Server Reference | Description |
---|---|
EM Server | Hostname of the current EM Server being configured |
EM Server1 (em1) | Hostname of the primary EM Server |
EM Server2 (em2) | Hostname of the secondary EM Server |
keystore/truststore password | Password created for use with the EM Server and EM Agent Server keystores and truststores. |
Complete the following steps on both the primary and secondary EM servers except for steps identified in "Final Steps to Complete the Dual Mode Configuration".
-
Stop the tdactivemq service:
/etc/init.d/tdactivemq stop
-
Switch to syncuser and stop em services:
su syncuser
/opt/teradata/emserver/bin/emstopall.sh
-
Create EM Server working folders:
mkdir /home/em
chmod 777 /home/em
mkdir /home/em/backup
chmod 777 /home/em/backup
chown -R syncuser /home/em
-
Back up existing broker certificates:
mv /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ks /home/em/backup/broker.ks.original
mv /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ts /home/em/backup/broker.ts.original
cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/client.ks /home/em/backup/client.ks.original
cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/client.ts /home/em/backup/client.ts.original
cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/jetty.xml /home/em/backup/jetty.xml.original
-
Generate the keytool extension:
$EM_HOME/bin/emrestinternalgenerateself.sh
The extension is formatted as follows and used in the broker store created in the next step.
SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1
-
Create a broker keystore (broker.ks):
cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -genkey -alias em1 -keyalg RSA -keystore broker.ks -ext SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1 -dname "CN=em1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"
You will be prompted to enter the keystore password twice.
-
Verify the contents of the broker keystore:
/opt/teradata/jvm64/jdk8/jre/bin/keytool -list -keystore broker.ks
-
Export the broker certificate:
cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -export -alias em1 -keystore broker.ks -file broker_cert.em1
You will be prompted to enter the keystore password twice.
-
Create the Server keystore (server.ks):
cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -genkey -alias <EM Server> -keyalg RSA -keystore server.ks -ext SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1 -dname "CN=em1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"
You will be prompted to enter the keystore password twice.
-
Verify the contents of the Server keystore:
/opt/teradata/jvm64/jdk8/jre/bin/keytool -list -keystore server.ks -alias <EM Server>
-
Create the Server truststore by importing the broker certificate (server.ts):
cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Server> -keystore server.ts -file broker_cert.<EM Server>
You will be prompted for the following:
- Trust this certificate (yes)
- Enter the keystore password twice.
-
Verify the server truststore is created:
/opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias <EM Server> -keystore server.ts
-
Export the EM Server certificate from the Server keystore (server.ks):
cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -export -alias <EM Server> -keystore server.ks -file server_cert.<EM Server>
The certificate is generated and stored in server_cert.<EM Server>.
-
Import the EM Server certificate to the broker truststore:
This allows the broker to trust the EM Server.
cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Server> -keystore broker.ts -file server_cert.<EM Server>
You will be prompted for the following:
- Trust this certificate (yes)
- Enter the keystore password twice.
-
Verify that the broker truststore (broker.ts) now contains the EM Server certificate:
/opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias <EM Server> -keystore broker.ts
-
Copy the broker keystore and truststore to the tdactivemq configuration directory.
cd /home/em
cp broker.ks broker.ts /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/
cd /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/
chown syncuser broker.ks broker.ts
chmod 644 broker.ks broker.ts
-
Add ACTIVEMQ_SSL_OPTS to /etc/profile:
ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password>'; export ACTIVEMQ_SSL_OPTS
-
Confirm the lines were added:
grep ACTIVEMQ_SSL_OPTS /etc/profile
-
Source the profile in the current shell:
. /etc/profile
-
Add $ACTIVEMQ_SSL_OPTS to /etc/init.d/tdactivemq so that it is set when tdactivemq starts (the value must be quoted, otherwise the shell treats everything after the first space as a separate command):
export ACTIVEMQ_OPTS="$ACTIVEMQ_OPTS $ACTIVEMQ_SSL_OPTS"
-
Edit the /opt/teradata/tdactivemq/config/td-broker.xml file to do the following:
- Add the broker keystore password
- Add the broker truststore password
- Enable SSL over port 61617
-
Add the keystore password and truststore password under the existing <sslContext> tag:
<sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/broker.ks" keyStorePassword="<keystore/truststore password>" trustStore="file:${activemq.base}/conf/broker.ts" trustStorePassword="<keystore/truststore password>"/>
</sslContext>
-
Enable the SSL transport connector by uncommenting it.
Note that both ports remain open at this point; port 61616 (plain tcp) can be commented out later, after the SSL connector has been confirmed working.
<transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>
</transportConnectors>
-
Restart tdactivemq to confirm no errors:
/etc/init.d/tdactivemq restart
Check the log file /var/opt/teradata/tdactivemq/logs/activemq.log for errors.
-
Test connecting to ports 61616 and 61617:
telnet <EM Server> 61616
telnet <EM Server> 61617
-
Back up the following EM Server scripts:
cp -i $EM_HOME/bin/emeventconsumer /home/em/backup/emeventconsumer.original
cp -i $EM_HOME/conf/emeventconsumer /home/em/backup/emeventconsumer.conf.original
cp -i $EM_HOME/bin/empublisher /home/em/backup/empublisher.original
cp -i $EM_HOME/conf/empublisher /home/em/backup/empublisher.conf.original
cp -i $EM_HOME/conf/transport.properties /home/em/backup/transport.properties.original
-
Add the broker keystore password and broker truststore password, and enable SSL over port 61617, in the eventconsumer daemon script $EM_HOME/bin/emeventconsumer.
-
Enable SSL by changing the scheme from tcp to ssl for the $BROKER_LIST variable in the BuildTMSMBrokerList() function:
if [ "$BROKER_LIST" == "" ]
then
  BROKER_LIST="ssl://$BROKER?wireFormat.maxInactivityDuration=0"
else
  BROKER_LIST="$BROKER_LIST,ssl://$BROKER?wireFormat.maxInactivityDuration=0"
fi
-
Add the keystore and truststore to the emeventconsumer start() function. In each branch the original nohup line is kept commented out and a copy carrying the javax.net.ssl system properties is added below it:
start(){
  if [ "X$pid" == "X" ]; then
    BuildTMSMBrokerList
    test -n "$BROKER_LIST" || exit 6
    echo -n "Starting $prog:"
    if [ "$SYNCUSER" == "" ]; then
      # original command, kept for reference
      #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
      # SSL-enabled command
      nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
    else
      if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
        # original command, kept for reference
        #/bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
        # SSL-enabled command
        /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
      else
        # original command, kept for reference
        #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
        # SSL-enabled command
        nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
      fi
    fi
  fi
}
-
Edit the configuration file $EM_HOME/conf/emeventconsumer to change the broker port number from 61616 to 61617:
BROKER=em1:61617
BROKER=em2:61617
-
Edit $EM_HOME/bin/empublisher to add the broker keystore password and broker truststore password. As in emeventconsumer, each original nohup line is kept commented out and an SSL-enabled copy is added below it:
start(){
  if [ "X$pid" == "X" ]; then
    echo -n "Starting $prog:"
    if [ "$SYNCUSER" == "" ]; then
      # original command, kept for reference
      #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
      # SSL-enabled command
      nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
    else
      if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
        # original command, kept for reference
        #/bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &"
        # SSL-enabled command
        /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &"
      else
        # original command, kept for reference
        #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
        # SSL-enabled command
        nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
      fi
    fi
  fi
}
-
Edit $EM_HOME/conf/transport.properties to change the protocol and port number:
msm.amq.brokerURL = failover:(ssl://em1:61617,ssl://em2:61617)?randomize=false\&maxReconnectDelay=25\&maxReconnectAttempts=2
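A defender-side check for the migrated client configuration, added here as an example and not part of the Teradata product: it parses a transport.properties brokerURL line in the failover:(...) form shown above and flags any broker entry still using tcp:// or the plaintext port 61616. The port numbers and the \& escaping follow this page; the two sample lines are constructed.

```python
import re

PLAIN_PORT = 61616  # plain tcp OpenWire connector in td-broker.xml
SSL_PORT = 61617    # ssl transport connector enabled by this procedure
FAILOVER_RE = re.compile(r"^failover:\((?P<brokers>[^)]*)\)(?:\?(?P<opts>.*))?$")
BROKER_RE = re.compile(r"^(?P<scheme>[a-z]+)://(?P<host>[^:/?]+):(?P<port>\d+)(?:\?.*)?$")


def parse_failover_url(url):
    """Split failover:(a,b)?k=v\\&k2=v2 into (broker list, option dict)."""
    m = FAILOVER_RE.match(url.strip())
    if not m:
        raise ValueError("not a failover URL: %r" % url)
    brokers = [b.strip() for b in m.group("brokers").split(",") if b.strip()]
    opts = {}
    # Java .properties files escape '&' as '\&'; undo that before splitting.
    for kv in (m.group("opts") or "").replace("\\&", "&").split("&"):
        if kv:
            key, _, value = kv.partition("=")
            opts[key] = value
    return brokers, opts


def check_broker(broker):
    """Return findings (empty list == OK) for one broker URI from the failover list."""
    m = BROKER_RE.match(broker)
    if not m:
        return ["unparseable broker URI %r" % broker]
    findings = []
    port = int(m.group("port"))
    if m.group("scheme") != "ssl":
        findings.append("%s uses %s:// instead of ssl://" % (broker, m.group("scheme")))
    if port == PLAIN_PORT:
        findings.append("%s still targets the plaintext port %d" % (broker, PLAIN_PORT))
    elif port != SSL_PORT:
        findings.append("%s uses port %d, expected %d" % (broker, port, SSL_PORT))
    return findings


def check_transport_properties(text):
    """Check every msm.amq.brokerURL line of a transport.properties file."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "msm.amq.brokerURL":
            for broker in parse_failover_url(value)[0]:
                findings.extend(check_broker(broker))
    return findings


# Constructed sample inputs: the migrated line from this page and a half-migrated one.
MIGRATED = "msm.amq.brokerURL = failover:(ssl://em1:61617,ssl://em2:61617)?randomize=false\\&maxReconnectDelay=25\\&maxReconnectAttempts=2"
HALF_MIGRATED = "msm.amq.brokerURL = failover:(ssl://em1:61617,tcp://em2:61616)?randomize=false"
```

Run it against the real file with check_transport_properties(open(path).read()) after the edit; an empty list means every broker in the failover list is on ssl://...:61617.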
-
Copy previously exported broker certificates between EM servers:
-
Log on to the secondary EM Server as syncuser and run the following command:
scp <EM Server1>:/opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker_cert.em2 /home/em/
-
Log on to the primary EM Server as syncuser and run the following command:
scp <EM Server2>:/opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker_cert.em1 /home/em/
-
Import the EM Server certificate into the broker truststore on each EM Server (primary and secondary).
This allows the broker to trust the EM Server.
-
Log on to the primary EM Server and import the secondary EM Server's certificate:
cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Server2> -keystore broker.ts -file server_cert.<EM Server2>
You will be prompted for the following:
- Trust this certificate (yes)
- Enter the keystore password twice.
-
Verify the contents of the broker truststore on the primary EM Server:
/opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias <EM Server2> -keystore broker.ts
-
Log on to the secondary EM Server and import the primary EM Server's certificate:
cd /home/em
/opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Server1> -keystore broker.ts -file server_cert.<EM Server1>
You will be prompted for the following:
- Trust this certificate (yes)
- Enter the keystore password twice.
-
Verify the contents of the broker truststore on the secondary EM Server:
/opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias <EM Server1> -keystore broker.ts
-
Bring the EM Server online in the primary EM Server as syncuser:
su syncuser
$EM_HOME/bin/emsetactive.sh
-
Perform the following validation checks:
- Check the EM Services status:
$EM_HOME/bin/emstatus.sh
- Check the log files of emeventmaster, empublisher, and tdactivemq.
- Execute a sendevent (job) and make sure that it is processed and displays in the EM Explorer portlets in the Jobs tab.
- Complete the steps in Configuring SSL for EM Agent Servers for all EM Agent servers.
Final Steps to Complete the Dual Mode Configuration