Replacing the emrest Certificate - Teradata Ecosystem Manager

Teradata® Ecosystem Manager Installation, Configuration, and Upgrade Guide for Customers

Product: Teradata Ecosystem Manager
Release Number: 16.20
Published: December 2020
Language: English (United States)
Last Update: 2020-12-23
dita:id: B035-3203
Product Category: Analytical Ecosystem
Prerequisite

By default, emrest is installed with a self-signed certificate. If this certificate does not meet your company's security requirements, it can be replaced with a trusted root certificate.
  • Generate a PKCS#12/PFX certificate that contains the following:
    • Private key that was used to generate the certificate signing request
    • Root certificate
    • Intermediate certificate
    • Server/public certificate
  • Make sure the user syncuser has full access to the certificate.
  • Teradata recommends using the .p12 extension for the PKCS#12/PFX certificate you generated.
  • Verify all EM services (including emrest) are running normally before proceeding.
Log on to the EM TMS node with syncuser and complete the following steps.

In a dual-mode environment, complete the steps on the primary and secondary EM TMS nodes.

  1. Make a copy of the emrest.properties file:
    cp /opt/teradata/emserver/conf/emrest.properties /opt/teradata/emserver/conf/emrest.properties.org
  2. Run /opt/teradata/emserver/bin/emrestconfig.sh.
    The user is prompted for the .p12 certificate path, certificate password, and alias specified while generating the .p12 certificate.
    • Enter emrest@super when prompted for password for user emrestsuper.
    • Select option 3.
    • Enter the full path to the .p12 certificate.
    • Enter the keystore password.

      If the key does not have a different password, use this same password when prompted for the .p12 certificate key password.

    • Enter the .p12 certificate key password.
    • Enter the alias. This is the alias given while generating the .p12 certificate.

      This is not the import alias. If an alias was not specified while generating the .p12 certificate, enter a dummy value, such as test.

    • Sample output is shown below.
    syncuser@<SERVER>:/opt/teradata/emserver/bin> ./emrestconfig.sh
    Please enter password for user emrestsuper to proceed
    emrest@super
    The current keystore is /etc/opt/teradata/em/emrest.ts
    Please press 
     1) To add a trusted certificate. You will be asked to provide alias
     2) To add a PKCS12 formatted certificate key chain. You will be asked to provide password. 
     3)  To Associate a password protected keyStore that has PKCS12 formatted certificate key chain. You will be asked to provide keystore path, keyStore's password, key's password and key alias. 
     4) To set the configuration in HTTP mode only 
     5) To set the configuration in HTTP and HTTPS mode. This will require a certificate already configured with EM. 
     6) To set the configuration in HTTPS mode(with browser redirect). This will require a certificate already configured with EM 
     7) To exit from the utility
    3
    Enter full path to keyStore
    /tmp/cert.p12
    
    Enter KeyStore's password
    test123
    
    Enter key password
    test123
    Enter alias
    test
  3. If a dummy value was specified for alias, run the following command:
    sed -i 's/^sslKeyAlias/#sslKeyAlias/' /opt/teradata/emserver/conf/emrest.properties
  4. [Ecosystem Manager versions below 16.20.34.00] Open /opt/teradata/emserver/conf/emrest.properties and do the following:
    1. Comment out the existing sslCiphers property.
    2. Add the following property in the file:
      sslCiphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    3. Save /opt/teradata/emserver/conf/emrest.properties.
  5. Restart emrest:
    /etc/init.d/emrest restart
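
The hand edits in steps 3 and 4 can be checked before the restart in step 5. The following is an added example, not Teradata code: the function names are hypothetical, and it assumes the properties file uses the plain key=value form shown in step 4.

```shell
#!/bin/sh
# Added example (not Teradata code): checks for steps 3 and 4, run before the restart.

# Cipher list exactly as given in step 4 of this page.
EXPECTED_CIPHERS='TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256'

# Print the value of every uncommented "key=value" line for key $1 in file $2.
# Leading blanks are tolerated; trailing blanks and CRs are stripped.
active_values() {
    tr -d '\r' < "$2" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//'
}

# Step 4: exactly one active sslCiphers line, holding exactly the documented suites.
check_cipher_list() {   # $1 = properties file
    rc=0
    n=$(active_values sslCiphers "$1" | wc -l | tr -d ' ')
    if [ "$n" -ne 1 ]; then
        echo "FAIL: $n active sslCiphers lines, expected 1"
        return 1
    fi
    # Compare as sets; blanks around commas are ignored.
    actual=$(active_values sslCiphers "$1" | tr -d ' \t')
    for c in $(echo "$actual" | tr ',' ' '); do
        case ",$EXPECTED_CIPHERS," in
            *",$c,"*) ;;
            *) echo "FAIL: suite not in documented list: $c"; rc=1 ;;
        esac
    done
    for c in $(echo "$EXPECTED_CIPHERS" | tr ',' ' '); do
        case ",$actual," in
            *",$c,"*) ;;
            *) echo "FAIL: documented suite missing: $c"; rc=1 ;;
        esac
    done
    return $rc
}

# Step 3: after a dummy alias was entered, no active sslKeyAlias line may remain.
check_alias_commented() {   # $1 = properties file
    n=$(active_values sslKeyAlias "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] && return 0
    echo "FAIL: $n active sslKeyAlias lines remain"
    return 1
}
```

Source the file, then run `check_cipher_list /opt/teradata/emserver/conf/emrest.properties` on versions below 16.20.34.00, and `check_alias_commented` with the same path only if a dummy alias was entered. The alias check also catches an indented sslKeyAlias line, which the sed command in step 3 does not comment out.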