The following TrilioVault services are providing certificates for secured access to the TrilioVault solution.
Webservice providing the TrilIoVault Dashboard
provides the VIP for wlm-api service
VIP for the dashboard of Grafana service running on TrilIioVault VM
The TVault-Config service and the Nginx Resource for the Grafana Dashboard are using the same certificate.
[[email protected] ssl]# cd /etc/tvault/ssl/[[email protected] ssl]# ls -lisa server*577678 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 server.crt -> TVM1.crt577672 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 server.key -> TVM1.key1178820 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 server.pem -> TVM1.pem
The certificate used is a symlink to a host-specific certificate. Each TrilioVault VM has its own self-signed certificate by default which is getting recreated every time the TVault-Config service is restarted.
When the certificate for the TVault-Config and Nginx (Grafana) is to be changed to a customer chosen certificate it is required to deactivate the recreation of the certificates upon service restart.
Login into the TrilioVault VM via SSH
Edit the following file:
Look for create_ssl_certificates() in the main function
Comment out create_ssl_certificates()
Repeat for all nodes of the TrilioVault cluster
The resulting main function will look like this:
def main():# configure the networking#create_ssl_certificates()http_thread = Thread(target=main_http)http_thread.daemon = True # thread dies with the programhttp_thread.start()bottle.debug(True)srv = SSLWSGIRefServer(host='::', port=443)bottle.run(server=srv, app=app, quiet=False, reloader=False)
Afterward, the certificates can be replaced manually by overwriting the files.
Once the certificates have been replaced by the desired ones restart the TVault-Config service and the Nginx pcs resource.
[[email protected] ~]# systemctl restart tvault-config[[email protected] ~]# pcs resource restart lb_nginx-clonelb_nginx-clone successfully restarted
The certificate provided by the Nginx for the wlm-api service is set during configuration when HTTPS endpoints are configured for the TrilioVault appliance. This certificate is provided to the end-user or Openstack every time an API call to the TrilioVault solution is sent.
To change the certificate through the configurator make sure to create HTTPS endpoints and upload the certificate and key using the advanced options of the configurator.
The certificates can be changed manually if necessary.
They are located under
[[email protected] ~]# cd /opt/stack/data/cert/[[email protected] cert]# ls -lisa workloadmgr*577678 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 workloadmgr.crt577672 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 workloadmgr.key
These certificates can be replaced manually and the Nginx resource restarted afterward.
[[email protected] ~]# pcs resource restart lb_nginx-clonelb_nginx-clone successfully restarted