Search…
TVO-4.2
About TrilioVault for OpenStack
TrilioVault for OpenStack Architecture
TrilioVault 4.2 Release Notes
Deployment Guide
Support Matrix
Requirements
TrilioVault network considerations
Preparing the installation
Spinning up the TrilioVault VM
Installing TrilioVault Components
Configuring TrilioVault
Apply the TrilioVault license
Advanced Ceph configurations
Post Installation Health-Check
Uninstall TrilioVault
Upgrade TrilioVault
Multi-IP NFS Backup target mapping file configuration
Enabling TVO 4.1 or older backups when using NFS backup target
Install workloadmgr CLI client
Switch Backup Target on Kolla-ansible
Switch NFS Backing file
TrilioVault Appliance Administration Guide
Set TrilioVault GUI login banner
TrilioVault Appliance Dashboard
Set network accessibility of TrilioVault GUI
Reconfigure the TrilioVault Cluster
Change the TrilioVault GUI password
Reset the TrilioVault GUI password
Reinitialize TrilioVault
Download TrilioVault logs
Change Certificates used by TrilioVault
Restart TrilioVault Services
Shutdown/Restart the TrilioVault cluster
Clean up TrilioVault database
User Guide
Workloads
Snapshots
Restores
File Search
Snapshot Mount
Schedulers
E-Mail Notifications
Admin Guide
Backups-Admin Area
Workload Policies
Workload Quotas
Managing Trusts
Workload Import & Migration
Disaster Recovery
Migrating encrypted Workloads
Rebasing existing workloads
Troubleshooting
General Troubleshooting Tips
Using the workloadmgr CLI tool on the Triliovault Appliance
Healthcheck of TrilioVault
Important log files
API GUIDE
Workloads
Snapshots
Restores
File Search
Snapshot Mount
Schedulers
E-Mail Notification Settings
Workload Policies
Workload Quotas
Managing Trusts
Workload Import and Migration
Powered By GitBook
Change Certificates used by TrilioVault
The following TrilioVault services are providing certificates for secured access to the TrilioVault solution.
Service
Port used
Description
TVault-Config
443
Webservice providing the TrilIoVault Dashboard
Nginx (wlm-api)
8780
provides the VIP for wlm-api service
Nginx (Grafana)
3001
VIP for the dashboard of Grafana service running on TrilIioVault VM

Changing the certificate of TVault-Config and Nginx for Grafana Service

The TVault-Config service and the Nginx Resource for the Grafana Dashboard are using the same certificate.
[[email protected] ssl]# cd /etc/tvault/ssl/
[[email protected] ssl]# ls -lisa server*
577678 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 server.crt -> TVM1.crt
577672 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 server.key -> TVM1.key
1178820 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 server.pem -> TVM1.pem
The certificate used is a symlink to a host-specific certificate. Each TrilioVault VM has its own self-signed certificate by default which is getting recreated every time the TVault-Config service is restarted.
When the certificate for the TVault-Config and Nginx (Grafana) is to be changed to a customer chosen certificate it is required to deactivate the recreation of the certificates upon service restart.
Trilio is planning to change this behavior to make it easier for customers to change the certificate in the future.
  1. 1.
    Login into the TrilioVault VM via SSH
  2. 2.
    Edit the following file: /home/stack/myansible/lib/python3.6/site-packages/tvault_configurator/tvault_config_bottle.py
  3. 3.
    Look for create_ssl_certificates() in the main function
  4. 4.
    Comment out create_ssl_certificates()
  5. 5.
    Repeat for all nodes of the TrilioVault cluster
The resulting main function will look like this:
def main():
# configure the networking
#create_ssl_certificates()
​
http_thread = Thread(target=main_http)
http_thread.daemon = True # thread dies with the program
http_thread.start()
​
bottle.debug(True)
srv = SSLWSGIRefServer(host='::', port=443)
bottle.run(server=srv, app=app, quiet=False, reloader=False)
Afterward, the certificates can be replaced manually by overwriting the files.
Once the certificates have been replaced by the desired ones restart the TVault-Config service and the Nginx pcs resource.
[[email protected] ~]# systemctl restart tvault-config
[[email protected] ~]# pcs resource restart lb_nginx-clone
lb_nginx-clone successfully restarted

Changing the certificate used by Nginx for wlm-api service

The certificate provided by the Nginx for the wlm-api service is set during configuration when HTTPS endpoints are configured for the TrilioVault appliance. This certificate is provided to the end-user or Openstack every time an API call to the TrilioVault solution is sent.
The certificate and its related private key can be changed through the OS API certificate tab.
In this tab is the section to Upload Server certificate | Private key. Use this section to update the wlm-api certificate as required.
Upload Server certificate | Private key block
The certificate and it's private key can also be changed through reconfiguration.
TrilioVault Appliance Administration Guide - Previous
Download TrilioVault logs
Next - TrilioVault Appliance Administration Guide
Restart TrilioVault Services
Last modified 5mo ago
Export as PDF
Copy link
Outline
Changing the certificate of TVault-Config and Nginx for Grafana Service
Changing the certificate used by Nginx for wlm-api service