Change Certificates used by Trilio

The following Trilio services present certificates to secure access to the Trilio solution.

Service          | Port used | Description
TVault-Config    | 443       | Webservice providing the TrilioVault Dashboard
Nginx (wlm-api)  | 8780      | Provides the VIP for the wlm-api service
Nginx (Grafana)  | 3001      | VIP for the dashboard of the Grafana service running on the TrilioVault VM

Changing the certificate of TVault-Config and Nginx for Grafana Service

The TVault-Config service and the Nginx resource for the Grafana dashboard use the same certificate.

[root@TVM1 ssl]# cd /etc/tvault/ssl/
[root@TVM1 ssl]# ls -lisa server*
 577678 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 server.crt -> TVM1.crt
 577672 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 server.key -> TVM1.key
1178820 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 server.pem -> TVM1.pem

The certificate in use is a symlink to a host-specific certificate. By default, each Trilio VM has its own self-signed certificate, which is recreated every time the TVault-Config service is restarted.

To change the certificate for TVault-Config and Nginx (Grafana) to a customer-chosen certificate, the recreation of the certificates upon service restart must first be deactivated.

Trilio is planning to change this behavior to make it easier for customers to change the certificate in the future.

  1. Log in to the Trilio VM via SSH

  2. Edit the following file: /home/stack/myansible/lib/python3.6/site-packages/tvault_configurator/tvault_config_bottle.py

  3. Look for create_ssl_certificates() in the main function

  4. Comment out create_ssl_certificates()

  5. Repeat for all nodes of the Trilio cluster

The resulting main function will look like this:

def main():
    # configure the networking
    #create_ssl_certificates()

    http_thread = Thread(target=main_http)
    http_thread.daemon = True  # thread dies with the program
    http_thread.start()

    bottle.debug(True)
    srv = SSLWSGIRefServer(host='::', port=443)
    bottle.run(server=srv, app=app, quiet=False, reloader=False)

Afterward, the certificates can be replaced manually by overwriting the files.

Once the certificates have been replaced by the desired ones, restart the TVault-Config service and the Nginx pcs resource.

[root@TVM1 ~]# systemctl restart tvault-config
[root@TVM1 ~]# pcs resource restart lb_nginx-clone
lb_nginx-clone successfully restarted

Changing the certificate used by Nginx for wlm-api service

The certificate presented by Nginx for the wlm-api service is set during configuration, when HTTPS endpoints are configured for the Trilio appliance. This certificate is presented to the end-user or OpenStack every time an API call is sent to the Trilio solution.

To change the certificate through the configurator, make sure to create HTTPS endpoints and upload the certificate and key using the advanced options of the configurator.

The certificates can be changed manually if necessary.

They are located under /opt/stack/data/cert/

[root@TVM1 ~]# cd /opt/stack/data/cert/
[root@TVM1 cert]# ls -lisa workloadmgr*
 577678 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 workloadmgr.crt
 577672 0 lrwxrwxrwx 1 root root 8 Jan 21 14:36 workloadmgr.key

These certificates can be replaced manually and the Nginx resource restarted afterward.

[root@TVM1 ~]# pcs resource restart lb_nginx-clone
lb_nginx-clone successfully restarted
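
Both manual replacements described above (under /etc/tvault/ssl/ and /opt/stack/data/cert/) restart services with whatever files are on disk, so it helps to confirm beforehand that the new certificate parses, matches its private key and is not about to expire. The following pre-flight check is an added example, not Trilio code; the function names, exit codes and the tvm1.example.test sample subject are assumptions, and an unencrypted PEM key is assumed.

```shell
#!/usr/bin/env bash
# Added example (not Trilio code): pre-flight checks for a replacement
# certificate/key pair before it overwrites the files Trilio serves.
# Function names and exit codes are assumptions made for this sketch.

# SHA-256 of the DER-encoded public key inside a certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a private key.
# Comparing public keys works for RSA and EC keys alike.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 if usable, 2 on unparsable input, 3 on key mismatch,
# 4 if the certificate expires within min_days (default 30).
check_pair() {
    local cert="$1" key="$2" min_days="${3:-30}"
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "cannot parse certificate $cert" >&2; return 2; }
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "cannot parse private key $key" >&2; return 2; }
    if [ "$(cert_pubkey_digest "$cert")" != "$(key_pubkey_digest "$key")" ]; then
        echo "certificate and key do not belong together" >&2; return 3
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "certificate expires within $min_days days" >&2; return 4
    fi
    # Print what clients will see, for a manual review of name and dates.
    openssl x509 -in "$cert" -noout -subject -enddate
}

# Constructed sample input: throwaway self-signed pair written to directory $1.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=tvm1.example.test" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

# Usage: ./check_pair.sh new.crt new.key [min_days]
if [ "$#" -ge 2 ]; then check_pair "$@"; fi
```

Run it against the new files before copying them into place; a non-zero exit code means the restart would load an unusable or soon-to-expire pair.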

[Figure: Setting HTTPS at the advanced options]