Perform steps on the Ecosystem Manager server to import the client certificate to create the broker truststore. Repeat these steps for all client certificates.
- Create a folder named /home/em to place the client_cert and keystore files.
-
Copy the client certificate file from the client and execute the command:
keytool -import -alias <hostname-of-EM-client> -keystore broker.ts -file client_cert
The system responds as follows:
Enter keystore password: Re-enter new password: Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Serial number: ed415cb Valid from: Tue Jun 23 18:21:18 UTC 2015 until: Mon Sep 21 18:21:18 UTC 2015 Certificate fingerprints: MD5: 9F:47:D4:AE:98:69:FA:D9:F6:C7:DB:F4:BA:2A:C2:59 SHA1: 62:3A:AB:F0:72:F5:3E:91:FD:E9:3E:C5:85:DC:37:52:B3:34:FD:D0 SHA256: 27:D2:02:A7:B1:0C:19:BA:D0:2A:E1:CA:86:B0:63:19:97:3F:08:61:DC:51:B1:B8:AB:0D:BE:E1:E6:19:BD:62 Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: BB C4 91 8C 24 04 54 1F DF DB 3D 98 43 CE AE ED ....$.T...=.C... ] ] Trust this certificate? [no]: yes Certificate was added to keystore
This creates a truststore for the broker, allowing the broker to trust the client. Make sure that broker.ts is created.
- Make sure that the broker.ts is created.
- Create a certificate/keystore for the Ecosystem Manager server: keytool -genkey -alias <hostname-of-EM-server> -keyalg RSA -keystore server.ks
-
Answer the same questions and use the password you saved when you created the broker key file.
Enter keystore password: What is your first and last name? [Unknown]: What is the name of your organizational unit? [Unknown]: What is the name of your organization? [Unknown]: What is the name of your City or Locality? [Unknown]: What is the name of your State or Province? [Unknown]: What is the two-letter country code for this unit? [Unknown]: Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yes Enter key password for <hostname-of-EM-server> (RETURN if same as keystore password):
-
Create a truststore for the server and import the broker's certificate using the following command:
keytool -import -alias <hostname-of-EM-server> -keystore server.ts -file /opt/teradata/jvm64/jdk7/bin/broker_cert
The system responds with the following:
Enter keystore password: Re-enter new password: Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Serial number: 559b65aa Valid from: Tue Jun 23 18:15:54 UTC 2015 until: Mon Sep 21 18:15:54 UTC 2015 Certificate fingerprints: MD5: 97:3A:70:71:B5:5E:12:0A:7D:AD:A7:94:A5:BF:1A:0C SHA1: 8B:A9:37:A0:15:61:ED:25:1F:AA:47:6D:1F:F1:73:D5:D9:C4:69:54 SHA256: 46:B9:B2:9D:E4:AE:E3:26:CC:D5:4C:B7:56:ED:98:8D:4F:82:76:87:73:0E:49:E3:CF:70:AC:2F:66:D4:88:1F Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 0F CA D5 A2 22 6B 74 40 45 ED 2D 63 7F 7B 03 17 ...."kt@E.-c.... 0010: CA BE 18 0B .... ] ] Trust this certificate? [no]: yes Certificate was added to keystore
This establishes that the Ecosystem Manager services running on an Ecosystem Manager server "trusts" the broker and creates a truststore for the server.
-
Export the server's certificate, so it can be shared with the broker:
keytool -export -alias <hostname-of_EM-server> -keystore server.ks -file server_cert
The system responds with the following:
Enter keystore password: Certificate stored in file server_cert
-
Import the server's certificate:
keytool -import -alias <hostname-of-EM-server> -keystore broker.ts -file server_cert
The system responds with the following:
Enter keystore password: Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Serial number: 300263d1 Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015 Certificate fingerprints: MD5: C1:1C:8C:C0:9B:A5:42:60:A0:A8:CC:CF:62:65:52:0D SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2 SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2 Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 83 75 6D 0E A2 76 EE 16 84 09 13 40 AF F4 88 8A .um..v.....@.... 0010: 50 65 D2 03 Pe.. ] ] Trust this certificate? [no]: yes Certificate was added to keystore
- Copy broker.ks and broker.ts files into /opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/.
-
Configure the environment variable ACTIVEMQ_SSL_OPTS by opening the /etc/profile file and adding the following entry at the end of the file:
ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/broker.ks -Djavax.net.ssl.keyStorePassword=password'; export ACTIVEMQ_SSL_OPTS
Use the keystore password in this command.
- Save the changes and source/etc/profile so the ACTIVEMQ_SSL_OPTS environment variable is available to the current session: source /etc/profile
- Update /etc/init.d/tdactivemq on both EM servers. Find the line which begins with export ACTIVEMQ_OPTS=...=1500. Modify it with export ACTIVQMQ_OPTS=...=1500 $ACTIVEMQ_SSL_OPTS
-
Open the broker config file located at /opt/teradata/tdactivemq/config/td-broker.xml and change the keystorePassword and truststorePassword:
<sslContext> <sslContext keyStore="file:${activemq.base}/conf/broker.ks keyStorePassword="password" trustStore="file:${activemq.base}/conf/broker.ts trustStorePassword="password"/> </sslContext>
-
Enable (uncomment if commented) SSL in /opt/teradata/tdactivemq/config/td-broker.xml
<transportConnectors> <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/> <transportConnector name="ssl" uri="ssl://0.0.0.0:61617? needClientAuth=true"/> </transportConnectors>
- Give 777 access rights to /home/em and all files within it.
