Grid SSL configuration steps for the Grid architecture and the Combo profile.
Steps to create the certificates for the Combo server (director + broker)
1. Create a temporary directory (such as /opt/mycerts) and execute the following commands within it.
2. Copy the cacerts file from the JDK to ssl.keystore. This file becomes the trust store into which every component's certificate is imported (on Java 9 and later the file is at $JAVA_HOME/lib/security/cacerts instead).
cp $JAVA_HOME/jre/lib/security/cacerts ssl.keystore
3. Create server.key and server.crt. When prompted for the certificate subject, enter this server's hostname as the Common Name (CN); the hostname check in the side notes relies on it. -nodes writes the private key unencrypted, so keep server.key readable only by the service account.
openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:2048 -keyout server.key -out server.crt
4. Import the server.crt into ssl.keystore
keytool -importcert -file server.crt -keystore ssl.keystore -alias MySelfSigned -storepass changeit
5. Create a PKCS #12 format file. When prompted for the export password, enter changeit; step 6 passes it as -srcstorepass.
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12
6. Convert it to a JKS format keystore
keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype pkcs12 -srcstorepass changeit -destkeystore server.keystore -deststoretype jks -deststorepass changeit
7. Copy the server.crt file to ssl.pem (for a combo server the bundle contains only this one certificate):
cp server.crt ssl.pem
8. Copy the created certificates and keystores to DS_DATA/certs (DS_DATA is <Installation_Dir>/datasynapse/manager-data; see the side notes):
cp server.crt server.key ssl.keystore server.keystore DS_DATA/certs
9. Copy ssl.keystore and ssl.pem to DS_DATA/engineUpdate/shared:
cp ssl.keystore ssl.pem DS_DATA/engineUpdate/shared
10. Edit the server.xml file: disable the HTTP connectors, enable the HTTPS connectors, and add SSLPassword="changeit" (the server.keystore password) to the HTTPS connectors.
11. Set DSConfigureOnStartup to true in installation.properties file.
12. Start the server.
Steps to create the SSL certificates on Grid architecture
Steps to create the certificates for the primary director:
1. Create a temporary directory (such as /opt/mycerts) and execute the following commands within it.
2. Copy the cacerts file from the JDK to the ssl.keystore
cp $JAVA_HOME/jre/lib/security/cacerts ssl.keystore
3. Create server.key and server.crt
openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:2048 -keyout server.key -out server.crt
4. Import the server.crt into ssl.keystore
keytool -importcert -file server.crt -keystore ssl.keystore -alias MySelfSigned -storepass changeit
5. Create a PKCS #12 format file. When prompted for the export password, enter changeit; step 6 passes it as -srcstorepass.
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12
6. Convert it to a JKS format keystore
keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype pkcs12 -srcstorepass changeit -destkeystore server.keystore -deststoretype jks -deststorepass changeit
7. Copy the created certificates and keystores to DS_DATA/certs:
cp server.crt server.key ssl.keystore server.keystore DS_DATA/certs
8. Edit the server.xml file: disable the HTTP connectors, enable the HTTPS connectors, and add SSLPassword="changeit" (the server.keystore password) to the HTTPS connectors.
9. Set DSConfigureOnStartup to true in the installation.properties file.
10. Restart the director.
Steps to create the certificates for the secondary director:
1. Create a temporary directory (such as /opt/mycerts) and execute the following commands within it.
2. Create server.key and server.crt
openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:2048 -keyout server.key -out server.crt
3. Copy the primary director's ssl.keystore into the mycerts folder.
NOTE: If the primary director and a standalone broker are already SSL-enabled, copy the standalone broker's ssl.keystore (it already contains both certificates), not the one from the primary director.
4. Import the secondary director's server.crt into ssl.keystore under an alias that is not already present in it (keytool refuses to import a certificate under an existing alias):
keytool -importcert -file server.crt -keystore ssl.keystore -alias MySelfSignedDir -storepass changeit
Now ssl.keystore contains the certs of the primary and secondary director.
5. Repeat steps 5 to 9 from the primary director section (PKCS #12 file, JKS server.keystore, copy to DS_DATA/certs, server.xml, DSConfigureOnStartup).
6. Restart the secondary director.
Steps to create the certificates for the standalone broker:
1. Create a temporary directory (such as /opt/mycerts) and execute the following commands within it.
2. Create server.key and server.crt (enter the broker's hostname as the CN when prompted):
openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:2048 -keyout server.key -out server.crt
3. Copy the existing ssl.keystore into the mycerts folder:
a) If you are configuring the grid at the primary director and broker level, copy the primary director's ssl.keystore.
b) If you are configuring the full grid architecture (Primary Director→Secondary Director→Standalone Broker→Failover Broker), copy the secondary director's ssl.keystore; it already contains the certificates of both directors.
4. Import the broker's server.crt (created in step 2) into that ssl.keystore. The command is the same in both cases; only the origin of ssl.keystore differs. Use an alias that is not already in the keystore: MySelfSigned and MySelfSignedDir are taken by the directors, and keytool refuses to import under an existing alias.
keytool -importcert -file server.crt -keystore ssl.keystore -alias MySelfSignedBroker -storepass changeit
Now ssl.keystore contains the certs of the primary director and the standalone broker (case a), or of the primary director, secondary director, and standalone broker (case b).
5. Create a PKCS #12 format file. When prompted for the export password, enter changeit; step 6 passes it as -srcstorepass.
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12
6. Convert it to a JKS format keystore
keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype pkcs12 -srcstorepass changeit -destkeystore server.keystore -deststoretype jks -deststorepass changeit
7. Copy the created certificates and keystores to DS_DATA/certs:
cp server.crt server.key ssl.keystore server.keystore DS_DATA/certs
8. Create ssl.pem by concatenating the server.crt of every component, in grid order. First copy the other components' certificates into the mycerts folder under distinct names: dserver.crt is the primary director's server.crt, sserver.crt is the secondary director's server.crt, and server.crt is the standalone broker's own certificate.
a) Director and broker level:
cat dserver.crt server.crt > ssl.pem
b) Full grid architecture (Primary Director→Secondary Director→Standalone Broker→Failover Broker):
cat dserver.crt sserver.crt server.crt > ssl.pem
9. Copy ssl.keystore and ssl.pem to the DS_DATA/engineUpdate/shared folder of the following components:
a) Director and broker level: the primary director and the broker.
b) Full grid architecture (Primary Director→Secondary Director→Standalone Broker→Failover Broker): the primary director, secondary director, and standalone broker.
10. Copy the updated ssl.keystore to the DS_DATA/certs directory of the directors, so that they also trust the broker's certificate:
a) Director and broker level: the primary director.
b) Full grid architecture: the primary and secondary director.
11. Edit the server.xml file: disable the HTTP connectors, enable the HTTPS connectors, and add SSLPassword="changeit" (the server.keystore password) to the HTTPS connectors.
12. Set DSConfigureOnStartup to true in the installation.properties file.
13. Restart all the grid components.
Steps to create the certificates for the failover broker:
1. Repeat steps 1 and 2 from the standalone broker section (temporary directory, server.key and server.crt with the failover broker's hostname as CN).
2. Copy the standalone broker's ssl.keystore into the mycerts folder and import the failover broker's server.crt into it under a new alias (the aliases used by the directors and the standalone broker are already taken, and keytool refuses to import under an existing alias):
keytool -importcert -file server.crt -keystore ssl.keystore -alias MySelfSignedFailover -storepass changeit
Now ssl.keystore contains the certs of the primary director, secondary director, standalone broker, and failover broker.
3. Follow steps 5 to 7 from the standalone broker section (PKCS #12 file, JKS server.keystore, copy to DS_DATA/certs).
4. Create ssl.pem containing the certs of all the components. First copy the other components' certificates into the mycerts folder: dserver.crt is the primary director's server.crt, sserver.crt is the secondary director's server.crt, bserver.crt is the standalone broker's server.crt, and server.crt is the failover broker's own certificate.
cat dserver.crt sserver.crt bserver.crt server.crt > ssl.pem
5. Copy the ssl.keystore and ssl.pem created on the failover broker to the DS_DATA/engineUpdate/shared directory of the primary director, secondary director, standalone broker, and failover broker.
6. Copy the ssl.keystore to the DS_DATA/certs directory of the primary director, secondary director, standalone broker, and failover broker.
7. On each component, edit server.xml (disable the HTTP connectors, enable the HTTPS connectors, add SSLPassword="changeit" to the HTTPS connectors) and set DSConfigureOnStartup to true in installation.properties, as in the standalone broker section.
8. Restart all the components.
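The combo procedure at the top of the page and the four per-component procedures above repeat the same openssl/keytool sequence and hand a growing ssl.keystore from one component to the next. The script below is an added example, not TIBCO's script or anything from the original page: it generates the artifacts for all components in one working directory at once, imports every certificate into a single ssl.keystore under a hostname-derived alias (so no alias collides), and concatenates the certificates into ssl.pem in grid order. The hostnames, the working directory, the "changeit" password, the alias scheme, and the use of -subj/-passout to avoid the interactive prompts are assumptions of the example; the resulting files still have to be copied to DS_DATA/certs and DS_DATA/engineUpdate/shared on each host as the steps describe.

```shell
#!/bin/sh
# Added example (not TIBCO's own script): builds the SSL artifacts for a combo
# server or for every component of a grid in one working directory, so the
# shared ssl.keystore and ssl.pem are assembled once instead of being passed
# from component to component. Assumptions not taken from the page: hostnames
# are given on the command line in grid order, every password is "changeit",
# and $JAVA_HOME points at a JDK that provides keytool and cacerts.
set -eu

STOREPASS=changeit
DAYS=1826

# cacerts moved from jre/lib/security to lib/security in Java 9.
find_cacerts() {
  for f in "$JAVA_HOME/jre/lib/security/cacerts" "$JAVA_HOME/lib/security/cacerts"; do
    if [ -f "$f" ]; then echo "$f"; return 0; fi
  done
  echo "cacerts not found under JAVA_HOME=$JAVA_HOME" >&2
  return 1
}

# keytool refuses to import under an alias that already exists, so derive a
# distinct alias from each hostname instead of reusing MySelfSignedDir.
alias_for() { # hostname
  printf 'ds-%s\n' "$1" | tr 'A-Z.' 'a-z_'
}

# Self-signed key and certificate with CN set to the hostname, so that
# "keytool -list -v ... | grep hostname" finds it. -nodes leaves the key
# unencrypted: keep server.key readable only by the service account.
gen_cert() { # hostname outdir
  openssl req -x509 -sha256 -nodes -days "$DAYS" -newkey rsa:2048 \
    -subj "/CN=$1" -keyout "$2/server.key" -out "$2/server.crt"
  chmod 600 "$2/server.key"
}

# Key + cert -> PKCS#12 -> JKS server.keystore. -passout supplies the export
# password that the page otherwise expects you to type at the prompt.
make_server_keystore() { # dir
  openssl pkcs12 -export -in "$1/server.crt" -inkey "$1/server.key" \
    -out "$1/server.pkcs12" -passout "pass:$STOREPASS"
  keytool -importkeystore -noprompt -srckeystore "$1/server.pkcs12" \
    -srcstoretype pkcs12 -srcstorepass "$STOREPASS" \
    -destkeystore "$1/server.keystore" -deststoretype jks -deststorepass "$STOREPASS"
}

# ssl.pem is every component's server.crt concatenated in grid order
# (primary director, secondary director, standalone broker, failover broker).
build_pem_bundle() { # out cert...
  out=$1; shift
  : > "$out"
  for c in "$@"; do cat "$c" >> "$out"; done
}

build_grid_ssl() { # workdir hostname...
  work=$1; shift
  mkdir -p "$work"
  cp "$(find_cacerts)" "$work/ssl.keystore"
  certs=""
  for h in "$@"; do
    d="$work/$h"
    mkdir -p "$d"
    gen_cert "$h" "$d"
    make_server_keystore "$d"
    keytool -importcert -noprompt -file "$d/server.crt" -keystore "$work/ssl.keystore" \
      -alias "$(alias_for "$h")" -storepass "$STOREPASS"
    certs="$certs $d/server.crt"
  done
  # shellcheck disable=SC2086  # splitting $certs into file names is intended
  build_pem_bundle "$work/ssl.pem" $certs
  echo "Per host: copy $work/<host>/server.key, server.crt, server.keystore and $work/ssl.keystore to DS_DATA/certs."
  echo "All hosts: copy $work/ssl.keystore and $work/ssl.pem to DS_DATA/engineUpdate/shared (and to datasynapse/engine on engines)."
}

# Usage: sh build_grid_ssl.sh /opt/mycerts pdirector sdirector broker fbroker
# For a combo profile, pass the combo server's hostname only.
if [ "$#" -ge 2 ]; then
  build_grid_ssl "$@"
fi
```

Run it as sh build_grid_ssl.sh /opt/mycerts pdirector sdirector broker fbroker (or with a single hostname for a combo server). Each host then gets its own server.key, server.crt and server.keystore from its subdirectory, plus the shared ssl.keystore and ssl.pem, which are identical for every component, as the side notes require.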
Steps to configure the engine:
Note: If an engine is already up and running, stop it before performing the steps below.
1. Untar the engine installer.
2. Copy ssl.keystore and ssl.pem into the datasynapse/engine folder:
a) Director and broker level: use the broker's ssl.keystore and ssl.pem.
b) Full grid architecture (Primary Director→Secondary Director→Standalone Broker→Failover Broker): use the ssl.keystore and ssl.pem created on the failover broker.
3. Configure the engine using the command below:
./configure.sh -s director_hostname:8043 -l y
4. Start the engine.
Side Note
- For the Driver side, only ssl.keystore and ssl.pem need to be copied.
- Here DS_DATA refers to <Installation_Dir>/datasynapse/manager-data.
- Set the SSL properties to true while configuring the Director and Broker.
- Engine configuration steps are the same for the combo and grid architectures.
- Make sure the ssl.keystore under
  director: datasynapse/manager-data/certs/ssl.keystore
  broker: datasynapse/manager-data/certs/ssl.keystore
  engine: datasynapse/engine/ssl.keystore
  is the same file on all grid components, namely the one into which every component's server.crt was imported.
- ssl.keystore must contain the certs of all the components. Use the following command to check this:
keytool -list -v -keystore ssl.keystore -storepass changeit | grep hostname
The searched hostname must appear in the output. This only works if the hostname was entered as the Common Name (CN) when the certificate was created; otherwise grep for the alias used at import time (for example MySelfSignedDir).
- If you are configuring SSL on the 5.x series, the directory layout differs from 6.x. In 5.x there is no GS_HOME; the directory DS_MANAGER/webapps/livecluster is what is referred to here as DS_DATA. For example, on Windows systems the default data directory is C:\tibco\datasynapse\manager\webapps\livecluster.
- The certs folder location for the 5.x series is $DS_Manager/webapps/livecluster/certs.