Replacing default SSL certificates for the Data server and Storage Resource agents with custom SSL certificates
IBM Spectrum Control provides default SSL certificates for communication between the Data server and Storage Resource agent. You can replace the default SSL certificates. You must use the script that is provided by IBM Spectrum Control to generate new SSL certificates. You cannot use any third-party tools to generate the custom SSL certificates.
Overview of replacing default SSL certificates for the Data server and Storage Resource agents
IBM Spectrum Control uses SSL certificates for communication between the Data server and Storage Resource agents, and provides default SSL certificates for this communication. If you do not want to rely on the default SSL certificates, you can generate new SSL certificates with the provided script and replace the default ones with them.
- Data server certificate
  The IBM Spectrum Control Data server uses the TPCDataServer.jks and server.pwd files for communication with the Storage Resource agents. If you use custom SSL certificates, you must replace these files.
- Storage Resource agent certificate
  The Storage Resource agent uses the sra.pem and sra.pwd files for communication with the Data server. These two files are compressed into the certs.zip file on the IBM Spectrum Control server system for Storage Resource agent deployment purposes. If you use custom SSL certificates, you must replace these files.
Replacing the default SSL certificates involves these steps:
- Generate the custom SSL certificates.
- Stop the Data server and all Storage Resource agents, including the one on the IBM Spectrum Control server.
- Replace the default SSL certificate for the Data server and all Storage Resource agents. Also, replace the default SSL certificate for the Storage Resource agents in the IBM Spectrum Control installation image or in the Storage Resource agent installation image.
- Start the Data server and all Storage Resource agents, including the one on the IBM Spectrum Control server.
Important: The clock on each agent system must agree with the clock on the server system at the time the custom SSL certificates are generated. For example, if the server system time is 8:00 PM, the agent system time must also be 8:00 PM. If the agent system is set to a different time (for example, 6:00 PM) when the custom SSL certificates are generated on the server system at 8:00 PM, the deployment of the Storage Resource agent fails; an agent whose clock is behind the server's, as in this example, sees certificates that are not yet valid.
How to generate custom SSL certificates
The createSRACerts.sh script (for Linux® or UNIX) or the createSRACerts.bat file (for Windows) is located in the following directory:
installation_dir/data/sra/tools/certs
Where installation_dir is the directory where the IBM Spectrum Control servers are installed. The default directory is /opt/IBM/TPC for Linux or UNIX or C:\Program Files\IBM\TPC for Windows.
To replace the default SSL certificates, follow these steps:
- Create the custom SSL certificates.
  The createSRACerts script creates the custom SSL certificates. It accepts the following parameters:
  - output_directory
    Directory where the certificates are created. You must provide a valid directory. The script creates the sra_certs_out subdirectory and places the certificate files in that subdirectory.
  - rootCAPassword
    Root CA password (root certificate authority password). You can enter a new root certificate authority password or you can enter the default root certificate authority password: s5umEvApR6cafruhustu
  - server_key_password
    Server key password. You can enter a new server key password or you can enter the default server key password: drUtaxahaswefraf9uth
  - server_store_password
    Server store password. You can enter a new server store password or you can enter the default server store password: wr4d5Xekaqafehet5u2a
  - agent_password
    Agent password. You can enter a new agent password or you can enter the default agent password: jawUchezuthew6azEjef
  Important: The default passwords are printed in this documentation and must therefore be treated as public. A key store or key file that is protected with a published password gives no protection to anyone who obtains the file. Supply new passwords for all four values in any production deployment.
Important: The createSRACerts script takes its command-line parameters strictly by position, in the order output_directory, rootCAPassword, server_key_password, server_store_password, and agent_password. To supply any parameter, you must also supply every parameter that precedes it. For example, to pass rootCAPassword, it must be the second argument and output_directory must be the first. To pass server_store_password, it must be the fourth argument, with output_directory, rootCAPassword, and server_key_password as the first, second, and third arguments.
Important: While it generates the certificates, the script prompts you twice for the pass phrase for tpcrootca.key. If you entered a new root certificate authority password on the command line, enter that same new password at each prompt. If you entered the default root certificate authority password on the command line, or did not enter a root certificate authority password at all, enter the default root certificate authority password at each prompt.
The following example creates the SSL certificates by using the default passwords and places the certificate files in the sra_certs_out subdirectory of the current working directory (the "." argument):
createSRACerts .
The following examples create the SSL certificates by using the default passwords and place the certificate files in C:\Temp\sra_certs_out\ on Windows and in /tmp/sra_certs_out/ on UNIX or Linux.
- Windows
  createSRACerts C:\temp
- UNIX or Linux
  ./createSRACerts.sh /tmp
The following examples create the SSL certificates by using new passwords for the root certificate authority and the server key, and place the certificate files in the C:\Temp\sra_certs_out\ directory on Windows and in the /tmp/sra_certs_out/ directory on UNIX or Linux:
- Windows
  createSRACerts C:\temp newpasswordforrootCA newpasswordforserver
- UNIX or Linux
  ./createSRACerts.sh /tmp newpasswordforrootCA newpasswordforserver
  Generate the certificates again if you have a failure. Delete the files in the output directory before you rerun the createSRACerts script.
- Stop all Storage Resource agents and the Data server.
For more information about starting or stopping IBM Spectrum Control services, see Starting and stopping the IBM Spectrum Control servers.
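The generation step above, wrapped in a small POSIX shell script as an added example (this is not IBM's code and not part of the product): it enforces the positional argument order that the createSRACerts script requires, refuses the four published default passwords, and clears a previous sra_certs_out subdirectory before a rerun, as the procedure requires. The environment variable names SRA_ROOTCA_PW, SRA_SERVER_KEY_PW, SRA_SERVER_STORE_PW and SRA_AGENT_PW and the 16-character minimum are this example's own choices, not product requirements; it assumes it is run from installation_dir/data/sra/tools/certs on Linux or UNIX.

```shell
#!/bin/sh
# Added example, not part of IBM Spectrum Control: a wrapper around
# createSRACerts.sh that enforces the positional argument order the IBM script
# requires and refuses the published default passwords.
# Assumed: run from installation_dir/data/sra/tools/certs on Linux or UNIX;
# new passwords arrive in the environment variables SRA_ROOTCA_PW,
# SRA_SERVER_KEY_PW, SRA_SERVER_STORE_PW and SRA_AGENT_PW (names chosen here).

# The default passwords printed in the product documentation. Anything in
# this list is public knowledge and protects nothing.
SRA_PUBLISHED_DEFAULTS='s5umEvApR6cafruhustu drUtaxahaswefraf9uth wr4d5Xekaqafehet5u2a jawUchezuthew6azEjef'

# is_published_default PASSWORD -> 0 if PASSWORD is one of the documented defaults
is_published_default() {
    for d in $SRA_PUBLISHED_DEFAULTS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# check_sra_password LABEL PASSWORD -> 0 if the password is acceptable.
# Rejects empty values, published defaults, whitespace (avoids quoting
# accidents on the IBM script's command line) and, as this wrapper's own
# policy rather than a product rule, anything shorter than 16 characters.
check_sra_password() {
    label=$1; pw=$2
    if [ -z "$pw" ]; then
        echo "error: $label is empty" >&2; return 1
    fi
    if is_published_default "$pw"; then
        echo "error: $label is a published default password; choose a new one" >&2; return 1
    fi
    case $pw in
        *[[:space:]]*) echo "error: $label must not contain whitespace" >&2; return 1 ;;
    esac
    if [ "${#pw}" -lt 16 ]; then
        echo "error: $label is shorter than 16 characters" >&2; return 1
    fi
    return 0
}

# build_create_sra_args OUTDIR ROOTCA SERVER_KEY SERVER_STORE AGENT
# Checks every value and prints the five arguments, one per line, in the
# exact order createSRACerts expects: output_directory, rootCAPassword,
# server_key_password, server_store_password, agent_password. Returns 1 on
# any failure so the IBM script is never started with a bad argument list.
build_create_sra_args() {
    outdir=$1
    [ -d "$outdir" ] || { echo "error: output directory '$outdir' does not exist" >&2; return 1; }
    check_sra_password rootCAPassword "$2" || return 1
    check_sra_password server_key_password "$3" || return 1
    check_sra_password server_store_password "$4" || return 1
    check_sra_password agent_password "$5" || return 1
    printf '%s\n' "$outdir" "$2" "$3" "$4" "$5"
}

# run_create_sra_certs OUTDIR
# Validates the environment-supplied passwords, removes a previous
# sra_certs_out (the documented prerequisite for a rerun) and invokes the IBM
# script. The script will still prompt twice for the tpcrootca.key pass
# phrase; answer with the value of SRA_ROOTCA_PW.
run_create_sra_certs() {
    outdir=$1
    build_create_sra_args "$outdir" "$SRA_ROOTCA_PW" "$SRA_SERVER_KEY_PW" \
        "$SRA_SERVER_STORE_PW" "$SRA_AGENT_PW" >/dev/null || return 1
    rm -rf "$outdir/sra_certs_out"
    ./createSRACerts.sh "$outdir" "$SRA_ROOTCA_PW" "$SRA_SERVER_KEY_PW" \
        "$SRA_SERVER_STORE_PW" "$SRA_AGENT_PW"
}
```

Export the four variables, then call run_create_sra_certs /tmp to get the certificates in /tmp/sra_certs_out. Because the IBM script takes the passwords as command-line arguments, they are visible in the process list for as long as it runs; run it on a host where no untrusted users are logged in, and unset the variables afterwards.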
- Replace the certificate files:
- Replace the certificate files for the Data server.
- Replace the certificate files for the local Storage Resource agent that runs on the IBM Spectrum Control server.
- Replace the certificate files for the remote Storage Resource agents that run on computers other than the IBM Spectrum Control server.
- Replace the certificate files in the locations used for future installations of the remote Storage Resource agents.
- Replace the certificate files for the Data server.
  The new Data server certificate files are created in the following directory:
  output_directory/sra_certs_out/server
  By default, the output_directory is the directory where the createSRACerts script is run: installation_dir/data/sra/tools/certs
  These files are the Data server certificate files: TPCDataServer.jks and server.pwd
  Copy the Data server certificate files to the following directory: installation_dir/data/sra/certs
- Replace the certificate files for the local Storage Resource agent that runs on the IBM Spectrum Control server.
  The new Storage Resource agent certificates are created on the IBM Spectrum Control server in the following directory:
  output_directory/sra_certs_out/agent
  By default, the output_directory is the directory where the createSRACerts script is run: installation_dir/data/sra/tools/certs
  The Storage Resource agent certificate file is: certs.zip
  Copy the Storage Resource agent certificate file to the following directory on the IBM Spectrum Control server: installation_dir/data/sra/server_operating_system
  Where server_operating_system is the operating system on which the IBM Spectrum Control Data server is installed.
  Extract the Storage Resource agent certificate file in the following directory on the IBM Spectrum Control server: installation_dir/agent
- Replace the certificate files for the remote Storage Resource agents that run on computers other than the IBM Spectrum® Control server.
  The new Storage Resource agent certificates are created on the IBM Spectrum Control server in the following directory:
  output_directory/sra_certs_out/agent
  By default, the output_directory is the directory where the createSRACerts script is run: installation_dir/data/sra/tools/certs
  The Storage Resource agent certificate file is: certs.zip
  Copy the Storage Resource agent certificate file to the following directories on the IBM Spectrum Control server: installation_dir/data/sra/remote_agent_operating_system
  Where remote_agent_operating_system is an operating system on which a remote Storage Resource agent is installed.
  Extract the Storage Resource agent certificate file in the following directory on the computer where the remote Storage Resource agent is installed: installation_dir/agent
- Replace the certificate files in the locations used for future installations of remote Storage Resource agents.
  The new Storage Resource agent certificates are created on the IBM Spectrum Control server in the following directory:
  output_directory/sra_certs_out/agent
  By default, the output_directory is the directory where the createSRACerts script is run: installation_dir/data/sra/tools/certs
  The Storage Resource agent certificate file is: certs.zip
  Copy the Storage Resource agent certificate file to the following directories on the IBM Spectrum Control server: installation_dir/data/sra/future_remote_agent_operating_system
  Where future_remote_agent_operating_system is an operating system on which you install a Storage Resource agent some time in the future.
  Restriction: This process assumes that the Storage Resource agent disk image can be modified. You must copy the installation files to a writable location before proceeding.
  Before the Storage Resource agent can be installed locally, the new certificate must be copied to the agent system. Copy the new certs.zip Storage Resource agent certificate file from the output_directory/sra_certs_out/agent directory on the IBM Spectrum Control server to the agent system.
  - On the agent system, extract the Storage Resource agent installation image in the SRA_image_install_directory.
  - Copy the new certs.zip file into the following directory: SRA_image_install_directory/sra/agent_operating_system
  - Extract the new certs.zip file in the following directory: SRA_image_install_directory/sra/agent_operating_system
    Note: The SRA_image_install_directory value is the directory where the Storage Resource agent image was extracted and agent_operating_system is the directory that is named for the operating system that is running on the computer where you intend to install the Storage Resource agent.
  - Install the Storage Resource agent with the wanted options.
- Start the Data server and Storage Resource agents.
For more information about starting or stopping IBM Spectrum Control services, see Starting and stopping the IBM Spectrum Control servers.
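The replacement steps above touch several directories on several machines, so it is worth verifying the result before trusting the restart. The following POSIX shell functions are an added example, not IBM's code and not part of the product: they confirm that the installed Data server and Storage Resource agent certificate files are byte-identical to the generated ones, and that the certificate in sra.pem is already valid according to the local clock, which is the clock-skew failure the procedure warns about. Assumptions made here: certs.zip extracts sra.pem and sra.pwd directly into the target directory, sra.pem contains the agent certificate in PEM form, and the clock check needs openssl and GNU date (Linux).

```shell
#!/bin/sh
# Added example, not part of IBM Spectrum Control or its documentation:
# checks to run after the custom SSL certificate files have been copied into
# place. compare_cert_set/check_*_certs confirm the installed files match the
# generated ones; check_not_before catches an agent whose clock is behind the
# server that generated the certificates.
# Assumptions: certs.zip extracts sra.pem and sra.pwd directly into the target
# directory; sra.pem holds the agent certificate in PEM form; the clock check
# needs openssl and GNU date.

# compare_cert_set REF_DIR TARGET_DIR FILE...
# Returns 0 if every FILE in TARGET_DIR is byte-identical to REF_DIR's copy.
# A missing or differing file is reported on stderr and makes the result 1.
compare_cert_set() {
    ref=$1; target=$2; shift 2
    rc=0
    for f in "$@"; do
        if [ ! -f "$target/$f" ]; then
            echo "MISSING  $target/$f" >&2; rc=1
        elif cmp -s "$ref/$f" "$target/$f"; then
            echo "OK       $target/$f"
        else
            echo "STALE    $target/$f differs from $ref/$f" >&2; rc=1
        fi
    done
    return $rc
}

# check_server_certs OUTPUT_DIR INSTALLATION_DIR
# The Data server files are copied from output_directory/sra_certs_out/server
# to installation_dir/data/sra/certs; this compares the two locations.
check_server_certs() {
    compare_cert_set "$1/sra_certs_out/server" "$2/data/sra/certs" \
        TPCDataServer.jks server.pwd
}

# check_agent_certs REF_DIR AGENT_DIR
# REF_DIR is a directory into which the generated certs.zip was extracted
# (for example: unzip -q output_directory/sra_certs_out/agent/certs.zip -d REF_DIR);
# AGENT_DIR is installation_dir/agent on the agent system, where certs.zip was extracted.
check_agent_certs() {
    compare_cert_set "$1" "$2" sra.pem sra.pwd
}

# check_not_before PEM_FILE
# Returns 0 if the certificate's notBefore is not in the future on this host,
# 1 if it is (or the file cannot be parsed), 2 if openssl is unavailable.
check_not_before() {
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found, clock check skipped" >&2; return 2; }
    start=$(openssl x509 -in "$1" -noout -startdate) || return 1
    start=${start#notBefore=}
    start_epoch=$(date -u -d "$start" +%s) || return 1    # GNU date only
    now_epoch=$(date -u +%s)
    if [ "$start_epoch" -gt "$now_epoch" ]; then
        echo "CLOCK    $1 is not valid until $start; this host's clock is behind the server that generated it" >&2
        return 1
    fi
    echo "OK       $1 valid since $start"
}
```

Run check_server_certs on the IBM Spectrum Control server and check_agent_certs plus check_not_before on every agent system. A STALE or MISSING result means that system still holds the previous certificate files and the copy-and-extract step must be repeated there; a CLOCK result means the agent's time must be corrected, or the certificates regenerated after the clocks agree, before the agent is deployed.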