Follow these steps on the Ecosystem Manager server to import the client certificate and build the broker truststore (TrustStore). Repeat these steps for every client certificate.
- Create a folder named /home/em to hold the client_cert and keystore files.
- Copy the client certificate file from the client and run the command:
  keytool -import -alias <hostname-of-EM-client> -keystore broker.ts -file client_cert
  The system responds as shown below:
Enter keystore password:
Re-enter new password:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: ed415cb
Valid from: Tue Jun 23 18:21:18 UTC 2015 until: Mon Sep 21 18:21:18 UTC 2015
Certificate fingerprints:
	 MD5:  9F:47:D4:AE:98:69:FA:D9:F6:C7:DB:F4:BA:2A:C2:59
	 SHA1: 62:3A:AB:F0:72:F5:3E:91:FD:E9:3E:C5:85:DC:37:52:B3:34:FD:D0
	 SHA256: 27:D2:02:A7:B1:0C:19:BA:D0:2A:E1:CA:86:B0:63:19:97:3F:08:61:DC:51:B1:B8:AB:0D:BE:E1:E6:19:BD:62
	 Signature algorithm name: SHA256withRSA
	 Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BB C4 91 8C 24 04 54 1F DF DB 3D 98 43 CE AE ED ....$.T...=.C...
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
This creates a truststore (TrustStore) for the broker, which allows the broker to trust the client.
- Make sure the broker.ts file has been created.
- Create a certificate/keystore for the Ecosystem Manager server:
  keytool -genkey -alias <hostname-of-EM-server> -keyalg RSA -keystore server.ks
- Answer the same questions and use the password you saved when you created the broker keystore file.
Enter keystore password:
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes
Enter key password for <hostname-of-EM-server>
	(RETURN if same as keystore password):
- Create a truststore for the server and import the broker certificate with the following command:
  keytool -import -alias <hostname-of-EM-server> -keystore server.ts -file /opt/teradata/jvm64/jdk7/bin/broker_cert
  The system responds with the following:
Enter keystore password:
Re-enter new password:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 559b65aa
Valid from: Tue Jun 23 18:15:54 UTC 2015 until: Mon Sep 21 18:15:54 UTC 2015
Certificate fingerprints:
	 MD5:  97:3A:70:71:B5:5E:12:0A:7D:AD:A7:94:A5:BF:1A:0C
	 SHA1: 8B:A9:37:A0:15:61:ED:25:1F:AA:47:6D:1F:F1:73:D5:D9:C4:69:54
	 SHA256: 46:B9:B2:9D:E4:AE:E3:26:CC:D5:4C:B7:56:ED:98:8D:4F:82:76:87:73:0E:49:E3:CF:70:AC:2F:66:D4:88:1F
	 Signature algorithm name: SHA256withRSA
	 Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0F CA D5 A2 22 6B 74 40 45 ED 2D 63 7F 7B 03 17 ...."kt@E.-c....
0010: CA BE 18 0B                                     ....
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
This establishes that the Ecosystem Manager services running on an Ecosystem Manager server "trust" the broker, and creates a truststore (TrustStore) for the server.
- Export the server certificate so that it can be shared with the broker:
  keytool -export -alias <hostname-of-EM-server> -keystore server.ks -file server_cert
  The system responds with the following:
Enter keystore password:
Certificate stored in file server_cert
- Import the server certificate:
  keytool -import -alias <hostname-of-EM-server> -keystore broker.ts -file server_cert
  The system responds with the following:
Enter keystore password:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 300263d1
Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015
Certificate fingerprints:
	 MD5:  C1:1C:8C:C0:9B:A5:42:60:A0:A8:CC:CF:62:65:52:0D
	 SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2
	 SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2
	 Signature algorithm name: SHA256withRSA
	 Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 83 75 6D 0E A2 76 EE 16 84 09 13 40 AF F4 88 8A .um..v.....@....
0010: 50 65 D2 03                                     Pe..
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
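Each of the three import steps above ends with keytool asking "Trust this certificate? [no]:". The fingerprints it prints are the only thing that ties the file on disk to the certificate the other side actually generated, so the answer should be "yes" only after the SHA256 fingerprint has been compared with the value the owning administrator reported out of band. The following script is an added example and not part of the Ecosystem Manager documentation; it extracts the SHA256 line from keytool output (which keytool can print without importing, via keytool -printcert -file client_cert) and compares it with an expected value. The sample output embedded below is constructed from the client_cert transcript above.

```shell
#!/bin/sh
# Added example, not part of the Ecosystem Manager documentation: compare a certificate's
# SHA256 fingerprint with a value obtained out of band before answering "yes" to the
# "Trust this certificate? [no]:" prompt. Output with the same layout can be produced
# without importing anything:  keytool -printcert -file client_cert

# Print the SHA256 fingerprint found in keytool -printcert / -import output read from stdin.
sha256_of_printcert() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# fingerprint_matches KEYTOOL_OUTPUT EXPECTED_SHA256
# Returns 0 when the fingerprint in the keytool output equals the expected one
# (case-insensitive), 1 when it differs or when no SHA256 line is present at all.
fingerprint_matches() {
    actual=$(printf '%s\n' "$1" | sha256_of_printcert | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample: the fingerprint section of the client_cert import shown above.
SAMPLE_PRINTCERT='Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: ed415cb
Certificate fingerprints:
     MD5:  9F:47:D4:AE:98:69:FA:D9:F6:C7:DB:F4:BA:2A:C2:59
     SHA1: 62:3A:AB:F0:72:F5:3E:91:FD:E9:3E:C5:85:DC:37:52:B3:34:FD:D0
     SHA256: 27:D2:02:A7:B1:0C:19:BA:D0:2A:E1:CA:86:B0:63:19:97:3F:08:61:DC:51:B1:B8:AB:0D:BE:E1:E6:19:BD:62
     Signature algorithm name: SHA256withRSA'

# The value the client administrator reported out of band (here taken from the same transcript).
EXPECTED_SHA256='27:D2:02:A7:B1:0C:19:BA:D0:2A:E1:CA:86:B0:63:19:97:3F:08:61:DC:51:B1:B8:AB:0D:BE:E1:E6:19:BD:62'

if fingerprint_matches "$SAMPLE_PRINTCERT" "$EXPECTED_SHA256"; then
    echo "SHA256 fingerprint matches; answering yes to keytool is justified"
else
    echo "SHA256 fingerprint does NOT match; do not import this certificate" >&2
fi
```

In practice the keytool output would be captured with `keytool -printcert -file client_cert` and passed as the first argument, and the expected value typed in from the other administrator's message; the MD5 and SHA1 lines are deliberately ignored because only SHA256 is worth comparing.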
- Copy the broker.ks and broker.ts files to /opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/.
- To configure the ACTIVEMQ_SSL_OPTS environment variable, open the /etc/profile file and add the following entry at the end of the file:
  ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/broker.ks -Djavax.net.ssl.keyStorePassword=password'; export ACTIVEMQ_SSL_OPTS
Use the keystore password as the keyStorePassword value in this entry.
- Save the changes and source /etc/profile so that the ACTIVEMQ_SSL_OPTS environment variable is available in the current session:
  source /etc/profile
- Update /etc/init.d/tdactivemq on both EM servers. Find the line that begins with export ACTIVEMQ_OPTS=...=1500 and change it to export ACTIVEMQ_OPTS=...=1500 $ACTIVEMQ_SSL_OPTS
- Open the broker configuration file at /opt/teradata/tdactivemq/config/td-broker.xml and change keyStorePassword and trustStorePassword:
<sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/broker.ks" keyStorePassword="password"
                trustStore="file:${activemq.base}/conf/broker.ts" trustStorePassword="password"/>
</sslContext>
- Enable SSL (uncomment it if it is commented out) in /opt/teradata/tdactivemq/config/td-broker.xml:
<transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true"/>
</transportConnectors>
- Grant 777 access permissions to /home/em and all the files it contains.
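The two td-broker.xml edits above are what make the truststore built earlier matter: needClientAuth=true on the ssl connector is what forces a connecting service to present a certificate found in broker.ts, and the <sslContext> paths must point at files that exist or the broker will not start its ssl connector. The script below is an added example, not part of the Ecosystem Manager documentation or the ActiveMQ distribution; it checks both conditions against a constructed td-broker.xml modelled on the fragments above, stripping XML comments first so that a connector that is still commented out is not mistaken for an enabled one. Resolving ${activemq.base} against a directory passed as an argument is an assumption about the deployment layout.

```shell
#!/bin/sh
# Added example, not part of the Ecosystem Manager documentation: sanity-check a td-broker.xml
# before starting tdactivemq. Confirms that an uncommented ssl transportConnector requires
# client certificates (needClientAuth=true) and that the keyStore/trustStore files named in
# <sslContext> exist. ${activemq.base} is resolved against the directory given as argument 2
# (an assumption about the deployment layout).

# Copy stdin to stdout with <!-- ... --> comments removed, including multi-line ones.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                e = index(line, "-->")
                if (e == 0) { line = ""; break }
                line = substr(line, e + 3); incomment = 0
            } else {
                s = index(line, "<!--")
                if (s == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, s - 1)
                line = substr(line, s + 4); incomment = 1
            }
        }
        print out
    }'
}

# ssl_connector_requires_client_auth TD_BROKER_XML
# Returns 0 if an active transportConnector uses an ssl:// URI with needClientAuth=true.
ssl_connector_requires_client_auth() {
    strip_xml_comments < "$1" \
        | grep -q '<transportConnector[^>]*uri="ssl://[^"]*needClientAuth=true'
}

# keystores_present TD_BROKER_XML ACTIVEMQ_BASE
# Returns 0 if both the keyStore and the trustStore referenced in <sslContext> are readable.
keystores_present() {
    xml=$1
    base=$2
    found=0
    for store in $(strip_xml_comments < "$xml" \
            | grep -E -o '(keyStore|trustStore)="file:[^"]*"' \
            | sed 's/^[a-zA-Z]*="file://; s/"$//; s#\${activemq\.base}#'"$base"'#'); do
        [ -r "$store" ] || return 1
        found=$((found + 1))
    done
    [ "$found" -eq 2 ]
}

# Constructed sample deployment: empty placeholder files stand in for the real keystores.
SAMPLE_BASE=$(mktemp -d)
mkdir -p "$SAMPLE_BASE/conf"
: > "$SAMPLE_BASE/conf/broker.ks"
: > "$SAMPLE_BASE/conf/broker.ts"
SAMPLE_XML="$SAMPLE_BASE/td-broker.xml"
cat > "$SAMPLE_XML" <<'EOF'
<broker>
  <sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/broker.ks" keyStorePassword="password"
                trustStore="file:${activemq.base}/conf/broker.ts" trustStorePassword="password"/>
  </sslContext>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    <!-- <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/> -->
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true"/>
  </transportConnectors>
</broker>
EOF
# A second copy in which the client-auth connector is still commented out.
SAMPLE_XML_DISABLED="$SAMPLE_BASE/td-broker-disabled.xml"
sed 's#^\(.*needClientAuth=true.*\)$#<!-- \1 -->#' "$SAMPLE_XML" > "$SAMPLE_XML_DISABLED"

for f in "$SAMPLE_XML" "$SAMPLE_XML_DISABLED"; do
    if ssl_connector_requires_client_auth "$f"; then
        echo "$f: ssl connector enforces client authentication"
    else
        echo "$f: NO active ssl connector with needClientAuth=true"
    fi
done
keystores_present "$SAMPLE_XML" "$SAMPLE_BASE" && echo "keystore and truststore are present"
```

Run against the real file as `ssl_connector_requires_client_auth /opt/teradata/tdactivemq/config/td-broker.xml` and `keystores_present /opt/teradata/tdactivemq/config/td-broker.xml /opt/teradata/tdactivemq/apache-activemq-5.13.1` before the "Start tdactivemq" step; the comment stripper is what distinguishes the enabled connector from the commented-out one that the "uncomment if commented" step refers to.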
- Change the emeventconsumer service start script so that it includes the SSL option:
- Copy the original file:
  cp /opt/teradata/emserver/bin/emeventconsumer /opt/teradata/emserver/bin/emeventconsumer.original
- Log in as syncuser and open the $EM_HOME/bin/emeventconsumer file; then change tcp to ssl:
BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2`
if [ "$BROKER" != "" ]
then
    if [ "$BROKER_LIST" == "" ]
    then
        BROKER_LIST="tcp://$BROKER?wireFormat.maxInactivityDuration=0"
    else
        BROKER_LIST="$BROKER_LIST,tcp://$BROKER?wireFormat.maxInactivityDuration=0"
    fi
fi
Change to:
BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2`
if [ "$BROKER" != "" ]
then
    if [ "$BROKER_LIST" == "" ]
    then
        BROKER_LIST="ssl://$BROKER?wireFormat.maxInactivityDuration=0"
    else
        BROKER_LIST="$BROKER_LIST,ssl://$BROKER?wireFormat.maxInactivityDuration=0"
    fi
fi
- Open the $EM_HOME/bin/emeventconsumer file and find the start function:
if [ "$SYNCUSER" == "" ]; then
    nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS \
        "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME \
        --clientId=$CLIENTID --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR \
        --adminEmailAddr=$ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount \
        --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval \
        --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
else
    if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
        /bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS \
            --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME \
            --clientId=$CLIENTID --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR \
            --adminEmailAddr=$ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount \
            --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval \
            --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
    else
        nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS \
            --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME \
            --clientId=$CLIENTID --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR \
            --adminEmailAddr=$ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount \
            --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval \
            --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
    fi
fi
Change to:
if [ "$SYNCUSER" == "" ]; then
    nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=password \
        -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG \
        -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS \
        "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME \
        --clientId=$CLIENTID --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR \
        --adminEmailAddr=$ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount \
        --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval \
        --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
else
    if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
        /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=password \
            -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS \
            --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME \
            --clientId=$CLIENTID --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR \
            --adminEmailAddr=$ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount \
            --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval \
            --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
    else
        nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=password \
            -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS \
            --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME \
            --clientId=$CLIENTID --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR \
            --adminEmailAddr=$ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount \
            --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval \
            --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
    fi
fi
- Copy $EM_HOME/conf/emeventconsumer to $EM_HOME/conf/emeventconsumer.original.
- In the $EM_HOME/conf/emeventconsumer file, change 61616 to 61617.
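The emeventconsumer changes above have two halves that must agree: the start script decides the URL scheme (tcp or ssl) and the config file supplies host:port for each BROKER= line, so a consumer can end up with an ssl:// URL that still points at the plain-text port 61616 if only one half is edited. The script below is an added example, not part of the Ecosystem Manager scripts; it reimplements the BROKER_LIST construction from the fragment above with the scheme as a parameter and runs it over a constructed config file, so the result of the tcp to ssl and 61616 to 61617 edits can be inspected before the real $EM_HOME/conf/emeventconsumer is touched. The config format (one BROKER=host:port per line, "#" starting a comment) is assumed from that fragment.

```shell
#!/bin/sh
# Added example, not part of the Ecosystem Manager scripts: rebuild the failover broker list
# the way the emeventconsumer start script does, with the URL scheme as a parameter, and
# count entries that still use the plain-text port. The config format is assumed from the
# BROKER= fragment in the documentation above.

# build_broker_list SCHEME CONFIG_FILE
# Prints "SCHEME://host:port?wireFormat.maxInactivityDuration=0,..." for every BROKER= line.
build_broker_list() {
    scheme=$1
    conf=$2
    broker_list=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Same extraction as the original script: keep BROKER= lines, drop "#" comments,
        # take the value after "=", then trim whitespace left over from an inline comment.
        broker=$(printf '%s\n' "$line" | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2 \
                 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        if [ "$broker" != "" ]; then
            if [ "$broker_list" = "" ]; then
                broker_list="$scheme://$broker?wireFormat.maxInactivityDuration=0"
            else
                broker_list="$broker_list,$scheme://$broker?wireFormat.maxInactivityDuration=0"
            fi
        fi
    done < "$conf"
    printf '%s\n' "$broker_list"
}

# count_plaintext_brokers BROKER_LIST
# Number of entries that still point at the plain-text OpenWire port 61616; after the
# 61616 -> 61617 change this should print 0.
count_plaintext_brokers() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -c ':61616?' || true
}

# Constructed sample config in the layout assumed above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample of $EM_HOME/conf/emeventconsumer
BROKER=emserver1.example.com:61617 # primary broker, SSL port
BROKER=emserver2.example.com:61617
# BROKER=oldserver.example.com:61616  (commented out: must be ignored)
LOGLEVEL=INFO
EOF

OLD_LIST=$(build_broker_list tcp "$SAMPLE_CONF")   # what the unmodified script would build
NEW_LIST=$(build_broker_list ssl "$SAMPLE_CONF")   # what the modified script builds
echo "before: $OLD_LIST"
echo "after:  $NEW_LIST"
echo "entries still on port 61616: $(count_plaintext_brokers "$NEW_LIST")"
```

The same two functions apply unchanged to the empublisher side, where $EM_HOME/conf/transport.properties gets the equivalent tcp to ssl and 61616 to 61617 edits.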
- Change the empublisher service start script so that it includes the SSL option:
- Copy the original file:
  cp /opt/teradata/emserver/bin/empublisher /opt/teradata/emserver/bin/empublisher.original
- Open the $EM_HOME/bin/empublisher file and find the start function:
if [ "$SYNCUSER" == "" ];then
    nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS -Djava.util.logging.config.file=$LOGGING_CONFIG \
        -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=$NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
else
    if [ "$EFFECTIVEUSER" != "$SYNCUSER" ];then
        /bin/su $SYNCUSER -c "nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=$NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &"
    else
        nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=$NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
    fi
fi
Change to:
if [ "$SYNCUSER" == "" ];then
    nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=password \
        -Djavax.net.ssl.trustStore=/home/em/server.ts -Dservice_name=empublisher $SERVICE_FLAGS \
        -Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS \
        --threadPoolSize=$NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
else
    if [ "$EFFECTIVEUSER" != "$SYNCUSER" ];then
        /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=password \
            -Djavax.net.ssl.trustStore=/home/em/server.ts -Dservice_name=empublisher $SERVICE_FLAGS \
            -Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS \
            --threadPoolSize=$NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &"
    else
        nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=password \
            -Djavax.net.ssl.trustStore=/home/em/server.ts -Dservice_name=empublisher $SERVICE_FLAGS \
            -Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS \
            --threadPoolSize=$NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
    fi
fi
- Copy the $EM_HOME/conf/transport.properties file to $EM_HOME/conf/transport.properties.original.
- In $EM_HOME/conf/transport.properties, change 61616 to 61617.
- In $EM_HOME/conf/transport.properties, change tcp to ssl.
- Copy the broker.ks and broker.ts files to the /opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/ folder.
- Copy the client.ks and client.ts files from the Ecosystem Manager clients to the /opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/ folder.
- Start tdactivemq:
  /etc/init.d/tdactivemq start
- Check the activemq log file to make sure it includes 61616 and 61617:
  /var/opt/teradata/tdactivemq/logs/activemq.log
- Start all emservices by running the following script as syncuser:
  $EM_HOME/bin/set_master_single.sh