Configuring SSL for Dual Mode Operation - Teradata Ecosystem Manager

PrerequisiteTeradata recommends using the same password for all EM Servers and EM Agent Servers.

SSL configuration for the communication between the ActiveMQ, EM Server, and EM Agent Servers require an EM maintenance outage.

The following table identifies the server references used in the examples in this procedure.

Server Reference	Description
EM Server	Hostname of the current EM Server being configured
EM Server1 em1	Hostname of primary EM Server
EM Server2 em2	Hostname of secondary EM Server
keystore/truststore password	Password created for use with EM Server and EM Agent Server keystores and truststores.

Complete the following steps on both the primary and secondary EM servers except for steps identified in "Final Steps to Complete the Dual Mode Configuration".

Stop the tdactivemq service:
/etc/init.d/tdactivemq stop
Switch to syncuser and stop em services:

su syncuser

/opt/teradata/emserver/bin/emstopall.sh

Create EM Server working folders:

mkdir /home/em
chmod 777 /home/em
mkdir /home/em/backup
chmod 777 /home/em/backup
chown -R syncuser /home/em

Back up existing broker certificates:

mv /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ks /home/em/backup/broker.ks.original
mv /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ts /home/em/backup/broker.ts.original
cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/client.ks /home/em/backup/client.ks.original
cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/client.ts /home/em/backup/client.ts.original
cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/jetty.xml /home/em/backup/jetty.xml.original

Generate the keytool extension:
$EM_HOME/bin/emrestinternalgenerateself.sh
The extension is formatted as follows and used in the broker store created in the next step.

SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1

Create a broker keystore (broker.ks):

cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -genkey -alias em1 -keyalg RSA -keystore broker.ks -ext SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1 -dname "CN=em1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

You will be prompted to enter the keystore password twice.

Verify the contents of the broker keystore:
/opt/teradata/jvm64/jdk8/jre/bin/keytool -list -keystore broker.ks

Export the broker certificate:

cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -export -alias em1 -keystore broker.ks -file broker_cert.em1

You will be prompted to enter the keystore password twice.

Create the Server keystore (server.ks):

cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -genkey -alias <EM Server> -keyalg RSA -keystore server.ks -ext SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1 -dname "CN=em1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

You will be prompted to enter the keystore password twice.

Verify the contents of the keystore:
EM Server>

Create the Server truststore by importing the broker certificate (server.ts):

cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias </opt/teradata/jvm64/jdk8/jre/bin/keytool -list -keystore server.ks -alias <EM Server> -keystore server.ts -file broker_cert.<EM Server>

You will be prompted for the following:

Trust this certificate (yes)
Enter the keystore password twice.

Verify the server truststore is created:
/opt/teradata/jvm64/jdk8/jre/bin/keytool -list -keystore server.ks -alias /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias -keystore server.ts

Export the EM Server certificate from the Server truststore:

cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -export -alias <EM Server> -keystore server.ks -file server_cert.<EM Server>

The certificate is generated and stored in server_cert.EM Server.

Import the EM Server certificate to the broker truststore:
This allows the broker to trust the EM Server.
```
cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias -keystore broker.ts -file server_cert.
```
You will be prompted for the following:
- Trust this certificate (yes)
- Enter the keystore password twice.
Verify the contents of the broker keystore:
/opt/teradata/jvm64/jdk8/jre/bin/keytool -list alias -keystore broker.ts

Copy the broker keystore and truststore to the tdactivemq configuration directory.

cd /home/em
cp broker.ks broker.ts /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/
cd /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/
chown syncuser broker.ks broker.ts
chmod 644 broker.ks broker.ts

Add ACTIVEMQ_SSL_OPTS to /etc/profile.

ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-
5.15.9/conf/broker.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password>';
export ACTIVEMQ_SSL_OPTS

Confirm the lines were added:
grep ACTIVEMQ_SSL_OPTS /etc/profile
Source the profile in current shell:
./etc/profile
Add $ACTIVEMQ_SSL_OPTS to /etc/init.d/tdactivemq so that it is set when tdactivemq starts:
export ACTIVEMQ_OPTS=$ACTIVEMQ_OPTS $ACTIVEMQ_SSL_OPTS
Edit the /opt/teradata/tdactivemq/config/td-broker.xml file to do the following:
- Add the broker keystore password
- Add the broker truststore password
- Enable SSL over port 61617
1. Add keystore password and truststore password under the existing tag, ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-<sslContext>.
```
<sslContext>
 keyStore="file:${activemq.base}/conf/broker.ks
 keyStorePassword="keystore/truststore password"
 trustStore="file:${activemq.base}/conf/broker.ts
 trustStorePassword="keystore/truststore password"/>
</sslContext>
```
2. Enable SSL transport connector by removing comments.
 Note that both ports are open; 61616 can be commented later after confirming.
```
<transportConnectors>
 <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
 <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>
</transportConnectors>
```
Restart tdactivemq to confirm no errors:
/etc/init.d/tdactivemq restart
Check log for errors in the log file /var/opt/teradata/tdactivemq/logs/activemq.log.
Test connecting to ports 61616 and 61617:

