Replacing default SSL certificates for the Data server and Storage Resource agents with custom SSL certificates

IBM Spectrum Control provides default SSL certificates for communication between the Data server and Storage Resource agent. You can replace the default SSL certificates. You must use the script that is provided by IBM Spectrum Control to generate new SSL certificates. You cannot use any third-party tools to generate the custom SSL certificates.

Overview of replacing default SSL certificates for the Data server and Storage Resource agents

IBM Spectrum Control uses SSL certificates for communication between the Data server and Storage Resource agents. IBM Spectrum Control provides default SSL certificates for this communication. If you want to generate new certificates, you can replace the default SSL certificates with updated SSL certificates.

Data server certificate
The IBM Spectrum Control Data server uses the TPCDataServer.jks and server.pwd files for communication with the Storage Resource agents. If you use custom SSL certificates, you must replace these files.
Storage Resource agent certificate
The Storage Resource agent uses the sra.pem and sra.pwd files for communication with the Data server. These two files are compressed into the certs.zip file on the IBM Spectrum Control server system for Storage Resource agent deployment purposes. If you use custom SSL certificates, you must replace these files.
These general steps are for replacing the default SSL certificates:
  1. Generate the custom SSL certificates.
  2. Stop the Data server and all Storage Resource agents, including the one on the IBM Spectrum Control server.
  3. Replace the default SSL certificate for the Data server and all Storage Resource agents. Also, replace the default SSL certificate for the Storage Resource agents in the IBM Spectrum Control installation image or in the Storage Resource agent installation image.
  4. Start the Data server and all Storage Resource agents, including the one on the IBM Spectrum Control server.
Important: When you generate custom SSL certificates, the certificates have a start date and time and an end date and time between which they are valid. These dates and times are taken from the system where the custom certificates were generated (which is usually the server system). When you install a Storage Resource agent on a remote system, you must check the date and time on the Storage Resource agent system. If the server and agent systems are in the same time zone, they must have the same date and time. Otherwise, the time zone on each system must be set so that the clocks agree after the time zone difference is accounted for.

For example, if the clock on the server system shows 8:00 PM, the clock on the agent system must also show 8:00 PM. If the agent system is set to a different time (for example, 6:00 PM) when the custom SSL certificates are generated on the server system at 8:00 PM, the deployment of the Storage Resource agent fails.
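The following Python script is an added example that is not part of IBM Spectrum Control; it shows the check that the note above asks for. It reads the notBefore and notAfter fields from a PEM certificate (such as the sra.pem file) with a minimal DER walk, converts the agent clock reading to UTC, and reports whether the agent would consider the certificate valid. The sample certificate is constructed inside the script and carries only the fields the parser needs; the function names and the 1 June 2024 scenario are the author's own assumptions.

```python
"""Check a Storage Resource agent certificate's validity window against the agent
clock before deployment. Added example, not IBM Spectrum Control code: it reads
notBefore/notAfter from a PEM certificate (such as sra.pem) with a minimal DER walk.
The sample certificate is constructed here; all function names are the author's own."""
import base64
import re
from datetime import datetime, timezone


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER tag-length-value at data[pos]."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _parse_time(tag, value):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) to aware UTC."""
    text = value.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280 century rule
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(pem):
    """Return (not_before, not_after) from the first certificate in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, cert, _ = _read_tlv(der, 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)  # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    validity = fields[3][1]  # serialNumber, signature, issuer, validity
    (nb_tag, nb), (na_tag, na) = list(_children(validity))
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)


def check_agent_clock(pem, agent_clock_iso):
    """Return (ok, reason) for an agent clock reading given as ISO 8601 with offset.
    The reading is converted to UTC, so a correctly set clock in another time zone
    passes; a clock that is simply behind the server is reported as not yet valid."""
    agent_now = datetime.fromisoformat(agent_clock_iso)
    if agent_now.tzinfo is None:
        return False, "clock reading has no UTC offset; set the agent time zone"
    now = agent_now.astimezone(timezone.utc)
    not_before, not_after = certificate_validity(pem)
    if now < not_before:
        return False, (f"agent clock {now:%Y-%m-%d %H:%M} UTC is before the "
                       f"certificate's notBefore {not_before:%Y-%m-%d %H:%M} UTC")
    if now > not_after:
        return False, f"certificate expired at {not_after:%Y-%m-%d %H:%M} UTC"
    return True, "agent clock lies inside the certificate validity window"


def _tlv(tag, value):
    """DER-encode one tag-length-value (used only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_pem(not_before, not_after):
    """Constructed, unsigned dummy certificate with empty issuer/algorithm fields."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))  # [0] version v3
                     + _tlv(0x02, b"\x01")  # serialNumber
                     + _tlv(0x30, b"") + _tlv(0x30, b"")  # signature alg, issuer
                     + _tlv(0x30, utc(not_before) + utc(not_after)))  # validity
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed scenario: the server generated the certificates at 8:00 PM UTC, 1 June 2024.
SAMPLE_PEM = build_sample_pem(datetime(2024, 6, 1, 20, 0, tzinfo=timezone.utc),
                              datetime(2025, 6, 1, 20, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for reading in ("2024-06-01T20:00:00+00:00",   # agent clock matches the server
                    "2024-06-01T18:00:00+00:00",   # agent clock two hours behind
                    "2024-06-01T16:00:00-04:00"):  # same instant, different time zone
        print(reading, check_agent_clock(SAMPLE_PEM, reading))
```

Run it against the real sra.pem by passing the file contents and the agent's current time as an ISO 8601 string with its UTC offset; the 6:00 PM reading reproduces the failure the note describes, while 4:00 PM at UTC-4 passes because it is the same instant as 8:00 PM UTC.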

How to generate custom SSL certificates

The createSRACerts.sh script (for Linux® or UNIX) or the createSRACerts.bat file (for Windows) is located in the following directory:
installation_dir/data/sra/tools/certs
Where installation_dir is the directory where the IBM Spectrum Control servers are installed. The default directory is /opt/IBM/TPC for Linux or UNIX or C:\Program Files\IBM\TPC for Windows.

To replace the default SSL certificates, follow these steps:

  1. Create the custom SSL certificates.

    The createSRACerts script creates the custom SSL certificates.

    The syntax is:
    createSRACerts output_directory rootCAPassword server_key_password server_store_password agent_password
    output_directory
    Directory where the certificates are created. You must provide a valid directory. The script creates the sra_certs_out subdirectory and places the certificate files in that subdirectory.
    rootCAPassword
    Root CA password (root certificate authority password). You can enter a new root certificate authority password or you can enter the default root certificate authority password: s5umEvApR6cafruhustu.
    server_key_password
    Server key password. You can enter a new server key password or you can enter the default server key password: drUtaxahaswefraf9uth.
    server_store_password
    Server store password. You can enter a new server store password or you can enter the default server store password: wr4d5Xekaqafehet5u2a.
    agent_password
    Agent password. You can enter a new agent password or you can enter the default agent password: jawUchezuthew6azEjef.
    Important: The createSRACerts script strictly assumes the order of the command line parameters output_directory, rootCAPassword, server_key_password, server_store_password, and agent_password. For example, if you want to pass the rootCAPassword parameter to the script, the rootCAPassword parameter must be the second argument to the script and you must also pass the output_directory parameter as the first argument to the script.

    Another example: If you want to pass the server_store_password parameter to the script, the server_store_password parameter must be the fourth argument to the script and you must also pass the server_key_password parameter as the third argument, the rootCAPassword parameter as the second argument, and the output_directory parameter as the first argument to the script.

    Important: While the script runs, it prompts you twice for the pass phrase for tpcrootca.key. If you entered a new root certificate authority password on the command line when you ran the script, enter that same new root certificate authority password at each prompt. If you entered the default root certificate authority password on the command line, or did not enter a root certificate authority password on the command line at all, enter the default root certificate authority password at each prompt.
    The following example creates the SSL certificates by using the default passwords and placing the certificate files in the sra_certs_out subdirectory of the current working directory:
    createSRACerts . 
    The following examples create the SSL certificates by using the default passwords and placing the certificate files in C:\Temp\sra_certs_out\ on Windows and in /tmp/sra_certs_out/ on UNIX or Linux:
    Windows
    createSRACerts C:\temp
    UNIX or Linux
    ./createSRACerts.sh /tmp
    The following examples create the SSL certificates by using new passwords for the root certificate authority password and the server key password and placing the certificate files in the C:\Temp\sra_certs_out\ directory on Windows and in the /tmp/sra_certs_out/ directory on UNIX or Linux:
    Windows
    createSRACerts C:\temp newpasswordforrootCA newpasswordforserver
    UNIX or Linux
    ./createSRACerts.sh /tmp newpasswordforrootCA newpasswordforserver
  2. If the script fails, delete the files in the output directory and then run the createSRACerts script again.
  3. Stop all Storage Resource agents and the Data server.

    For more information about starting or stopping IBM Spectrum Control services, see Starting and stopping the IBM Spectrum Control servers.

  4. Replace the certificate files:
    • Replace the certificate files for the Data server.
    • Replace the certificate files for the local Storage Resource agent that runs on the IBM Spectrum Control server.
    • Replace the certificate files for the remote Storage Resource agents that run on computers other than the IBM Spectrum Control server.
    • Replace the certificate files in the locations used for future installations of the remote Storage Resource agents.
    Replace the certificate files for the Data server.
    The new Data server certificate files are created in the following directory:
    output_directory/sra_certs_out/server
    By default, the output_directory is the directory where the createSRACerts script is run:
    installation_dir/data/sra/tools/certs
    These files are the Data server certificate files:
    TPCDataServer.jks
    server.pwd
    Copy the Data server certificate files to the following directory:
    installation_dir/data/sra/certs
    Replace the certificate files for the local Storage Resource agent that runs on the IBM Spectrum Control server.
    The new Storage Resource agent certificates are created on the IBM Spectrum Control server in the following directory:
    output_directory/sra_certs_out/agent
    By default, the output_directory is the directory where the createSRACerts script is run:
    installation_dir/data/sra/tools/certs
    The Storage Resource agent certificate file is:
    certs.zip
    Copy the Storage Resource agent certificate file to the following directory on the IBM Spectrum Control server:
    installation_dir/data/sra/server_operating_system

    Where server_operating_system is the operating system on which the IBM Spectrum Control Data server is installed.

    Extract the Storage Resource agent certificate file in the following directory on the IBM Spectrum Control server:
    installation_dir/agent
    Replace the certificate files for the remote Storage Resource agents that run on computers other than the IBM Spectrum Control server.
    The new Storage Resource agent certificates are created on the IBM Spectrum Control server in the following directory:
    output_directory/sra_certs_out/agent
    By default, the output_directory is the directory where the createSRACerts script is run:
    installation_dir/data/sra/tools/certs
    The Storage Resource agent certificate file is:
    certs.zip
    Copy the Storage Resource agent certificate file to the following directories on the IBM Spectrum Control server:
    installation_dir/data/sra/remote_agent_operating_system
    Where remote_agent_operating_system is an operating system on which a remote Storage Resource agent is installed.
    Extract the Storage Resource agent certificate file in the following directory on the computer where the remote Storage Resource agent is installed:
    installation_dir/agent
    Replace the certificate files in the locations used for future installations of remote Storage Resource agents.
    The new Storage Resource agent certificates are created on the IBM Spectrum Control server in the following directory:
    output_directory/sra_certs_out/agent
    By default, the output_directory is the directory where the createSRACerts script is run:
    installation_dir/data/sra/tools/certs
    The Storage Resource agent certificate file is:
    certs.zip
    Copy the Storage Resource agent certificate file to the following directories on the IBM Spectrum Control server:
    installation_dir/data/sra/future_remote_agent_operating_system
    Where future_remote_agent_operating_system is an operating system on which you install a Storage Resource agent some time in the future.
    Restriction: This process assumes that the Storage Resource agent disk image can be modified. You must copy the installation files to a writable location before proceeding.

    Before the Storage Resource agent can be installed locally, the new certificate must be copied to the agent system. Copy the new certs.zip Storage Resource agent certificate file from the output_directory/sra_certs_out/agent directory on the IBM Spectrum Control server to the agent system.

    1. On the agent system, extract the Storage Resource agent installation image in the SRA_image_install_directory.
    2. Copy the new certs.zip file into the following directory:
      SRA_image_install_directory/sra/agent_operating_system
    3. Extract the new certs.zip file in the following directory:
      SRA_image_install_directory/sra/agent_operating_system
      Note: The SRA_image_install_directory value is the directory where the Storage Resource agent image was extracted and agent_operating_system is the directory that is named for the operating system that is running on the computer where you intend to install the Storage Resource agent.
    4. Install the Storage Resource agent with the wanted options.
  5. Start the Data server and Storage Resource agents.

    For more information about starting or stopping IBM Spectrum Control services, see Starting and stopping the IBM Spectrum Control servers.
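The following Python helper is an added example that is not part of IBM Spectrum Control; it covers steps 1 and 2 of the procedure above. The createSRACerts script is the page's own; build_argv and preflight are names chosen for this example. build_argv assembles the argument list in the positional order the script requires, filling any earlier slot you leave empty with the documented default password so that a later argument is never shifted into the wrong position, and preflight checks that the output directory exists and that a previous run's sra_certs_out directory has been emptied before a rerun. Because the script takes passwords as command-line arguments, the helper only returns the list; run it on the server system itself rather than echoing the arguments into shared logs or shell history.

```python
"""Assemble a createSRACerts invocation in the positional order the script requires
and check the output directory first. Added example, not IBM Spectrum Control code:
createSRACerts is the page's script; build_argv and preflight are the author's own
helper names. The parameter order and the documented defaults are taken from the page."""
import os
import sys

PARAM_ORDER = ("output_directory", "rootCAPassword", "server_key_password",
               "server_store_password", "agent_password")
DOCUMENTED_DEFAULTS = {
    "rootCAPassword": "s5umEvApR6cafruhustu",
    "server_key_password": "drUtaxahaswefraf9uth",
    "server_store_password": "wr4d5Xekaqafehet5u2a",
    "agent_password": "jawUchezuthew6azEjef",
}


def build_argv(output_directory, windows=None, **passwords):
    """Return [script, output_directory, ...] with every argument in its slot.

    Slots after the last password you supply are left out (the script then uses
    its defaults); slots before it are filled with the documented default, so a
    later argument is never shifted into an earlier position."""
    unknown = sorted(set(passwords) - set(PARAM_ORDER[1:]))
    if unknown:
        raise ValueError(f"unknown parameter(s): {unknown}")
    if windows is None:
        windows = sys.platform.startswith("win")
    script = "createSRACerts.bat" if windows else "./createSRACerts.sh"
    argv = [script, output_directory]
    names = PARAM_ORDER[1:]
    supplied = [i for i, name in enumerate(names) if passwords.get(name)]
    for name in (names[:max(supplied) + 1] if supplied else ()):
        argv.append(passwords.get(name) or DOCUMENTED_DEFAULTS[name])
    return argv


def preflight(output_directory):
    """Return the problems that would make the run fail or mix new and stale files."""
    problems = []
    if not os.path.isdir(output_directory):
        problems.append(f"{output_directory} is not an existing directory")
    stale = os.path.join(output_directory, "sra_certs_out")
    if os.path.isdir(stale) and os.listdir(stale):
        problems.append(f"{stale} is not empty: delete its files before rerunning")
    return problems


if __name__ == "__main__":
    # Mirrors the page's UNIX example with new root CA and server key passwords.
    print(" ".join(build_argv("/tmp", windows=False,
                              rootCAPassword="newpasswordforrootCA",
                              server_key_password="newpasswordforserver")))
    for problem in preflight("/tmp"):
        print("preflight:", problem)
```

Supplying only server_store_password, for example, yields a four-argument call in which the second and third slots carry the documented defaults, which is exactly the ordering rule stated under "Important" in step 1.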