16.20 - Replacing the emrest Certificate - Teradata Ecosystem Manager

Teradata® Ecosystem Manager Installation, Configuration, and Upgrade Guide for Customers

prodname
Teradata Ecosystem Manager
vrm_release
16.20
created_date
December 2020
category
Configuration
Installation
featnum
B035-3203-107K
PrerequisiteBy default, emrest is installed with a self-signed certificate. If this certificate does not meet your company's security requirements, it can be replaced with a trusted root certificate.
  • Generate a PKCS#12/PFX certificate that contains the following:
    • Private key that was used to generate the certificate signing request
    • Root certificate
    • Intermediate certificate
    • Server/public certificate
  • Make sure the user syncuser has full access to the certificate.
  • Teradata recommends using the .p12 extension for the PKCS#12/PFX certificate you generated.
  • Verify all EM services (including emrest) are running normally before proceeding.
Log on to the EM TMS node with syncuser and complete the following steps.

In a dual-mode environment, complete the steps on the primary and secondary EM TMS nodes.

  1. Make a copy of the emrest.properties file:
    cp /opt/teradata/emserver/conf/emrest.properties /opt/teradata/emserver/conf/emrest.properties.org
  2. Run /opt/teradata/emserver/bin/emrestconfig.sh.
    The user is prompted for the .p12 certificate path, certificate password, and alias specified while generating the .p12 certificate.
    • Enter emrest@super when prompted for password for user emrestsuper.
    • Select option 3.
    • Enter the full path to the .p12 certificate.
    • Enter the keystore password.

      Use the same password when prompted for the .p12 certificate key password, if a different password is not present.

    • Enter the .p12 certificate key password.
    • Enter the alias. This is the alias given while generating the .p12 certificate.

      This is not the import alias. If an alias was not specified while generating the .p12 certificate, enter a dummy value, such as test.

    • Sample output is shown below.
    syncuser@<SERVER>:/opt/teradata/emserver/bin> ./emrestconfig.sh
    Please enter password for user emrestsuper to proceed
    emrest@super
    The current keystore is /etc/opt/teradata/em/emrest.ts
    Please press 
     1) To add a trusted certificate. You will be asked to provide alias
     2) To add a PKCS12 formatted certificate key chain. You will be asked to provide password. 
     3)  To Associate a password protected keyStore that has PKCS12 formatted certificate key chain. You will be asked to provide keystore path, keyStore's password, key's password and key alias. 
     4) To set the configuration in HTTP mode only 
     5) To set the configuration in HTTP and HTTPS mode. This will require a certificate already configured with EM. 
     6) To set the configuration in HTTPS mode(with browser redirect). This will require a certificate already configured with EM 
     7) To exit from the utility
    3
    Enter full path to keyStore
    /tmp/cert.p12
    
    Enter KeyStore's password
    test123
    
    Enter key password
    test123
    Enter alias
    test
  3. If a dummy value was specified for alias, run the following command:
    sed -i 's/^sslKeyAlias/#sslKeyAlias/' /opt/teradata/emserver/conf/emrest.properties
  4. [Ecosystem Manager versions below 16.20.34.00] Open /opt/teradata/emserver/conf/emrest.properties and do the following:
    1. Comment the sslCiphers property.
    2. Add the following property in the file:
      sslCiphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    3. Save /opt/teradata/emserver/conf/emrest.properties.
  5. Restart emrest:
    /etc/init.d/emrest restart