Teradata Ecosystem Manager | 代理程序信任库 - 16.20 - 在 Ecosystem Manager 服务器上创建代理程序信任库 - Teradata Ecosystem Manager

Teradata® Ecosystem Manager 安装、配置和升级指南(适用于客户)

prodname
Teradata Ecosystem Manager
vrm_release
16.20
category
安装
配置
featnum
B035-3203-107K-CHS
在 Ecosystem Manager 服务器上执行以下步骤以导入客户端证书,从而创建代理程序信任库。针对所有客户端证书重复执行这些步骤。
  1. 创建名为 /home/em 的文件夹,用于放置 client_cert 和 keystore 文件。
  2. 复制客户端上的客户端证书文件,然后执行以下命令:keytool -import -alias <hostname-of-EM-client> -keystore broker.ts -file client_cert
    系统响应如下:
    Enter keystore password:
    Re-enter new password:
    Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: ed415cb
    Valid from: Tue Jun 23 18:21:18 UTC 2015 until: Mon Sep 21 18:21:18 UTC 2015
    Certificate fingerprints:
             MD5:  9F:47:D4:AE:98:69:FA:D9:F6:C7:DB:F4:BA:2A:C2:59
             SHA1: 62:3A:AB:F0:72:F5:3E:91:FD:E9:3E:C5:85:DC:37:52:B3:34:FD:D0
             SHA256: 27:D2:02:A7:B1:0C:19:BA:D0:2A:E1:CA:86:B0:63:19:97:3F:08:61:DC:51:B1:B8:AB:0D:BE:E1:E6:19:BD:62
             Signature algorithm name: SHA256withRSA
             Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: BB C4 91 8C 24 04 54 1F   DF DB 3D 98 43 CE AE ED  ....$.T...=.C...
    ]
    ]
    
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    

    该操作将为代理程序创建一个信任库,以便代理程序可以信任该客户端。请确保 broker.ts 已创建。

  3. 确保已创建 broker.ts。
  4. 为 Ecosystem Manager 服务器创建证书/密钥库:keytool -genkey -alias <hostname-of-EM-server> -keyalg RSA -keystore server.ks
  5. 回答相同的问题,并使用您在创建代理程序密钥文件时保存的密码。
    Enter keystore password:
    What is your first and last name?
      [Unknown]:
    What is the name of your organizational unit?
      [Unknown]:
    What is the name of your organization?
      [Unknown]:
    What is the name of your City or Locality?
      [Unknown]:
    What is the name of your State or Province?
      [Unknown]:
    What is the two-letter country code for this unit?
      [Unknown]:
    Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]:  yes
    
    Enter key password for <hostname-of-EM-server>
            (RETURN if same as keystore password):
    
  6. 为服务器创建信任库并使用以下命令导入代理程序的证书:keytool -import -alias <hostname-of-EM-server> -keystore server.ts -file /opt/teradata/jvm64/jdk8/bin/broker_cert
    系统响应如下:
    Enter keystore password:
    Re-enter new password:
    Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: 559b65aa
    Valid from: Tue Jun 23 18:15:54 UTC 2015 until: Mon Sep 21 18:15:54 UTC 2015
    Certificate fingerprints:
             MD5:  97:3A:70:71:B5:5E:12:0A:7D:AD:A7:94:A5:BF:1A:0C
             SHA1: 8B:A9:37:A0:15:61:ED:25:1F:AA:47:6D:1F:F1:73:D5:D9:C4:69:54
             SHA256: 46:B9:B2:9D:E4:AE:E3:26:CC:D5:4C:B7:56:ED:98:8D:4F:82:76:87:73:0E:49:E3:CF:70:AC:2F:66:D4:88:1F
             Signature algorithm name: SHA256withRSA
             Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 0F CA D5 A2 22 6B 74 40   45 ED 2D 63 7F 7B 03 17  ...."kt@E.-c....
    0010: CA BE 18 0B                                        ....
    ]
    ]
    
