When QueryGrid Manager is first started, a certificate authority is created. The certificate authority is used to generate the QueryGrid Manager server certificates used for securing communications. When a QueryGrid Manager instance is added to a cluster, the new instance inherits the certificate authority of the cluster. Every QueryGrid node in the cluster has a copy of that certificate authority to verify communication is with a trusted QueryGrid Manager instance.
The default expiration of a certificate authority is 100 years. When QueryGrid detects that a certificate authority is within 90 days of expiration, an alert is generated and displays in the Viewpoint QueryGrid portlet Issues view.
To change an expiration date or rotate certificate authority keys, all QueryGrid Managers, nodes, and fabrics must be online and running QueryGrid version 02.13 or later.
Use the following command to change the expiration date of the certificate authority or rotate the certificate authority keys, as required by security guidelines:
/opt/teradata/tdqgm/bin/rotate-cert.sh
If the rotate-cert command fails, the task is stopped and QueryGrid remains functional.
Rotate Certificate Authority Keys
The following key types and sizes are supported for the new certificate authority:
- RSA: supported key size is 2048 bits or larger
- EC (ECDSA): supported key size options are 256, 384, or 521 bits
Use the following command to rotate the certificate authority keys:
/opt/teradata/tdqgm/bin/rotate-cert.sh -r
Running the rotate-cert command requires multiple restarts of QueryGrid Manager and can take an average of 5 minutes per QueryGrid Manager instance in the cluster. The following is an example of a successful rotate-cert command:
Starting rotate-cert command, just a moment...
Checking Manager, Nodes, and Fabric versions for compatibility
Generating new Certificate Authority certificate
Enter validity period in days for Certificate Authority [365-40000]: 3650
Adding new Certificate Authority to Managers trust store (requires Manager restart)
Restarting Manager on qgm1...
Manager on qgm1 restarted successfully
Restarting Manager on qgm2...
Manager on qgm2 restarted successfully
Verifying Managers trust new Certificate Authority
Verifying Nodes trust new Certificate Authority
Activating new Certificate Authority (requires Manager restart)
Restarting Manager on qgm1...
Manager on qgm1 restarted successfully
Restarting Manager on qgm2...
Manager on qgm2 restarted successfully
Removing previous Certificate Authority (requires Manager restart)
Restarting Manager on qgm1...
Manager on qgm1 restarted successfully
Restarting Manager on qgm2...
Manager on qgm2 restarted successfully
Verifying previous Certificate Authority is removed
rotate-cert command successful.
=== Additional Information ===
- If not using a custom certificate for port 9443 then add the new CA public certificate to Viewpoint to enable the QueryGrid portlet to continue to work.
- If using Automatic Deployment of QueryGrid on scalable clusters, tdqg-node.json will need to be regenerated so it contains the new certificate.
- If operating Teradata SQLE in AWS, a new NFR image will need to be generated so it has the updated certificate.
After a successful rotation, complete the following steps as applicable:
- If not using a custom certificate for port 9443, add the new certificate authority public certificate to Viewpoint to enable the QueryGrid portlet to continue working.
- If using Automatic Deployment of QueryGrid on scalable clusters, regenerate tdqg-node.json to add the new certificate.
- If operating Vantage Analytics Database in AWS or Google Cloud, generate a new NFR image to update the certificate.
Change Server Certificate Expiration
Default server certificates are generated automatically on startup from the QueryGrid Manager cluster-wide certificate authority. The default expiration of a server certificate is 2 years. When QueryGrid detects that a server certificate is within 90 days of expiration, an alert is generated and displays in the Viewpoint QueryGrid portlet Issues view. After a server certificate expires, communication with that QueryGrid Manager instance is no longer allowed. Restarting QueryGrid Manager generates a new certificate.
The following command changes the expiration date of the server certificate:
/opt/teradata/tdqgm/rotate-cert.sh -s days
This command only changes the server certificate for the local QueryGrid Manager and restarts that QueryGrid Manager for the change to take effect. Any custom server certificates that have been installed for access over port 9443 are not affected by this command.
Change Root Certificate Authority Certificate Expiration
The default root Certificate Authority (CA) expires in 100 years. Your security policy may require a root CA that expires in a shorter amount of time. Use the following command to change the root CA expiration:
/opt/teradata/tdqgm/rotate-cert.sh -c [days 365-40000]
This command changes the expiration date of the root CA for all QueryGrid Managers in the cluster. It also restarts all the QueryGrid Managers in the cluster. The cluster must be operational during the process for high availability continuity.
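The following script is an added example and is not Teradata or QueryGrid code. It builds a throwaway lab with openssl that mirrors the trust model described on this page (a cluster CA signs a manager's server certificate; a node holding a copy of the CA verifies it) and scripts the checks an operator would want around the rotation procedure: the 90-day expiry alert window, the 365-40000 day validity range that rotate-cert accepts for the CA, and the supported key sizes (RSA 2048 or larger, EC 256/384/521). The CA names old-ca and new-ca are constructed; qgm1 is the host name from the sample output above. It assumes a POSIX sh with openssl and mktemp in PATH and does not contact any QueryGrid Manager.

```shell
#!/bin/sh
# Added example, not Teradata's code. All certificates are generated locally.
set -eu

ALERT_WINDOW_SECONDS=$((90 * 86400))   # page: alert when within 90 days of expiry
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

# make_ca NAME DAYS: self-signed RSA-2048 CA valid for DAYS days (names are constructed)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=QueryGrid lab CA $1" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}

# issue_server_cert CANAME HOST DAYS: leaf certificate for HOST signed by CANAME
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$LAB/$2.key" -out "$LAB/$2.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$2.csr" -CA "$LAB/$1.pem" -CAkey "$LAB/$1.key" \
    -CAcreateserial -days "$3" -out "$LAB/$2.pem" 2>/dev/null
}

# trusted_by CANAME CERTNAME: succeeds only if CERTNAME chains to CANAME,
# i.e. what a node holding that CA copy would conclude about the manager
trusted_by() {
  openssl verify -CAfile "$LAB/$1.pem" "$LAB/$2.pem" >/dev/null 2>&1
}

# cert_alert_state NAME: prints expired, expiring (inside the 90-day window) or ok.
# openssl's -checkend exits non-zero when the cert expires within the given seconds.
cert_alert_state() {
  if ! openssl x509 -in "$LAB/$1.pem" -noout -checkend 0 >/dev/null; then
    echo expired
  elif ! openssl x509 -in "$LAB/$1.pem" -noout -checkend "$ALERT_WINDOW_SECONDS" >/dev/null; then
    echo expiring
  else
    echo ok
  fi
}

# validity_days_ok DAYS: the range rotate-cert accepts at its prompt (365-40000)
validity_days_ok() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 365 ] && [ "$1" -le 40000 ]
}

# key_policy_ok NAME: RSA of at least 2048 bits, or EC with a 256/384/521-bit key
key_policy_ok() {
  text=$(openssl x509 -in "$LAB/$1.pem" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  case "$text" in
    *rsaEncryption*)  [ "$bits" -ge 2048 ] ;;
    *id-ecPublicKey*) [ "$bits" -eq 256 ] || [ "$bits" -eq 384 ] || [ "$bits" -eq 521 ] ;;
    *) return 1 ;;
  esac
}

# Lab setup: the current cluster CA, close to expiry, and its replacement
make_ca old-ca 30                   # already inside the 90-day alert window
make_ca new-ca 3650                 # the value entered at the rotate-cert prompt above
issue_server_cert old-ca qgm1 730   # default server certificate lifetime is 2 years

printf 'old-ca: %s   new-ca: %s\n' "$(cert_alert_state old-ca)" "$(cert_alert_state new-ca)"
if trusted_by old-ca qgm1; then echo "qgm1 verified against old-ca"; fi
if ! trusted_by new-ca qgm1; then echo "qgm1 NOT verified against new-ca (not yet re-issued)"; fi
```

The last two lines show why rotate-cert stages the change the way the sample output does: a server certificate issued under the old CA does not verify against the new one, so the new CA has to be added to every trust store and the server certificates re-issued before the previous CA is removed; dropping it first would cut nodes off from the managers.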