New tool for automated SSL configuration for IBM Spectrum Conductor 2.3.0
Steve Haertel 0600018H3R Visits (10826)
Security is an integral part of enterprise software. Whil
The tool introduces a set of scripts and other files (owned by the cluster administrator user) that live in the $EGO
1. Automatic generation of self-signed certificates, associated keystores and other files.
2. Verification of configuration parameters as defined in the configuration file to help identify the most common problems with SSL configuration parameters.
3. Automatic configuration of IBM Spectrum Conductor 2.3.0 components.
1. Automatic generation of self-signed certificates, associated keystores, and other associated files
From the ssltool directory, running the command python ./ssltool.py genss generates all the certificates, keystores, and associated files in the same way that they are generated at installation time; using parameters that are specified in the ssltool.conf configuration file. The ssltool.conf configuration file is customizable but has default values that are pre-set so that just running the command completes the file generation in the same way that the installation process generates the files.
If you want to regenerate files like a new installation, then you do not have to do anything else. It is only if you want to run a non-default situation that you need to know what your options are. Based on whether certain configuration parameter values point to existing or not-yet-existing files determines how the resulting certificates and keystores are created.
A. When the CA (certificate authority) certificate and CA keystore parameters do not point to existing files. (Default)
The tool generates a new CA certificate and keystore at the locations that are specified, and then creates subsequent server certificates, keystores, and other files based on those CA files.
B. When the CA certificate and private key parameters point to existing files, but they CA keystore parameter does not point to an existing file.
The tool assumes that you want to use the existing CA certificate and private key and generates the CA keystore in the path that is specified, and then creates subsequent server certificates, keystores, and other files based on those CA files.
C. When the CA certificate and CA keystore parameters point to existing files.
The tool assumes that you want to use the existing CA certificate and CA keystore, and creates server certificates, keystores, and other files based on those CA files.
As you can see, depending on what you already bring for the tool to use, it accommodates the configuration method that you want. If you want to generate files for multiple hosts from scratch, you would use method A only on the first host on which you run the tool. After the CA certificate and CA keystore exist, you must copy and use those same files on every host, so subsequent tool runs on other hosts must use method C. Each host must use copies of the same CA files. Do NOT generate new CA files for each host!
2. Verification of configuration parameters as defined in the configuration file
From the ssltool directory, running the command python ./ssltool.py verify checks for common problems that you might encounter when you try to do your own SSL configuration based on the parameters in ssltool.conf. The tool automatically verifies the configuration parameters when it tires to do an automated configuration, but the verification itself can be manually run too. The verification includes checking that the keystore and certificate files exists, and that the aliases and passwords match.
Note about passwords: Password parameters exist in the ssltool.conf file, and by default they are set to default values, but they are commented out. If the tool needs to use a password parameter, which is not set in the configuration file, it prompts the user to enter it at run time. Passwords are scrubbed from logging by default.
3. Automated configuration of IBM Spectrum Conductor 2.3.0 components
From the ssltool directory, running the command python ./ssltool.py config backup [component1] [component2] [etc] followed by python ./ssltool.py config [component1] [component2] [etc] results in the tool running verification. If everything looks okay, the tool automatically updates the relevant SSL configuration files in the same way that the documentation in the IBM Knowledge Center (see component links below) instructs users to do. To roll back to a previous configuration of components that are backed up, run python ./ssltool.py rollback [component1] [component2] [etc].
One or more components can be configured at the same time, but there exists a super component called conductor that runs the configuration of a subset of components all at once.