Teradata Ecosystem Manager | Almacén de confianza (TrustStore) del agente - 16.20 - Crear el almacén de confianza (TrustStore) del agente en el servidor de Ecosystem Manager - Teradata Ecosystem Manager

Teradata® Ecosystem Manager Guía de instalación, configuración y actualizaciónpara clientes

prodname
Teradata Ecosystem Manager
vrm_release
16.20
category
Configuración
Instalación
featnum
B035-3203-107K-ESN
Siga estos pasos en ambos servidores de Ecosystem Manager para importar el certificado de cliente con el objetivo de crear el almacén de confianza (TrustStore) del agente. Repita estos pasos para todos los certificados de cliente.
  1. Cree una carpeta llamada /home/em para colocar los archivos client_cert y keystore.
  2. Copie el archivo de certificado de cliente desde el cliente y ejecute el comando:keytool -import -alias <hostname-of-EM-client> -keystore broker.ts -file client_cert
    El sistema responde como se muestra a continuación:
    Enter keystore password:
    Re-enter new password:
    Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: ed415cb
    Valid from: Tue Jun 23 18:21:18 UTC 2015 until: Mon Sep 21 18:21:18 UTC 2015
    Certificate fingerprints:
             MD5:  9F:47:D4:AE:98:69:FA:D9:F6:C7:DB:F4:BA:2A:C2:59
             SHA1: 62:3A:AB:F0:72:F5:3E:91:FD:E9:3E:C5:85:DC:37:52:B3:34:FD:D0
             SHA256: 27:D2:02:A7:B1:0C:19:BA:D0:2A:E1:CA:86:B0:63:19:97:3F:08:61:DC:51:B1:B8:AB:0D:BE:E1:E6:19:BD:62
             Signature algorithm name: SHA256withRSA
             Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: BB C4 91 8C 24 04 54 1F   DF DB 3D 98 43 CE AE ED  ....$.T...=.C...
    ]
    ]
    
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    

    De este modo se crea un almacén de confianza (TrustStore) para el agente, lo que permite al agente confiar en el cliente. Asegúrese de que se crea broker.ts.

  3. Cree un certificado/almacén de claves para los servidores de Ecosystem Manager activos y en espera:keytool -genkey -alias <hostname-of-EM-client> -keyalg RSA -keystore server.ks
    El sistema solicitará la siguiente información:
    Enter your keystore password:
    What is your first and last name?
    [Unknown]:
    What is the name of your organizational unit?
    [Unknown]:
    What is the name of your City or Locality?
    [Unknown]:
    What is the name of your State or Province?
    [Unknown]:
    What is the two-letter country code for this unit:
    [Unknown]:
    Is CN-Unknown, OU=Unknown, O=Unknown, ST=Unknown, C=Unknown correct?
    [no]: yes
    Enter key password for <hostname-of-EM-client>
    (RETURN if same as keystore password):
    Asegúrese de que el archivo del almacén de claves se crea en todos los sistemas del cliente de EM que participan.
  4. Cree un almacén de confianza (TrustStore) para el servidor e importe el certificado del agente en ambos servidores de Ecosystem Manager con los siguientes comandos:
    1. En el servidor de EM activo, ejecute lo siguiente:keytool -import -alias <hostname-of-Active- Server> -keystore server.ts -file /opt/teradata/jvm64/jdk8/bin/broker_cert1
      El sistema responderá con lo siguiente:
      Enter keystore password:
      Re-enter new password:
      Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Serial number: 559b65aa
      Valid from: Tue Jun 23 18:15:54 UTC 2015 until: Mon Sep 21 18:15:54 UTC 2015
      Certificate fingerprints:
               MD5:  97:3A:70:71:B5:5E:12:0A:7D:AD:A7:94:A5:BF:1A:0C
               SHA1: 8B:A9:37:A0:15:61:ED:25:1F:AA:47:6D:1F:F1:73:D5:D9:C4:69:54
               SHA256: 46:B9:B2:9D:E4:AE:E3:26:CC:D5:4C:B7:56:ED:98:8D:4F:82:76:87:73:0E:49:E3:CF:70:AC:2F:66:D4:88:1F
               Signature algorithm name: SHA256withRSA
               Version: 3
      
      Extensions:
      
      #1: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 0F CA D5 A2 22 6B 74 40   45 ED 2D 63 7F 7B 03 17  ...."kt@E.-c....
      0010: CA BE 18 0B                                        ....
      ]
      ]
      
