VSD Cluster SSL Cert

SSL is the backbone of the secure Internet: it protects sensitive information as it travels across the world's computer networks, providing privacy and data integrity for both your websites and your users' personal information. Installing an SSL certificate in your Nuage VSD cluster provides the same security and protection from prying eyes. Big shout out to Erwan for providing this how-to information.
Note: this assumes a PKCS12 certificate is being used.

Outline of Nuage VSD SSL certificate installation

  • Stop all VSD Services
  • Backup keystore
  • Import PKCS12 certificate
  • Edit Settings
  • Restart all VSD Services
  • Test SSL Certificate

Installation of SSL Certificate

Stop all VSD Services on ALL VSDs

monit -g vsd-core stop

Backup keystore

1. On each VSD individually, copy vsd.keystore to vsd-orig.keystore and set the ownership of the file correctly
cp /opt/vsd/jboss/standalone/configuration/vsd.keystore /opt/vsd/jboss/standalone/configuration/vsd-orig.keystore
chown vsd:hadoopusers /opt/vsd/jboss/standalone/configuration/vsd-orig.keystore

Import PKCS12 certificate

1. Import the PKCS12 file into a Java keystore with keytool
/usr/java/latest/bin/keytool -importkeystore -deststorepass <add a password> -destkeypass <add a password> -destkeystore vsd.keystore -srckeystore <p12 file> -srcstoretype PKCS12 -srcstorepass <password used during p12 file creation> -alias <name used when creating pkcs12>

Edit settings

1. Copy the new vsd.keystore file to /opt/vsd/jboss/standalone/configuration/, overwriting the existing file. Do this on ALL VSDs.
cp vsd.keystore /opt/vsd/jboss/standalone/configuration/
chown vsd:hadoopusers /opt/vsd/jboss/standalone/configuration/vsd.keystore

2. Verify the vsd.keystore file. When prompted for the password, use the keystore password you entered in the keytool command above.
/usr/java/latest/bin/keytool -keystore /opt/vsd/jboss/standalone/configuration/vsd.keystore -list

3. On all VSDs, edit /opt/vsd/jboss/standalone/configuration/standalone-full-ha.xml as follows
Note: Replace vsd.keystore with vsd-orig.keystore in the httpspriv section
vi /opt/vsd/jboss/standalone/configuration/standalone-full-ha.xml

<connector name="httpspriv" protocol="HTTP/1.1" scheme="https" socket-binding="httpspriv" secure="true">
<ssl key-alias="vsd-1.mvdcvtb14.us.alcatel-lucent.com" password="Alcateldc" certificate-key-file="${jboss.home.dir}/standalone/configuration/vsd-orig.keystore" protocol="TLSv1" verify-client="true" ca-certificate-file="${jboss.home.dir}/standalone/configuration/vsd.truststore" ca-certificate-password="Alcateldc"/>

4. In the https section, replace key-alias with the alias name used during the generation of your Java keystore, and password with the password used during generation of your Java keystore
vi /opt/vsd/jboss/standalone/configuration/standalone-full-ha.xml

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true" max-post-size="2048" executor="https-executor" max-connections="1000">
<ssl protocol="TLSv1" key-alias="vsdha" password="tigris" certificate-key-file="${jboss.home.dir}/standalone/configuration/vsd.keystore" verify-client="false" session-cache-size="200"/>

5. On all VSDs, edit /dev/shm/ksmon.monit as follows:
serverKeystorePath = /opt/vsd/jboss/standalone/configuration/vsd-orig.keystore

6. On all VSDs, edit /opt/vsd/jboss/standalone/configuration/keyserver.properties as follows:
keystore.path = /opt/vsd/jboss/standalone/configuration/vsd-orig.keystore
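
As an added check (not part of the original how-to or any Nuage tooling), the following script confirms after steps 3 to 6 that the httpspriv connector, ksmon.monit and keyserver.properties all reference vsd-orig.keystore while the https connector references the new vsd.keystore. It assumes the connector and "key = value" layouts shown above; the script name and the CONF_DIR/MONIT_FILE overrides are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): verify the keystore references
# edited in steps 3-6. Defaults are the paths given on the page; overriding
# them via CONF_DIR / MONIT_FILE is this example's own convention.
CONF_DIR="${CONF_DIR:-/opt/vsd/jboss/standalone/configuration}"
MONIT_FILE="${MONIT_FILE:-/dev/shm/ksmon.monit}"

# Print the keystore file name used by the <ssl> element of one connector.
connector_keystore() {  # $1 = connector name, $2 = standalone-full-ha.xml
    awk -v name="$1" '
        /<connector / { inside = ($0 ~ ("name=\"" name "\"")) }
        inside && /certificate-key-file="/ {
            s = $0
            sub(/.*certificate-key-file="/, "", s)  # drop everything before the path
            sub(/".*/, "", s)                       # drop everything after it
            n = split(s, part, "/")
            print part[n]
            exit
        }' "$2"
}

# Print the file name from a "key = /path/to/file" line.
property_keystore() {  # $1 = key, $2 = file
    awk -F= -v key="$1" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/[ \t\r]/, "", v); n = split(v, part, "/"); print part[n]; exit }
    ' "$2"
}

expect() {  # $1 = label, $2 = actual, $3 = expected; sets rc=1 on mismatch
    if [ "$2" = "$3" ]; then
        echo "OK    $1 -> $2"
    else
        echo "FAIL  $1 -> '${2:-missing}' (expected $3)"
        rc=1
    fi
}

check_vsd_keystore_refs() {
    xml="$CONF_DIR/standalone-full-ha.xml"
    rc=0
    expect "connector httpspriv" "$(connector_keystore httpspriv "$xml")" vsd-orig.keystore
    expect "connector https" "$(connector_keystore https "$xml")" vsd.keystore
    expect "serverKeystorePath" "$(property_keystore serverKeystorePath "$MONIT_FILE")" vsd-orig.keystore
    expect "keystore.path" "$(property_keystore keystore.path "$CONF_DIR/keyserver.properties")" vsd-orig.keystore
    return "$rc"
}

# Hypothetical file name; run on each VSD with: sh check_keystore_refs.sh check
if [ "${1:-}" = "check" ]; then check_vsd_keystore_refs; fi
```

Run it on each VSD before restarting vsd-core; any FAIL line names the setting that still points at the wrong keystore file.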

Restart all VSD Services

On all VSDs restart the vsd-core services
Note: Wait for Monit to stop the services
monit -g vsd-core start
watch monit summary

Test SSL Certificate

Test in a browser at https://fqdn:8443 once everything is back up and running.

Categories: nuage


2 replies

  1. I didn’t know how to install the certs. Thanks buddy 🙂

