Change Certificates used by Trilio
The following Trilio services are providing certificates for secured access to the Trilio solution.
Service | Port used | Description |
---|---|---|
TVault-Config | 443 | Webservice providing the TrilIoVault Dashboard |
Nginx (wlm-api) | 8780 | provides the VIP for wlm-api service |
Nginx (Grafana) | 3001 | VIP for the dashboard of Grafana service running on TrilIioVault VM |
Changing the certificate of TVault-Config and Nginx for Grafana Service
The TVault-Config service and the Nginx Resource for the Grafana Dashboard are using the same certificate.
The certificate used is a symlink to a host-specific certificate. Each Trilio VM has its own self-signed certificate by default which is getting recreated every time the TVault-Config service is restarted.
When the certificate for the TVault-Config and Nginx (Grafana) is to be changed to a customer chosen certificate it is required to deactivate the recreation of the certificates upon service restart.
Trilio is planning to change this behavior to make it easier for customers to change the certificate in the future.
Login into the Trilio VM via SSH
Edit the following file:
/home/stack/myansible/lib/python3.6/site-packages/tvault_configurator/tvault_config_bottle.py
Look for create_ssl_certificates() in the main function
Comment out create_ssl_certificates()
Repeat for all nodes of the Trilio cluster
The resulting main function will look like this:
Afterward, the certificates can be replaced manually by overwriting the files.
Once the certificates have been replaced by the desired ones restart the TVault-Config service and the Nginx pcs resource.
Changing the certificate used by Nginx for wlm-api service
The certificate provided by the Nginx for the wlm-api service is set during configuration when HTTPS endpoints are configured for the Trilio appliance. This certificate is provided to the end-user or Openstack every time an API call to the Trilio solution is sent.
The certificate and its related private key can be changed through the OS API certificate tab.
In this tab is the section to Upload Server certificate | Private key. Use this section to update the wlm-api certificate as required.
The certificate and it's private key can also be changed through reconfiguration.
Last updated