16.20 - Configuring SSL for EM Agent Servers - Teradata Ecosystem Manager

Teradata® Ecosystem Manager Installation, Configuration, and Upgrade Guide for Customers

Product: Teradata Ecosystem Manager
Release: 16.20
Created: December 2020
Category: Configuration, Installation
Document ID: B035-3203-107K
Prerequisite: Teradata recommends using the same password for all EM Servers and EM Agent Servers.

SSL configuration for the communication between ActiveMQ, the EM Server(s), and the EM Agent Servers requires an EM maintenance outage.
The following table identifies the server references used in the examples in this procedure.
Server Reference              Description
EM Agent Server               Hostname of the current EM Agent Server being configured
em1                           Hostname of the primary EM Server
em2                           Hostname of the secondary EM Server (applies to Dual Mode operation)
keystore/truststore password  Password created for use with the EM Server and EM Agent Server keystores and truststores

Log on to the EM Agent Server and perform the following steps.

  1. Stop all EM services:
    /opt/teradata/client/em/bin/emstopall.sh
  2. Create the certificate working directory:
    mkdir /home/em
    chmod 755 /home/em
    mkdir /home/em/backup
    chmod 755 /home/em/backup
  3. Back up the EM scripts:
    cp -i $EM_HOME/bin/empublisher /home/em/backup/empublisher.original
    cp -i $EM_HOME/conf/transport.properties /home/em/backup/transport.properties.original
  4. Set the keytool extension value to be used in the store creation:
    SAN=dns:<EM Agent Server>,dns:<EM Agent Server>,dns:localhost,ip:127.0.0.1
  5. Create an EM Agent Server keystore (client.ks), passing the SAN value set in the previous step as the certificate extension:
    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -genkey -alias <EM Agent Server> -keyalg RSA -keystore client.ks -ext "$SAN" -dname "CN=<EM Agent Server>, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

    You will be prompted to enter the keystore password twice.

  6. Verify the contents of the keystore:
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -v -keystore client.ks
  7. Export the EM Agent Server certificate from the client keystore.

    A separate EM Agent Server certificate is required for each EM Agent, and will be shared with the EM Server(s).

    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -export -alias <EM Agent Server> -keystore client.ks -file client_cert.<EM Agent Server>
    You will be prompted for the following:
    • Trust this certificate (yes)
    • Enter the keystore password twice.
  8. Copy the EM Server broker certificate(s) to the EM Agent Server:
    • [Single Mode operation]
      cd /home/em
      scp em1:/home/em/broker_cert.em1 .
    • [Dual Mode operation]
      cd /home/em
      scp em1:/home/em/broker_cert.em1 .
      scp em2:/home/em/broker_cert.em2 .
      
  9. Create the EM Agent Server truststore by importing the EM Server broker certificate(s) copied in the previous step.
    There is a separate broker certificate for each EM Server.
    1. Import the primary EM Server certificate:
      cd /home/em
      /opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias em1 -keystore client.ts -file broker_cert.em1
      You will be prompted for the following:
      • Trust this certificate (yes)
      • Enter the keystore password twice.
    2. [Dual Mode operation] Import the secondary EM Server certificate:
      /opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias em2 -keystore client.ts -file broker_cert.em2
      You will be prompted for the following:
      • Trust this certificate (yes)
      • Enter the keystore password twice.
  10. Verify the contents of the truststore:
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -v -keystore client.ts
  11. Copy the EM Agent Server certificate to the EM Server(s):
    • [Single Mode operation]
      cd /home/em
      scp client_cert.<EM Agent Server> em1:/home/em/
    • [Dual Mode operation]
      cd /home/em
      scp client_cert.<EM Agent Server> em1:/home/em/
      scp client_cert.<EM Agent Server> em2:/home/em/
  12. Back up the following scripts on the EM Agent Server prior to editing.
    cp -i $EM_HOME/bin/empublisher /home/em/backup/empublisher.original
    cp -i $EM_HOME/conf/transport.properties /home/em/backup/transport.properties.original
  13. Edit $EM_HOME/bin/empublisher (start function) to add the client keystore and broker truststore settings. Comment out the original nohup line and add the nohup line that sets the javax.net.ssl properties, substituting the keystore/truststore password:
    start(){
        if [ "X$pid" == "X" ]; then
            echo -n "Starting $prog:"
            if [ "$SYNCUSER" == "" ]; then
                #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/client.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/client.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
            # ... remainder of the start function is unchanged
  14. Edit $EM_HOME/conf/transport.properties to change the protocol and port number:
    • [Single Mode operation]
      msm.amq.brokerURL = failover:(ssl://em1:61617)?randomize=false\&maxReconnectDelay=25\&maxReconnectAttempts=2
    • [Dual Mode operation]
      msm.amq.brokerURL = failover:(ssl://em1:61617,ssl://em2:61617)?randomize=false\&maxReconnectDelay=25\&maxReconnectAttempts=2
  15. Start the EM services on the EM Agent Server:
    $EM_HOME/bin/emstartall.sh
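Before the services come back up it is worth confirming that the edits in steps 13 and 14 actually took effect. The script below is an added example and is not part of the Teradata guide or product: it audits transport.properties and the live empublisher launch line the way a reviewer would, flagging any broker that is still tcp:// or not on port 61617, a launch line without the javax.net.ssl.keyStore and trustStore options, a split "- D" option or an unreplaced <keystore/truststore password> placeholder, and an empublisher file that is world-readable even though it now holds the keystore password in clear (that last requirement is this example's assumption, not a statement on the page). The good and bad sample files it writes are constructed, and the password in the good sample is a dummy value.

```shell
#!/bin/sh
# Added example, not from the Teradata guide: audit the files edited in steps
# 13 and 14 before restarting services. Sample files below are constructed.

# audit_em_ssl_config TRANSPORT_PROPERTIES EMPUBLISHER -> 0 if clean, 1 otherwise
audit_em_ssl_config() {
    tp=$1; emp=$2; rc=0

    # transport.properties: every broker inside failover:( ... ) must be ssl://host:61617
    url=$(sed -n 's/^[[:space:]]*msm\.amq\.brokerURL[[:space:]]*=[[:space:]]*//p' "$tp")
    inner=$(printf '%s\n' "$url" | sed -n 's/^failover:(\([^)]*\)).*/\1/p')
    if [ -z "$inner" ]; then
        echo "$tp: no failover:(...) brokerURL found"; rc=1
    fi
    for b in $(printf '%s\n' "$inner" | tr ',' ' '); do
        case $b in
            ssl://*:61617) ;;
            *) echo "$tp: broker '$b' is not ssl:// on port 61617"; rc=1 ;;
        esac
    done

    # empublisher: only uncommented lines that launch the consumer count
    launch=$(grep -v '^[[:space:]]*#' "$emp" | grep -F -- '$CONSUMER_CLASS' || true)
    if [ -z "$launch" ]; then
        echo "$emp: no active consumer launch line"; rc=1
    fi
    for opt in -Djavax.net.ssl.keyStore= -Djavax.net.ssl.trustStore=; do
        if ! printf '%s\n' "$launch" | grep -qF -- "$opt"; then
            echo "$emp: active launch line lacks $opt"; rc=1
        fi
    done
    if printf '%s\n' "$launch" | grep -qE -- '(^|[[:space:]])-[[:space:]]+D'; then
        echo "$emp: split '- D' option found (copy/paste artifact); the JVM option is broken"; rc=1
    fi
    if printf '%s\n' "$launch" | grep -qF -- '<keystore/truststore password>'; then
        echo "$emp: placeholder password was not replaced"; rc=1
    fi
    # Assumption of this example: the script now carries a password, so it must not be world-readable
    if [ -n "$(find "$emp" -perm -004)" ]; then
        echo "$emp: world-readable but contains the keystore password"; rc=1
    fi
    return $rc
}

# write_sample_config DIR GOOD|BAD: constructed transport.properties and empublisher
# fragment. BAD keeps a plaintext tcp:// broker, a split "- D" option and the placeholder.
write_sample_config() {
    dir=$1; kind=$2
    if [ "$kind" = GOOD ]; then
        printf '%s\n' 'msm.amq.brokerURL = failover:(ssl://em1:61617,ssl://em2:61617)?randomize=false\&maxReconnectDelay=25\&maxReconnectAttempts=2' > "$dir/transport.properties"
        cat > "$dir/empublisher" <<'EOF'
start(){
    if [ "X$pid" == "X" ]; then
        #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" > $EM_HOME/logs/empublisher.log 2>&1 &
        nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/client.ks -Djavax.net.ssl.keyStorePassword=sample-dummy-pw -Djavax.net.ssl.trustStore=/home/em/client.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" > $EM_HOME/logs/empublisher.log 2>&1 &
    fi
}
EOF
        chmod 640 "$dir/empublisher"
    else
        printf '%s\n' 'msm.amq.brokerURL = failover:(tcp://em1:61616,ssl://em2:61617)?randomize=false' > "$dir/transport.properties"
        cat > "$dir/empublisher" <<'EOF'
start(){
    if [ "X$pid" == "X" ]; then
        nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/client.ks - Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/client.ts -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" > $EM_HOME/logs/empublisher.log 2>&1 &
    fi
}
EOF
        chmod 644 "$dir/empublisher"
    fi
}

# Stand-alone demo on the constructed good and bad edits.
work=$(mktemp -d)
mkdir "$work/good" "$work/bad"
write_sample_config "$work/good" GOOD
write_sample_config "$work/bad" BAD
audit_em_ssl_config "$work/good/transport.properties" "$work/good/empublisher" && echo "good edit: clean"
audit_em_ssl_config "$work/bad/transport.properties" "$work/bad/empublisher" || echo "bad edit: findings listed above"
rm -rf "$work"
```

On a real EM Agent Server run audit_em_ssl_config against $EM_HOME/conf/transport.properties and $EM_HOME/bin/empublisher; a zero exit status means none of the listed problems were found, and each finding is printed on its own line so it can be fed to a ticket or a pre-restart gate.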
  16. Final Steps to Complete on the EM Server(s)

  17. Log on to the EM Server.
    For Dual Mode operation, complete the following steps on the primary and secondary EM Servers.
  18. Back up the broker truststore and copy it from the tdactivemq configuration directory to the working directory:
    cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ts /home/em/backup/broker.ts.<yyyymmdd>.save
    cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ts /home/em
    chmod 644 /home/em/broker.ts
    chown syncuser /home/em/broker.ts
  19. Import the EM Agent Server certificate into the EM Server broker truststore.

    There is a separate client certificate for each EM Agent Server.

    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Agent Server> -keystore broker.ts -file client_cert.<EM Agent Server>
    You will be prompted for the following:
    • Trust this certificate (yes)
    • Enter the keystore password twice.
  20. Verify the contents of the truststore:
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -v -alias <EM Agent Server> -keystore broker.ts
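The three "verify the contents" steps (6, 10 and 20) leave the reader to eyeball keytool output. As an added example that is not from the Teradata guide, the script below checks a saved keytool -list -v listing for the expected alias, entry type (PrivateKeyEntry in client.ks, trustedCertEntry in client.ts and broker.ts) and SAN names, so a misnamed alias or a missing localhost SAN is caught before the services are restarted. It assumes the listing was redirected to a file, for instance keytool -list -v -keystore client.ks > /home/em/client.ks.txt, which is a usage not shown on the page; the sample listings it writes are constructed in the JDK 8 keytool output format and are not real store contents.

```shell
#!/bin/sh
# Added example, not from the Teradata guide: script the "verify the contents"
# steps by checking a saved `keytool -list -v` listing. Assumed usage (not on
# the page):  keytool -list -v -keystore client.ks > client.ks.txt
# The listings written by the sample functions below are constructed.

# check_store_listing LISTING_FILE ALIAS ENTRY_TYPE [DNS_NAME ...]
# Returns 0 when ALIAS exists with ENTRY_TYPE (PrivateKeyEntry for a keystore,
# trustedCertEntry for a truststore) and every DNS_NAME is present in its
# SubjectAlternativeName block; prints the first problem and returns 1 otherwise.
check_store_listing() {
    listing=$1; alias=$2; etype=$3; shift 3
    # Keep only the block for ALIAS: from its "Alias name:" line up to the
    # next "Alias name:" line (or end of file).
    block=$(awk -v a="$alias" '
        /^Alias name: / { inblk = ($0 == ("Alias name: " a)) }
        inblk { print }
    ' "$listing")
    if [ -z "$block" ]; then
        echo "alias '$alias' not found in $listing"; return 1
    fi
    if ! printf '%s\n' "$block" | grep -qxF "Entry type: $etype"; then
        echo "alias '$alias' is not a $etype"; return 1
    fi
    for name in "$@"; do
        # SAN entries are indented inside "SubjectAlternativeName [ ... ]"
        if ! printf '%s\n' "$block" | sed 's/^[[:space:]]*//' | grep -qxF "DNSName: $name"; then
            echo "alias '$alias' has no SAN DNSName $name"; return 1
        fi
    done
    return 0
}

# write_sample_keystore_listing FILE: constructed listing of an agent keystore
# (client.ks) holding one self-signed PrivateKeyEntry for host agent01.
write_sample_keystore_listing() {
    cat > "$1" <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: agent01
Creation date: Dec 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=agent01, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=agent01, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: agent01
  DNSName: localhost
  IPAddress: 127.0.0.1
]
EOF
}

# write_sample_truststore_listing FILE: constructed listing of an agent
# truststore (client.ts) after importing the em1 and em2 broker certificates.
write_sample_truststore_listing() {
    cat > "$1" <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: em1
Creation date: Dec 1, 2020
Entry type: trustedCertEntry

Owner: CN=em1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=em1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown

Alias name: em2
Creation date: Dec 1, 2020
Entry type: trustedCertEntry

Owner: CN=em2, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=em2, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
EOF
}

# Stand-alone demo on the constructed listings.
ks=$(mktemp); ts=$(mktemp)
write_sample_keystore_listing "$ks"
write_sample_truststore_listing "$ts"
check_store_listing "$ks" agent01 PrivateKeyEntry agent01 localhost && echo "client.ks: ok"
check_store_listing "$ts" em1 trustedCertEntry && echo "client.ts em1: ok"
check_store_listing "$ts" em2 trustedCertEntry && echo "client.ts em2: ok"
rm -f "$ks" "$ts"
```

For broker.ts on the EM Server the same call applies with the agent hostname as the alias and trustedCertEntry as the entry type; the SAN arguments are only meaningful for the PrivateKeyEntry in client.ks, since the broker and client truststores hold other hosts' certificates.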
  21. Copy the broker keystore and truststore to the tdactivemq configuration directory:
    cp /home/em/broker.ks /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ks
    cp /home/em/broker.ts /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ts
    chmod 644 /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ts
    chown syncuser /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ts
  22. Do the following on the EM Server(s):
    1. Stop the EM services:
      su syncuser
      $EM_HOME/bin/emstopall.sh
    2. As root user, restart the tdactivemq service:
      /etc/init.d/tdactivemq restart
    3. Bring the em service online. For Dual Mode operation, perform this step on the primary EM Server:
      su syncuser
      $EM_HOME/bin/emsetactive.sh

  23. Final Step for the EM Agent Server

  24. Perform the following validation checks on the EM Agent Server:
    1. Check the EM services status:
      $EM_HOME/bin/emstatus.sh
    2. Check the log file for any exceptions or errors:
      /var/opt/teradata/em/logs/empublisher0_0.log
    3. Execute a sendevent (job) and make sure that it processed and displays in the EM Explorer portlets in the Jobs tab.