16.20 - Configuring SSL for Dual Mode Operation - Teradata Ecosystem Manager

Teradata® Ecosystem Manager Installation, Configuration, and Upgrade Guide for Customers

Product: Teradata Ecosystem Manager
Release: 16.20
Created: December 2020
Category: Configuration, Installation
Document number: B035-3203-107K
Prerequisite: Teradata recommends using the same password for all EM Servers and EM Agent Servers.
SSL configuration for the communication between ActiveMQ, the EM Servers, and the EM Agent Servers requires an EM maintenance outage.
The following table identifies the server references used in the examples in this procedure.

Server Reference               Description
EM Server                      Hostname of the current EM Server being configured
EM Server1 (em1)               Hostname of the primary EM Server
EM Server2 (em2)               Hostname of the secondary EM Server
keystore/truststore password   Password created for use with the EM Server and EM Agent Server keystores and truststores

Complete the following steps on both the primary and secondary EM servers except for steps identified in "Final Steps to Complete the Dual Mode Configuration".

  1. Stop the tdactivemq service:
    /etc/init.d/tdactivemq stop
  2. Switch to syncuser and stop em services:

    su syncuser

    /opt/teradata/emserver/bin/emstopall.sh

  3. Create the EM Server working folders:
    mkdir /home/em
    chmod 777 /home/em
    mkdir /home/em/backup
    chmod 777 /home/em/backup
    chown -R syncuser /home/em

    The keystores generated in /home/em later in this procedure hold private keys. A world-writable directory lets any local account read or replace them, so tighten it to syncuser (chmod 700 /home/em) once the copy steps in this procedure are complete.
  4. Back up existing broker certificates:
    mv /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ks /home/em/backup/broker.ks.original
    mv /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ts /home/em/backup/broker.ts.original
    cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/client.ks /home/em/backup/client.ks.original
    cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/client.ts /home/em/backup/client.ts.original
    cp /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/jetty.xml /home/em/backup/jetty.xml.original
    
  5. Generate the keytool SAN extension:
    $EM_HOME/bin/emrestinternalgenerateself.sh

    The script prints the subject alternative name extension for this host in the following format. Copy the value exactly as printed into the -ext option of the keytool commands in steps 6 and 9.

    SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1

  6. Create a broker keystore (broker.ks), using the SAN value from step 5:
    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -genkey -alias em1 -keyalg RSA -keystore broker.ks -ext SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1 -dname "CN=em1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

    You will be prompted to enter the new keystore password twice, then for a key password; press RETURN to use the keystore password for the key as well.

  7. Verify the contents of the broker keystore:
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -keystore broker.ks
  8. Export the broker certificate:
    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -export -alias em1 -keystore broker.ks -file broker_cert.em1

    You will be prompted to enter the keystore password once. The certificate is written to /home/em/broker_cert.em1.

  9. Create the Server keystore (server.ks), using the SAN value from step 5 and the hostname of the EM Server being configured as alias and CN:
    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -genkey -alias <EM Server> -keyalg RSA -keystore server.ks -ext SAN=dns:em1,dns:em1,dns:localhost,ip:127.0.0.1 -dname "CN=<EM Server>, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

    You will be prompted to enter the new keystore password twice, then for a key password; press RETURN to use the keystore password for the key as well.

  10. Verify the contents of the Server keystore:
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias <EM Server> -keystore server.ks
  11. Create the Server truststore (server.ts) by importing the broker certificate exported in step 8:
    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Server> -keystore server.ts -file broker_cert.<EM Server>
    You will be prompted for the following:
    • Enter the new truststore password twice (server.ts is created by this command).
    • Trust this certificate (yes)
  12. Verify that the Server truststore was created and holds the broker certificate:
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias <EM Server> -keystore server.ts
  13. Export the EM Server certificate from the Server keystore:
    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -export -alias <EM Server> -keystore server.ks -file server_cert.<EM Server>

    You will be prompted to enter the keystore password once. The certificate is written to /home/em/server_cert.<EM Server>.

  14. Import the EM Server certificate into the broker truststore (broker.ts):

    This allows the broker to trust the EM Server. The original broker.ts was moved away in step 4, so this command creates a new one.

    cd /home/em
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Server> -keystore broker.ts -file server_cert.<EM Server>
    You will be prompted for the following:
    • Enter the new truststore password twice.
    • Trust this certificate (yes)
  15. Verify the contents of the broker truststore:
    /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias <EM Server> -keystore broker.ts
  16. Copy the broker keystore and truststore to the tdactivemq configuration directory:
    cd /home/em
    cp broker.ks broker.ts /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/
    cd /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/
    chown syncuser broker.ks broker.ts
    chmod 644 broker.ks broker.ts

    broker.ks holds the broker's private key. Mode 644 makes it readable by every local account; if the broker runs as syncuser, 600 on broker.ks is sufficient and is the better choice.
  17. Add ACTIVEMQ_SSL_OPTS to /etc/profile (one line for the assignment, substituting the real password):
    ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password>'
    export ACTIVEMQ_SSL_OPTS

    /etc/profile is readable by every local account, and the option string is visible in the broker's command line (ps), so the keystore password is exposed to anyone who can log on to the EM Server. Restrict interactive access to the EM Servers accordingly.
  18. Confirm the lines were added:
    grep ACTIVEMQ_SSL_OPTS /etc/profile
  19. Source the profile in the current shell:
    . /etc/profile
  20. Add $ACTIVEMQ_SSL_OPTS to /etc/init.d/tdactivemq so that it is set when tdactivemq starts. Quote the value; without the quotes the shell treats the second word as a separate name to export and the SSL options are lost:
    export ACTIVEMQ_OPTS="$ACTIVEMQ_OPTS $ACTIVEMQ_SSL_OPTS"

    Init scripts started at boot do not run through a login shell, so make sure the script also reads /etc/profile (. /etc/profile) before this line; otherwise ACTIVEMQ_SSL_OPTS is empty at boot and the broker starts without its keystore.
  21. Edit the /opt/teradata/tdactivemq/config/td-broker.xml file to do the following:
    • Add the broker keystore password
    • Add the broker truststore password
    • Enable SSL over port 61617
    1. Add the keystore and truststore paths and passwords inside the existing <sslContext> element:
      <sslContext>
         <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
            keyStorePassword="<keystore/truststore password>"
            trustStore="file:${activemq.base}/conf/broker.ts"
            trustStorePassword="<keystore/truststore password>"/>
      </sslContext>
    2. Enable the SSL transport connector by removing the comment markers around it.
      Both ports are open at this point. Comment out the 61616 connector after the SSL path is confirmed working; until then clients can still connect in plaintext.
      <transportConnectors>
         <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
         <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>
      </transportConnectors>
      As written, the ssl connector encrypts the connection but does not require a client certificate; broker.ts is only used to authenticate clients if the connector URI carries needClientAuth=true (ssl://0.0.0.0:61617?needClientAuth=true).
  22. Restart tdactivemq to confirm no errors:
    /etc/init.d/tdactivemq restart

    Check log for errors in the log file /var/opt/teradata/tdactivemq/logs/activemq.log.

  23. Test connecting to ports 61616 and 61617:

    telnet <EM Server> 61616

    telnet <EM Server> 61617

  24. Back up the following EM Server scripts:
    cp -i $EM_HOME/bin/emeventconsumer /home/em/backup/emeventconsumer.original
    cp -i $EM_HOME/conf/emeventconsumer /home/em/backup/emeventconsumer.conf.original
    cp -i $EM_HOME/bin/empublisher /home/em/backup/empublisher.original
    cp -i $EM_HOME/conf/empublisher /home/em/backup/empublisher.conf.original
    cp -i $EM_HOME/conf/transport.properties /home/em/backup/transport.properties.original
  25. Edit the emeventconsumer daemon script $EM_HOME/bin/emeventconsumer to point the consumer at the EM Server keystore and truststore created in steps 9 and 11 and to enable SSL over port 61617. The password passed through -Djavax.net.ssl.keyStorePassword is visible in the process list, as noted for step 17; if it contains spaces or shell metacharacters, quote the whole -D option.
    1. Enable SSL by changing tcp to ssl for the $BROKER_LIST variable in the BuildTMSMBrokerList() function:
      if [ "$BROKER_LIST" == "" ]
      then
         BROKER_LIST="ssl://$BROKER?wireFormat.maxInactivityDuration=0"
      else
         BROKER_LIST="$BROKER_LIST,ssl://$BROKER?wireFormat.maxInactivityDuration=0"
      fi
    2. Add the keystore and truststore options to the emeventconsumer start() function (the commented lines are the original commands, kept for reference):
      start(){
      
          if [ "X$pid" == "X" ]; then
              BuildTMSMBrokerList
              test -n "$BROKER_LIST" || exit 6
              echo -n "Starting $prog:"
                  if [ "$SYNCUSER" == "" ]; then
                      #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                      nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                  else
                      if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
                          #/bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
                          /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
                      else
                          #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                          nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
                       fi
                  fi
  26. Edit the script $EM_HOME/conf/emeventconsumer to change the broker port number from 61616 to 61617:

    BROKER=em1:61617

    BROKER=em2:61617

  27. Edit the start() function of $EM_HOME/bin/empublisher to point the publisher at the EM Server keystore and truststore in the same way (the commented lines are the original commands, kept for reference):
    start(){
    
        if [ "X$pid" == "X" ]; then
            echo -n "Starting $prog:"
                if [ "$SYNCUSER" == "" ]; then
                    #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                    nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                else
                    if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
                        #/bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount  --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &"
                        /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &"
                    else
                        #nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                        nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks -Djavax.net.ssl.keyStorePassword=<keystore/truststore password> -Djavax.net.ssl.trustStore=/home/em/server.ts -Djava.util.logging.config.file=$LOGGING_CONFIG $OPTS -classpath  $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=$CONSUMERNAME --clientId=$CLIENTID --maxBatchMessageCount=$maxMessageCount --latencyTimer=$latencyTimer  --reconnectingInterval=$reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/empublisher.log 2>&1 &
                    fi
                fi
  28. Edit $EM_HOME/conf/transport.properties to change the protocol and port number:
    msm.amq.brokerURL = failover:(ssl://em1:61617,ssl://em2:61617)?randomize=false\&maxReconnectDelay=25\&maxReconnectAttempts=2
  29. Final Steps to Complete the Dual Mode Configuration (steps 30 through 34; each step states which EM Server it is run on)

  30. Copy the certificates exported in steps 8 and 13 (they are in /home/em, not in the tdactivemq conf directory) between the EM Servers, so that each server holds the other's broker and EM Server certificates:
    1. Log on to the secondary EM Server as syncuser and fetch the primary EM Server's certificates:
      scp <EM Server1>:/home/em/server_cert.em1 /home/em/
      scp <EM Server1>:/home/em/broker_cert.em1 /home/em/
    2. Log on to the primary EM Server as syncuser and fetch the secondary EM Server's certificates:
      scp <EM Server2>:/home/em/server_cert.em2 /home/em/
      scp <EM Server2>:/home/em/broker_cert.em2 /home/em/
  31. Import the other EM Server's certificate into the broker truststore on each EM Server (primary and secondary).
    This allows each broker to trust both EM Servers. The imports below change /home/em/broker.ts; copy the updated broker.ts to the tdactivemq conf directory again as in step 16 and restart tdactivemq, otherwise the running broker keeps the old truststore. Because transport.properties (step 28) lists both brokers, also confirm that each EM Server's server.ts trusts the other broker's certificate (import broker_cert.<other EM Server> into server.ts the same way); without it, failover to the other broker fails the TLS handshake.
    1. Log on to the primary EM Server and import the secondary EM Server's certificate:
      cd /home/em
      /opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Server2> -keystore broker.ts -file server_cert.<EM Server2>
      
      You will be prompted for the following:
      • Enter the truststore password.
      • Trust this certificate (yes)
    2. Verify the contents of the broker truststore on the primary EM Server:
      /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias <EM Server2> -keystore broker.ts
    3. Log on to the secondary EM Server and import the primary EM Server's certificate:
      cd /home/em
      /opt/teradata/jvm64/jdk8/jre/bin/keytool -import -alias <EM Server1> -keystore broker.ts -file server_cert.<EM Server1>
      You will be prompted for the following:
      • Enter the truststore password.
      • Trust this certificate (yes)
    4. Verify the contents of the broker truststore on the secondary EM Server:
      /opt/teradata/jvm64/jdk8/jre/bin/keytool -list -alias <EM Server1> -keystore broker.ts
  32. Bring the EM Server online in the primary EM Server as syncuser:

    su syncuser

    $EM_HOME/bin/emsetactive.sh

  33. Perform the following validation checks:
    1. Check the EM Services status.
      $EM_HOME/bin/emstatus.sh
    2. Check the log files of emeventmaster, empublisher, and tdactivemq.
    3. Execute a sendevent (job) and make sure that it is processed and appears in the Jobs tab of the EM Explorer portlets.
  34. Complete the steps in Configuring SSL for EM Agent Servers for all EM Agent servers.
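The keystore and truststore build of steps 5 through 15 and the client-side configuration checks for steps 26 and 28, collected into one script as an added example. It is not part of the Teradata guide: the KEYTOOL and WORKDIR defaults, the EM_STORE_PASS variable name, the 2048-bit key size and 730-day validity, the subcommand names and the openssl check are assumptions of this example. It reads the password through keytool's -storepass:env form so that it is taken from the environment instead of the command line, and it drops the repeated dns: name that appears in the guide's sample SAN value.

```shell
#!/bin/sh
# Added example (not part of the Teradata procedure): builds the broker and
# EM Server stores of steps 5 through 15 with one password and checks the
# client configuration files of steps 26 and 28 for leftover plaintext
# broker references. KEYTOOL, WORKDIR and EM_STORE_PASS are assumed names.
set -e

KEYTOOL=${KEYTOOL:-/opt/teradata/jvm64/jdk8/jre/bin/keytool}
WORKDIR=${WORKDIR:-/home/em}

# san_ext HOST [ALTNAME ...]: the -ext value of step 5, with any repeated
# name dropped (the guide's sample lists dns:em1 twice).
san_ext() {
    host=$1; shift
    ext="dns:$host"
    for n in "$@"; do
        case ",$ext," in
            *",dns:$n,"*) ;;                 # already listed
            *) ext="$ext,dns:$n" ;;
        esac
    done
    printf 'SAN=%s,dns:localhost,ip:127.0.0.1\n' "$ext"
}

# build_stores HOST [ALTNAME ...]: broker.ks, broker.ts, server.ks and
# server.ts in WORKDIR, each truststore holding the other side's certificate.
# The password comes from EM_STORE_PASS via -storepass:env, so it is not
# visible in the process list.
build_stores() {
    host=$1; ext=$(san_ext "$@")
    : "${EM_STORE_PASS:?set EM_STORE_PASS to the keystore/truststore password}"
    cd "$WORKDIR"
    for side in broker server; do
        "$KEYTOOL" -genkeypair -alias "$host" -keyalg RSA -keysize 2048 -validity 730 \
            -keystore "$side.ks" -storepass:env EM_STORE_PASS -keypass:env EM_STORE_PASS \
            -ext "$ext" -dname "CN=$host, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"
        "$KEYTOOL" -exportcert -alias "$host" -keystore "$side.ks" \
            -storepass:env EM_STORE_PASS -file "${side}_cert.$host"
    done
    # server.ts trusts the broker certificate (step 11); broker.ts trusts the
    # EM Server certificate (step 14). -noprompt answers the "Trust this
    # certificate?" question because both certificates were generated here.
    "$KEYTOOL" -importcert -noprompt -alias "$host" -keystore server.ts \
        -storepass:env EM_STORE_PASS -file "broker_cert.$host"
    "$KEYTOOL" -importcert -noprompt -alias "$host" -keystore broker.ts \
        -storepass:env EM_STORE_PASS -file "server_cert.$host"
    chmod 600 broker.ks server.ks       # the .ks files hold private keys
    for s in broker.ks broker.ts server.ks server.ts; do
        "$KEYTOOL" -list -keystore "$s" -storepass:env EM_STORE_PASS -alias "$host"
    done
}

# check_ssl_only FILE ...: succeed only if no file still references the
# plaintext port 61616 or the tcp:// scheme and every file references 61617
# (transport.properties and $EM_HOME/conf/emeventconsumer after steps 26/28).
check_ssl_only() {
    rc=0
    for f in "$@"; do
        if grep -En ':61616([^0-9]|$)' "$f"; then
            echo "$f: plaintext broker port 61616 still referenced" >&2; rc=1
        fi
        if grep -En 'tcp://' "$f"; then
            echo "$f: tcp:// scheme still present" >&2; rc=1
        fi
        if ! grep -Eq ':61617([^0-9]|$)' "$f"; then
            echo "$f: no reference to the SSL port 61617" >&2; rc=1
        fi
    done
    return $rc
}

# show_broker_cert HOST: the certificate a client sees on the SSL connector
# after step 22 (the telnet test of step 23 only proves the port is open).
show_broker_cert() {
    openssl s_client -connect "$1:61617" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates -text \
        | grep -E 'Subject:|Not (Before|After)|DNS:|IP Address:'
}

case "${1:-}" in
    build) shift; build_stores "$@" ;;     # sh em_ssl.sh build em1 em1.example.com
    check) shift; check_ssl_only "$@" ;;   # sh em_ssl.sh check $EM_HOME/conf/transport.properties
    cert)  show_broker_cert "$2" ;;        # sh em_ssl.sh cert em1
esac
```

Run the build subcommand on each EM Server with EM_STORE_PASS exported, then copy broker.ks and broker.ts into the ActiveMQ conf directory as in step 16; the cross-server imports of steps 30 and 31 are still done by hand. The check subcommand is meant to be run against $EM_HOME/conf/transport.properties and $EM_HOME/conf/emeventconsumer before the services are restarted, so that a forgotten tcp://host:61616 entry does not silently keep one leg of the failover list in plaintext.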