management server as long as you provide the authentication certificate and private key. You are advised to replace a certificate when the service load is light because this operation will restart GaussDB or the HA service of the eReplication Server.

Prerequisites

  • A cross-platform remote access tool, such as PuTTY, has been obtained.
  • You have obtained the password of user root for logging in to the operating system of the eReplication Server whose certificate is to be replaced.
  • You have obtained the CA, GaussDB, and HA certificates, and private keys of the certificates.

Context

  • GaussDB and the HA function share one certificate.
  • In HA mode, certificates on both eReplication Servers need to be replaced. Otherwise, communication between the two servers may fail.
  • Replacing the GaussDB certificate
    • Replacing the GaussDB certificate will restart the GaussDB service. Therefore, replace certificates when the service load is light.
    • The GaussDB certificate can only be replaced in the HA double mode. During the replacement of the GaussDB certificate, only the validity of the local certificate is verified; the consistency of the certificates on the local and peer ends is not verified.
    • The new certificate cannot be saved to opt/gs/app/data. After the certificate is replaced, the new certificate is automatically copied to this directory.
  • Replacing the HA certificate
    • Replacing the HA certificate will restart the HA service and interrupt the connection between the local end and peer end for approximately 1 minute. Therefore, replace certificates when the service load is light.
    • The HA certificate can only be replaced in the HA double mode. During the replacement of the HA certificate, the consistency of the certificates on the local and peer ends is verified. If the certificates at both ends are inconsistent, communication between the servers at both ends may fail.
    • The new certificate cannot be saved to opt/BCManager/Runtime/ha/local/cert. After the certificate is replaced, the new certificate is automatically copied to this directory.

Procedure

  • Replace the GaussDB certificate.
    1. Use PuTTY to log in to the eReplication Server management server.

      • In template-based installation mode: Log in as user DRManager, and run the su root command to switch to user root.
      • In software package-based installation mode: Log in as user root.

      NOTE:
      The default password of user DRManager is Huawei@CLOUD8. In template-based installation mode, the default password of user root is Huawei@CLOUD8!.

    2. Run the TMOUT=0 command to prevent PuTTY from exiting due to session timeout.

      NOTE:

      After you run this command, the session stays open even when no operation is performed, which poses a security risk. For security purposes, you are advised to run exit to log out after completing your operations.

    3. Run the following command to go to the save directory of the script:

      cd /opt/BCManager/Runtime/bin

      NOTE:

      In Linux, the installation path of the eReplication Server is /opt/BCManager. The path is fixed.

    4. Run the following command to replace the GaussDB certificate.

      sh replaceHACert.sh db

      The following command output is displayed:

      This operation will replace the certificate. Notice that the certificates on both ends must be replaced.
      Warning: This operation will restart the GaussDB service.
      Are you sure you want to continue? (y/n):

    5. Enter y and press Enter.

      The following command output is displayed:

      Please enter the full path to the CA certificate file:

    6. Enter the full path to the CA certificate of the device (example: /opt/BCManager/Runtime/tmp/cacert.pem) and press Enter.

      The following command output is displayed:

      Please enter the full path to the GaussDB certificate file:

    7. Enter the full path to the GaussDB certificate file (example: /opt/BCManager/Runtime/tmp/server.cert) and press Enter.

      The following command output is displayed:

      Please enter the full path to the private key file:

    8. Enter the full path to the private key file of the GaussDB certificate (example: /opt/BCManager/Runtime/tmp/server.cert) and press Enter.

      The following command output is displayed:

      Please enter the password of the private key file:

    9. Enter the private key password of the GaussDB certificate and press Enter.

      The certificate is successfully replaced if the following command output is displayed:

      Restarting the GaussDB service... This will take several minutes.
      Replacing certificate db succeeded!

  • Replace the HA certificate.
    1. Use PuTTY to log in to the eReplication Server management server.

      • In template-based installation mode: Log in as user DRManager, and run the su root command to switch to user root.
      • In software package-based installation mode: Log in as user root.

      NOTE:
      The default password of user DRManager is Huawei@CLOUD8. In template-based installation mode, the default password of user root is Huawei@CLOUD8!.

    2. Run the TMOUT=0 command to prevent PuTTY from exiting due to session timeout.

      NOTE:

      After you run this command, the session stays open even when no operation is performed, which poses a security risk. For security purposes, you are advised to run exit to log out after completing your operations.

    3. Run the following command to go to the save directory of the script:

      cd /opt/BCManager/Runtime/bin

      NOTE:

      In Linux, the installation path of the eReplication Server is /opt/BCManager. The path is fixed.

    4. Run the following command to replace the HA certificate.

      sh replaceHACert.sh ommha

      The following command output is displayed:

      This operation will replace the certificate. Notice that the certificates on both ends must be replaced.
      Warning: This operation will restart the OMMHA service and interrupt the connection between the local end and peer end for approximately 1 minute.
      Are you sure you want to continue? (y/n):

    5. Enter y and press Enter.

      The following command output is displayed:

      Please enter the full path to the CA certificate file:

    6. Enter the full path to the CA certificate of the device (example: /opt/BCManager/Runtime/tmp/cacert.pem) and press Enter.

      The following command output is displayed:

      Please enter the full path to the OMMHA certificate file:

    7. Enter the full path to the HA certificate file (example: /opt/BCManager/Runtime/ha/server.cert) and press Enter.

      The following command output is displayed:

      Please enter the full path to the private key file:

    8. Enter the full path to the private key file of the HA certificate (example: /opt/BCManager/Runtime/ha/server.key) and press Enter.

      The following command output is displayed:

      Please enter the password of the private key file:

    9. Enter the password of the certificate private key and press Enter.

      The certificate is successfully replaced if the following command output is displayed:

      Restarting the OMMHA service... This will take several minutes.
      Replacing certificate ha succeeded!

Replacing Certificates on the eReplication Agent

For security reasons, users may choose to use certificates issued by third-party certification authorities. The eReplication Agent allows users to replace the authentication certificate and private key file as long as they provide the authentication certificate and the private-public key pair. A replaced authentication certificate takes effect after the eReplication Agent is reset. Therefore, replace certificates on the Agent only when a small volume of services is configured.

Prerequisites

  • A cross-platform remote access tool, such as PuTTY, has been obtained.
  • If the eReplication management server runs a non-Windows operating system, passwords for the root and rdadmin accounts have been obtained.
  • If the eReplication management server runs a Windows operating system, the password for the administrator account has been obtained.
  • New certificates in the X.509v3 format have been obtained.

Context

  • eReplication is pre-configured with CA certificate (bcmagentca), private key file (server.key whose default protection password is BCM@DataProtect123), and authentication certificate (server.crt). These files are stored in /home/rdadmin/Agent/bin/nginx/conf (in non-Windows systems) or installation path\bin\nginx\conf (in Windows systems).
  • A replaced certificate takes effect after the eReplication Agent is reset. During the reset, eReplication services are suspended.

    If the eReplication Agent is stopped, it can no longer manage service hosts (such as database servers). Therefore, do not stop the eReplication Agent except for maintenance or fault location.

Procedure

  • Linux/AIX/HP-UX is used as an example:
    1. Use PuTTY and the root account to log in to the host where the eReplication Agent resides.
    2. Run the TMOUT=0 command to prevent PuTTY from exiting due to session timeout.

      NOTE:

      After you run this command, the system continues to run even when no operation is performed, posing a security risk. Therefore, you are advised to run exit after completing operations.

    3. Run the su - rdadmin command to switch to the rdadmin account.
    4. Run the cd /home/rdadmin/Agent/bin command to navigate to the directory where scripts are stored.

      NOTE:

      eReplication Agent's installation path is fixed to /home/rdadmin/Agent.

    5. Run the sh agent_stop.sh command to stop the eReplication Agent.
    6. Put the new certificates and private key files in the specified directory.

      NOTE:

      Put new certificates in the /home/rdadmin/Agent/bin/nginx/conf directory.

    7. Run the /home/rdadmin/Agent/bin/agentcli chgkey command.

      The following information is displayed:

      Enter password of admin:
      
      NOTE:

      admin is the username configured during the Agent installation.

    8. Enter the login password for the Agent and press Enter.

      The following information is displayed:

      Change certificate file name:
      

    9. Enter the file name of the new certificate and press Enter.

      NOTE:

      If the certificate and the private key are stored in one file, enter that same file name for both the certificate and the private key.

      The following information is displayed:

      Change certificate key file name:
      

    10. Enter a name for the new private key file and press Enter.

      The following information is displayed:

      Enter new password: 
      Enter the new password again:
      

    11. Enter the protection password of the private key file twice. The certificate is then replaced.
    12. Run the sh agent_start.sh command to start the eReplication Agent.
  • For the Windows operating system:
    1. Log in as administrator to the host where the eReplication Agent resides.
    2. Open the CLI and go to the installation path\bin directory.
    3. Run the agent_stop.bat command to stop the eReplication Agent.
    4. Put the new certificates and private key files in the specified directory.

      NOTE:
      Put new certificates in the installation path\bin\nginx\conf directory.

    5. Run the agentcli.exe chgkey command.

      The following information is displayed:

      Enter password of admin:
      
      NOTE:

      admin is the username configured during the Agent installation.

    6. Enter the login password for the Agent and press Enter.

      The following information is displayed:

      Change certificate file name:
      

    7. Enter the file name of the new certificate and press Enter.

      NOTE:

      If the certificate and the private key are stored in one file, enter that same file name for both the certificate and the private key.

      The following information is displayed:

      Change certificate key file name:
      

    8. Enter a name for the new private key file and press Enter.

      The following information is displayed:

      Enter new password:
      Enter the new password again:
      

    9. Enter the protection password of the private key file twice. The certificate is then replaced.
    10. Run the agent_start.bat command to start the eReplication Agent.
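Before step 6 of either procedure above (placing the new certificate and private key in nginx/conf), check that the files are what chgkey expects. The following script is an added example for this guide; it is not part of the eReplication product or of the original Huawei text. The function name check_cert_pair, the 30-day expiry margin and the owner-only permission rule are this example's own assumptions; the X.509v3 requirement, the nginx/conf path and the key protection password come from the guide. It needs only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Pre-check for a replacement eReplication Agent certificate/key pair.
# Added example, not part of the Huawei guide. Run it as rdadmin on the agent
# host against the files you are about to place in /home/rdadmin/Agent/bin/nginx/conf.
#
# check_cert_pair CERT KEY [KEY_PASSWORD]
#   returns 0 if every check passes, 1 otherwise; each failure is reported on stderr.

check_cert_pair() {
    cert=$1; key=$2; pass=${3:-}
    rc=0

    # 1. The guide requires X.509v3; "openssl x509 -text" prints "Version: 3 (0x2)".
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'Version: 3'; then
        echo "FAIL: $cert is not a readable X.509v3 certificate" >&2; rc=1
    fi

    # 2. Validity: not expired and (this example's own margin) still valid in 30 days,
    #    so the replacement is not due again immediately. 2592000 s = 30 days.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within 30 days" >&2; rc=1
    fi

    # 3. Key/certificate match: the public key derived from the private key must equal
    #    the public key inside the certificate. Both commands emit SubjectPublicKeyInfo
    #    PEM, so a string comparison is enough. A wrong passphrase leaves key_pub empty.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin "pass:$pass" 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert (or the key passphrase is wrong)" >&2; rc=1
    fi

    # 4. chgkey asks for a key protection password, so warn if the key is stored in clear.
    #    Both PKCS#8 and traditional encrypted PEM carry the word ENCRYPTED in their header.
    if ! grep -q 'ENCRYPTED' "$key"; then
        echo "WARN: $key is not passphrase-protected" >&2
    fi

    # 5. The private key must not be readable by group or others
    #    (positions 5-10 of the ls -l mode string must all be "-").
    case $(ls -ld "$key") in
        -???------*) ;;
        *) echo "FAIL: $key is readable by group or others; chmod 600 it first" >&2; rc=1 ;;
    esac

    return $rc
}

# Usage on the agent host (paths are the guide's; file names are yours):
#   check_cert_pair /home/rdadmin/Agent/bin/nginx/conf/new.crt \
#                   /home/rdadmin/Agent/bin/nginx/conf/new.key 'YourKeyPassword' \
#       && echo "ready for agentcli chgkey"
```

Passing the key password as a command-line argument exposes it to other users of the host through ps; on a shared machine read it from a prompt with echo disabled (stty -echo; read) and hand it to the function from a variable instead.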

Changing the Private Key Password of the eReplication Server Certificate

For security reasons, you may want to set your own private key password for the certificate instead of keeping the default. On the eReplication Server, you can change the private key password of the certificate. After changing the password, you must restart the eReplication Server for the new password to take effect. Perform this operation during off-peak hours.

Prerequisites

  • A cross-platform remote access tool, such as PuTTY, has been installed.
  • If the eReplication management server runs a non-Windows operating system, passwords of the root and rdadmin accounts have been obtained.
  • If the eReplication management server runs a Windows operating system, the password of the administrator has been obtained.
  • The current private key password of the eReplication Server has been obtained.

Context

  • The default private key password of the eReplication Server is BCM@DataProtect123.
  • A password must meet the following complexity requirements:
    • Contains 8 to 16 characters.
    • Must contain at least one of the following special characters: ~!@#$%*-_=+[{}];:\,./?
    • Must contain at least two of the following types:
      • At least one lowercase letter
      • At least one uppercase letter
      • At least one digit
    • Cannot be the same as the user name or the reverse of the user name.
    • Cannot be the same as any old password.
    • Cannot contain spaces.
  • The eReplication Server must be restarted for the new password to take effect. The eReplication service will be suspended during the restart.

    You can no longer manage service hosts (such as database servers) through the eReplication Server after the eReplication Server is stopped. Stop the eReplication Server only for maintenance and fault locating.

Procedure

  • Linux/AIX/HP-UX
    1. Use PuTTY to log in to the host where the eReplication Server resides as user root.
    2. Run the TMOUT=0 command to prevent PuTTY from exiting due to timeout.

      NOTE:

      With TMOUT=0 the shell session never times out, so an unattended terminal stays logged in as root, which is a security risk. Run exit as soon as you have finished.

    3. Run the cd /opt/BCManager/Runtime/bin command to go to the directory where the script is stored.

      NOTE:

      In Linux, the installation path of the eReplication Server is fixed at /opt/BCManager.

    4. Run the sh updatePrivateKeyPwd.sh command.

      NOTE:

      You can modify the private key password of the eReplication Server in active/standby mode, HA mode, and single-node mode. The following uses HA mode as an example.

      The following command output is displayed:

      1. Change the password of the back-end private key.
      2. Change the password of the Tomcat private key.
      3. Change the password of the GaussDB private key.
      4. Change the password of the HA certificate private key.
      
      Enter the number of the private key password to be changed. To exit, enter exit:
      

    5. Select a type of the private key password that you want to change.

      Table 7-14  Private key type

      Private Key Type: back-end (option 1) or Tomcat (option 2)
      Procedure:
        1. Enter 1 (back-end) or 2 (Tomcat) and press Enter. The following command output is displayed:
           Please input Keystore password:
        2. Enter the keystore password and press Enter. The following command output is displayed:
           Enter the old password of the private key:

      Private Key Type: GaussDB (option 3) or HA certificate (option 4)
      Procedure:
        1. Enter 3 (GaussDB) or 4 (HA certificate) and press Enter. The following command output is displayed:
           Enter the old password of the private key:

    6. Input the old private key password, and press Enter.

      The following command output is displayed:

      Enter the new password of the private key:
      Re-enter the new password of the private key:
      

    7. Input the new private key password twice, and press Enter.

      The following command output is displayed:

      Changing the password of the private key succeeded.
      

    8. The password is changed successfully. Restart the eReplication Server for the new password to take effect. During the restart, the eReplication service is suspended.
  • Windows (Only the private key password in single-node mode can be modified.)
    1. Log in to the eReplication Server as an administrator.
    2. Go to the installation path\bin directory of the eReplication Server.

      NOTE:

      In Windows, the default installation path of the eReplication Server is C:\BCManager\Runtime. The installation path is user-definable. You are advised to install the Server on a non-system disk.

    3. Double-click the updatePrivateKeyPwd.bat script.

      The following command output is displayed:

      1. Change the password of the back-end private key.
      2. Change the password of the Tomcat private key.
      
      Enter the number of the private key password to be changed. To exit, enter exit:
      

    4. Select a type of the private key password that you want to change.

      • Change the password of the back-end private key.

        Input 1 and press Enter.

      • Change the password of the Tomcat private key.

        Input 2 and press Enter.

      The following command output is displayed:
      Please input Keystore password:

    5. Input the keystore password and press Enter.

      The following command output is displayed:
      Enter the old password of the private key:

    6. Input the old private key password, and press Enter.

      The following command output is displayed:

      Enter the new password of the private key:
      Re-enter the new password of the private key:
      

    7. Input the new private key password twice, and press Enter.

      The following command output is displayed:

      Changing the password of the private key succeeded.
      

    8. The password is changed successfully. Restart the eReplication Server for the new password to take effect. During the restart, the eReplication service is suspended.

Changing the Private Key Password of the eReplication Agent Certificate

For security reasons, you may want to set your own private key password for the certificate instead of keeping the default. On the eReplication Agent, you can change the private key password of the certificate. After changing the password, you must restart the eReplication Agent for the new password to take effect. Perform this operation during off-peak hours.

Prerequisites

  • A cross-platform remote access tool, such as PuTTY, has been installed.
  • If the eReplication management server runs a non-Windows operating system, passwords of the root and rdadmin accounts have been obtained.
  • If the eReplication management server runs a Windows operating system, the password of the administrator has been obtained.
  • The current private key password of the eReplication Agent has been obtained.

Context

  • The default private key password of the eReplication Agent is BCM@DataProtect123.
  • To change the certificate password, you need to restart the eReplication Agent for the change to take effect. During the restart, services related to the eReplication Agent will be suspended.

    You can no longer manage service hosts (such as database servers) through the eReplication agent after the eReplication Agent is stopped. Stop the eReplication Agent only for maintenance and fault locating.

Procedure

  • The following uses Linux/AIX/HP-UX as an example.
    1. Use PuTTY to log in to the host where the eReplication Agent resides as user root.
    2. Run the TMOUT=0 command to prevent PuTTY from exiting due to timeout.

      NOTE:

      With TMOUT=0 the shell session never times out, so an unattended terminal stays logged in as root, which is a security risk. Run exit as soon as you have finished.

    3. Run the su - rdadmin command to switch to user rdadmin.
    4. Run the /home/rdadmin/Agent/bin/agentcli chgcrtpwd command.

      The following command output is displayed:

      Enter password of admin:
      
      NOTE:

      admin is the username configured during the Agent installation.

    5. Enter the login password for the Agent and press Enter.

      The following command output is displayed:

      Enter old password:
      

    6. Input the old private key password of Agent, and press Enter.

      The following command output is displayed:

      Enter new password:
      Enter the new password again:
      

    7. Input the new private key password twice, and press Enter.

      NOTE:
      A password must meet the following complexity requirements:
      • Contains 8 to 16 characters.
      • Must contain at least one of the following special characters: `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
      • Must contain at least two of the following types:
        • At least one lowercase letter
        • At least one uppercase letter
        • At least one digit
      • Cannot be the same as the user name or the reverse of the user name.
      • Cannot be the same as any old password.
      • Cannot contain spaces.

      The following command output is displayed:

      Operation Processed Successfully.
      Please restart agent to enable the new password.
      

    8. The password is changed. Restart the eReplication Agent for the new password to take effect. During the restart, the eReplication service is suspended.
  • Windows
    1. Log in to the eReplication Agent as an administrator.
    2. Open the CLI and go to the installation path\bin directory.
    3. Run the agentcli.exe chgcrtpwd command.

      The following command output is displayed:

      Enter password of admin:
      
      NOTE:

      admin is the username configured during the Agent installation.

    4. Enter the login password for the Agent and press Enter.

      The following command output is displayed:

      Enter old password:

    5. Input the old private key password of Agent, and press Enter.

      The following command output is displayed:

      Enter new password:
      Enter the new password again:
      

    6. Enter the new private key password of the Agent twice, pressing Enter after each entry.

      NOTE:
      A password must meet the following complexity requirements:
      • Contains 8 to 16 characters.
      • Must contain at least one of the following special characters: `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
      • Must contain at least two of the following types:
        • At least one lowercase letter
        • At least one uppercase letter
        • At least one digit
      • Cannot be the same as the user name or the reverse of the user name.
      • Cannot be the same as any old password.
      • Cannot contain spaces.

      The following command output is displayed:

      writing RSA key
      Operation Processed Successfully.
      Please restart agent to enable the new password.
      

    7. The password is changed successfully. Restart the eReplication Agent for the new password to take effect. During the restart, the eReplication service is suspended.
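The complexity rules printed in the Server section (Context) and in the Agent steps above differ only in the set of accepted special characters. The following POSIX shell function is an added example, not part of the Huawei guide or the product, that checks a candidate password against either rule set before you type it into the interactive prompt. check_bcm_password, bcm_reverse, the profile names server and agent and the optional old-password argument are this example's own. The guide's rule that a password cannot equal any old password needs a history the script does not have, so only the single old password you pass is compared.

```shell
#!/bin/sh
# Validator for eReplication private key passwords. Added example, not from the
# Huawei guide. Encodes the two complexity rule sets printed in the guide:
#   server: special characters ~!@#$%*-_=+[{}];:\,./?
#   agent:  special characters `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
#
# check_bcm_password PROFILE USERNAME PASSWORD [OLD_PASSWORD]
#   PROFILE is "server" or "agent"; returns 0 if PASSWORD satisfies the rules,
#   1 (with a reason on stderr) if it does not, 2 for an unknown profile.

# Reverse a string in pure shell (rev(1) is not present on every platform the guide covers).
bcm_reverse() {
    s=$1; r=
    while [ -n "$s" ]; do
        r=$r${s#"${s%?}"}      # append the last character of $s
        s=${s%?}               # drop that character
    done
    printf '%s' "$r"
}

check_bcm_password() {
    profile=$1; user=$2; pw=$3; old=${4:-}
    # Bracket expressions for grep -E: "]" first and "-" last so both are literal;
    # a backslash inside [...] is literal in POSIX ERE.
    case $profile in
        server) special='[]~!@#$%*_=+[{};:\,./?-]' ;;
        agent)  special='[]`~!@#$%^&*()_=+\|[{};:'\''",<.>/?-]' ;;
        *) echo "unknown profile: $profile" >&2; return 2 ;;
    esac

    n=${#pw}
    if [ "$n" -lt 8 ] || [ "$n" -gt 16 ]; then
        echo "FAIL: length must be 8 to 16 characters (got $n)" >&2; return 1
    fi
    case $pw in *' '*) echo "FAIL: spaces are not allowed" >&2; return 1 ;; esac
    if ! printf '%s\n' "$pw" | grep -Eq "$special"; then
        echo "FAIL: no special character from the $profile set" >&2; return 1
    fi
    # At least two of: lowercase letter, uppercase letter, digit.
    types=0
    case $pw in *[[:lower:]]*) types=$((types + 1)) ;; esac
    case $pw in *[[:upper:]]*) types=$((types + 1)) ;; esac
    case $pw in *[[:digit:]]*) types=$((types + 1)) ;; esac
    if [ "$types" -lt 2 ]; then
        echo "FAIL: need at least two of lowercase, uppercase, digit" >&2; return 1
    fi
    if [ "$pw" = "$user" ] || [ "$pw" = "$(bcm_reverse "$user")" ]; then
        echo "FAIL: password equals the user name or its reverse" >&2; return 1
    fi
    if [ -n "$old" ] && [ "$pw" = "$old" ]; then
        echo "FAIL: password equals the old password" >&2; return 1
    fi
    return 0
}

# Usage (candidate password for the Agent, checked against the default it replaces):
#   check_bcm_password agent admin 'Admin^Pass1' 'BCM@DataProtect123' && echo "accepted"
```

Note that the two sets are not interchangeable: a password whose only special character is ^ or ( passes the agent check and fails the server check, which is the kind of surprise this check is meant to catch before the interactive prompt rejects the password.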

Replacing a Quorum Server Certificate

If a quorum server certificate has expired, you need to replace it with the latest certificate or use a certificate issued by a third-party certification authority for security purposes. Perform replacement during off-peak hours.

Prerequisites

  • You have obtained a cross-platform remote access tool, such as PuTTY.
  • You have obtained the password of user root for the Linux management node on which the cloud platform quorum (arbitration) service is to be configured.
  • You have obtained the quorum server certificate.
    NOTE:

    The path for obtaining the quorum server certificate is as follows: /opt/arbitration-etcd/keystore/ca.crt

Procedure

  1. Use PuTTY to log in to the host where the eReplication Server resides.

    • In template-based installation mode: Log in as user DRManager, and run the su root command to switch to user root.
    • In software package-based installation mode: Log in as user root.
    NOTE:
    The default password of user DRManager is Huawei@CLOUD8. In template-based installation mode, the default password of user root is Huawei@CLOUD8!. These defaults are published in this guide; if they are still in use on the management server, change them.

  2. Run the TMOUT=0 command to prevent PuTTY from exiting due to session timeout.

    NOTE:

    With TMOUT=0 the shell session never times out, so an unattended terminal stays logged in as root, which is a security risk. Run exit as soon as you have finished.

  3. Run the cd /opt/BCManager/Runtime/bin command to go to the directory where the script is stored.

    NOTE:

    In Linux, the installation path of the eReplication Server is /opt/BCManager. The path is fixed.

  4. Run the sh shutdownSystem.sh command.
  5. Type y and press Enter.
  6. Replace the certificate at /opt/BCManager/Runtime/LegoRuntime/certs/ca.crt with the latest cloud platform certificate (obtained from /opt/arbitration-etcd/keystore/ca.crt, as listed in the prerequisites).
  7. Configure the cloud platform arbitration service. For details, see Configuring the Cloud Platform Quorum Service.
Updated: 2019-05-21

Document ID: EDOC1100075861

Views: 14067

Downloads: 68

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next