telnet 61616

telnet 61617

Back up the following EM Server scripts:

cp -i $EM_HOME/bin/emeventconsumer /home/em/backup/emeventconsumer.original
cp -i $EM_HOME/conf/emeventconsumer /home/em/backup/emeventconsumer.conf.original
cp -i $EM_HOME/bin/empublisher /home/em/backup/empublisher.original
cp -i $EM_HOME/conf/empublisher /home/em/backup/empublisher.conf.original
cp -i $EM_HOME/conf/transport.properties /home/em/backup/transport.properties.original

Add the broker keystore password, broker truststore password, and enable SSL over port 61617 in the eventconsumer daemon script $EM_HOME/bin/emeventconsumer".

Enable SSL by changing from tcp to ssl for the $BROKER_LIST variable, in the BuildTMSMBrokerList() function:

if ["$BROKER_LIST"=="" ]
then
   BROKER_LIST="ssl://$BROKER?wireFormat.maxInactivityDuration=0"
else
   BROKER_LIST="$BROKER_LIST,ssl://$BROKER?wireFormat.maxInactivityDuration=0

Add keystore and truststore to emeventconsumer start() function:

start(){

    if [ "X$pid" == "X" ]; then
        BuildTMSMBrokerList
        test -n "$BROKER_LIST" || exit 6
        echo -n "Starting $prog:"
            if [ "$SYNCUSER" == "" ]; then
                #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks - Djavax.net.ssl.keyStorePassword=keystore/truststore password - Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
            else
                if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
                    #/bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
                    /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=keystore/truststore password - Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
                else
                    #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                    nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=keystore/truststore password - Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                 fi
            fi

Edit the script $EM_HOME/conf/emeventconsumer to change the broker port number from 61616 to 61617:

BROKER=em1:61617

BROKER=em2:61617

Edit $EM_HOME/bin/empublisher to add the broker keystore password and broker truststore password:

start(){

    if [ "X$pid" == "X" ]; then
        echo -n "Starting $prog:"
            if [ "$SYNCUSER" == "" ]; then
                #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks - Djavax.net.ssl.keyStorePassword=<keystore/truststore passwordkeystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &"
                else
                    #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                    nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
            else
                if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
                    #/bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &"
                    /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                 fi
            fi

Edit $EM_HOME/conf/transport.properties to change the protocol and port number:

msm.amq.brokerURL = failover:(ssl://em1:61617,ssl://em2:61617)?randomize=false\&maxReconnectDelay=25\&maxReconnectAttempts=2

Final Steps to Complete the Dual Mode Configuration

Copy previously exported broker certificates between EM servers:
1. Log on to the secondary EM Server as syncuser and run the following command:
 scp >:/opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker_cert.em2 /home/em/
2. Log on to the primary EM Server as syncuser and run the following command:
 scp :/opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker_cert.em1 /home/em/
Import the EM Server certificate into the broker truststore on each EM Server (primary and secondary).
This allows the broker to trust the EM Server.
1. Log on to the primary EM Server and import the secondary EM Server's certificate:
```
cd /home/em
 /opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias -keystore broker.ts -file server_cert.
```
 You will be prompted for the following:
 - Trust this certificate (yes)
 - Enter the keystore password twice.
2. Verify the contents of the keystore on the primary EM Server:
 /opt/teradata/jvm64/jdk8/jre/bin/keytool -list alias -keystore broker.ts
3. Log on to the secondary EM Server and import the primary EM Server's certificate:
```
cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias -keystore broker.ts -file server_cert.
```
 You will be prompted for the following:
 - Trust this certificate (yes)
 - Enter the keystore password twice.
4. Verify the contents of the keystore on the secondary EM Server:
 /opt/teradata/jvm64/jdk8/jre/bin/keytool -list alias -keystore broker.ts
Bring the EM Server online in the primary EM Server as syncuser:

su syncuser

$EM_HOME/bin/emsetactive.sh
Perform the following validation checks:
1. Check the EM Services status.
  $EM_HOME/bin/emstatus.sh
2. Check the log files of emeventmaster, empublisher, and tdactivemq.
3. Execute a sendevent (job) and make sure that it processed and displays in the EM Explorer portlets in the Jobs tab.
Complete the steps in Configuring SSL for EM Agent Servers for all EM Agent servers.