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    

    该操作可确保在 Ecosystem Manager 服务器上运行的 Ecosystem Manager 服务可以“信任”代理程序,并为该服务器创建一个信任库。

  7. 导出服务器的证书,以便可与代理程序共享:keytool -export -alias <hostname-of_EM-server> -keystore server.ks -file server_cert
    系统响应如下:
    Enter keystore password:
    Certificate stored in file server_cert
  8. 导入服务器的证书:keytool -import -alias <hostname-of-EM-server> -keystore broker.ts -file server_cert
    系统响应如下:
    Enter keystore password:
    Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: 300263d1
    Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015
    Certificate fingerprints:
             MD5:  C1:1C:8C:C0:9B:A5:42:60:A0:A8:CC:CF:62:65:52:0D
             SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2
             SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2
             Signature algorithm name: SHA256withRSA
             Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 83 75 6D 0E A2 76 EE 16   84 09 13 40 AF F4 88 8A  .um..v.....@....
    0010: 50 65 D2 03                                        Pe..
    ]
    ]
    
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    
  9. broker.ksbroker.ts 文件复制到 /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/ 中。
  10. client.ksclient.ts 文件从 Ecosystem Manager 客户端复制到 opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/ folder
  11. 配置环境变量 ACTIVEMQ_SSL_OPTS,方法是打开 /etc/profile 文件,并在文件末尾添加以下条目︰ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ks -Djavax.net.ssl.keyStorePassword=password'; export ACTIVEMQ_SSL_OPTS

    使用此命令中的密钥库密码。

  12. 保存所做的更改以及 source/etc/profile,以使 ACTIVEMQ_SSL_OPTS 环境变量可供当前会话使用:source /etc/profile
  13. 更新两个 EM 服务器上的 /etc/init.d/tdactivemq找到以 export ACTIVEMQ_OPTS=...=1500 开头的行。将其修改为 export ACTIVQMQ_OPTS=...=1500 $ACTIVEMQ_SSL_OPTS
  14. 打开 /opt/teradata/tdactivemq/config/td-broker.xml 中的代理程序配置文件并更改 keystorePassword 和 truststorePassword:
    <sslContext>
                <sslContext
                 keyStore="file:${activemq.base}/conf/broker.ks
                 keyStorePassword="password"
                 trustStore="file:${activemq.base}/conf/broker.ts
                 trustStorePassword="password"/>
    </sslContext>
    
  15. /opt/teradata/tdactivemq/config/td-broker.xml 中启用 SSL(如果已将其注释掉,请取消注释)
    <transportConnectors>
                <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
                <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?
                 needClientAuth=true"/>
            </transportConnectors>
    
  16. 授予对 /home/em 及其所有文件的 777 访问权限。
  17. 更改 emeventconsumer 服务启动脚本以包括 SSL 选项:
    1. 复制原始文件:cp /opt/teradata/emserver/bin/emeventconsumer /opt/teradata/emserver/bin/emeventconsumer.original
    2. 以 syncuser 身份登录,打开 $EM_HOME/bin/emeventconsumer 文件,并将 tcp 更改为 ssl
       BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2`
            if ["$BROKER" !="" ]
            then
              if ["$BROKER_LIST"=="" ]
              then
                BROKER_LIST="tcp ://$BROKER?wireFormat.maxInactivityDuration=0"
              else
                BROKER_LIST="$BROKER_LIST,tcp://$BROKER?wireFormat.maxInactivityDuration=0
      

      更改为:

       BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2`
            if ["$BROKER" !="" ]
            then
              if ["$BROKER_LIST"=="" ]
              then
                BROKER_LIST="ssl ://$BROKER?wireFormat.maxInactivityDuration=0"
              else
                BROKER_LIST="$BROKER_LIST,ssl://$BROKER?wireFormat.maxInactivityDuration=0
      
    3. 打开 $EM_HOME/bin/emeventconsumer 文件并找到 start 函数:
                if [ "$SYNCUSER" == "" ]; then
      nohup $JAVA -Djava.util.logging.config.file=
      $LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS
      "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --
      consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer=
      $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=
      $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount --
      latencyTimer=$latencyTimer --reconnectingInterval=
      $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL >
      $EM_HOME/logs/emeventconsumer.log 2>&1 &
      else
      if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
      /bin/su $SYNCUSER -c "nohup $JAVA -
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $CONSUMER_CLASS --
      url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --
      consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer=
      $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=
      $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount --
      latencyTimer=$latencyTimer --reconnectingInterval=
      $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL >
      $EM_HOME/logs/emeventconsumer.log 2>&1 &"
      else
      nohup $JAVA -Djava.util.logging.config.file=
      $LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --
      url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --
      consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer=
      $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=
      $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount --
      latencyTimer=$latencyTimer --reconnectingInterval=
      $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL >
      $EM_HOME/logs/emeventconsumer.log 2>&1 &
      fi
      fi
      