      Trust this certificate? [no]:  yes
      Certificate was added to keystore
      
    2. En el servidor de EM en espera, ejecute lo siguiente:keytool -import -alias <hostname-of-Standby- Server> -keystore server.ts -file /opt/teradata/jvm64/jdk8/bin/broker_cert2
      El sistema responderá con lo siguiente:
      Enter keystore password:
      Re-enter new password:
      Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Serial number: 559b65aa
      Valid from: Tue Jun 23 18:15:54 UTC 2015 until: Mon Sep 21 18:15:54 UTC 2015
      Certificate fingerprints:
               MD5:  97:3A:70:71:B5:5E:12:0A:7D:AD:A7:94:A5:BF:1A:0C
               SHA1: 8B:A9:37:A0:15:61:ED:25:1F:AA:47:6D:1F:F1:73:D5:D9:C4:69:54
               SHA256: 46:B9:B2:9D:E4:AE:E3:26:CC:D5:4C:B7:56:ED:98:8D:4F:82:76:87:73:0E:49:E3:CF:70:AC:2F:66:D4:88:1F
               Signature algorithm name: SHA256withRSA
               Version: 3
      
      Extensions:
      
      #1: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 0F CA D5 A2 22 6B 74 40   45 ED 2D 63 7F 7B 03 17  ...."kt@E.-c....
      0010: CA BE 18 0B                                        ....
      ]
      ]
      
      Trust this certificate? [no]:  yes
      Certificate was added to keystore
      

      Esto establece que los servicios de Ecosystem Manager que se ejecutan en un servidor de Ecosystem Manager "confían" en el agente y crean un almacén de confianza (TrustStore) para el servidor.

  5. Exporte el certificado del servidor de modo que pueda compartirse con el agente; para ello, ejecute los siguientes comandos en los servidores de EM:
    1. En el servidor de EM activo, ejecute:keytool -import -alias <hostname-of-Active-EM-server> -keystore server.ts -file server_cert
      El sistema responderá con lo siguiente:
      Enter keystore password:
      Certificate stored in file server_cert
    2. En el servidor de EM en espera, ejecute:keytool -import -alias <hostname-of-Standby-EM-server> -keystore server.ts -file server_cert
      El sistema responderá con lo siguiente:
      Enter keystore password:
      Certificate stored in file server_cert
  6. Importe el certificado del servidor:
    1. En el servidor de EM activo, ejecute:keytool -import -alias <hostname-of-Active-EM-server> -keystore broker.ts -file server_cert
      El sistema responderá con lo siguiente:
      Enter keystore password:
      Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Serial number: 300263d1
      Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015
      Certificate fingerprints:
               MD5:  C1:1C:8C:C0:9B:A5:42:60:A0:A8:CC:CF:62:65:52:0D
               SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2
               SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2
               Signature algorithm name: SHA256withRSA
               Version: 3
      
      Extensions:
      
      #1: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 83 75 6D 0E A2 76 EE 16   84 09 13 40 AF F4 88 8A  .um..v.....@....
      0010: 50 65 D2 03                                        Pe..
      ]
      ]
      
      Trust this certificate? [no]:  yes
      Certificate was added to keystore
      
    2. En el servidor de EM en espera, ejecute:keytool -import -alias <hostname-of-EM-Standby server> -keystore broker.ts -file server_cert
      El sistema responderá con:
      Enter keystore password:
      Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
      Serial number: 300263d1
      Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015
      Certificate fingerprints:
               MD5:  C1:1C:8C:C0:9B:A5:42:60:A0:A8:CC:CF:62:65:52:0D
               SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2
               SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2
               Signature algorithm name: SHA256withRSA
               Version: 3
      
      Extensions:
      
      #1: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 83 75 6D 0E A2 76 EE 16   84 09 13 40 AF F4 88 8A  .um..v.....@....
      0010: 50 65 D2 03                                        Pe..
      ]
      ]
      
      Trust this certificate? [no]:  yes
      Certificate was added to keystore
      
  7. Copie los archivos broker.ks y broker.ts en /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/.
  8. Para configurar la variable de entorno ACTIVEMQ_SSL_OPTS, abra el archivo /etc/profile y agregue la siguiente entrada al final del archivo:ACTIVEMQ_SSL_OPTS='-Djavax.net.ssl.keyStore=/opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/broker.ks -Djavax.net.ssl.keyStorePassword=password'; export ACTIVEMQ_SSL_OPTS

    Utilice la contraseña del almacén de claves en este comando.

