Readme File for IBM® Spectrum Conductor 2.3.0
Readme file for: IBM Spectrum Conductor
Product/Component Release: 2.3.0
Fix ID: sc-2.3-build515893-wellsfargo
Publication date: March 29, 2019
This enhancement details manual steps to regenerate the default certificates and keystores with wildcards in the subject alternative name (SAN) for your IBM Spectrum Conductor 2.3.0 cluster after installation. All browsers support SAN host names in the format *.subdomain (for example, *.sub1.example.com and *.sub2.example.com).
1. Scope
Product version: IBM Spectrum Conductor 2.3.0
Prerequisite: A fresh installation of IBM Spectrum Conductor 2.3.0, or an earlier version of IBM Spectrum Conductor that was upgraded to IBM Spectrum Conductor 2.3.0.
Package: sc-2.3.0-build515893-wellsfargo.tar.gz
a. Log in to the cluster management console as the cluster administrator and stop all Spark instance groups.
b. Leave all master and management nodes with their current host names.
c. Update the host names of compute hosts in your cluster:
a) Remove all compute hosts from the cluster:
egosh resource close -reclaim <hostname>
egosh resource remove <hostname>
b) Update the name of each compute host and confirm the new name:
hostname -f
d. Update $EGO_CONFDIR/../../ascd/conf/ascd.conf to turn off auto-deployment on new hosts:
ASC_AUTO_DEPLOY_ON_NEW_HOST=OFF
e. Stop all services and shut down the cluster:
egosh service stop all
egosh ego shutdown all
f. Download the sc-2.3.0-build515893-wellsfargo.tar.gz package and extract its contents to any directory:
tar zxof sc-2.3.0-build515893-wellsfargo.tar.gz
g. Look for the endPoint.cnf file and update its subjectAltName field to include host names with or without wildcards, for example, *.sub1.example.com and *.sub2.example.com.
h. Create tier 1 certificates and keystore:
a) Change to the security directory:
cd $EGO_TOP/wlp/usr/shared/resources/security
b) Back up $EGO_TOP/wlp/usr/shared/resources/security, then remove its contents.
c) Copy rootCA.cnf, request.cnf, and endPoint.cnf extracted from the sc-2.3.0-build515893-wellsfargo.tar.gz package to the $EGO_TOP/wlp/usr/shared/resources/security directory.
d) Use the openssl and keytool utilities to regenerate the default certificate and keystore. The following commands are sample commands for your reference:
openssl genpkey -algorithm RSA -out cacert.key -pkeyopt rsa_keygen_bits:2048
openssl req -new -key cacert.key -days 5480 -extensions v3_ca -batch -out cacert.csr -utf8 -subj '/C=CA/O=IBM/CN=IBM Spectrum Computing' -config request.cnf
openssl x509 -req -sha256 -days 3650 -in cacert.csr -signkey cacert.key -set_serial 100001 -extfile rootCA.cnf -out cacert.pem
openssl pkcs12 -export -in cacert.pem -inkey cacert.key -passin pass:Liberty -password pass:Liberty -out caKeyStore.p12 -name caalias
keytool -importkeystore -srckeystore caKeyStore.p12 -destkeystore caKeyStore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass Liberty -deststorepass Liberty
openssl genpkey -algorithm RSA -out srvcertreq.key -pkeyopt rsa_keygen_bits:2048
openssl req -new -key srvcertreq.key -days 1096 -extensions v3_ca -batch -out srvcertreq.csr -utf8 -subj '/C=CA/O=IBM/CN=dv10018.eng.platformlab.ibm.com' -config request.cnf
openssl x509 -req -sha256 -days 1096 -in srvcertreq.csr -CAkey cacert.key -CA cacert.pem -set_serial 200001 -out servercertcasigned.pem -extfile endPoint.cnf
cat servercertcasigned.pem cacert.pem >> user.pem
cat srvcertreq.key >> user.key
cat srvcertreq.key cacert.key >> chain.key
openssl pkcs12 -export -in user.pem -inkey chain.key -passin pass:Liberty -password pass:Liberty -out serverKeyStore.p12 -name srvalias
keytool -importcert -noprompt -alias caalias -file cacert.pem -keystore serverKeyStore.jks -storepass Liberty
keytool -importkeystore -srckeystore serverKeyStore.p12 -destkeystore serverKeyStore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass Liberty -deststorepass Liberty
keytool -importcert -noprompt -alias srvalias -file cacert.pem -keystore serverTrustStore.jks -storepass Liberty
Ensure that the generated files have the same owner, group, and permissions as the original files.
i. Create the tier 2 and tier 3 certificates and keystore:
a) Change to the $EGO_TOP/security directory:
cd $EGO_TOP/security
b) Back up $EGO_TOP/security, then remove its contents.
c) Copy rootCA.cnf, request.cnf, and endPoint.cnf extracted from the sc-2.3.0-build515893-wellsfargo.tar.gz package to the $EGO_TOP/security directory.
d) Copy caKeyStore.jks, cacert.pem, and cacert.key from $EGO_TOP/wlp/usr/shared/resources/security to $EGO_TOP/security.
e) Use the openssl and keytool utilities to regenerate the default certificate and keystore. The following commands are sample commands for your reference:
openssl genpkey -algorithm RSA -out tier2alias.key -pkeyopt rsa_keygen_bits:2048
openssl req -new -key tier2alias.key -days 1096 -extensions v3_ca -batch -out tier2alias.csr -utf8 -subj '/C=CA/O=IBM/CN=dv10018.eng.platformlab.ibm.com' -config request.cnf
openssl x509 -req -sha256 -days 1096 -in tier2alias.csr -CAkey cacert.key -CA cacert.pem -set_serial 300001 -out tier2aliascertcasigned.pem -extfile endPoint.cnf
cat tier2aliascertcasigned.pem cacert.pem >> chain2.pem
cat tier2alias.key cacert.key >> chain2.key
openssl pkcs12 -export -in chain2.pem -inkey chain2.key -passin pass:tier2passwd -password pass:tier2passwd -out tier2KeyStore.p12 -name tier2alias
openssl genpkey -algorithm RSA -out tier3alias.key -pkeyopt rsa_keygen_bits:2048
openssl req -new -key tier3alias.key -days 1096 -extensions v3_ca -batch -out tier3alias.csr -utf8 -subj '/C=CA/O=IBM/CN=dv10018.eng.platformlab.ibm.com' -config request.cnf
openssl x509 -req -sha256 -days 1096 -in tier3alias.csr -CAkey cacert.key -CA cacert.pem -set_serial 400001 -out tier3aliascertcasigned.pem -extfile endPoint.cnf
cat tier3aliascertcasigned.pem cacert.pem >> chain3.pem
cat tier3alias.key cacert.key >> chain3.key
openssl pkcs12 -export -in chain3.pem -inkey chain3.key -passin pass:tier3passwd -password pass:tier3passwd -out tier3KeyStore.p12 -name tier3alias
The tier 3 chain is written to its own chain3.pem and chain3.key files rather than appended to the tier 2 files: openssl pkcs12 uses the first private key it finds in the -inkey file, so a shared chain file would put the tier 2 key and certificate into tier3KeyStore.p12.
keytool -importcert -noprompt -alias caalias -file cacert.pem -keystore tier2and3ServerKeyStore.jks -storepass SparkPassword
keytool -importkeystore -srckeystore tier2KeyStore.p12 -destkeystore tier2and3ServerKeyStore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass tier2passwd -deststorepass SparkPassword -destkeypass tier2passwd
keytool -importkeystore -srckeystore tier3KeyStore.p12 -destkeystore tier2and3ServerKeyStore.jks -srcstoretype pkcs12 -deststoretype jks -srcstorepass tier3passwd -deststorepass SparkPassword -destkeypass tier3passwd
openssl pkcs12 -in tier3KeyStore.p12 -passin pass:tier3passwd -nocerts -out tier3opensslprivate.key -passout pass:tier3passwd
openssl pkcs12 -in tier3KeyStore.p12 -passin pass:tier3passwd -clcerts -nokeys -out tier3opensslpublic.pem
Ensure that the generated files have the same owner, group, and permissions as the original files.
j. For a cluster with deployment set to a local file system (ASCS_SHARED_FS_DEPLOYED=OFF in $EGO_CONFDIR/../../ascd/conf/ascd.conf), update the $EGO_CONFDIR/../../ascd/work/resourcegroups/[UUID].yml file and replace all host names that changed in step c with their new host names.
k. Update $EGO_CONFDIR/../../ascd/conf/ascd.conf to turn on auto-deployment on new hosts:
ASC_AUTO_DEPLOY_ON_NEW_HOST=ON
l. Install the generated cacert.pem root CA certificate to your browser.
m. Restart the cluster:
egosh ego start
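Before the CSR is signed in step h, it is worth confirming that the subjectAltName you placed in endPoint.cnf (step g) covers every compute host name chosen in step c, because browsers match a wildcard to exactly one leftmost label. The following Python script is an added example, not part of this readme or of the product: the cluster host names in it are constructed samples, and it renders the subjectAltName line for endPoint.cnf and lists any host the SAN entries would not cover.

```python
import re

# Constructed sample host names, not from the readme: the names the cluster
# hosts carry after step c, which the new SAN entries must cover.
CLUSTER_HOSTS = [
    "master01.sub1.example.com",
    "compute01.sub1.example.com",
    "compute02.sub2.example.com",
    "gpu01.lab.sub2.example.com",  # one label deeper than *.sub2.example.com covers
]

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def validate_san_name(name):
    """Accept a plain host name or a wildcard whose '*' is the whole leftmost label."""
    labels = name.split(".")
    if len(labels) < 2 or "" in labels:
        raise ValueError(f"{name}: expected at least two non-empty labels")
    for i, label in enumerate(labels):
        if label == "*" and i == 0:
            continue
        if "*" in label:
            raise ValueError(f"{name}: '*' is only allowed as the entire leftmost label")
        if not LABEL.match(label):
            raise ValueError(f"{name}: invalid label {label!r}")
    if labels[0] == "*" and len(labels) < 3:
        raise ValueError(f"{name}: wildcard must sit under a subdomain, e.g. *.sub1.example.com")
    return name.lower()


def san_matches(pattern, host):
    """Browser-style match: '*' covers exactly one label, never zero or several."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return all(pl == hl or (i == 0 and pl == "*") for i, (pl, hl) in enumerate(zip(p, h)))


def subject_alt_name_line(names):
    """Render the subjectAltName value to paste into endPoint.cnf."""
    return "subjectAltName = " + ", ".join("DNS:" + validate_san_name(n) for n in names)


def uncovered_hosts(names, hosts):
    """Hosts matched by no SAN entry; this list must be empty before the CSR is signed."""
    return [h for h in hosts if not any(san_matches(n, h) for n in names)]
```

Run uncovered_hosts against the real host list from `egosh resource list` output before step h; a non-empty result means the SAN list needs another entry (or the host name must change).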
NOTE: To roll back to the original default configuration:
a. Restore your backup of the following directories:
$EGO_TOP/wlp/usr/shared/resources/security
$EGO_TOP/security
b. Restart the cluster:
egosh ego start
3. Copyright and trademark information
© Copyright IBM Corporation 2019
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.