      更改为:
      if [ "$SYNCUSER" == "" ]; then
      nohup $JAVA 
       -Djavax.net.ssl.keyStore=/home/em/ server.ks -Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts  -
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:
      ($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=
      $CONSUMERNAME --clientId=$CLIENTID --smtpServer=$SMTPSERVER --
      fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=$ADMINEMAILADDR --
      maxBatchMessageCount=$maxMessageCount --latencyTimer=
      $latencyTimer --reconnectingInterval=$reconnectingInterval –
      receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/
      emeventconsumer.log 2>&1 &
      else
      if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
      /bin/su $SYNCUSER -c "nohup $JAVA -
       Djavax.net.ssl.keyStore=/home/em/server.ks - Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts  -
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $CONSUMER_CLASS --
      url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --
      consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer=
      $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=
      $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount --
      latencyTimer=$latencyTimer --reconnectingInterval=
      $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/
      logs/emeventconsumer.log 2>&1 &"
      else
      nohup $JAVA  -Djavax.net.ssl.keyStore=/home/em/ server.ks -Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts-
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $CONSUMER_CLASS --
      url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --
      consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer=
      $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=
      $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount --
      latencyTimer=$latencyTimer --reconnectingInterval=
      $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/
      logs/emeventconsumer.log 2>&1 &
      fi
      fi
      
    4. $EM_HOME/conf/emeventconsumer 复制到 $EM_HOME/conf/emeventconsumer.original
    5. $EM_HOME/conf/emeventconsumer 文件中,将 61616 更改为 61617
  18. 更改 empublisher 服务启动脚本以包括 SSL 选项:
    1. 复制原始文件:cp /opt/teradata/emserver/bin/empublisher /opt/teradata/emserver/bin/empublisher.original
    2. 打开 $EM_HOME/bin/empublisher 文件并找到 start 函数:
                 if [ "$SYNCUSER" == "" ];then
      nohup $JAVA -Dservice_name=empublisher
      $SERVICE_FLAGS -Djava.util.logging.config.file=$LOGGING_CONFIG -
      classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=
      $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
      else
      if [ "$EFFECTIVEUSER" != "$SYNCUSER" ];then
      /bin/su $SYNCUSER -c "nohup $JAVA -
      Dservice_name=empublisher $SERVICE_FLAGS –
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=
      $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &"
      else
      nohup $JAVA -Dservice_name=empublisher
      $SERVICE_FLAGS -Djava.util.logging.config.file=$LOGGING_CONFIG -
      classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=
      $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
      Fi
      fi
      
      更改为:
                  if [ "$SYNCUSER" == "" ];then
      nohup $JAVA -
       Djavax.net.ssl.keyStore=/home/em/ server.ks - Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts - 
      Dservice_name=empublisher $SERVICE_FLAGS -
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=
      $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
      else
      if [ "$EFFECTIVEUSER" != "$SYNCUSER" ];then
      /bin/su $SYNCUSER -c "nohup $JAVA -
       Djavax.net.ssl.keyStore=/home/em/server.ks - Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts  -
      Dservice_name=empublisher $SERVICE_FLAGS -
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=
      $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &"
      else
      nohup $JAVA  -Djavax.net.ssl.keyStore=/ home/em/server.ks -Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts  -
      Dservice_name=empublisher $SERVICE_FLAGS -
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=
      $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
      fi
      fi
      
    3. $EM_HOME/conf/transport.properties 文件复制到 $EM_HOME/conf/transport.properties.original
    4. $EM_HOME/conf/transport.properties 中,将 61616 更改为 61617
    5. $EM_HOME/conf/transport.properties 中,将 tcp 更改为 ssl
  19. broker.ksbroker.ts 文件复制到 /opt/teradata/tdactivemq/apache-activemq-5/15.9/conf/folder 中。
  20. 启动 tdactivemq:/etc/init.d/tdactivemq start
  21. 检查 activemq 日志文件,确保其中列出 6161661617/var/opt/teradata/tdactivemq/logs/activemq.log
  22. 以 syncuser 身份运行以下脚本来启动所有 emservice:$EM_HOME/bin/set_master_single.sh