Rotating client key or revoking old certificate
Once the client key is rotated, you must use the new certificate and private key to be able to create locked vaults. You can perform this procedure by using the following steps or by using this script: /opt/ibm/MCStore/scripts/mcstore_lockedvaultrotateclientkey.sh.
Note: Before you perform this procedure, ensure that no active migration is currently taking place.
After you perform this procedure, the old keys will not work.
- Generate a new CSR under a new alias. keytool -certreq signs the request with the private key stored under that alias, so the new key pair must already exist in the keystore (generate it first with keytool -genkeypair under the same alias; that new key is what the rotation moves you to):
keytool -certreq -alias mydomainnew -keyalg RSA -file mydomainnew.csr -keystore mydomain2.jks
- Get the CSR signed by sending it to the IBM Cloud® Object Storage Manager. The request is authenticated with the old private key and certificate (--key and --cert), which is why the old credentials must still be valid when you start. expirationDate is Unix time in milliseconds; the sample value 1508869800000 is 2017-10-24 18:30:00 UTC. The CSR is shown inline here; curl can also read it from the file with --data-urlencode 'csr@mydomainnew.csr'.
curl --cacert {path to ca certificate} --key {path to RSA private key} --cert {path to old certificate} 'https://<COS Manager IP>/manager/api/json/1.0/rotateClientKey.adm' -d 'expirationDate=1508869800000' --data-urlencode 'csr= -----BEGIN NEW CERTIFICATE REQUEST----- MIICzjCCAbYCAQAwWTELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAktBMRIwEAYDVQQHEwlCYW5nYWxv cmUxDDAKBgNVBAoTA1NEUzENMAsGA1UECxMESVNETDEMMAoGA1UEAxMDSUJNMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEApfVgjnp9vBwGA6Y/g54DBr1wWtWeSAwm680M42O1PUuRwV92 9UDBK9XEkY2Zb+o08Hvspd5VMU97bV7cnN8Fi8WuujHCdgAVuezTT0ZCHjVHl2L6CYql7hmWIazk TOaROoYlhzZCgQrDyVNIw6XuvkWo3eUIRyi1r6nafUFiqUtMEerEhEYa6cmm5qpeb2GKYJdeN53W SF0yrUCi9gRgPJiAq6lVSl+wWekbI6lwIAtJVyojx93lRl/KdxfFmh/sriUx//a6+I0OBli6EmEV BsHeG2HccS1diJ4+eUetXvfkYMjO6kRvYraSVKX022a4Jqki8iYDNf4XvRzOz5YbLQIDAQABoDAw LgYJKoZIhvcNAQkOMSEwHzAdBgNVHQ4EFgQUrgpT7F8Z+bA9qDxqU8PDg70zFj4wDQYJKoZIhvcN AQELBQADggEBADW4xuxBaaH9/ZBLOll0tXveSHF8Q4oZo2MhSWf34Shu/ZxC17H8NqCCMyxqVdXI 6kbdg1se5WLCq/JJA7TBcgCyJJqVjADt+RC+TGNc0NlsC7XpeRYLJtxqlKilsWnKJf5oRvA1Vg5P nkTjCE9XvUzhJ/tTQjNBJSh8nN7Tbu/q5mTIGG9imARPro2xQpvwiFMHrq/f1uNeZ3SeuLxwQtkK 4zge7XwyY63lrKsN0z2a4CPNzU0q68TGL1aE93QDpJYusSeTB0m2om4iTSNgsQKRmYqGDSXM3no/ 90UeTAgHjhJ82bGEOfP9FVm+6FnYydr1Endg1aEizC+sArk4e8E= -----END NEW CERTIFICATE REQUEST-----' -v
- The curl command returns the new certificate as a JSON string, as follows:
"-----BEGIN CERTIFICATE----- \nMIIEczCCAlugAwIBAgIQeijQBskfm0v3kYQcBOBmxTANBgkqhkiG9w0BAQ0FADCB \nkTELMAkGA1UEBhMCVVMxETAPBgNVBAgMCElsbGlub2lzMRAwDgYDVQQHDAdDaGlj \nYWdvMRMwEQYDVQQKDApDbGV2ZXJzYWZlMRkwFwYDVQQDDBBkc05ldCBNYW5hZ2Vy \nIENBMS0wKwYDVQQFEyQwMmQxMjk5ZS05Nzc3LTRlNmItODg3Yy0wYmMzNzJkODU1 \nMzcwHhcNMTYxMDI0MTMxNTE2WhcNMTcxMDI0MTgzMDAwWjBZMQswCQYDVQQGEwJJ \nTjELMAkGA1UECBMCS0ExEjAQBgNVBAcTCUJhbmdhbG9yZTEMMAoGA1UEChMDU0RT \nMQ0wCwYDVQQLEwRJU0RMMQwwCgYDVQQDEwNJQk0wggEiMA0GCSqGSIb3DQEBAQUA \nA4IBDwAwggEKAoIBAQCl9WCOen28HAYDpj+DngMGvXBa1Z5IDCbrzQzjY7U9S5HB \nX3b1QMEr1cSRjZlv6jTwe+yl3lUxT3ttXtyc3wWLxa66McJ2ABW57NNPRkIeNUeX \nYvoJiqXuGZYhrORM5pE6hiWHNkKBCsPJU0jDpe6+Rajd5QhHKLWvqdp9QWKpS0wR \n6sSERhrpyabmql5vYYpgl143ndZIXTKtQKL2BGA8mICrqVVKX7BZ6RsjqXAgC0lX \nKiPH3eVGX8p3F8WaH+yuJTH/9rr4jQ4GWLoSYRUGwd4bYdxxLV2Inj55R61e9+Rg \nyM7qRG9itpJUpfTbZrgmqSLyJgM1/he9HM7PlhstAgMBAAEwDQYJKoZIhvcNAQEN \nBQADggIBAJmCnhIN/nhp2VIgqA7td3EBD8xrejF0bT5mSUgx8flFmCKCJh6/Oyn9 \nl1PUp3SzSu734GdTDZiUtTXax7PYZlB3STlY0sZE7yU6zal0lIoUZEzXoohIEPVU \nW4X3j9HF3hWDwNsuqZfQDRmndaz6NG2EPDxiWgTYXPLdYaZyTQFFe6A4tbT9gSHu \n9UD1woFwjrSAfg03zwR7wSRSwcALsVs1BK96TYufZf+E2eFg+QBGAC5YWrZi3g4Q \n1Xqxj5W5TwujLxSJ+8zxf6P9f0T96vGICH8Yy9AIWzUa3fXLh6tc1Pw+LbuIjEWr \nK2TS+DLTmBAo8pQ5GsR8rShKFcPYOho2mbskAKgt4n+s63Jhu5qALS4Lw7eEQ7W7 \nqGffZ2JttNHwePAAqvx33xf+Y2SWn0fbOAlwT9BQ6ySn/qZR3e3Xl0rVqqukgCqO \nBnQhI5WN4HkONkyaquJruTLHUlWX5T01q/yLnrRt8TCBA4qnX7HMlEmQkXiF5Poj \nBcyCTctYu1HlijHjsWO9kztUfljI5OkVyS1q1FqcZQiziHHRiAEWbnrYn6Fgq13g \nIws7Lw9Utogj54tPCwJ8gEkoW4eTO4tnZmPTTdWlmVhTdEjVRxE8fotztHJuVisP \nmFCxBPWJZ8IP9t2C/4Zi1PuqXI/8YZx8LPIcQUcRxeLURIgQrpb7 \n-----END CERTIFICATE-----\n"
- Convert that string to a PEM file: strip the surrounding quotes and replace each literal two-character \n escape with a real line break, so that the file runs from BEGIN CERTIFICATE to END CERTIFICATE, and store it (for example as mydomainnew.crt). Check the copied base64 for stray characters; a damaged body cannot be imported in the next step.
- Import the signed certificate into the keystore that was created earlier, as the certificate reply for the alias whose key pair produced the CSR:
keytool -importcert -trustcacerts -alias mydomainnew -file <new-certificate> -keystore mydomain2.jks -storepass <keystore-password>
keytool must be able to validate the reply against the issuing IBM Cloud Object Storage Manager CA; if it reports that it cannot build the chain, import that CA certificate into the keystore (or the JRE cacerts file) under its own alias first. The expected result is "Certificate reply was installed in keystore", and keytool -list -v should then show mydomainnew as a PrivateKeyEntry carrying the new certificate.
After rotating the client key, use the new certificate and private key to create locked vaults. On transparent cloud tiering, update the cloud account by using the mmcloudgateway account update command so that it refers to the new alias; the old key and certificate no longer work.
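The two error-prone steps of the manual procedure are computing expirationDate (Unix milliseconds, not seconds or a date string) and turning the JSON-escaped certificate string into a PEM file that keytool will accept. The following Python helper is an added example and not IBM's code or part of the rotation script; it assumes the response body contains the certificate as a JSON string literal with \n escapes, as shown above, and it validates the extracted base64 before writing the file so that a copy-and-paste error is caught before keytool -importcert. The embedded sample response is constructed (its base64 is a 5-byte DER SEQUENCE, not a real certificate) so that the example runs offline.

```python
"""Helpers for the manual rotateClientKey.adm flow (added example, not IBM's code).

Assumptions: the Manager's response body contains the certificate as a JSON
string literal (line breaks arrive as the two characters backslash + n), and the
expirationDate form field is Unix time in milliseconds, as in the page's sample
value 1508869800000 (2017-10-24 18:30:00 UTC).
"""
import base64
import re
import time
from typing import Optional

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Constructed sample response: the base64 is a 5-byte DER SEQUENCE, not a real
# certificate, so the example runs offline without contacting a Manager.
SAMPLE_RESPONSE = r'"-----BEGIN CERTIFICATE----- \nMAMC\nAQU= \n-----END CERTIFICATE-----\n"'


def expiration_ms(days: int, now_ms: Optional[int] = None) -> int:
    """Value for the expirationDate field: Unix time in milliseconds, `days` from now."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return now_ms + days * 86_400_000


def expiration_ms_to_utc(ms: int) -> str:
    """Human-readable check of an expirationDate value (ISO 8601, UTC)."""
    return time.strftime("%Y-%m-%dT%H:%M:%S+00:00", time.gmtime(ms // 1000))


def response_to_pem(body: str) -> str:
    """Extract the certificate from the Manager's response and return a clean PEM block.

    Raises ValueError if the block is missing or the base64 is damaged, which is
    the failure mode of hand-editing the escaped string before keytool -importcert.
    """
    match = _CERT_RE.search(body)
    if match is None:
        raise ValueError("no CERTIFICATE block in response")
    # Literal "\n" escapes become real newlines, then all whitespace is dropped so
    # the body is one contiguous base64 string regardless of how it was wrapped.
    inner = match.group(1).replace("\\n", "\n")
    b64 = re.sub(r"\s+", "", inner)
    if not _B64_RE.fullmatch(b64):
        raise ValueError("certificate body contains non-base64 characters")
    der = base64.b64decode(b64, validate=True)  # raises binascii.Error on bad padding
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes do not start with a DER SEQUENCE")
    # Re-wrap at 64 columns, the conventional PEM line length.
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def write_pem(body: str, path: str) -> str:
    """Write the converted certificate to `path` (e.g. mydomainnew.crt) and return it."""
    pem = response_to_pem(body)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(pem)
    return pem


if __name__ == "__main__":
    # Decode the page's sample expirationDate and convert the constructed response.
    print(expiration_ms_to_utc(1508869800000))
    print(response_to_pem(SAMPLE_RESPONSE), end="")
```

In practice you would pipe the raw curl output into write_pem(body, "mydomainnew.crt") and pass that file to keytool -importcert; expiration_ms(365) gives the same default lifetime the automation script uses when expirationDays is omitted.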
Rotating client key or revoking old certificate by using the automation script
- Run mcstore_lockedvaultrotateclientkey.sh <keystorenewaliasname> <keystoreoldaliasname> <keyStorePath> <COSManagerIP> <expirationDays> <COSCACertFile>, where the first four parameters are mandatory and the last two parameters (<expirationDays> and <COSCACertFile>) are optional. The script name is all lowercase, as installed in /opt/ibm/MCStore/scripts and as used in the example below.
If the expiration period (expirationDays) is not specified, the command uses the default of 365 days.
If the IBM Cloud Object Storage CA certificate (COSCACertFile) is not specified, the script downloads the CA file from the IBM Cloud Object Storage Manager. That downloaded file is then what the script trusts to verify the Manager, so supply a CA file that you obtained out of band whenever you can.
- For the description of the parameters, see the mmcloudgateway command.
For example, run this command:
./mcstore_lockedvaultrotateclientkey.sh testnew5 test /root/svt/test.ssl/test.jks 9.10.0.10
The system displays output similar to this:
Enter KeyStore Password:
Note: Before rotating the client key and certificate take a backup of old Key Store
Validating the inputs and the configuration....
COS Manager is reachable. Proceeding with Configuration...
Transparent Cloud Tiering Server RPM already installed. Proceeding with Configuration...
Python libraries are already installed. Proceeding with Configuration...
CURL already installed. Proceeding with Configuration...
Certificate stored in file </root/svt/test.ssl/test_new.crt>
MAC verified OK
writing RSA key
What is your first and last name?
  [Unknown]:  demo
What is the name of your organizational unit?
  [Unknown]:  demo
What is the name of your organization?
  [Unknown]:  demo
What is the name of your City or Locality?
  [Unknown]:  demo
What is the name of your State or Province?
  [Unknown]:  demo
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=demo, OU=demo, O=demo, L=demo, ST=demo, C=IN correct? (type "yes" or "no")
  [no]:  yes
Generating a new CSR....
Downloading COS CA Certificate....
Sending CSR to CleverSafe to be signed.....
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2992  100  1777  100  1215   5758   3937 --:--:-- --:--:-- --:--:--  5769
Retrieving Certificate from Response.....
Importing New Client Certificate to Keystore.....
Certificate reply was installed in keystore
IMPORTANT: /root/svt/test.ssl contains private key, keystore and private certificate. You must keep a back up of /root/svt/test.ssl.
Rotate Client Key Completed Successfully.
Note: Please use mmcloudgateway update account command to import new certificate and private key in to TCT.
New Alias Name is : testnew5