Configuring SSL for Single Mode Operation - Teradata Ecosystem Manager

Server Reference	Description
EM Server em1	Hostname of the EM Server
keystore/truststore password	Password created for use with EM Server and EM Agent Server keystores and truststores.

Stop the tdactivemq service:

/etc/init.d/tdactivemq stop

Switch to syncuser and stop em services:

su syncuser

/opt/teradata/emserver/bin/emstopall.sh

Create EM Server working folders:

mkdir /home/em
chmod 777 /home/em
mkdir /home/em/backup
chmod 777 /home/em/backup
chown -R syncuser /home/em

Back up existing broker certificates:

mv /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ks /home/em/backup/broker.ks.original
mv /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ts /home/em/backup/broker.ts.original
cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/client.ks /home/em/backup/client.ks.original
cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/client.ts /home/em/backup/client.ts.original
cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/jetty.xml /home/em/backup/jetty.xml.original

Generate the keytool extension:

$EM_HOME/bin/emrestinternalgenerateself.sh

The extension is formatted as follows and used in the broker store created in the next step.

SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1

Create a broker keystore (broker.ks):

cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -genkey -alias em1 -keyalg RSA -keystore broker.ks -ext SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1 -dname "CN=em1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

You will be prompted to enter the keystore password twice.

Verify the contents of the broker keystore:

/opt/teradata/jvm64/jdk8/jre/bin/keytool -list -keystore broker.ks

Export the broker certificate:

cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -export -alias em1 -keystore broker.ks -file broker_cert.em1

You will be prompted to enter the keystore password twice.

Create the Server keystore (server.ks):

cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -genkey -alias <EM Server> -keyalg RSA -keystore server.ks -ext SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1 -dname "CN=em1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

You will be prompted to enter the keystore password twice.

Verify the contents of the keystore:

/opt/teradata/jvm64/jdk8/jre/bin/keytool -list -keystore server.ks -alias

Create the EM Server truststore by importing the broker certificate:

cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Server> -keystore server.ts -file broker_cert.<EM Server>

You will be prompted for the following:

Trust this certificate (yes)
Enter the keystore password twice.

Verify the server truststore is created:

/opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias -keystore server.ts

Export the EM Server certificate from the server keystore:

cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -export -alias <EM Server> -keystore server.ks -file server_cert.<EM Server>

The certificate is generated and stored in server_cert.EM Server.

Import the EM Server certificate to the broker truststore:

This allows the broker to trust the EM Server.

cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Server> -keystore broker.ts -file server_cert.<EM Server>

You will be prompted for the following:

Trust this certificate (yes)
Enter the keystore password twice.

Verify the contents of the broker keystore:

/opt/teradata/jvm64/jdk8/jre/bin/keytool -list alias -keystore broker.ts

Copy the broker keystore and truststore to the tdactivemq configuration directory.

cd /home/em
cp broker.ks broker.ts /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/
cd /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/
chown syncuser broker.ks broker.ts
chmod 644 broker.ks broker.ts

Add ACTIVEMQ_SSL_OPTS to /etc/profile.

ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-
5.15.9/conf/broker.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password>';
export ACTIVEMQ_SSL_OPTS

Confirm the lines were added:

grep ACTIVEMQ_SSL_OPTS /etc/profile

Source the profile in current shell:

./etc/profile

Add $ACTIVEMQ_SSL_OPTS to /etc/init.d/tdactivemq so that it is set when tdactivemq starts:

export ACTIVEMQ_OPTS=$ACTIVEMQ_OPTS $ACTIVEMQ_SSL_OPTS

Edit the /opt/teradata/tdactivemq/config/td-broker.xml file to do the following:

Add the broker keystore password
Add the broker truststore password
Enable SSL over port 61617

Add keystore password and truststore password under the existing tag, <sslContext>.

<sslContext>
   keyStore="file:${activemq.base}/conf/broker.ks
   keyStorePassword="<keystore/truststore password>"
   trustStore="file:${activemq.base}/conf/broker.ts
   trustStorePassword="<keystore/truststore password>"/>
</sslContext>

Enable SSL transport connector by removing comments.

Note that ports 61616 and 61617 are both open. Port 61616 can be commented later after confirming.

<transportConnectors>
   <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
   <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>
</transportConnectors>

Restart the tdactivemq service to confirm no errors:

/etc/init.d/tdactivemq restart

Check log for errors in the log file /var/opt/teradata/tdactivemq/logs/activemq.log.

Test connecting to ports 61616 and 61617:

telnet 61616

telnet 61617

Back up the following EM Server scripts:

cp -i $EM_HOME/bin/emeventconsumer /home/em/backup/emeventconsumer.original
cp -i $EM_HOME/conf/emeventconsumer /home/em/backup/emeventconsumer.conf.original
cp -i $EM_HOME/bin/empublisher /home/em/backup/empublisher.original
cp -i $EM_HOME/conf/empublisher /home/em/backup/empublisher.conf.original
cp -i $EM_HOME/conf/transport.properties /home/em/backup/transport.properties.original

Add the broker keystore and truststore passwords and enable SSL over port 61617 in the eventconsumer daemon script $EM_HOME/bin/emeventconsumer".

Enable SSL by changing from tcp to ssl for the variable, $BROKER_LIST, in function, BuildTMSMBrokerList():

if ["$BROKER_LIST"=="" ]
then
   BROKER_LIST="ssl://$BROKER?wireFormat.maxInactivityDuration=0"
else
   BROKER_LIST="$BROKER_LIST,ssl://$BROKER?wireFormat.maxInactivityDuration=0

Add keystore and truststore to emeventconsumer start() function:

start(){

    if [ "X$pid" == "X" ]; then
        BuildTMSMBrokerList
        test -n "$BROKER_LIST" || exit 6
        echo -n "Starting $prog:"
            if [ "$SYNCUSER" == "" ]; then
                #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks - Djavax.net.ssl.keyStorePassword=<keystore/truststore password> - Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
            else
                if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
                    #/bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
                    /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> - Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
                else
                    #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                    nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> - Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                 fi
            fi

Edit the script $EM_HOME/conf/emeventconsumer to change the broker port number from 61616 to 61617:

BROKER=em1:61617

Edit $EM_HOME/bin/empublisher to add the broker keystore password and broker truststore password:

Replace <keystore/truststore password> references with the broker keystore password.

start(){

    if [ "X$pid" == "X" ]; then
        echo -n "Starting $prog:"
            if [ "$SYNCUSER" == "" ]; then
                #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks - Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
            else
                if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
                    #/bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &"
                    /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &"
                else
                    #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                    nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                 fi
            fi

Edit $EM_HOME/conf/transport.properties to change the protocol and port number:

msm.amq.brokerURL = failover:(ssl://cbatmsbwp01-em1:61617)?randomize=false\&maxReconnectDelay=25\&maxReconnectAttempts=2

Bring the EM Server online in the primary EM Server as syncuser:

su syncuser

$EM_HOME/bin/emsetactive.sh

Perform the following validation checks:

Check the EM Services status.
$EM_HOME/bin/emstatus.sh
Check log files of emeventmaster, empublisher, and tdactivemq.
Execute a sendevent (job) and make sure that it processed and displays in the EM Explorer portlets in the Jobs tab.

Complete the steps in Configuring SSL for EM Agent Servers.