16.20 - Enabling SSL - Setting Up Self-Signed Keys and Certificates - Data Stream Utility

Teradata® DSA - DSU Installation, Configuration, and Upgrade Guide

Data Stream Architecture
Data Stream Utility
September 2019
To prevent connection failure, you must follow the steps in Installing Teradata ActiveMQ and Configuring ActiveMQ for SSL or TCP before setting up the self-signed keys and certificates.
You must create self-signed keys and set up certificates for your SSL environment.
  1. Use the ssl_setup_cert_wrapper.sh script to create self-signed keys and certificates in the ActiveMQ directory. The script is located on the DSC server in the $DSA_DSC_ROOT directory.

    Script usage is ssl_setup_cert_wrapper.sh [-h] [-C] [-a activemq_dir], where:

    Option Description
    -h Displays help information.
    -C Cleans up the configuration files in the specified ActiveMQ directory.
    -a Specifies the directory where ActiveMQ is installed.
  2. [DSA 16.20.50 and earlier] Type the following at the prompts:
    Option Description
    Directory Full path to ActiveMQ directory


    Organizational Unit Used to generate a unique key
    Organization Used to generate a unique key
    City Used to generate a unique key
    State Used to generate a unique key
    Country Used to generate a unique key
    Keystore Password Keystore password for both broker and client keystores.

    If DSARest is set to https, the SSL keystore password must match the DSARest keystore password.

    ActiveMQ restarts after certificates are created.
    Certificates are created in: /opt/teradata/tdactivemq/apache-activemq-5.xx.xx/conf
  3. Copy files client.pem and client-keystore.pem and preserve file permissions as follows:
    1. Go to: /opt/teradata/tdactivemq/apache-activemq-5.xx.xx/conf
    2. For all Teradata systems and TPA nodes in the DSA environment, type: #cp -p <file_name> /etc/opt/teradata/tdconfig #chown teradata /etc/opt/teradata/tdconfig/<file_name> #chmod 600 /etc/opt/teradata/tdconfig/<file_name>
    3. For DSA media servers (anywhere ClientHandler is installed), type: #cp -p <file_name> /etc/opt/teradata/dsa/ #chown dscuser /etc/opt/teradata/dsa/<file_name> #chmod 600 /etc/opt/teradata/dsa/<file_name>
  4. Copy client.ts to the systems where DSC or BARCmdline are installed and preserve file permissions by typing: #cp -p <file_name> /etc/opt/teradata/dsa
    Certificates are valid for 20 years.
    [DSA 16.20.005 to DSA 16.20.51] #chown dscuser /etc/opt/teradata/dsa/<file_name> [DSA 16.20.005 to DSA 16.20.51] #chmod 600 /etc/opt/teradata/dsa/<file_name>
  5. Enable JMS SSL on the BAR portlets by installing the client.pem certificate on the Viewpoint portal:
    1. From the Teradata Viewpoint portal, click "".
    2. Open the Certificates portlet.
    3. From the Setup list, click Certificate Authority.
    4. Click Install Certificate.
    5. Enter an alias for the Certificate Authority, up to 30 characters.
    6. Click Browse and select the client.pem certificate.
      Important: Copy client.pem from /etc/opt/teradata/dsa.
    7. Click Install.
    8. Restart Viewpoint. /etc/init.d/viewpoint restart
  6. When you add the DSC using the BAR Setup portlet (see Enabling or Adding a DSC Server), select SSL as the Broker Connectivity and add the Broker Port.