  9. Guarde los cambios y source/etc/profile para que la variable de entorno ACTIVEMQ_SSL_OPTS esté disponible en la sesión actual:source /etc/profile
  10. Actualice /etc/init.d/tdactivemq en ambos servidores de EM.Busque la línea que comienza con export ACTIVEMQ_OPTS=...=1500 y cámbiela por export ACTIVQMQ_OPTS=...=1500 $ACTIVEMQ_SSL_OPTS.
  11. Abra el archivo de configuración del agente ubicado en /opt/teradata/tdactivemq/config/td-broker.xml y cambie keystorePassword y truststorePassword:
    <sslContext>
                <sslContext
                 keyStore="file:${activemq.base}/conf/broker.ks
                 keyStorePassword="password"
                 trustStore="file:${activemq.base}/conf/broker.ts
                 trustStorePassword="password"/>
    </sslContext>
    
  12. Habilite (quitar marca de comentario si está comentado) SSL en /opt/teradata/tdactivemq/config/td-broker.xml
    <transportConnectors>
                <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
                <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?
                 needClientAuth=true"/>
            </transportConnectors>
    
  13. Otorgue permisos de acceso 777 /home/em y todos los archivos que contiene.
  14. Cambie el script de inicio del servicio emeventconsumer para que incluya la opción de SSL:
    1. Copie el archivo original:cp /opt/teradata/emserver/bin/emeventconsumer /opt/teradata/emserver/bin/emeventconsumer.original
    2. Inicie sesión como syncuser y abra el archivo $EM_HOME/bin/emeventconsumer; a continuación, cambie tcp por ssl:
       BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2`
            if ["$BROKER" !="" ]
            then
              if ["$BROKER_LIST"=="" ]
              then
                BROKER_LIST="tcp ://$BROKER?wireFormat.maxInactivityDuration=0"
              else
                BROKER_LIST="$BROKER_LIST,tcp://$BROKER?wireFormat.maxInactivityDuration=0
      

      Cambie a:

       BROKER=`echo $line | grep -e "BROKER=" | cut -d"#" -f1 | cut -d"=" -f2`
            if ["$BROKER" !="" ]
            then
              if ["$BROKER_LIST"=="" ]
              then
                BROKER_LIST="ssl ://$BROKER?wireFormat.maxInactivityDuration=0"
              else
                BROKER_LIST="$BROKER_LIST,ssl://$BROKER?wireFormat.maxInactivityDuration=0
      
    3. Abra el archivo $EM_HOME/bin/emeventconsumer y busque la función start:
                if [ "$SYNCUSER" == "" ]; then
      nohup $JAVA -Djava.util.logging.config.file=
      $LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS
      "--url=failover:($BROKER_LIST)" --dbsystem=$DBSYSTEM --
      consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer=
      $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=
      $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount --
      latencyTimer=$latencyTimer --reconnectingInterval=
      $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL >
      $EM_HOME/logs/emeventconsumer.log 2>&1 &
      else
      if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
      /bin/su $SYNCUSER -c "nohup $JAVA -
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $CONSUMER_CLASS --
      url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --
      consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer=
      $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=
      $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount --
      latencyTimer=$latencyTimer --reconnectingInterval=
      $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL >
      $EM_HOME/logs/emeventconsumer.log 2>&1 &"
      else
      nohup $JAVA -Djava.util.logging.config.file=
      $LOGGING_CONFIG -classpath $CLASSPATH_SERVICE $CONSUMER_CLASS --
      url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --
      consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer=
      $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=
      $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount --
      latencyTimer=$latencyTimer --reconnectingInterval=
      $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL >
      $EM_HOME/logs/emeventconsumer.log 2>&1 &
      fi
      fi
      
