Secured communication is mandatory when installing an IFS Home, and it requires
certificates. Usually the HTTP Server certificate is of most interest, since that
is what clients see when connecting to the system, but all the internal servers
are also configured with certificates so that secured communication is possible
internally.
Certificates might need to be changed or updated in the IFS Home, for example
because they are about to expire or because their trust has been compromised.
During installation, the HTTP Server certificate is either imported (third party certificate) or generated (self-signed certificate).
During installation, a root certificate is created, and each machine in the cluster then creates a certificate signing request (CSR) which is signed by this root certificate. A server on a machine uses the machine-specific certificate for secured communication, and as long as the root certificate is trusted, any server in the cluster is trusted (regardless of which machine it runs on). If the root certificate is changed (and consequently no longer trusted), any server in the cluster is no longer trusted and must get a new certificate.
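The trust relationship described above can be reproduced with the OpenSSL command line. This is an added illustration, not IFS code or the installer's own procedure; the use of OpenSSL, the file layout and the names OldRoot, NewRoot and NodeA are assumptions chosen for the example.

```shell
#!/bin/sh
# Added illustration: OpenSSL stands in for whatever the IFS installer uses.
# OldRoot, NewRoot and NodeA are constructed sample names.

# make_root DIR NAME: create a self-signed root key and certificate.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_node_cert DIR ROOT NODE: the machine creates a key and a CSR,
# then the root signs the CSR into a machine-specific certificate.
issue_node_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.crt" 2>/dev/null
}

# trusted DIR ROOT NODE: succeeds only if NODE's certificate chains to ROOT.
trusted() {
    openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}

# demo: walk through a root change and report trust at each step.
demo() {
    dir=$(mktemp -d) || return 1
    make_root "$dir" OldRoot && issue_node_cert "$dir" OldRoot NodeA || return 1
    trusted "$dir" OldRoot NodeA && echo "NodeA trusted under OldRoot"
    make_root "$dir" NewRoot || return 1
    trusted "$dir" NewRoot NodeA || echo "NodeA NOT trusted after root change"
    issue_node_cert "$dir" NewRoot NodeA || return 1
    trusted "$dir" NewRoot NodeA && echo "NodeA trusted again with new certificate"
    rm -rf "$dir"
}

demo
```

The middle check is the case the paragraph warns about: the node's key and certificate are unchanged, yet verification fails because the certificate no longer chains to the root that peers trust.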
To change the certificates run the script <ifs_home>/instance/<instance>/bin/update_http_certificates.<suffix>
The script takes zero or more arguments. The script will prompt for arguments.
>update_http_certificates
    SILENT=true/false
    ACTION=update_certs/get_cert_details
    CERTTYPE=ohs_cert/mws_certs/all_certs
    SELFSIGNED=true/false   Generate a self-signed certificate or import third party certificate
    ADMINPASSWORD=          Password for IFS MWS
    OHSCERT=                Path to third party certificate. Applicable only when SELFSIGNED=false
    OHSCERTPASSWORD=        Password for third party certificate. Applicable only when SELFSIGNED=false
    COUNTRY=                Self-signed certificate property. Applicable only when SELFSIGNED=true
    STATE=                  Self-signed certificate property. Applicable only when SELFSIGNED=true
    LOCALITY=               Self-signed certificate property. Applicable only when SELFSIGNED=true
    ORGANIZATION=           Self-signed certificate property. Applicable only when SELFSIGNED=true
    ORGANIZATIONUNIT=       Self-signed certificate property. Applicable only when SELFSIGNED=true
    COMMONNAME=             Self-signed certificate property. Applicable only when SELFSIGNED=true
Choose CERTTYPE=ohs_cert.
Choose to import a third party certificate or to generate a self-signed certificate.
Choose CERTTYPE=mws_certs.
Change the certificates for IFS MWS.
Choose CERTTYPE=all_certs.
Change the certificates for the HTTP Server and IFS MWS.
When a horizontal cluster is configured, a zip file called <node_name>_cluster_certificates.zip will be created for each node in the cluster, containing the necessary files that need to be updated on that node. Extract the archive on the corresponding node to update the certificates.
Example:
If the horizontal cluster contains three machines, NodeA, NodeB
and NodeC, the script will update the certificates on NodeA (assuming NodeA is master
and where the script is executed) and create two archives named NodeB_cluster_certificates.zip
and NodeC_cluster_certificates.zip in <ifs_home>/instance/<instance>.
After executing the script and extracting the archives on every node, restart the nodemanagers on all nodes and then restart all servers.
Shows the certificate details for all certificates used by IFS MWS.
>update_http_certificates get_cert_details
Lists certificates.