16.00 - Creating the Keystore File on an Ecosystem Manager Client - Teradata Ecosystem Manager

Teradata Ecosystem Manager Installation, Configuration, and Upgrade Guide for Customers

prodname
Teradata Ecosystem Manager
vrm_release
16.00
created_date
December 2016
category
Configuration
Installation
featnum
B035-3203-116K
Perform the following tasks on the Ecosystem Manager Client and all clients that need to be configured with SSL. If multiple clients point to the Ecosystem Manager server, add a suffix or prefix <hostname-of-EM-client> to the generated keystore and truststore files on each client.
  1. Create and navigate to a folder named /home/em where you will place the keystore files.
  2. Create a certificate/keystore for both Active and Standby Ecosystem Manager servers: keytool -genkey -alias <hostname-of-EM-client> -keyalg RSA -keystore server.ks
    The system prompts for the following information:
    Enter your keystore password:
    What is your first and last name?
    [Unknown]:
    What is the name of your organizational unit?
    [Unknown]:
    What is the name of your City or Locality?
    [Unknown]:
    What is the name of your State or Province?
    [Unknown]:
    What is the two-letter country code for this unit:
    [Unknown]:
    Is CN-Unknown, OU=Unknown, O=Unknown, ST=Unknown, C=Unknown correct?
    [no]: yes
    Enter key password for <hostname-of-EM-client>
    (RETURN if same as keystore password):
    Make sure that the keystore file is created on all participating EM client systems.
  3. Copy the broker_cert1 and broker_cert2 files from the Ecosystem Manager servers to the client and then execute the following command on the client: Keytool -import -alias <hostname-of-EM-server1 or 2> -keystore client.ts -file broker_cert

    Replace <hostname-of-EM-server1 > with the hostname of the Active EM server, and <hostname-of-EM-server 2> with the hostname of the Standby EM server.

  4. Use the same password that used to create the broker key file.
    Enter keystore password:
    Re-enter new password:
    Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: 300263d1
    Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015
    Certificate fingerprints:
             MD5:  C1:1C:8C:C0:9B:A5:42:60:A0:A8:CC:CF:62:65:52:0D
             SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2
             SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2
             Signature algorithm name: SHA256withRSA
             Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 83 75 6D 0E A2 76 EE 16   84 09 13 40 AF F4 88 8A  .um..v.....@....
    0010: 50 65 D2 03                                        Pe..
    ]
    ]
    
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    
    This creates a truststore and sets the client trusts the broker.
  5. For both Ecosystem Manager servers, export the client's certificate, so it can be shared with the broker. keytool -export -alias <hostname-of_EM-client> -keystore client.ks -file client_cert
    Enter keystore password:
    Certificate stored in file <client_cert>
    
    Make sure the client_cert file is created.
  6. Copy the client_certificate to the Ecosystem Manager servers.
  7. Give 777 access rights to /home/em and all files within it.