在 Ecosystem Manager 服务器上执行以下步骤以导入客户端证书,从而创建代理程序信任库。针对所有客户端证书重复执行这些步骤。
- 创建名为 /home/em 的文件夹,用于放置 client_cert 和 keystore 文件。
- 复制客户端上的客户端证书文件,然后执行以下命令:keytool -import -alias <hostname-of-EM-client> -keystore broker.ts -file client_cert系统响应如下:
Enter keystore password: Re-enter new password: Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Serial number: ed415cb Valid from: Tue Jun 23 18:21:18 UTC 2015 until: Mon Sep 21 18:21:18 UTC 2015 Certificate fingerprints: MD5: 9F:47:D4:AE:98:69:FA:D9:F6:C7:DB:F4:BA:2A:C2:59 SHA1: 62:3A:AB:F0:72:F5:3E:91:FD:E9:3E:C5:85:DC:37:52:B3:34:FD:D0 SHA256: 27:D2:02:A7:B1:0C:19:BA:D0:2A:E1:CA:86:B0:63:19:97:3F:08:61:DC:51:B1:B8:AB:0D:BE:E1:E6:19:BD:62 Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: BB C4 91 8C 24 04 54 1F DF DB 3D 98 43 CE AE ED ....$.T...=.C... ] ] Trust this certificate? [no]: yes Certificate was added to keystore
该操作将为代理程序创建一个信任库,以便代理程序可以信任该客户端。请确保 broker.ts 已创建。
- 确保已创建 broker.ts。
- 为 Ecosystem Manager 服务器创建证书/密钥库:keytool -genkey -alias <hostname-of-EM-server> -keyalg RSA -keystore server.ks
- 回答相同的问题,并使用您在创建代理程序密钥文件时保存的密码。
Enter keystore password: What is your first and last name? [Unknown]: What is the name of your organizational unit? [Unknown]: What is the name of your organization? [Unknown]: What is the name of your City or Locality? [Unknown]: What is the name of your State or Province? [Unknown]: What is the two-letter country code for this unit? [Unknown]: Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yes Enter key password for <hostname-of-EM-server> (RETURN if same as keystore password):
- 为服务器创建信任库并使用以下命令导入代理程序的证书:keytool -import -alias <hostname-of-EM-server> -keystore server.ts -file /opt/teradata/jvm64/jdk8/bin/broker_cert系统响应如下:
Enter keystore password: Re-enter new password: Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Serial number: 559b65aa Valid from: Tue Jun 23 18:15:54 UTC 2015 until: Mon Sep 21 18:15:54 UTC 2015 Certificate fingerprints: MD5: 97:3A:70:71:B5:5E:12:0A:7D:AD:A7:94:A5:BF:1A:0C SHA1: 8B:A9:37:A0:15:61:ED:25:1F:AA:47:6D:1F:F1:73:D5:D9:C4:69:54 SHA256: 46:B9:B2:9D:E4:AE:E3:26:CC:D5:4C:B7:56:ED:98:8D:4F:82:76:87:73:0E:49:E3:CF:70:AC:2F:66:D4:88:1F Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 0F CA D5 A2 22 6B 74 40 45 ED 2D 63 7F 7B 03 17 ...."kt@E.-c.... 0010: CA BE 18 0B .... ] ] Trust this certificate? [no]: yes Certificate was added to keystore
该操作可确保在 Ecosystem Manager 服务器上运行的 Ecosystem Manager 服务可以“信任”代理程序,并为该服务器创建一个信任库。
- 导出服务器的证书,以便可与代理程序共享:keytool -export -alias <hostname-of_EM-server> -keystore server.ks -file server_cert系统响应如下:
Enter keystore password: Certificate stored in file server_cert
- 导入服务器的证书:keytool -import -alias <hostname-of-EM-server> -keystore broker.ts -file server_cert系统响应如下:
Enter keystore password: Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Serial number: 300263d1 Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015 Certificate fingerprints: MD5: C1:1C:8C:C0:9B:A5:42:60:A0:A8:CC:CF:62:65:52:0D SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2 SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2 Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 83 75 6D 0E A2 76 EE 16 84 09 13 40 AF F4 88 8A .um..v.....@.... 0010: 50 65 D2 03 Pe.. ] ] Trust this certificate? [no]: yes Certificate was added to keystore
- 将 broker.ks 和 broker.ts 文件复制到 /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/ 中。
- 将 client.ks 和 client.ts 文件从 Ecosystem Manager 客户端复制到 opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/ folder。
- 配置环境变量 ACTIVEMQ_SSL_OPTS,方法是打开 /etc/profile 文件,并在文件末尾添加以下条目︰ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ks -Djavax.net.ssl.keyStorePassword=password'; export ACTIVEMQ_SSL_OPTS
使用此命令中的密钥库密码。
- 保存所做的更改以及 source/etc/profile,以使 ACTIVEMQ_SSL_OPTS 环境变量可供当前会话使用:source /etc/profile
- 更新两个 EM 服务器上的 /etc/init.d/tdactivemq。找到以 export ACTIVEMQ_OPTS=...=1500 开头的行。将其修改为 export ACTIVQMQ_OPTS=...=1500 $ACTIVEMQ_SSL_OPTS
- 打开 /opt/teradata/tdactivemq/config/td-broker.xml 中的代理程序配置文件并更改 keystorePassword 和 truststorePassword:
<sslContext> <sslContext keyStore="file:${activemq.base}/conf/broker.ks keyStorePassword="password" trustStore="file:${activemq.base}/conf/broker.ts trustStorePassword="password"/> </sslContext>
- 在 /opt/teradata/tdactivemq/config/td-broker.xml 中启用 SSL(如果已将其注释掉,请取消注释)
<transportConnectors> <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/> <transportConnector name="ssl" uri="ssl://0.0.0.0:61617? needClientAuth=true"/> </transportConnectors>
- 授予对 /home/em 及其所有文件的 777 访问权限。
- 更改 emeventconsumer 服务启动脚本以包括 SSL 选项:
- 复制原始文件:cp /opt/teradata/emserver/bin/emeventconsumer /opt/teradata/emserver/bin/emeventconsumer.original
- 以 syncuser 身份登录,打开 $EM_HOME/bin/emeventconsumer 文件,并将 tcp 更改为 ssl:
BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2` if ["$BROKER" !="" ] then if ["$BROKER_LIST"=="" ] then BROKER_LIST="tcp ://$BROKER?wireFormat.maxInactivityDuration=0" else BROKER_LIST="$BROKER_LIST,tcp://$BROKER?wireFormat.maxInactivityDuration=0
更改为:
BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2` if ["$BROKER" !="" ] then if ["$BROKER_LIST"=="" ] then BROKER_LIST="ssl ://$BROKER?wireFormat.maxInactivityDuration=0" else BROKER_LIST="$BROKER_LIST,ssl://$BROKER?wireFormat.maxInactivityDuration=0
- 打开 $EM_HOME/bin/emeventconsumer 文件并找到 start 函数:
