Replacing certificates for Netezza Performance Server Replication Services 3.0.X.X

Learn how to switch Netezza Performance Server certificates or renew certificates that are about to expire.

About this task

If you want to replace certificates, note that downtime is necessary. Plan the procedure accordingly.

Procedure

On Cloud Pak for Data System, turn off NRS monitoring by Platform Manager.
```
ap apps disable NRS
```
Stop replication as described in Starting and stopping replication on a given node and return to this procedure.

Stop all of the replication systems on all nodes.

docker stop nrs_replmgmt nrs_broker nrs_mirrormaker nrs_zookeeper

Prepare your certificates.
- Generating self-signed certificates
  1. Select a Cloud Pak for Data System from which you want to generate the certificate authority (CA) files.
  2. To generate new certificates, make a password file for each node.
    For example:
    echo -n PASSWORD > NODE PASSWORD FILE PATH
  3. Create a password for the certificate authority's key (cacert.pem) and save it in password_file.
```
echo -n PASSWORD > CAKEY PASSWORD FILE PATH
```
    The password must not have any leading or trailing whitespace charatcers. Passwords with leading or trailing whitespace character are rejected by the nrscertmgr script.
    
    Ensure that the file and related certificates are placed in a known directory on all systems, for example /root/mycerts.
    
    Tip:
    Make sure that you include -n in the command. With this parameter, the password file does not have a terminating new line. With a new line at the end of the password file, the setup might fail.
  4. Run the nrscertmgr script.
```
nrscertmgr generate-cacert --passfile /path/to/cakey_password_file
```
    Example:
    nrscertmgr generate-cacert --passfile /path/to/cakey_password_file Running command: 'openssl req -new -subj /C=US/ST=CA/CN=localhost -newkey rsa:4096 -nodes -sha256 -x509 -days 3650 -keyout cakey.pem -out cacert.pem -passin pass:***'
  5. Copy cakey.pem, cacert.pem, and cakey_password_file that you generated in substeps b and c to the other Cloud Pak for Data System.
    Ensure that the files are placed in a known directory on all systems, for example /root/mycerts.
- Generating custom certificates:
  1. Select a Cloud Pak for Data System from which you want to generate the certificate authority (CA) files.
  2. Create a index.yaml file.
    Populate the file as in the example index.yaml:
    certs: cacert: cert: /path/to/cacert.pem nodes: replication-node-1.fqdn: cert: /path/to/rn1-ccertfile.pem key: /path/to/rn1-ckeyfile.pem password: /path/to/rn1-cpassword replication-node-2.fqdn: cert: /path/to/rn2-certfile.pem key: /path/to/rn2-ckeyfile.pem password: /path/to/rn2-cpassword
    The passwords must not have any trailing whitespace characters. Use absolute paths.
  3. Copy index.yaml that you generated in substeps b to the other Cloud Pak for Data System.
    Ensure that the files are placed in a known directory on all systems, for example /root/mycerts.

Deploy the certificates.

For self-signed certificates, run:

./nrscertmgr add-node host_fqdn /path/to/cacert.pem /path/to/cakey.pem /path/to/password --cakey-passfile /path/to/cakey_password_file --out /tmp/certs --deploy

For custom certificates, run:

./nrscertmgr package-certs host_fqdn /path/to/index.yaml --out /tmp/certs --deploy

On each node, restart all of the containers.

docker restart nrs_replmgmt nrs_broker nrs_mirrormaker nrs_zookeeper

Make sure that nrs_broker is running as sometimes it might not come online.

docker ps

Example:

[root@exegeses1 certs]# docker ps

CONTAINER ID   IMAGE                 COMMAND                  CREATED          STATUS          PORTS     NAMES
9ce2b4fb8622   replmgmt:3.0.1.0      "/usr/bin/python3 /o…"   12 minutes ago   Up 12 minutes             nrs_replmgmt
ea7a1492d199   mirrormaker:3.0.1.0   "/bin/sh -c $IBM_INS…"   12 minutes ago   Up 12 minutes             nrs_mirrormaker
6214f5f44404   broker:3.0.1.0        "/bin/sh -c $IBM_INS…"   12 minutes ago   Up 12 minutes             nrs_broker
d1ba0fbc54db   zookeeper:3.0.1.0     "/bin/sh -c $IBM_INS…"   12 minutes ago   Up 12 minutes             nrs_zookeeper

If nrs_broker is not running, restart it again:

docker restart nrs_broker

If nrs_broker does not come up after these attempts, make sure the certificates are correct.

Replace the nzdr certificates with your new certificates.
- If you are using self-signed certificates, replace the cacert certification key in /opt/ibm/appliance/storage/nrs/nps/cert/cacert with your new cacert. It is the same file that you used in step 3 for /path/to/cacert.pem.
```
cp /path/to/cacert /opt/ibm/appliance/storage/nrs/nps/cert/cacert
```
  The certificate and key must use the generated cert / key for this particular system which is saved in /tmp/certs/.
  Example:
  cp /tmp/cert/hostname for this system.pem /opt/ibm/appliance/storage/nrs/nps/cert/cert cp /tmp/cert/hostname for this system_key.pem /opt/ibm/appliance/storage/nrs/nps/cert/key
- If you are using custom certificates, replace the cacert information in index.yaml in /opt/ibm/appliance/storage/nrs/nps/cert/cacert with the information from the index.yaml file that you used in step 3 for /path/to/index.yaml.
```
cp /path/to/cacert /opt/ibm/appliance/storage/nrs/nps/cert/cacert
```
  Example:
  cp /path/to/cert for this system /opt/ibm/appliance/storage/nrs/nps/cert/cert cp /path/to/key for this system_key.pem /opt/ibm/appliance/storage/nrs/nps/cert/key
Start replication as described in Starting and stopping replication on a given node and return to this procedure.
On Cloud Pak for Data System, enable monitoring by Platform Manager.
```
ap apps enable NRS
```