      Cambie a:
      if [ "$SYNCUSER" == "" ]; then
      nohup $JAVA 
       -Djavax.net.ssl.keyStore=/home/em/ server.ks -Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts  -
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $CONSUMER_CLASS "--url=failover:
      ($BROKER_LIST)" --dbsystem=$DBSYSTEM --consumerName=
      $CONSUMERNAME --clientId=$CLIENTID --smtpServer=$SMTPSERVER --
      fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=$ADMINEMAILADDR --
      maxBatchMessageCount=$maxMessageCount --latencyTimer=
      $latencyTimer --reconnectingInterval=$reconnectingInterval –
      receiveTimeOut=$POLINGINTERVAL > $EM_HOME/logs/
      emeventconsumer.log 2>&1 &
      else
      if [ "$EFFECTIVEUSER" != "$SYNCUSER" ]; then
      /bin/su $SYNCUSER -c "nohup $JAVA -
       Djavax.net.ssl.keyStore=/home/em/server.ks - Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts  -
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $CONSUMER_CLASS --
      url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --
      consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer=
      $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=
      $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount --
      latencyTimer=$latencyTimer --reconnectingInterval=
      $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/
      logs/emeventconsumer.log 2>&1 &"
      else
      nohup $JAVA  -Djavax.net.ssl.keyStore=/home/em/ server.ks -Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts-
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $CONSUMER_CLASS --
      url=failover:'('$BROKER_LIST')' --dbsystem=$DBSYSTEM --
      consumerName=$CONSUMERNAME --clientId=$CLIENTID --smtpServer=
      $SMTPSERVER --fromEmailAddr=$FROMEMAILADDR --adminEmailAddr=
      $ADMINEMAILADDR --maxBatchMessageCount=$maxMessageCount --
      latencyTimer=$latencyTimer --reconnectingInterval=
      $reconnectingInterval --receiveTimeOut=$POLINGINTERVAL > $EM_HOME/
      logs/emeventconsumer.log 2>&1 &
      fi
      fi
      
    4. Copie $EM_HOME/conf/emeventconsumer en $EM_HOME/conf/emeventconsumer.original.
    5. En el archivo $EM_HOME/conf/emeventconsumer, cambie 61616 por 61617.
  15. Cambie el script de inicio del servicio empublisher para que incluya la opción de SSL:
    1. Copie el archivo original:cp /opt/teradata/emserver/bin/empublisher /opt/teradata/emserver/bin/empublisher.original
    2. Abra el archivo $EM_HOME/bin/empublisher y busque la función start:
                 if [ "$SYNCUSER" == "" ];then
      nohup $JAVA -Dservice_name=empublisher
      $SERVICE_FLAGS -Djava.util.logging.config.file=$LOGGING_CONFIG -
      classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=
      $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
      else
      if [ "$EFFECTIVEUSER" != "$SYNCUSER" ];then
      /bin/su $SYNCUSER -c "nohup $JAVA -
      Dservice_name=empublisher $SERVICE_FLAGS –
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=
      $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &"
      else
      nohup $JAVA -Dservice_name=empublisher
      $SERVICE_FLAGS -Djava.util.logging.config.file=$LOGGING_CONFIG -
      classpath $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=
      $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
      Fi
      fi
      
      Cambie a:
                  if [ "$SYNCUSER" == "" ];then
      nohup $JAVA -
       Djavax.net.ssl.keyStore=/home/em/ server.ks - Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts - 
      Dservice_name=empublisher $SERVICE_FLAGS -
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=
      $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
      else
      if [ "$EFFECTIVEUSER" != "$SYNCUSER" ];then
      /bin/su $SYNCUSER -c "nohup $JAVA -
       Djavax.net.ssl.keyStore=/home/em/server.ks - Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts  -
      Dservice_name=empublisher $SERVICE_FLAGS -
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=
      $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &"
      else
      nohup $JAVA  -Djavax.net.ssl.keyStore=/ home/em/server.ks -Djavax.net.ssl.keyStorePassword=password - Djavax.net.ssl.trustStore=/home/em/server.ts  -
      Dservice_name=empublisher $SERVICE_FLAGS -
      Djava.util.logging.config.file=$LOGGING_CONFIG -classpath
      $CLASSPATH_SERVICE $PUBLISHER_CLASS --threadPoolSize=
      $NUM_THREADS > $EM_HOME/logs/empublisher.log 2>&1 &
      fi
      fi
      
    3. Copie el archivo $EM_HOME/conf/transport.properties en $EM_HOME/conf/transport.properties.original.
    4. En $EM_HOME/conf/transport.properties, cambie 61616 por 61617.
    5. En $EM_HOME/conf/transport.properties, cambie tcp por ssl.
  16. Copie los archivos broker.ks y broker.ts en la carpeta /opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/.
  17. Copie los archivos client.ks y client.ts de los clientes de Ecosystem Manager en opt/teradata/tdactivemq/apache-activemq-5.15.9/conf/ folder.
  18. Inicie tdactivemq:/etc/init.d/tdactivemq start
  19. Compruebe el archivo de registro de activemq para asegurarse de que incluye 61616 y 61617:/var/opt/teradata/tdactivemq/logs/activemq.log
  20. Inicie todos los emservices con la ejecución del siguiente script como syncuser en el servidor de EM activo:$EM_HOME/bin/emsetactive.sh