Article Number: 000194900
This article describes how to replace the default NetWorker self-signed certificate with a CA-signed certificate for the authc server on the NetWorker server.
The file names have no naming requirement, but the extensions used here indicate the type of each file. The command examples are for Linux, after the files have been copied to the /tmp directory; the same process applies to Windows using the corresponding file paths.
Keystores involved:
1) Ensure that no backup/restore jobs are running in the environment, then shut down the NetWorker Server services:
systemctl stop networker
2) Check whether the NetWorker Server authc service uses a custom Java runtime environment. If the NetWorker Runtime Environment (NRE) is used, the default location is /opt/nre/java/latest.
# grep JAVA /nsr/nsrrc
JAVA_HOME=/opt/nre/java/latest
export JAVA_HOME
3) Make a backup copy of the keystore and configuration files that will be updated:
tar -zcvf /tmp/NSR_$(hostname -s)_$(date -I).tar.gz /opt/nre/java/latest/lib/security/cacerts /nsr/nwui/monitoring/app/conf/nwui.keystore /opt/nsr/authc-server/conf/* /nsr/nwui/monitoring/nwuidb/pgdata/*
4) Use the OpenSSL command-line utility to create the NetWorker server private key file (<server>.key) and the certificate signing request file (<server>.csr):
# openssl req -new -newkey rsa:2048 -nodes -out /tmp/<server>.csr -keyout /tmp/<server>.key
5) Send the certificate signing request file (<server>.csr) to the CA to obtain the CA-signed certificate file (<server>.crt). The CA should provide the CA-signed server certificate (<server>.crt), the root CA certificate (<CA>.crt) and any intermediate CA certificates (<ICA>.crt).
6) Import the root and intermediate CA certificates into the authc keystore, export the server certificate and private key into PKCS#12 files under the aliases emcauthctomcat and emcauthcsaml, import those into the authc keystore, and replace the emcauthctomcat entry in the authc truststore with the CA-signed server certificate:
# keytool -import -alias RCA -keystore /nsr/authc/conf/authc.keystore -file /tmp/<CA>.crt
# keytool -import -alias ICA -keystore /nsr/authc/conf/authc.keystore -file /tmp/<ICA>.crt
# openssl pkcs12 -export -in /tmp/<server>.crt -inkey /tmp/<server>.key -name emcauthctomcat -out /tmp/<server>.tomcat.p12
# openssl pkcs12 -export -in /tmp/<server>.crt -inkey /tmp/<server>.key -name emcauthcsaml -out /tmp/<server>.saml.p12
# keytool -importkeystore -destkeystore /nsr/authc/conf/authc.keystore -srckeystore /tmp/<server>.tomcat.p12 -srcstoretype PKCS12
# keytool -importkeystore -destkeystore /nsr/authc/conf/authc.keystore -srckeystore /tmp/<server>.saml.p12 -srcstoretype PKCS12
# keytool -delete -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore
# keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -file /tmp/<server>.crt
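Before running the keystore imports above, it is worth checking that the files the CA returned actually fit together: that the private key belongs to the server certificate, that the server certificate chains to the root through the intermediate, that the server name which goes into admin_service_default_url in step 7 is present in the certificate, and that the certificate is not about to expire. The following script is an added example and is not part of the KB article or of NetWorker; it assumes the file naming used in the article (<server>.key/.crt, <CA>.crt, <ICA>.crt), and the FQDN nw.example.com together with the throwaway CA it builds are constructed test data for the built-in self-test only.

```shell
#!/bin/sh
# Pre-flight checks on the CA-signed files before they go into the authc keystores.
# Added example, not part of the KB article or of NetWorker itself. File names follow
# the article (<server>.key/.crt, <CA>.crt, <ICA>.crt); nw.example.com is a constructed
# placeholder FQDN used only by the built-in self-test.
set -e

# 1. Key and certificate must carry the same public key, or the PKCS#12 export in
#    step 6 yields an entry that authc cannot use for TLS.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# 2. The server certificate must chain to the root through the intermediate; this is
#    the path that the RCA and ICA entries in authc.keystore have to reproduce.
chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# 3. The name written to admin_service_default_url in step 7 has to appear in the
#    certificate's SAN (or CN), otherwise TLS clients reject the authc endpoint.
cert_covers_hostname() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$2(,|\$)|CN ?= ?$2(,|\$)"
}

# 4. Refuse a certificate that is expired or expires within the next 24 hours.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1
}

# Run all checks: preflight <server>.key <server>.crt <CA>.crt <ICA>.crt <fqdn>
preflight() {
  key=$1 crt=$2 ca=$3 ica=$4 fqdn=$5 rc=0
  key_matches_cert "$key" "$crt"      || { echo "FAIL: $key does not match $crt"; rc=1; }
  chain_verifies "$ca" "$ica" "$crt"  || { echo "FAIL: $crt does not chain to $ca via $ica"; rc=1; }
  cert_covers_hostname "$crt" "$fqdn" || { echo "FAIL: $fqdn is not in the SAN/CN of $crt"; rc=1; }
  cert_not_expiring "$crt"            || { echo "FAIL: $crt is expired or expires within 24 h"; rc=1; }
  return $rc
}

# Build a throwaway root CA -> intermediate CA -> server chain in $1 for FQDN $2
# (constructed test data so the checks can be exercised offline; not real certificates).
make_test_pki() {
  d=$1 fqdn=$2
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$fqdn" > "$d/server.ext"
  for n in CA ICA server; do
    case $n in CA) cn="Example Root CA";; ICA) cn="Example Issuing CA";; *) cn=$fqdn;; esac
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
  done
  openssl x509 -req -sha256 -days 3650 -in "$d/CA.csr" -signkey "$d/CA.key" -extfile "$d/ca.ext" -out "$d/CA.crt" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1825 -in "$d/ICA.csr" -CA "$d/CA.crt" -CAkey "$d/CA.key" -CAcreateserial -extfile "$d/ca.ext" -out "$d/ICA.crt" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 825 -in "$d/server.csr" -CA "$d/ICA.crt" -CAkey "$d/ICA.key" -CAcreateserial -extfile "$d/server.ext" -out "$d/server.crt" >/dev/null 2>&1
}

# With five arguments the real files are checked, e.g. (hypothetical file names):
#   sh preflight.sh /tmp/nw.key /tmp/nw.crt /tmp/CA.crt /tmp/ICA.crt nw.example.com
# Without arguments a self-test runs against the constructed chain.
if [ "$#" -eq 5 ]; then
  preflight "$@"
else
  t=$(mktemp -d)
  make_test_pki "$t" nw.example.com
  preflight "$t/server.key" "$t/server.crt" "$t/CA.crt" "$t/ICA.crt" nw.example.com && echo "self-test passed"
  rm -rf "$t"
fi
```

Once the imports in step 6 have been run, `keytool -list -v -keystore /nsr/authc/conf/authc.keystore` should show the RCA, ICA, emcauthctomcat and emcauthcsaml entries, with the last two listed as PrivateKeyEntry; a PKCS#12 built from a mismatched key and certificate is the usual reason one of them is missing.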
7) Edit the admin_service_default_url value (default: localhost) in the authc-cli-app.properties file so that it matches the NetWorker Server name used in the CA-signed certificate:
# cat /opt/nsr/authc-server/conf/authc-cli-app.properties
admin_service_default_protocol=https
admin_service_default_url=<my-networker-server.my-domain.com>
admin_service_default_port=9090
admin_service_default_user=
admin_service_default_password=
admin_service_default_tenant=
admin_service_default_domain=
8) If the NetWorker Web User Interface (NWUI) services are running on the NetWorker Server, stop them and update the NRE cacerts truststore, the NWUI keystore and the NWUI PostgreSQL certificate files as well:
systemctl stop nwui
# keytool -delete -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
# keytool -import -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -file /tmp/<server>.crt -storepass changeit
# keytool -importkeystore -destkeystore /nsr/nwui/monitoring/app/conf/nwui.keystore -srckeystore /tmp/<server>.tomcat.p12 -srcstoretype PKCS12
# cp /tmp/<server>.crt /nsr/nwui/monitoring/nwuidb/pgdata/
# cp /tmp/<server>.key /nsr/nwui/monitoring/nwuidb/pgdata/
# chmod 600 /nsr/nwui/monitoring/nwuidb/pgdata/<server>.crt
# chmod 600 /nsr/nwui/monitoring/nwuidb/pgdata/<server>.key
# grep -e ssl_cert_file -e ssl_key_file /nsr/nwui/monitoring/nwuidb/pgdata/postgresql.conf
ssl_cert_file = '<server>.crt' # (change requires restart)
ssl_key_file = '<server>.key' # (change requires restart)
9) Start the NetWorker Server services, and the NWUI services if they were stopped:
# systemctl start networker
# systemctl start nwui
10) Establish authc trust on the NetWorker server after adding the CA signed certificates:
# nsrauthtrust -H <local host or Authentication_service_host> -P 9090
Affected products: NetWorker Family, NetWorker. Last published: 18 Jul 2023. Version: 10. Article type: How To.