16.20 - Configuring SSL for Single Mode Operation - Teradata Ecosystem Manager

Teradata® Ecosystem Manager Installation, Configuration, and Upgrade Guide for Customers

Product: Teradata Ecosystem Manager
Release: 16.20
Created: December 2020
Category: Configuration, Installation
Document ID: B035-3203-107K
Prerequisite: Teradata recommends using the same password for EM Servers and EM Agents.

SSL configuration for communication between the ActiveMQ broker, the EM Server, and the EM Agent Servers requires an EM maintenance outage.

The following table identifies the server references used in the examples in this procedure.

Server Reference                 Description
EM Server (em1)                  Hostname of the EM Server
<keystore/truststore password>   Password created for use with EM Server and EM Agent Server keystores and truststores.

Log on to the EM Server and perform the following steps.

  1. Stop the tdactivemq service:
    /etc/init.d/tdactivemq stop
  2. Switch to syncuser and stop the EM services:

    su syncuser

    /opt/teradata/emserver/bin/emstopall.sh

  3. Create EM Server working folders:
    mkdir /home/em
    chmod 777 /home/em
    mkdir /home/em/backup
    chmod 777 /home/em/backup
    chown -R syncuser /home/em
  4. Back up existing broker certificates:
    mv /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ks /home/em/backup/broker.ks.original
    mv /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ts /home/em/backup/broker.ts.original
    cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/client.ks /home/em/backup/client.ks.original
    cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/client.ts /home/em/backup/client.ts.original
    cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/jetty.xml /home/em/backup/jetty.xml.original
  5. Generate the keytool extension:
    $EM_HOME/bin/emrestinternalgenerateself.sh

    The extension is formatted as follows and used in the broker store created in the next step.

    SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1

  6. Create a broker keystore (broker.ks):
    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -genkey -alias em1 -keyalg RSA -keystore broker.ks -ext SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1 -dname "CN=em1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

    You will be prompted to enter the keystore password twice.

  7. Verify the contents of the broker keystore:
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -keystore broker.ks
  8. Export the broker certificate:
    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -export -alias em1 -keystore broker.ks -file broker_cert.em1

    You will be prompted to enter the keystore password twice.

  9. Create the Server keystore (server.ks):
    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -genkey -alias <EM Server> -keyalg RSA -keystore server.ks -ext SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1 -dname "CN=em1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

    You will be prompted to enter the keystore password twice.

  10. Verify the contents of the keystore:
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -keystore server.ks -alias <EM Server>
  11. Create the EM Server truststore by importing the broker certificate:
    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Server> -keystore server.ts -file broker_cert.<EM Server>
    You will be prompted for the following:
    • Trust this certificate (yes)
    • Enter the keystore password twice.
  12. Verify the server truststore is created:
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias <EM Server> -keystore server.ts
  13. Export the EM Server certificate from the server keystore:
    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -export -alias <EM Server> -keystore server.ks -file server_cert.<EM Server>

    The certificate is generated and stored in server_cert.<EM Server>.

  14. Import the EM Server certificate to the broker truststore:

    This allows the broker to trust the EM Server.

    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Server> -keystore broker.ts -file server_cert.<EM Server>
    You will be prompted for the following:
    • Trust this certificate (yes)
    • Enter the keystore password twice.
  15. Verify the contents of the broker truststore:
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias <EM Server> -keystore broker.ts
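Steps 6 to 15 are interactive (each keytool call prompts for the password and the trust decision), which makes them easy to get wrong when repeated on several hosts. The script below is an added example, not a script from the Teradata guide: it performs the same keystore, truststore, export and cross-import sequence non-interactively and then verifies each store the way steps 7, 10, 12 and 15 do. The function names, the EM_STORE_PASS variable, KEYTOOL and VALIDITY_DAYS are this example's own assumptions, and it uses a single dns:<host> SAN entry where the page shows dns:em1 twice.

```shell
#!/bin/sh
# Added example, not the Teradata guide's own script: a non-interactive version
# of steps 6 to 15 (build broker.ks/broker.ts and server.ks/server.ts, then
# cross-import the certificates). Assumptions not on the page: the function
# names, the EM_STORE_PASS variable, KEYTOOL, VALIDITY_DAYS, and a single
# dns:<host> SAN entry in place of the page's repeated dns:em1.
KEYTOOL="${KEYTOOL:-/opt/teradata/jvm64/jdk8/jre/bin/keytool}"
VALIDITY_DAYS="${VALIDITY_DAYS:-365}"   # keytool's default validity is only 90 days

# Build all four stores for HOST under WORKDIR. Runs in a subshell so the
# restrictive umask does not leak into the caller's shell.
em_build_stores() (
    workdir="$1"; host="$2"
    [ -n "${EM_STORE_PASS:-}" ] || { echo "EM_STORE_PASS is not set" >&2; exit 1; }
    san="SAN=dns:$host,dns:localhost,ip:127.0.0.1"
    dname="CN=$host, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"
    umask 077                              # private keys: owner-only, not 644/777
    mkdir -p "$workdir" || exit 1

    for store in broker server; do
        # Steps 6 and 9: a self-signed key pair per store. -storepass:env and
        # -keypass:env read the password from the environment, so it never
        # appears on the command line or in ps output.
        "$KEYTOOL" -genkeypair -alias "$host" -keyalg RSA -keysize 2048 \
            -validity "$VALIDITY_DAYS" -keystore "$workdir/$store.ks" \
            -ext "$san" -dname "$dname" \
            -storepass:env EM_STORE_PASS -keypass:env EM_STORE_PASS || exit 1
        # Steps 8 and 13: export the certificate (DER) for the other side.
        "$KEYTOOL" -exportcert -alias "$host" -keystore "$workdir/$store.ks" \
            -file "$workdir/${store}_cert.$host" -storepass:env EM_STORE_PASS || exit 1
    done

    # Step 11: the EM Server trusts the broker certificate.
    "$KEYTOOL" -importcert -noprompt -alias "$host" -keystore "$workdir/server.ts" \
        -file "$workdir/broker_cert.$host" -storepass:env EM_STORE_PASS || exit 1
    # Step 14: the broker trusts the EM Server certificate.
    "$KEYTOOL" -importcert -noprompt -alias "$host" -keystore "$workdir/broker.ts" \
        -file "$workdir/server_cert.$host" -storepass:env EM_STORE_PASS || exit 1
)

# Steps 7, 10, 12 and 15: succeed only if STORE lists ALIAS as an entry of KIND
# (PrivateKeyEntry for a keystore, trustedCertEntry for a truststore).
em_verify_store() {
    "$KEYTOOL" -list -keystore "$1" -alias "$2" -storepass:env EM_STORE_PASS \
        | grep -q "$3"
}

# Usage, as syncuser after step 5:
#   export EM_STORE_PASS='<keystore/truststore password>'
#   em_build_stores /home/em em1 &&
#   em_verify_store /home/em/server.ts em1 trustedCertEntry
```

The same password is written into td-broker.xml, /etc/profile and the daemon scripts in the later steps, so those files deserve the same care over ownership and permissions as the stores themselves; keeping it out of command lines here only closes one of the places it could leak.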
  16. Copy the broker keystore and truststore to the tdactivemq configuration directory.
    cd /home/em
    cp broker.ks broker.ts /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/
    cd /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/
    chown syncuser broker.ks broker.ts
    chmod 644 broker.ks broker.ts
  17. Add ACTIVEMQ_SSL_OPTS to /etc/profile.
    ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password>'
    export ACTIVEMQ_SSL_OPTS
  18. Confirm the lines were added:
    grep ACTIVEMQ_SSL_OPTS /etc/profile
  19. Source the profile in current shell:
    . /etc/profile
  20. Add $ACTIVEMQ_SSL_OPTS to /etc/init.d/tdactivemq so that it is set when tdactivemq starts:
    export ACTIVEMQ_OPTS="$ACTIVEMQ_OPTS $ACTIVEMQ_SSL_OPTS"
  21. Edit the /opt/teradata/tdactivemq/config/td-broker.xml file to do the following:
    • Add the broker keystore password
    • Add the broker truststore password
    • Enable SSL over port 61617
    1. Add keystore password and truststore password under the existing tag, <sslContext>.
      <sslContext>
         <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
                     keyStorePassword="<keystore/truststore password>"
                     trustStore="file:${activemq.base}/conf/broker.ts"
                     trustStorePassword="<keystore/truststore password>"/>
      </sslContext>
    2. Enable the SSL transport connector by removing the comment markers around it.
      Ports 61616 (plain TCP) and 61617 (SSL) are both open at this point. Port 61616 can be commented out later, after SSL has been confirmed working.
      <transportConnectors>
         <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
         <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>
      </transportConnectors>
  22. Restart the tdactivemq service to confirm no errors:
    /etc/init.d/tdactivemq restart

    Check the log file /var/opt/teradata/tdactivemq/logs/activemq.log for errors.

  23. Test connecting to ports 61616 and 61617:

    telnet <EM Server> 61616

    telnet <EM Server> 61617

  24. Back up the following EM Server scripts:
    cp -i $EM_HOME/bin/emeventconsumer /home/em/backup/emeventconsumer.original
    cp -i $EM_HOME/conf/emeventconsumer /home/em/backup/emeventconsumer.conf.original
    cp -i $EM_HOME/bin/empublisher /home/em/backup/empublisher.original
    cp -i $EM_HOME/conf/empublisher /home/em/backup/empublisher.conf.original
    cp -i $EM_HOME/conf/transport.properties /home/em/backup/transport.properties.original
  25. Add the broker keystore and truststore passwords and enable SSL over port 61617 in the eventconsumer daemon script $EM_HOME/bin/emeventconsumer.
    1. Enable SSL by changing tcp to ssl in the $BROKER_LIST assignments in the BuildTMSMBrokerList() function:
      if [ "$BROKER_LIST" == "" ]
      then
         BROKER_LIST="ssl://$BROKER?wireFormat.maxInactivityDuration=0"
      else
         BROKER_LIST="$BROKER_LIST,ssl://$BROKER?wireFormat.maxInactivityDuration=0"
      fi
    2. Add keystore and truststore to emeventconsumer start() function:
      start(){
      
          if [ "X$pid" == "X" ]; then
              BuildTMSMBrokerList
              test -n "$BROKER_LIST" || exit 6
              echo -n "Starting $prog:"
                  if [ "$SYNCUSER" == "" ]; then
                      #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                      nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                  else
                      if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
                          #/bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
                          /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
                      else
                          #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                          nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                       fi
                  fi
  26. Edit the script $EM_HOME/conf/emeventconsumer to change the broker port number from 61616 to 61617:
    BROKER=em1:61617
  27. Edit $EM_HOME/bin/empublisher to add the broker keystore password and broker truststore password:

    Replace <keystore/truststore password> references with the broker keystore password.

    start(){
    
        if [ "X$pid" == "X" ]; then
            echo -n "Starting $prog:"
                if [ "$SYNCUSER" == "" ]; then
                    #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                    nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                else
                    if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
                        #/bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &"
                        /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &"
                    else
                        #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                        nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                     fi
                fi
  28. Edit $EM_HOME/conf/transport.properties to change the protocol and port number:
    msm.amq.brokerURL = failover:(ssl://cbatmsbwp01-em1:61617)?randomize=false\&maxReconnectDelay=25\&maxReconnectAttempts=2
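Steps 21, 26 and 28 edit three separate files that all have to agree on ssl over port 61617, and a connector left inside an XML comment or a <keystore/truststore password> placeholder left unreplaced only shows up as a failed start in step 29. The script below is an added example, not part of the Teradata guide: it cross-checks those three files before the restart. The function names, the comment-stripping approach and the placeholder check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Teradata guide): a pre-restart consistency check
# for td-broker.xml (step 21), the emeventconsumer conf (step 26) and
# transport.properties (step 28). Function names are this example's own.

# Print FILE with XML comments removed and newlines flattened, so a
# transportConnector that is still inside a <!-- --> block does not count.
# (XML forbids "--" inside a comment, which is what the pattern relies on.)
em_xml_uncommented() {
    tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g'
}

# Check that the three files agree on ssl://...:61617. Prints one line per
# problem found and returns 1 if there was any; returns 0 when all is consistent.
em_check_ssl_config() {
    broker_xml="$1"; transport_props="$2"; consumer_conf="$3"
    rc=0
    xml=$(em_xml_uncommented "$broker_xml")

    # Step 21.2: the ssl connector must be live (not commented out) on 61617.
    printf '%s' "$xml" | grep -Eq '<transportConnector[^>]*name="ssl"[^>]*uri="ssl://0\.0\.0\.0:61617"' \
        || { echo "td-broker.xml: no active ssl transportConnector on 61617"; rc=1; }

    # Step 21.1: both store passwords set, and the <...> placeholder not left behind.
    printf '%s' "$xml" | grep -Eq 'keyStorePassword="[^"<]+"' \
        || { echo "td-broker.xml: keyStorePassword missing or still a placeholder"; rc=1; }
    printf '%s' "$xml" | grep -Eq 'trustStorePassword="[^"<]+"' \
        || { echo "td-broker.xml: trustStorePassword missing or still a placeholder"; rc=1; }

    # Step 28: the publisher URL must use ssl:// and port 61617.
    grep -Eq '^[[:space:]]*msm\.amq\.brokerURL[[:space:]]*=.*ssl://[^:/)]+:61617' "$transport_props" \
        || { echo "transport.properties: msm.amq.brokerURL is not ssl://<host>:61617"; rc=1; }

    # Step 26: the consumer's BROKER must point at 61617.
    grep -Eq '^[[:space:]]*BROKER=[^:]+:61617[[:space:]]*$' "$consumer_conf" \
        || { echo "emeventconsumer conf: BROKER does not use port 61617"; rc=1; }

    return $rc
}

# Usage, before step 29:
#   em_check_ssl_config /opt/teradata/tdactivemq/config/td-broker.xml \
#       "$EM_HOME/conf/transport.properties" "$EM_HOME/conf/emeventconsumer"
```

The check is deliberately file-based: the telnet test in step 23 only proves that the port accepts connections, whereas a mismatch between these files is what produces a broker that listens on 61617 while the EM daemons still dial 61616, or the reverse.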
  29. Bring the EM Server online as syncuser on the primary EM Server:

    su syncuser

    $EM_HOME/bin/emsetactive.sh

  30. Perform the following validation checks:
    1. Check the EM Services status.
      $EM_HOME/bin/emstatus.sh
    2. Check log files of emeventmaster, empublisher, and tdactivemq.
    3. Execute a sendevent (job) and make sure that it is processed and displayed in the EM Explorer portlets on the Jobs tab.
  31. Complete the steps in Configuring SSL for EM Agent Servers.