if [ "$SYNCUSER" == "" ]; then nohup $JAVA -Djava.util.logging.config.file= $LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM -- consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer= $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr= $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount -- latencyTimer=$latencyTimer --reconnectingInterval= $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 & else if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then /bin/su $SYNCUSER -c "nohup $JAVA - Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS -- url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM -- consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer= $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr= $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount -- latencyTimer=$latencyTimer --reconnectingInterval= $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 &" else nohup $JAVA -Djava.util.logging.config.file= $LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS -- url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM -- consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer= $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr= $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount -- latencyTimer=$latencyTimer --reconnectingInterval= $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/emeventconsumer.log 2>&1 & fi fi
更改为:if [ "$SYNCUSER" == "" ]; then nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/ server.ks -Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts - Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover: ($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName= $CONSUMERNAME --clientId=$CLIENTID --smtpServer=$SMTPSERVER -- fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=$ADMINEMAILADDR -- maxBatchMessageCount=$maxMessageCount --latencyTimer= $latencyTimer --reconnectingInterval=$reconnectingInterval – receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/ emeventconsumer.log 2>&1 & else if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then /bin/su $SYNCUSER -c "nohup $JAVA - Djavax.net.ssl.keyStore=/home/em/server.ks - Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts - Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS -- url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM -- consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer= $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr= $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount -- latencyTimer=$latencyTimer --reconnectingInterval= $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/ logs/emeventconsumer.log 2>&1 &" else nohup $JAVA -Djavax.net.ssl.keyStore=/home/em/ server.ks -Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts- Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS -- url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM -- consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer= $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr= $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount -- latencyTimer=$latencyTimer --reconnectingInterval= $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/ logs/emeventconsumer.log 2>&1 & fi fi
- 将 $EM_HOME/conf/emeventconsumer 复制到 $EM_HOME/conf/emeventconsumer.original。
- 在 $EM_HOME/conf/emeventconsumer 文件中,将 61616 更改为 61617。
- 更改 empublisher 服务启动脚本以包括 SSL 选项:
- 复制原始文件:cp /opt/teradata/emserver/bin/empublisher /opt/teradata/emserver/bin/empublisher.original
- 打开 $EM_HOME/bin/empublisher 文件并找到 start 函数:
if [ "$SYNCUSER" == "" ];then nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS -Djava.util.logging.config.file=$LOGGING_CONFIG - classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize= $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 & else if [ "$EFFECTIVEUSER" != "$SYNCUSER" ];then /bin/su $SYNCUSER -c "nohup $JAVA - Dservice_name=empublisher $SERVICE_FLAGS – Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize= $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &" else nohup $JAVA -Dservice_name=empublisher $SERVICE_FLAGS -Djava.util.logging.config.file=$LOGGING_CONFIG - classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize= $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 & Fi fi
更改为:if [ "$SYNCUSER" == "" ];then nohup $JAVA - Djavax.net.ssl.keyStore=/home/em/ server.ks - Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts - Dservice_name=empublisher $SERVICE_FLAGS - Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize= $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 & else if [ "$EFFECTIVEUSER" != "$SYNCUSER" ];then /bin/su $SYNCUSER -c "nohup $JAVA - Djavax.net.ssl.keyStore=/home/em/server.ks - Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts - Dservice_name=empublisher $SERVICE_FLAGS - Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize= $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &" else nohup $JAVA -Djavax.net.ssl.keyStore=/ home/em/server.ks -Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts - Dservice_name=empublisher $SERVICE_FLAGS - Djava.util.logging.config.file=$LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize= $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 & fi fi
- 将 $EM_HOME/conf/transport.properties 文件复制到 $EM_HOME/conf/transport.properties.original。
- 在 $EM_HOME/conf/transport.properties 中,将 61616 更改为 61617。
- 在 $EM_HOME/conf/transport.properties 中,将 tcp 更改为 ssl。
- 将 broker.ks 和 broker.ts 文件复制到 /opt/teradata/tdactivemq/apache-activemq-5/15.9/conf/folder 中。
- 启动 tdactivemq:/etc/init.d/tdactivemq start
- 检查 activemq 日志文件,确保其中列出 61616 和 61617:/var/opt/teradata/tdactivemq/logs/activemq.log
- 以 syncuser 身份运行以下脚本来启动所有 emservice:$EM_HOME/bin/set_master_single.sh