Follow these steps on both Ecosystem Manager servers to import the client certificate and create the broker TrustStore. Repeat these steps for every client certificate.
- Create a folder named /home/em to hold the client_cert and keystore files.
- Copy the client certificate file from the client and run:

```sh
keytool -import -alias <hostname-of-EM-client> -keystore broker.ts -file client_cert
```

The system responds as shown below:

```text
Enter keystore password:
Re-enter new password:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: ed415cb
Valid from: Tue Jun 23 18:21:18 UTC 2015 until: Mon Sep 21 18:21:18 UTC 2015
Certificate fingerprints:
     MD5:  9F:47:D4:AE:98:69:FA:D9:F6:C7:DB:F4:BA:2A:C2:59
     SHA1: 62:3A:AB:F0:72:F5:3E:91:FD:E9:3E:C5:85:DC:37:52:B3:34:FD:D0
     SHA256: 27:D2:02:A7:B1:0C:19:BA:D0:2A:E1:CA:86:B0:63:19:97:3F:08:61:DC:51:B1:B8:AB:0D:BE:E1:E6:19:BD:62
     Signature algorithm name: SHA256withRSA
     Version: 3
Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BB C4 91 8C 24 04 54 1F   DF DB 3D 98 43 CE AE ED  ....$.T...=.C...
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
```
This creates a TrustStore for the broker, which lets the broker trust the client. Make sure that broker.ts has been created.
- Create a certificate/keystore for the active and standby Ecosystem Manager servers:

```sh
keytool -genkey -alias <hostname-of-EM-client> -keyalg RSA -keystore server.ks
```

The system prompts for the following information. Make sure the keystore file is created on every participating EM client system.

```text
Enter your keystore password:
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes
Enter key password for <hostname-of-EM-client>
     (RETURN if same as keystore password):
```
- Create a TrustStore for the server and import the broker certificate on both Ecosystem Manager servers with the following commands:
- On the active EM server, run:

```sh
keytool -import -alias <hostname-of-Active-Server> -keystore server.ts -file /opt/teradata/jvm64/jdk7/bin/broker_cert1
```

The system responds with:

```text
Enter keystore password:
Re-enter new password:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 559b65aa
Valid from: Tue Jun 23 18:15:54 UTC 2015 until: Mon Sep 21 18:15:54 UTC 2015
Certificate fingerprints:
     MD5:  97:3A:70:71:B5:5E:12:0A:7D:AD:A7:94:A5:BF:1A:0C
     SHA1: 8B:A9:37:A0:15:61:ED:25:1F:AA:47:6D:1F:F1:73:D5:D9:C4:69:54
     SHA256: 46:B9:B2:9D:E4:AE:E3:26:CC:D5:4C:B7:56:ED:98:8D:4F:82:76:87:73:0E:49:E3:CF:70:AC:2F:66:D4:88:1F
     Signature algorithm name: SHA256withRSA
     Version: 3
Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0F CA D5 A2 22 6B 74 40   45 ED 2D 63 7F 7B 03 17  ...."kt@E.-c....
0010: CA BE 18 0B                                        ....
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
```
- On the standby EM server, run:

```sh
keytool -import -alias <hostname-of-Standby-Server> -keystore server.ts -file /opt/teradata/jvm64/jdk7/bin/broker_cert2
```

The system responds with:

```text
Enter keystore password:
Re-enter new password:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 559b65aa
Valid from: Tue Jun 23 18:15:54 UTC 2015 until: Mon Sep 21 18:15:54 UTC 2015
Certificate fingerprints:
     MD5:  97:3A:70:71:B5:5E:12:0A:7D:AD:A7:94:A5:BF:1A:0C
     SHA1: 8B:A9:37:A0:15:61:ED:25:1F:AA:47:6D:1F:F1:73:D5:D9:C4:69:54
     SHA256: 46:B9:B2:9D:E4:AE:E3:26:CC:D5:4C:B7:56:ED:98:8D:4F:82:76:87:73:0E:49:E3:CF:70:AC:2F:66:D4:88:1F
     Signature algorithm name: SHA256withRSA
     Version: 3
Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0F CA D5 A2 22 6B 74 40   45 ED 2D 63 7F 7B 03 17  ...."kt@E.-c....
0010: CA BE 18 0B                                        ....
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
```
This establishes that the Ecosystem Manager services running on an Ecosystem Manager server "trust" the broker, and it creates a TrustStore for the server.
- Export the server certificate so that it can be shared with the broker by running the following commands on the EM servers:
- On the active EM server, run:

```sh
# server.ks holds the key pair generated with -genkey above; -export writes its certificate to server_cert
keytool -export -alias <hostname-of-Active-EM-server> -keystore server.ks -file server_cert
```

The system responds with:

```text
Enter keystore password:
Certificate stored in file <server_cert>
```
- On the standby EM server, run:

```sh
# server.ks holds the key pair generated with -genkey above; -export writes its certificate to server_cert
keytool -export -alias <hostname-of-Standby-EM-server> -keystore server.ks -file server_cert
```

The system responds with:

```text
Enter keystore password:
Certificate stored in file <server_cert>
```
- Import the server certificate into the broker TrustStore:
- On the active EM server, run:

```sh
keytool -import -alias <hostname-of-Active-EM-server> -keystore broker.ts -file server_cert
```

The system responds with:

```text
Enter keystore password:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 300263d1
Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015
Certificate fingerprints:
     MD5:  C1:1C:8C:C0:9B:A5:42:60:A0:A8:CC:CF:62:65:52:0D
     SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2
     SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2
     Signature algorithm name: SHA256withRSA
     Version: 3
Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 83 75 6D 0E A2 76 EE 16   84 09 13 40 AF F4 88 8A  .um..v.....@....
0010: 50 65 D2 03                                        Pe..
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
```
- On the standby EM server, run:

```sh
keytool -import -alias <hostname-of-Standby-EM-server> -keystore broker.ts -file server_cert
```

The system responds with:

```text
Enter keystore password:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 300263d1
Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015
Certificate fingerprints:
     MD5:  C1:1C:8C:C0:9B:A5:42:60:A0:A8:CC:CF:62:65:52:0D
     SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2
     SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2
     Signature algorithm name: SHA256withRSA
     Version: 3
Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 83 75 6D 0E A2 76 EE 16   84 09 13 40 AF F4 88 8A  .um..v.....@....
0010: 50 65 D2 03                                        Pe..
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
```
- Copy the broker.ks and broker.ts files to /opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/.
- To set the ACTIVEMQ_SSL_OPTS environment variable, open /etc/profile and add the following entry at the end of the file:

```sh
ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/broker.ks -Djavax.net.ssl.keyStorePassword=password'; export ACTIVEMQ_SSL_OPTS
```

Use the keystore password in this entry.
- Save the changes and source /etc/profile so that the ACTIVEMQ_SSL_OPTS environment variable is available in the current session:

```sh
source /etc/profile
```
- Update /etc/init.d/tdactivemq on both EM servers. Find the line that begins with:

```sh
export ACTIVEMQ_OPTS=...=1500
```

and change it to:

```sh
export ACTIVEMQ_OPTS=...=1500 $ACTIVEMQ_SSL_OPTS
```
- Open the broker configuration file at /opt/teradata/tdactivemq/config/td-broker.xml and change keyStorePassword and trustStorePassword:

```xml
<sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/broker.ks" keyStorePassword="password"
                trustStore="file:${activemq.base}/conf/broker.ts" trustStorePassword="password"/>
</sslContext>
```
- Enable SSL (uncomment it if it is commented out) in /opt/teradata/tdactivemq/config/td-broker.xml:

```xml
<transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true"/>
</transportConnectors>
```
- Grant 777 access permissions to /home/em and to all the files it contains.
- Change the emeventconsumer service start script so that it includes the SSL option:
- Copy the original file:

```sh
cp /opt/teradata/emserver/bin/emeventconsumer /opt/teradata/emserver/bin/emeventconsumer.original
```
- Log in as syncuser, open the $EM_HOME/bin/emeventconsumer file, and change tcp to ssl:

```sh
BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2`
if [ "$BROKER" != "" ]
then
    if [ "$BROKER_LIST" == "" ]
    then
        BROKER_LIST="tcp://$BROKER?wireFormat.maxInactivityDuration=0"
    else
        BROKER_LIST="$BROKER_LIST,tcp://$BROKER?wireFormat.maxInactivityDuration=0"
    fi
fi
```

Change to:

```sh
BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2`
if [ "$BROKER" != "" ]
then
    if [ "$BROKER_LIST" == "" ]
    then
        BROKER_LIST="ssl://$BROKER?wireFormat.maxInactivityDuration=0"
    else
        BROKER_LIST="$BROKER_LIST,ssl://$BROKER?wireFormat.maxInactivityDuration=0"
    fi
fi
```
- Open the $EM_HOME/bin/emeventconsumer file and find the start function:

```sh
if [ "$SYNCUSER" == "" ]; then
    nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG \
        -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" \
        --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID \
        --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=$ADMINEMAILADDR \
        --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer \
        --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL \
        > $EM_HOME/logs/emeventconsumer.log 2>&1 &
else
    if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
        /bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' \
            --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID \
            --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=$ADMINEMAILADDR \
            --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer \
            --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL \
            > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
    else
        nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' \
            --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID \
            --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=$ADMINEMAILADDR \
            --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer \
            --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL \
            > $EM_HOME/logs/emeventconsumer.log 2>&1 &
    fi
fi
```

Change to (the three -Djavax.net.ssl.* options are added in each of the three branches):

```sh
if [ "$SYNCUSER" == "" ]; then
    nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks \
        -Djavax.net.ssl.keyStorePassword=password \
        -Djavax.net.ssl.trustStore=/home/em/server.ts \
        -Djava.util.logging.config.file=$LOGGING_CONFIG \
        -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" \
        --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID \
        --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=$ADMINEMAILADDR \
        --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer \
        --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL \
        > $EM_HOME/logs/emeventconsumer.log 2>&1 &
else
    if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
        /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks \
            -Djavax.net.ssl.keyStorePassword=password \
            -Djavax.net.ssl.trustStore=/home/em/server.ts \
            -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' \
            --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID \
            --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=$ADMINEMAILADDR \
            --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer \
            --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL \
            > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
    else
        nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks \
            -Djavax.net.ssl.keyStorePassword=password \
            -Djavax.net.ssl.trustStore=/home/em/server.ts \
            -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' \
            --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID \
            --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=$ADMINEMAILADDR \
            --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer \
            --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL \
            > $EM_HOME/logs/emeventconsumer.log 2>&1 &
    fi
fi
```
- Copy $EM_HOME/conf/emeventconsumer to $EM_HOME/conf/emeventconsumer.original.
- In the $EM_HOME/conf/emeventconsumer file, change 61616 to 61617.
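The following is an added example, not part of the Ecosystem Manager scripts: it rebuilds the broker list the way the start script's pipeline above does, but with the ssl:// scheme, and wraps the result in the failover: URL that the --url argument expects. It assumes a configuration file with one BROKER=host:port entry per line, with # starting a comment; the sample file written at the end is constructed for the example. Unlike the script's own pipeline, it trims the blanks that the comment cut leaves behind, which would otherwise end up inside the URL.

```shell
#!/bin/sh
# Added example (not Ecosystem Manager code): rebuild the failover broker list the way the
# emeventconsumer start script does, using the ssl:// scheme instead of tcp://.
# Assumption: one "BROKER=host:port" entry per line; "#" starts a comment.

build_broker_list() {
    # $1 = path to the configuration file, $2 = URL scheme (tcp or ssl; default ssl)
    conf="$1"
    scheme="${2:-ssl}"
    BROKER_LIST=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Same pipeline as the start script: keep BROKER= lines, drop the comment part,
        # take the value after "=". A commented-out "# BROKER=..." line yields an empty
        # value and is skipped. Note that a value containing "=" would be truncated by cut.
        BROKER=$(printf '%s\n' "$line" | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2)
        # The comment cut leaves trailing blanks behind; trim them so they do not reach the URL.
        BROKER=$(printf '%s' "$BROKER" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$BROKER" != "" ]; then
            if [ "$BROKER_LIST" = "" ]; then
                BROKER_LIST="$scheme://$BROKER?wireFormat.maxInactivityDuration=0"
            else
                BROKER_LIST="$BROKER_LIST,$scheme://$BROKER?wireFormat.maxInactivityDuration=0"
            fi
        fi
    done < "$conf"
    printf '%s\n' "$BROKER_LIST"
}

failover_url() {
    # Wraps the list in the failover transport, as the --url argument of the start script does.
    printf 'failover:(%s)\n' "$(build_broker_list "$1" "$2")"
}

# Constructed sample configuration for the example (not a real EM file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# BROKER=oldhost:61616   commented out, must be ignored
BROKER=emactive.example:61617   # active EM server
BROKER=emstandby.example:61617
EOF

failover_url "$SAMPLE_CONF" ssl
```

Running the script prints a single failover: URL listing both brokers on port 61617 with the ssl:// scheme; passing tcp as the second argument reproduces the pre-change list, which makes it easy to diff the two.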
- Change the empublisher service start script so that it includes the SSL option:
- Copy the original file:

```sh
cp /opt/teradata/emserver/bin/empublisher /opt/teradata/emserver/bin/empublisher.original
```
- Open the $EM_HOME/bin/empublisher file and find the start function:

```sh
if [ "$SYNCUSER" == "" ]; then
    nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS \
        -Djava.util.logging.config.file=$LOGGING_CONFIG \
        -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=$NUM_THREADS \
        > $EM_HOME/logs/empublisher.log 2>&1 &
else
    if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
        /bin/su $SYNCUSER -c "nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS \
            -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=$NUM_THREADS \
            > $EM_HOME/logs/empublisher.log 2>&1 &"
    else
        nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS \
            -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=$NUM_THREADS \
            > $EM_HOME/logs/empublisher.log 2>&1 &
    fi
fi
```

Change to (the three -Djavax.net.ssl.* options are added in each of the three branches):

```sh
if [ "$SYNCUSER" == "" ]; then
    nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks \
        -Djavax.net.ssl.keyStorePassword=password \
        -Djavax.net.ssl.trustStore=/home/em/server.ts \
        -Dservice_name=empublisher $SERVICE_FLAGS \
        -Djava.util.logging.config.file=$LOGGING_CONFIG \
        -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=$NUM_THREADS \
        > $EM_HOME/logs/empublisher.log 2>&1 &
else
    if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
        /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks \
            -Djavax.net.ssl.keyStorePassword=password \
            -Djavax.net.ssl.trustStore=/home/em/server.ts \
            -Dservice_name=empublisher $SERVICE_FLAGS \
            -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=$NUM_THREADS \
            > $EM_HOME/logs/empublisher.log 2>&1 &"
    else
        nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks \
            -Djavax.net.ssl.keyStorePassword=password \
            -Djavax.net.ssl.trustStore=/home/em/server.ts \
            -Dservice_name=empublisher $SERVICE_FLAGS \
            -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=$NUM_THREADS \
            > $EM_HOME/logs/empublisher.log 2>&1 &
    fi
fi
```
- Copy the $EM_HOME/conf/transport.properties file to $EM_HOME/conf/transport.properties.original.
- In $EM_HOME/conf/transport.properties, change 61616 to 61617.
- In $EM_HOME/conf/transport.properties, change tcp to ssl.
- Copy the broker.ks and broker.ts files to the /opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/ folder.
- Copy the client.ks and client.ts files from the Ecosystem Manager clients to the /opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/ folder.
- Start tdactivemq:

```sh
/etc/init.d/tdactivemq start
```

- Check the activemq log file to make sure it includes 61616 and 61617:

```text
/var/opt/teradata/tdactivemq/logs/activemq.log
```

- Start all emservices by running the following script as syncuser on the active EM server:

```sh
$EM_HOME/bin/emsetactive.sh
```
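Two checks worth running after the steps above, given here as an added example that is not part of the product: comparing the SHA256 fingerprint shown when server_cert was exported (or printed with keytool -printcert) against the one displayed at the "Trust this certificate?" prompt, so that what was answered "yes" to is really the server certificate and not some other file, and confirming from activemq.log that the broker is listening on both 61616 and 61617. The functions read saved keytool output and the log from text files. The keytool fragments below are constructed for the example, with the fingerprints copied from the output shown earlier on this page; the activemq.log line format is assumed.

```shell
#!/bin/sh
# Added example (not part of Ecosystem Manager): post-setup checks for the certificate
# exchange and the broker listeners. Assumption: keytool output (from -import, -printcert
# or -list -v) has been saved to text files; the log line format is assumed.

sha256_fingerprint() {
    # $1 = file holding keytool output; prints the value of the first SHA256: line
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' "$1" | head -n 1
}

same_certificate() {
    # $1, $2 = two saved keytool outputs; succeeds only when both carry the same,
    # non-empty SHA256 fingerprint. This is the comparison to make before answering
    # "yes" at the "Trust this certificate?" prompt.
    a=$(sha256_fingerprint "$1")
    b=$(sha256_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

broker_listens_on_both_ports() {
    # $1 = activemq.log; succeeds when the plain (61616) and SSL (61617) listeners
    # both report that they are listening
    grep -q 'Listening for connections at: tcp://[^ ]*:61616' "$1" &&
    grep -q 'Listening for connections at: ssl://[^ ]*:61617' "$1"
}

# --- constructed sample data for the example (fingerprints taken from the page) ---
SERVER_CERT_OUT=$(mktemp); TRUSTSTORE_ENTRY_OUT=$(mktemp); OTHER_CERT_OUT=$(mktemp); AMQ_LOG=$(mktemp)

# output saved from the export of server_cert (keytool -printcert -file server_cert)
cat > "$SERVER_CERT_OUT" <<'EOF'
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 300263d1
Certificate fingerprints:
     SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2
EOF

# entry as listed from broker.ts after the import (keytool -list -v -keystore broker.ts)
cat > "$TRUSTSTORE_ENTRY_OUT" <<'EOF'
Alias name: emactive
Entry type: trustedCertEntry
Serial number: 300263d1
Certificate fingerprints:
     SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2
EOF

# a different certificate (the broker's own, from broker_cert1) for the mismatch case
cat > "$OTHER_CERT_OUT" <<'EOF'
Serial number: 559b65aa
Certificate fingerprints:
     SHA256: 46:B9:B2:9D:E4:AE:E3:26:CC:D5:4C:B7:56:ED:98:8D:4F:82:76:87:73:0E:49:E3:CF:70:AC:2F:66:D4:88:1F
EOF

# constructed activemq.log excerpt with both transport connectors up
cat > "$AMQ_LOG" <<'EOF'
2015-06-23 18:40:02,101 | INFO  | Listening for connections at: tcp://emactive:61616?maximumConnections=1000 | org.apache.activemq.transport.TransportServerThreadSupport | main
2015-06-23 18:40:02,340 | INFO  | Listening for connections at: ssl://emactive:61617?needClientAuth=true | org.apache.activemq.transport.TransportServerThreadSupport | main
EOF

same_certificate "$SERVER_CERT_OUT" "$TRUSTSTORE_ENTRY_OUT" && echo "server_cert matches the broker.ts entry"
same_certificate "$SERVER_CERT_OUT" "$OTHER_CERT_OUT" || echo "broker_cert1 is a different certificate"
broker_listens_on_both_ports "$AMQ_LOG" && echo "broker listens on 61616 and 61617"
```

On a live system, replace the constructed files with the real keytool output and /var/opt/teradata/tdactivemq/logs/activemq.log; a missing SHA256 line makes same_certificate fail rather than pass, so an empty or truncated capture is never treated as a match.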