Creating the Broker Truststore on the Ecosystem Manager Server - Teradata Ecosystem Manager

Teradata Ecosystem Manager Installation, Configuration, and Upgrade Guide for Customers

Product: Teradata Ecosystem Manager
Release Number: 16.00
Published: December 2016
Language: English (United States)
Last Update: 2018-03-29
dita:mapPath: zwe1470238783289.ditamap
dita:ditavalPath: 3203_ICUCustomer_em_1600.ditaval.ditaval
dita:id: B035-3203
lifecycle: previous
Product Category: Analytical Ecosystem
Perform these steps on both Ecosystem Manager servers to import the client certificate and create the broker truststore. Repeat these steps for every client certificate.
  1. Create a folder named /home/em to hold the client_cert and keystore files.
  2. Copy the client certificate file from the client and execute the command: keytool -import -alias <hostname-of-EM-client> -keystore broker.ts -file client_cert
    The system responds as follows:
    Enter keystore password:
    Re-enter new password:
    Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: ed415cb
    Valid from: Tue Jun 23 18:21:18 UTC 2015 until: Mon Sep 21 18:21:18 UTC 2015
    Certificate fingerprints:
             MD5:  9F:47:D4:AE:98:69:FA:D9:F6:C7:DB:F4:BA:2A:C2:59
             SHA1: 62:3A:AB:F0:72:F5:3E:91:FD:E9:3E:C5:85:DC:37:52:B3:34:FD:D0
             SHA256: 27:D2:02:A7:B1:0C:19:BA:D0:2A:E1:CA:86:B0:63:19:97:3F:08:61:DC:51:B1:B8:AB:0D:BE:E1:E6:19:BD:62
             Signature algorithm name: SHA256withRSA
             Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: BB C4 91 8C 24 04 54 1F   DF DB 3D 98 43 CE AE ED  ....$.T...=.C...
    ]
    ]
    
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    

    This creates a truststore for the broker, allowing the broker to trust the client. Make sure that broker.ts is created.

  3. Create a certificate/keystore for both Active and Standby Ecosystem Manager servers: keytool -genkey -alias <hostname-of-EM-client> -keyalg RSA -keystore server.ks
    The system prompts for the following information:
    Enter your keystore password:
    What is your first and last name?
    [Unknown]:
    What is the name of your organizational unit?
    [Unknown]:
    What is the name of your City or Locality?
    [Unknown]:
    What is the name of your State or Province?
    [Unknown]:
    What is the two-letter country code for this unit:
    [Unknown]:
    Is CN=Unknown, OU=Unknown, O=Unknown, ST=Unknown, C=Unknown correct?
    [no]: yes
    Enter key password for <hostname-of-EM-client>
    (RETURN if same as keystore password):
    Make sure that the keystore file is created on all participating EM client systems.
  4. Create a truststore for the server and import the broker's certificate on both Ecosystem Manager servers with the following commands:
    1. On the Active EM server run the following: keytool -import -alias <hostname-of-Active-Server> -keystore server.ts -file /opt/teradata/jvm64/jdk7/bin/broker_cert1
      The system responds with the following:
      Enter keystore password:
      Re-enter new password:
      Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Serial number: 559b65aa
      Valid from: Tue Jun 23 18:15:54 UTC 2015 until: Mon Sep 21 18:15:54 UTC 2015
      Certificate fingerprints:
               MD5:  97:3A:70:71:B5:5E:12:0A:7D:AD:A7:94:A5:BF:1A:0C
               SHA1: 8B:A9:37:A0:15:61:ED:25:1F:AA:47:6D:1F:F1:73:D5:D9:C4:69:54
               SHA256: 46:B9:B2:9D:E4:AE:E3:26:CC:D5:4C:B7:56:ED:98:8D:4F:82:76:87:73:0E:49:E3:CF:70:AC:2F:66:D4:88:1F
               Signature algorithm name: SHA256withRSA
               Version: 3
      
      Extensions:
      
      #1: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 0F CA D5 A2 22 6B 74 40   45 ED 2D 63 7F 7B 03 17  ...."kt@E.-c....
      0010: CA BE 18 0B                                        ....
      ]
      ]
      
      Trust this certificate? [no]:  yes
      Certificate was added to keystore
      
    2. On the Standby EM server run the following: keytool -import -alias <hostname-of-Standby-Server> -keystore server.ts -file /opt/teradata/jvm64/jdk7/bin/broker_cert2
      The system responds with the following:
      Enter keystore password:
      Re-enter new password:
      Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Serial number: 559b65aa
      Valid from: Tue Jun 23 18:15:54 UTC 2015 until: Mon Sep 21 18:15:54 UTC 2015
      Certificate fingerprints:
               MD5:  97:3A:70:71:B5:5E:12:0A:7D:AD:A7:94:A5:BF:1A:0C
               SHA1: 8B:A9:37:A0:15:61:ED:25:1F:AA:47:6D:1F:F1:73:D5:D9:C4:69:54
               SHA256: 46:B9:B2:9D:E4:AE:E3:26:CC:D5:4C:B7:56:ED:98:8D:4F:82:76:87:73:0E:49:E3:CF:70:AC:2F:66:D4:88:1F
               Signature algorithm name: SHA256withRSA
               Version: 3
      
      Extensions:
      
      #1: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 0F CA D5 A2 22 6B 74 40   45 ED 2D 63 7F 7B 03 17  ...."kt@E.-c....
      0010: CA BE 18 0B                                        ....
      ]
      ]
      
      Trust this certificate? [no]:  yes
      Certificate was added to keystore
      

      This establishes that the Ecosystem Manager services running on an Ecosystem Manager server trust the broker, and creates a truststore for the server.

  5. Export the server's certificate so it can be shared with the broker, by running the following commands on the EM servers (the step title and the "Certificate stored in file" response are those of keytool -export; the original text printed -import here):
    1. On the Active EM server, run: keytool -export -alias <hostname-of-Active-EM-server> -keystore server.ts -file server_cert
      The system responds with the following:
      Enter keystore password:
      Certificate stored in file server_cert
    2. On the Standby EM server, run: keytool -export -alias <hostname-of-Standby-EM-server> -keystore server.ts -file server_cert
      The system responds with the following:
      Enter keystore password:
      Certificate stored in file server_cert
  6. Import the server's certificate into the broker truststore:
    1. On the Active EM server, run: keytool -import -alias <hostname-of-Active-EM-server> -keystore broker.ts -file server_cert
      The system responds with the following:
      Enter keystore password:
      Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Serial number: 300263d1
      Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015
      Certificate fingerprints:
               MD5:  C1:1C:8C:C0:9B:A5:42:60:A0:A8:CC:CF:62:65:52:0D
               SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2
               SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2
               Signature algorithm name: SHA256withRSA
               Version: 3
      
      Extensions:
      
      #1: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 83 75 6D 0E A2 76 EE 16   84 09 13 40 AF F4 88 8A  .um..v.....@....
      0010: 50 65 D2 03                                        Pe..
      ]
      ]
      
      Trust this certificate? [no]:  yes
      Certificate was added to keystore
      
    2. On the Standby EM server, run: keytool -import -alias <hostname-of-Standby-EM-server> -keystore broker.ts -file server_cert
      The system responds with:
      Enter keystore password:
      Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Serial number: 300263d1
      Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015
      Certificate fingerprints:
               MD5:  C1:1C:8C:C0:9B:A5:42:60:A0:A8:CC:CF:62:65:52:0D
               SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2
               SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2
               Signature algorithm name: SHA256withRSA
               Version: 3
      
      Extensions:
      
      #1: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 83 75 6D 0E A2 76 EE 16   84 09 13 40 AF F4 88 8A  .um..v.....@....
      0010: 50 65 D2 03                                        Pe..
      ]
      ]
      
      Trust this certificate? [no]:  yes
      Certificate was added to keystore
      
  7. Copy broker.ks and broker.ts files into /opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/.
  8. Configure the environment variable ACTIVEMQ_SSL_OPTS by opening the /etc/profile file and adding the following entry at the end of the file: ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/broker.ks -Djavax.net.ssl.keyStorePassword=password'; export ACTIVEMQ_SSL_OPTS

    Use the keystore password in this command.

  9. Save the changes and source /etc/profile so the ACTIVEMQ_SSL_OPTS environment variable is available to the current session: source /etc/profile
  10. Update /etc/init.d/tdactivemq on both EM servers. Find the line that begins with export ACTIVEMQ_OPTS=...=1500 and append $ACTIVEMQ_SSL_OPTS to it, so that it reads: export ACTIVEMQ_OPTS=...=1500 $ACTIVEMQ_SSL_OPTS
  11. Open the broker config file located at /opt/teradata/tdactivemq/config/td-broker.xml and change keyStorePassword and trustStorePassword to the keystore password:
    <sslContext>
        <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
                    keyStorePassword="password"
                    trustStore="file:${activemq.base}/conf/broker.ts"
                    trustStorePassword="password"/>
    </sslContext>
    
  12. Enable SSL (uncomment it if it is commented out) in /opt/teradata/tdactivemq/config/td-broker.xml:
    <transportConnectors>
        <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
        <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true"/>
    </transportConnectors>
    
  13. Give 777 access rights to /home/em and all files within it.
  14. Change the emeventconsumer service startup script to include the SSL option:
    1. Copy the original file: cp /opt/teradata/emserver/bin/emeventconsumer /opt/teradata/emserver/bin/emeventconsumer.original
    2. Log on as syncuser and open the $EM_HOME/bin/emeventconsumer file and change tcp to ssl:
       BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2`
       if [ "$BROKER" != "" ]
       then
         if [ "$BROKER_LIST" == "" ]
         then
           BROKER_LIST="tcp://$BROKER?wireFormat.maxInactivityDuration=0"
         else
           BROKER_LIST="$BROKER_LIST,tcp://$BROKER?wireFormat.maxInactivityDuration=0"
         fi
       fi
      

      Change to:

       BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2`
       if [ "$BROKER" != "" ]
       then
         if [ "$BROKER_LIST" == "" ]
         then
           BROKER_LIST="ssl://$BROKER?wireFormat.maxInactivityDuration=0"
         else
           BROKER_LIST="$BROKER_LIST,ssl://$BROKER?wireFormat.maxInactivityDuration=0"
         fi
       fi
      
    3. Open the $EM_HOME/bin/emeventconsumer file and locate the start function:
      if [ "$SYNCUSER" == "" ]; then
        nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG \
          -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS \
          "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM \
          --consumerName=$CONSUMERNAME --clientId=$CLIENTID \
          --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR \
          --adminEmailAddr=$ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount \
          --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval \
          --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
      else
        if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
          /bin/su $SYNCUSER -c "nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS \
            --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM \
            --consumerName=$CONSUMERNAME --clientId=$CLIENTID \
            --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR \
            --adminEmailAddr=$ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount \
            --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval \
            --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
        else
          nohup $JAVA -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS \
            --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM \
            --consumerName=$CONSUMERNAME --clientId=$CLIENTID \
            --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR \
            --adminEmailAddr=$ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount \
            --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval \
            --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
        fi
      fi
      
      Change to:
      if [ "$SYNCUSER" == "" ]; then
        nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks \
          -Djavax.net.ssl.keyStorePassword=password \
          -Djavax.net.ssl.trustStore=/home/em/server.ts \
          -Djava.util.logging.config.file=$LOGGING_CONFIG \
          -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS \
          "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM \
          --consumerName=$CONSUMERNAME --clientId=$CLIENTID \
          --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR \
          --adminEmailAddr=$ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount \
          --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval \
          --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
      else
        if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
          /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks \
            -Djavax.net.ssl.keyStorePassword=password \
            -Djavax.net.ssl.trustStore=/home/em/server.ts \
            -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS \
            --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM \
            --consumerName=$CONSUMERNAME --clientId=$CLIENTID \
            --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR \
            --adminEmailAddr=$ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount \
            --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval \
            --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &"
        else
          nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks \
            -Djavax.net.ssl.keyStorePassword=password \
            -Djavax.net.ssl.trustStore=/home/em/server.ts \
            -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS \
            --url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM \
            --consumerName=$CONSUMERNAME --clientId=$CLIENTID \
            --smtpServer=$SMTPSERVER --fromEmailAddr=$FROMEMAILADDR \
            --adminEmailAddr=$ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount \
            --latencyTimer=$latencyTimer --reconnectingInterval=$reconnectingInterval \
            --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &
        fi
      fi
      
    4. Copy $EM_HOME/conf/emeventconsumer to $EM_HOME/conf/emeventconsumer.original.
    5. In the $EM_HOME/conf/emeventconsumer file, change 61616 to 61617.
  15. Change the empublisher service startup script to include the SSL option:
    1. Copy the original file: cp /opt/teradata/emserver/bin/empublisher /opt/teradata/emserver/bin/empublisher.original
    2. Open the $EM_HOME/bin/empublisher file and locate the start function:
      if [ "$SYNCUSER" == "" ]; then
        nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS \
          -Djava.util.logging.config.file=$LOGGING_CONFIG \
          -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS \
          --threadPoolSize=$NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
      else
        if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
          /bin/su $SYNCUSER -c "nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS \
            -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS \
            --threadPoolSize=$NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &"
        else
          nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS \
            -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS \
            --threadPoolSize=$NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
        fi
      fi
      
      Change to:
      if [ "$SYNCUSER" == "" ]; then
        nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks \
          -Djavax.net.ssl.keyStorePassword=password \
          -Djavax.net.ssl.trustStore=/home/em/server.ts \
          -Dservice_name=empublisher $SERVICE_FLAGS \
          -Djava.util.logging.config.file=$LOGGING_CONFIG \
          -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS \
          --threadPoolSize=$NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
      else
        if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
          /bin/su $SYNCUSER -c "nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks \
            -Djavax.net.ssl.keyStorePassword=password \
            -Djavax.net.ssl.trustStore=/home/em/server.ts \
            -Dservice_name=empublisher $SERVICE_FLAGS \
            -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS \
            --threadPoolSize=$NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &"
        else
          nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/server.ks \
            -Djavax.net.ssl.keyStorePassword=password \
            -Djavax.net.ssl.trustStore=/home/em/server.ts \
            -Dservice_name=empublisher $SERVICE_FLAGS \
            -Djava.util.logging.config.file=$LOGGING_CONFIG \
            -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS \
            --threadPoolSize=$NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
        fi
      fi
      
    3. Copy the $EM_HOME/conf/transport.properties file to $EM_HOME/conf/transport.properties.original.
    4. In $EM_HOME/conf/transport.properties, change 61616 to 61617.
    5. In $EM_HOME/conf/transport.properties, change tcp to ssl.
  16. Copy the broker.ks and broker.ts files into /opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/ folder.
  17. Copy the client.ks and client.ts files from the Ecosystem Manager clients into the /opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/ folder.
  18. Start tdactivemq: /etc/init.d/tdactivemq start
  19. Check the activemq log file to make sure it lists both 61616 and 61617: /var/opt/teradata/tdactivemq/logs/activemq.log
  20. Start all emservices by running the following script as syncuser on the Active EM server: $EM_HOME/bin/emsetactive.sh
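Once the stores are built (steps 2, 4 and 6), a practitioner wants to confirm that each truststore holds exactly the certificates it should, identified by fingerprint, and that none is near expiry (the certificates shown above were issued with 90-day validity). The following Python script is an added example and is not part of the Teradata documentation: it parses the text that `keytool -list -v -keystore broker.ts` prints (assumed invocation; the same works for server.ts) and compares each entry with the SHA256 fingerprint recorded when that certificate was exported. The alias names, the embedded sample listing and the reference dates are constructed for the example; the fingerprints and validity periods in the sample are the ones printed in the procedure.

```python
"""Verify the contents of an Ecosystem Manager truststore from keytool output.

Added example, not part of the Teradata documentation. It parses the text that
`keytool -list -v -keystore <store>` prints (assumed invocation) and checks that
each expected alias is present with the expected SHA256 fingerprint, that it is
a trusted certificate, that nothing unexpected is trusted, and that no
certificate is expired or about to expire.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in keytool's -list -v format (shortened; alias names assumed).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: emclient01
Creation date: Jun 23, 2015
Entry type: trustedCertEntry

Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: ed415cb
Valid from: Tue Jun 23 18:21:18 UTC 2015 until: Mon Sep 21 18:21:18 UTC 2015
Certificate fingerprints:
         SHA1: 62:3A:AB:F0:72:F5:3E:91:FD:E9:3E:C5:85:DC:37:52:B3:34:FD:D0
         SHA256: 27:D2:02:A7:B1:0C:19:BA:D0:2A:E1:CA:86:B0:63:19:97:3F:08:61:DC:51:B1:B8:AB:0D:BE:E1:E6:19:BD:62

*******************************************

Alias name: emserver-active
Creation date: Jun 23, 2015
Entry type: trustedCertEntry

Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 300263d1
Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015
Certificate fingerprints:
         SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2
         SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2
"""

# Fingerprints noted when the certificates were exported, keyed by import alias.
EXPECTED = {
    "emclient01": "27:D2:02:A7:B1:0C:19:BA:D0:2A:E1:CA:86:B0:63:19:97:3F:08:61:DC:51:B1:B8:AB:0D:BE:E1:E6:19:BD:62",
    "emserver-active": "83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2",
}

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
DATE_RE = re.compile(r"^\w{3} (\w{3}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\w+) (\d{4})$")
VALID_RE = re.compile(r"^Valid from:\s*(.+?)\s+until:\s*(.+?)\s*$", re.M)
TYPE_RE = re.compile(r"^Entry type:\s*(\S+)", re.M)
SHA256_RE = re.compile(r"^\s*SHA256:\s*([0-9A-Fa-f:]+)\s*$", re.M)


def parse_keytool_date(text):
    """Parse a keytool date such as 'Mon Sep 21 18:21:18 UTC 2015' (UTC/GMT only)."""
    m = DATE_RE.match(text.strip())
    if not m or m.group(6) not in ("UTC", "GMT"):
        raise ValueError("unsupported keytool date (run keytool with -J-Duser.timezone=UTC): %r" % text)
    mon, day, hh, mm, ss, _zone, year = m.groups()
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=timezone.utc)


def parse_listing(listing):
    """Return {alias: {type, not_before, not_after, sha256}} from keytool -list -v output."""
    entries = {}
    for chunk in re.split(r"(?m)^Alias name:[ \t]*", listing)[1:]:
        alias, _, body = chunk.partition("\n")
        typ, valid, fp = TYPE_RE.search(body), VALID_RE.search(body), SHA256_RE.search(body)
        if not (typ and valid and fp):
            raise ValueError("incomplete keytool entry for alias %r" % alias.strip())
        entries[alias.strip()] = {
            "type": typ.group(1),
            "not_before": parse_keytool_date(valid.group(1)),
            "not_after": parse_keytool_date(valid.group(2)),
            "sha256": fp.group(1).upper(),
        }
    return entries


def verify_truststore(listing, expected, now=None, warn_days=30):
    """Return a list of problems; an empty list means the store matches `expected`."""
    now = now or datetime.now(timezone.utc)
    entries = parse_listing(listing)
    problems = []
    for alias, want in expected.items():
        e = entries.get(alias)
        if e is None:
            problems.append("missing alias %s" % alias)
            continue
        if e["type"] != "trustedCertEntry":
            problems.append("%s is a %s, not a trustedCertEntry" % (alias, e["type"]))
        if e["sha256"] != want.upper():
            problems.append("%s fingerprint mismatch: %s" % (alias, e["sha256"]))
        remaining = e["not_after"] - now
        if remaining <= timedelta(0):
            problems.append("%s expired on %s" % (alias, e["not_after"].date()))
        elif remaining.days < warn_days:
            problems.append("%s expires in %d days" % (alias, remaining.days))
    # With needClientAuth=true every trusted entry in broker.ts is a client the
    # broker will accept, so an alias nobody expected is a finding, not noise.
    for alias in sorted(entries.keys() - expected.keys()):
        problems.append("unexpected trusted entry %s" % alias)
    return problems


def demo():
    """Run the check on the sample at constructed reference times and with a wrong expectation."""
    utc = timezone.utc
    return {
        "ok": verify_truststore(SAMPLE_LISTING, EXPECTED, now=datetime(2015, 7, 1, tzinfo=utc)),
        "near_expiry": verify_truststore(SAMPLE_LISTING, EXPECTED, now=datetime(2015, 9, 1, tzinfo=utc)),
        "wrong": verify_truststore(SAMPLE_LISTING, {"emclient01": "00:" * 31 + "00"},
                                   now=datetime(2015, 7, 1, tzinfo=utc)),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

For a live check, save the real `keytool -list -v` output to a file and pass its text to `verify_truststore` together with the fingerprints noted at export time. keytool prints dates in the JVM's default time zone; the parser accepts UTC and GMT only, so add `-J-Duser.timezone=UTC` to the keytool command on servers that run in another zone.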
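Steps 11 and 12 put the broker's trust decision into two places in td-broker.xml: the sslContext store settings and the needClientAuth option on the ssl transportConnector. The script below is an added example, not Teradata's code: given the text of that file it reports when the ssl connector lacks needClientAuth=true (the broker would then accept TLS clients that present no certificate, so the broker truststore built in steps 2 and 6 would not restrict who connects), when the connector is not the documented ssl://...:61617, or when the store passwords are unset or still the literal placeholder "password" from the procedure. The embedded XML is a constructed fragment in the shape shown above, with a made-up store password.

```python
"""Check the broker-side SSL settings written to td-broker.xml.

Added example, not part of the Teradata documentation. It inspects the two
settings the procedure changes: the <sslContext> key/trust store entries and
the needClientAuth option on the ssl transportConnector. A constructed
minimal file in the same shape is embedded so the check runs offline; pass the
real file's text to check_broker_ssl for a live check.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed fragment of an ActiveMQ broker file. The real td-broker.xml is
# larger and uses XML namespaces, so elements are matched by local name only.
SAMPLE_BROKER_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="tdbroker">
    <sslContext>
      <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
                  keyStorePassword="example-store-secret"
                  trustStore="file:${activemq.base}/conf/broker.ts"
                  trustStorePassword="example-store-secret"/>
    </sslContext>
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
      <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true"/>
    </transportConnectors>
  </broker>
</beans>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}broker' -> 'broker'."""
    return tag.rsplit("}", 1)[-1]


def check_broker_ssl(xml_text, ssl_port=61617):
    """Return a list of problems with the SSL configuration (empty list = as documented)."""
    root = ET.fromstring(xml_text)
    problems = []

    # Step 11: the inner <sslContext> bean carries the store locations and passwords.
    contexts = [e for e in root.iter() if _local(e.tag) == "sslContext" and e.get("keyStore")]
    if not contexts:
        problems.append("no <sslContext> element with a keyStore attribute")
    else:
        ctx = contexts[0]
        for attr, filename in (("keyStore", "broker.ks"), ("trustStore", "broker.ts")):
            if not (ctx.get(attr) or "").endswith("/conf/" + filename):
                problems.append("%s does not point at conf/%s" % (attr, filename))
        for attr in ("keyStorePassword", "trustStorePassword"):
            if ctx.get(attr) in (None, "", "password"):
                problems.append("%s is unset or still the placeholder from the procedure" % attr)

    # Step 12: the ssl connector must exist, listen on the documented port and
    # require client certificates, otherwise broker.ts never gets a say.
    connectors = {e.get("name"): e.get("uri", "") for e in root.iter()
                  if _local(e.tag) == "transportConnector"}
    uri = connectors.get("ssl")
    if uri is None:
        problems.append("no transportConnector named ssl (still commented out?)")
    else:
        parts = urlsplit(uri)
        if parts.scheme != "ssl" or parts.port != ssl_port:
            problems.append("ssl connector is %s, expected ssl://...:%d" % (uri, ssl_port))
        if parse_qs(parts.query).get("needClientAuth", [""])[0].lower() != "true":
            problems.append("ssl connector does not set needClientAuth=true; "
                            "clients would not have to present a certificate")
    return problems


def demo():
    """Run the check on the documented shape and on two weakened variants (constructed)."""
    return {
        "as_documented": check_broker_ssl(SAMPLE_BROKER_XML),
        "no_client_auth": check_broker_ssl(SAMPLE_BROKER_XML.replace("?needClientAuth=true", "")),
        "placeholder_password": check_broker_ssl(SAMPLE_BROKER_XML.replace("example-store-secret", "password")),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

Run it against the real file with `check_broker_ssl(open("/opt/teradata/tdactivemq/config/td-broker.xml").read())`; an empty list means the configuration matches steps 11 and 12.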