The Fabric Manager user interface needs a valid certificate in order to start. You must complete the entire procedure before restarting the Fabric Manager.
The Fabric Management Platform is shipped with a default RSA keypair and self-signed certificate in order for initial operations to be secured by Secure Sockets Layer (SSL)/Transport Layer Security (TLS). As a security best practice, Unisys recommends that you generate a new RSA keypair and request and install a Certificate Authority (CA) signed certificate to replace the defaults that are shipped with the platform.
Note: In the following procedures, # represents a command prompt. You do not need to type it.
Generating a New RSA Keypair and Certificate Authority Signed Certificate
To update Fabric Manager with a new RSA keypair and Certificate Authority (CA) signed certificate, do the following:
Launch a virtual console from the Fabric Management Platform console and log in as root.
Navigate to the “ssl” directory by entering the following command:
# cd /etc/ssl/certs
Enter the following command to set the environment variable that supplies the Domain Name System (DNS) name and IP address entries for the certificate.
Note: Angular brackets (< >) are used to represent variable data. Do not include them in the following command.
# export ALTNAME=DNS:<hostname>,IP:<FMP_IP>,DNS:localhost,IP:127.0.0.1
| Where... | Represents... |
|---|---|
| hostname | The fully qualified host name of the Fabric Management Platform. Note: You can enter the hostname -f command to view the host name. |
| FMP_IP | The IP address of the Fabric Management Platform. |
The IP address of the Fabric Management Platform depends on which IP address is used to access the Fabric Management Platform remotely. See Table 1, Fabric Management Platform IP Addresses, for the available options.
Table 1. Fabric Management Platform IP Addresses
| Component | IP Address |
|---|---|
| Customer corporate LAN (public LAN) | Static: / Floating: |
| ClearPath Forward Management LAN (FM LAN) | Static: / Floating: |
Note: The FM LAN IP address subnet (172.29) can be modified by the Fabric Manager administrator; however, the second octet (254.252, 253.252 and 254.60) remains constant. For example, if the FM LAN IP address subnet changed from 172.29 to 172.80, the static and floating FM LAN IP addresses would change to 172.80.254.252, 172.80.253.252 and 172.80.254.60.
Enter the following command to create the private key (localhost.key) and a certificate signing request (localhost.csr).
Note: Angular brackets (< >) are used to represent variable data. Do not include them in the following command.
# openssl req -new -nodes -newkey rsa:4096 -sha512 -subj "/C=<CC>/ST=<State>/L=<Location>/O=<Company>/OU=<OrgUnit>/CN=<Hostname>" -keyout localhost.key -out localhost.csr -extensions v3_req
| Where... | Represents... |
|---|---|
| CC | The two-letter country code (for example, US or UK). |
| State | The name of the state. |
| Location | The name of the location (for example, London). |
| Company | The name of the company. |
| OrgUnit | The name of the organization unit. |
| Hostname | The output of the hostname -f command. |
The two files “localhost.key” and “localhost.csr” are created.
Submit the localhost.csr file to an appropriate Certificate Authority (CA), which will then return a “localhost.crt” file (that is, a certificate).
Note: The certificate must be in PEM format for the Fabric Manager configuration step (step 7) to work. If the certificate is not in PEM format (for example, the CA returned a binary DER file), use the openssl x509 command (with -inform DER) to convert the certificate to PEM format.
Copy the “localhost.crt” certificate file to the /etc/ssl/certs folder.
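The following script is an added example and is not Unisys code or the platform's generate-ffm-certs.sh; it is a way to rehearse the key and CSR steps above and to check the certificate that comes back before it is handed to the configuration step. It also covers the self-signed variant described later on this page (“Generating a New RSA Keypair and Self-Signed Certificate for Internal Deployment and Testing”) by signing the CSR with its own key as a stand-in for the CA. It assumes an OpenSSL command-line tool, a scratch directory, a minimal OpenSSL configuration (written by the script) that wires the ALTNAME environment variable into the subjectAltName extension, and constructed placeholder values for the hostname, IP address and subject fields.

```shell
#!/bin/sh
# Added example, not Unisys code: generate a 4096-bit RSA key and a CSR that
# carries the subject alternative names from $ALTNAME, then check the returned
# certificate (PEM format, key/certificate match, self-signed or CA-signed).
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Same shape as the page's export command; values are constructed placeholders.
ALTNAME="${ALTNAME:-DNS:fmp.example.internal,IP:192.0.2.10,DNS:localhost,IP:127.0.0.1}"
export ALTNAME

# Minimal config whose v3_req section reads the SAN list from the environment,
# so the names end up in the request rather than only in the CN.
write_config() {
    cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
[dn]
[v3_req]
subjectAltName = $ENV::ALTNAME
EOF
}

# Key and CSR, mirroring the page's openssl req invocation (placeholder subject).
make_csr() {
    write_config
    openssl req -new -nodes -newkey rsa:4096 -sha512 \
        -subj "/C=US/ST=State/L=Location/O=Company/OU=OrgUnit/CN=fmp.example.internal" \
        -config "$WORK/san.cnf" -reqexts v3_req \
        -keyout "$WORK/localhost.key" -out "$WORK/localhost.csr" 2>/dev/null
}

# Returns 0 only if every DNS:/IP: entry of $ALTNAME appears in the CSR.
csr_has_san() {
    text=$(openssl req -in "$WORK/localhost.csr" -noout -text)
    old_ifs=$IFS; IFS=,
    for entry in $ALTNAME; do
        case $entry in
            DNS:*) needle="DNS:${entry#DNS:}" ;;
            IP:*)  needle="IP Address:${entry#IP:}" ;;
            *)     IFS=$old_ifs; return 1 ;;
        esac
        printf '%s\n' "$text" | grep -qF -- "$needle" || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# Stand-in for the CA's answer, acceptable only for internal testing: sign the
# CSR with its own key while keeping the SAN extension.
self_sign_for_testing() {
    openssl x509 -req -in "$WORK/localhost.csr" -signkey "$WORK/localhost.key" \
        -days 30 -sha256 -extfile "$WORK/san.cnf" -extensions v3_req \
        -out "$WORK/localhost.crt" 2>/dev/null
}

# The configuration step needs PEM; convert a DER certificate in place if needed.
ensure_pem() {
    crt=$1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$crt"; then
        return 0
    fi
    openssl x509 -inform DER -in "$crt" -out "$crt.pem"
    mv "$crt.pem" "$crt"
}

# Certificate and private key must belong together: compare their public keys.
cert_matches_key() {
    k=$(openssl pkey -in "$WORK/localhost.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Issuer equal to subject means self-signed: fine for testing, not for production.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Run the full flow when invoked as "sh script.sh demo".
if [ "${1:-}" = "demo" ]; then
    make_csr && csr_has_san && echo "CSR carries SAN: $ALTNAME"
    self_sign_for_testing && ensure_pem "$WORK/localhost.crt"
    cert_matches_key "$WORK/localhost.crt" && echo "certificate matches localhost.key"
    is_self_signed "$WORK/localhost.crt" && echo "self-signed: replace before production"
    echo "artifacts in $WORK"
fi
```

In real use, the certificate checked by ensure_pem and cert_matches_key is the localhost.crt returned by the CA, not the self-signed stand-in; is_self_signed returning success on a certificate that is about to go into production is the signal that the CA-signed certificate has not been installed yet.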
Before you configure Fabric Manager with the new certificate, Unisys recommends that you change the default password for the Fabric Manager keystore. If you have not yet changed the default password, do the following:
Delete the following default Fabric Manager keystore file that was created during the initial installation and configuration of your fabric:
# rm /usr/local/ffm/jetty/etc/ffm_fmws_keystore.jks
Run the following script and create a new Fabric Manager keystore file and password:
# sh /usr/local/ffm/script/generate-ffm-certs.sh newpassword
Where newpassword is the new password for the Fabric Manager keystore.
Enter the following command to configure Fabric Manager with the new certificate:
# sh /usr/local/ffm/scripts/generate-ffm-certs.sh password CA [/path/to/CARootOrIntermediate/CertFile.crt]
| Where... | Represents... |
|---|---|
| password | The password for the Fabric Manager keystore. |
| CA | The localhost.crt Certificate Authority (CA) file. |
| /path/to/CARootOrIntermediate/CertFile.crt | (Optional) The path to the CA Root or Intermediate certificate file if it is not part of localhost.crt. |
If you are configuring mutual authentication for web services at this time, do not restart Fabric Manager services yet. Proceed to the “Adding Certificate Authorities for Mutual Authentication” subsection, and then restart Fabric Manager services at the end of that subsection.
Enter the following commands to restart the Fabric Manager services:
# rcffmservices stop
# rcffmservices start
The Fabric Manager services are restarted.
Generating a New RSA Keypair and Self-Signed Certificate for Internal Deployment and Testing
The Fabric Manager user interface needs a valid certificate in order to start. You must complete the entire procedure before restarting the Fabric Manager.
As a security best practice, Unisys recommends that you generate a new RSA keypair and request and install a Certificate Authority (CA) signed certificate to replace the defaults that are shipped with the platform. You can generate and install a self-signed certificate for internal deployment and testing; however, the self-signed certificate should be replaced with a CA-signed certificate before any production deployment occurs (see “Generating a New RSA Keypair and Certificate Authority Signed Certificate”).
To update Fabric Manager with a new RSA keypair and self-signed certificate, do the following:
Launch a virtual console from the Fabric Management Platform console and log in as root.
Navigate to the “ssl” directory by entering the following command:
# cd /etc/ssl/certs
Before you configure Fabric Manager with the new certificate, Unisys recommends that you change the default password for the Fabric Manager keystore. If you have not yet changed the default password, do the following:
Delete the following default Fabric Manager keystore file that was created during the initial installation and configuration of your fabric:
# rm /usr/local/ffm/jetty/etc/ffm_fmws_keystore.jks
Run the following script and create a new Fabric Manager keystore file and password:
# sh /usr/local/ffm/script/generate-ffm-certs.sh newpassword
Where newpassword is the new password for the Fabric Manager keystore.
Enter the following command to configure Fabric Manager with the new certificate:
# sh /usr/local/ffm/scripts/generate-ffm-certs.sh password
Where password is the password for the Fabric Manager keystore.
If you are configuring mutual authentication for web services at this time, do not restart Fabric Manager services yet. Proceed to “Adding Certificate Authorities for Mutual Authentication”, and then restart Fabric Manager services.
Enter the following commands to restart the Fabric Manager services:
# rcffmservices stop
# rcffmservices start
The Fabric Manager services are restarted.