-
Change the emeventconsumer service startup script to include the SSL option:
- Copy the original file: cp /opt/teradata/emserver/bin/emeventconsumer /opt/teradata/emserver/bin/emeventconsumer.original
-
Log on as syncuser and open the $EM_HOME/bin/emeventconsumer file and change tcp to ssl:
BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2` if ["$BROKER" !="" ] then if ["$BROKER_LIST"=="" ] then BROKER_LIST="tcp ://$BROKER?wireFormat.maxInactivityDuration=0" else BROKER_LIST="$BROKER_LIST,tcp://$BROKER?wireFormat.maxInactivityDuration=0
Change to:
BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2` if ["$BROKER" !="" ] then if ["$BROKER_LIST"=="" ] then BROKER_LIST="ssl ://$BROKER?wireFormat.maxInactivityDuration=0" else BROKER_LIST="$BROKER_LIST,ssl://$BROKER?wireFormat.maxInactivityDuration=0
-
Open the $EM_HOME/bin/emeventconsumer file and locate the start function:
if [ "$SYNCUSER" == "" ]; then nohup $JAVA -Djava.util.logging.config.file= $LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM -- consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer= $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr= $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount -- latencyTimer=$latencyTimer --reconnectingInterval= $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 & else if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then /bin/su $SYNCUSER -c "nohup $JAVA - Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS -- url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM -- consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer= $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr= $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount -- latencyTimer=$latencyTimer --reconnectingInterval= $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &" else nohup $JAVA -Djava.util.logging.config.file= $LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS -- url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM -- consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer= $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr= $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount -- latencyTimer=$latencyTimer --reconnectingInterval= $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 & fi fi
Change to:if [ "$SYNCUSER" == "" ]; then nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/ server.ks -Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts - Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover: ($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName= $CONSUMERNAME --clientId=$CLIENTID --smtpServer=$SMTPSERVER -- fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=$ADMINEMAILADDR -- maxBatchMessageCount=$maxMessageCount --latencyTimer= $latencyTimer --reconnectingInterval=$reconnectingInterval – receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/ emeventconsumer.log 2>&1 & else if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then /bin/su $SYNCUSER -c "nohup $JAVA - Djavax.net.ssl.keyStore=/home/em/server.ks - Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts - Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS -- url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM -- consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer= $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr= $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount -- latencyTimer=$latencyTimer --reconnectingInterval= $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/ logs/emeventconsumer.log 2>&1 &" else nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/ server.ks -Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts- Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS -- url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM -- consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer= $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr= $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount -- latencyTimer=$latencyTimer --reconnectingInterval= $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/ logs/emeventconsumer.log 2>&1 & fi fi
- Copy $EM_HOME/conf/emeventconsumer to $EM_HOME/conf/emeventconsumer.original.
- In the $EM_HOME/conf/emeventconsumer file, change 61616 to 61617.
-
Change the empublisher service startup script to include the SSL option:
- Copy the original file: cp /opt/teradata/emserver/bin/empublisher /opt/teradata/emserver/bin/empublisher.original
-
Open the $EM_HOME/bin/empublisher file and locate the start function:
if [ "$SYNCUSER" == "" ];then nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS -Djava.util.logging.config.file=$LOGGING_CONFIG - classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize= $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 & else if [ "$EFFECTIVEUSER" != "$SYNCUSER" ];then /bin/su $SYNCUSER -c "nohup $JAVA - Dservice_name=empublisher $SERVICE_FLAGS – Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize= $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &" else nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS -Djava.util.logging.config.file=$LOGGING_CONFIG - classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize= $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 & Fi fi
Change to:if [ "$SYNCUSER" == "" ];then nohup $JAVA - Djavax.net.ssl.keyStore=/home/em/ server.ks - Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts - Dservice_name=empublisher $SERVICE_FLAGS - Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize= $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 & else if [ "$EFFECTIVEUSER" != "$SYNCUSER" ];then /bin/su $SYNCUSER -c "nohup $JAVA - Djavax.net.ssl.keyStore=/home/em/server.ks - Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts - Dservice_name=empublisher $SERVICE_FLAGS - Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize= $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &" else nohup $JAVA -Djavax.net.ssl.keyStore=/ home/em/server.ks -Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts - Dservice_name=empublisher $SERVICE_FLAGS - Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize= $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 & fi fi
- Copy the $EM_HOME/conf/transport.properties file to $EM_HOME/conf/transport.properties.original.
- In $EM_HOME/conf/transport.properties , change 61616 to 61617.
- In $EM_HOME/conf/transport.properties , change tcp to ssl.
- Copy the broker.ks and broker.ts files into /opt/teradata/tdactivemq/apache-activemq-5/13.1/conf/folder.
- Copy the client.ks and client.ts files from the Ecosystem Manager clients to opt/teradata/tdactivemq/apache-activemq-5.13.1/conf/ folder.
- Start tdactivemq: /etc/init.d/tdactivemq start
- Check the activemq log file to make sure it lists both 61616 and 61617: /var/opt/teradata/tdactivemq/logs/activemq.log
- Start all emservices by running the following script as syncuser: $EM_HOME/bin/set_master_single.sh