Steps to renew invalid or expired CIS server certificates

  • Document ID:7025193
  • Creation Date:12-Jul-2021
  • Modified Date:12-Jul-2021
    • Micro Focus Products:
      Open Enterprise Server

Environment

Open Enterprise Server 2018 (OES 2018) Linux

Situation

How to renew expired eDirectory server certificates.

Server certificates are invalid or expired.

Update Kafka keystore with renewed certificates.

Resolution

1. Ensure EDirectory Certificates are valid and renew if necessary.

   

    run

    # ls -al /etc/ssl/servercerts

 

    this lists the certificate files, make sure the output is similar to this and contains the servercert.pem and serverkey.pem files.

 

    total 24

    drwxr-xr-x 3 root root 4096 Mar  5 14:40 ./

    drwxr-xr-x 5 root root 4096 Feb  4 17:21 ../

    -rw------- 1 root root 4317 Mar  5 14:40 servercert.pem

    -rw------- 1 root root 1679 Mar  5 14:40 serverkey.pem

 

    then, run

    # openssl x509 -in /etc/ssl/servercerts/servercert.pem -noout -text

 

    to check the validity, from the output, in the "Validity" section of the output.

 

    Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            66:f1:88:59:00:41:ae:a3:c1:9b:5f:cb:a7:89:af:49:2e:e7:7c:90

    Signature Algorithm: sha256WithRSAEncryption

        Issuer: OU=Organizational CA, O=CISMEDIASP2

        Validity

            Not Before: Mar  5 05:00:00 2019 GMT

            Not After : Mar  5 05:00:00 2021 GMT

    ...

 

    If the certificates have expired, please follow the steps in the link provided below to renew the edirectory certificates

        https://support.microfocus.com/kb/doc.php?id=7013080

 

    Confirm again that the certificates are now valid,

 

    # ls -al /etc/ssl/servercerts

 

    total 24

    drwxr-xr-x 3 root root 4096 Mar  5 14:40 ./

    drwxr-xr-x 5 root root 4096 Feb  4 17:21 ../

    drwx------ 2 root root 4096 Jul 19  2020 backup/

    -rw------- 1 root root 4317 Mar  5 14:40 servercert.pem

    -rw------- 1 root root 1679 Mar  5 14:40 serverkey.pem

 

    # openssl x509 -in /etc/ssl/servercerts/servercert.pem -noout -text

 

    Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            66:f1:88:59:00:41:ae:a3:c1:9b:5f:cb:a7:89:af:49:2e:e7:7c:90

    Signature Algorithm: sha256WithRSAEncryption

        Issuer: OU=Organizational CA, O=CISMEDIASP2

        Validity

            Not Before: Mar  5 07:06:55 2021 GMT

            Not After : Mar  5 07:06:55 2023 GMT

    ...

 

2. Replacing CIS Certificates:

   

    CIS certificates are at "/etc/opt/novell/cis/certs"

 

    # ls -lh /etc/opt/novell/cis/certs

 

    total 20

    drwxrwxrwx+ 1 root root 4096 Mar  5 14:50 ./

    drwxrwxrwx  1 root root 4096 Feb  4 17:37 ../

    -rw-rw-rw-  1 root root 1675 Jul 20  2020 eprivatekey.pem

    -rw-rw-rw-  1 root root  426 Jul 20  2020 epublickey.pem

    drwxrwxrwx+ 1 root root 4096 Jan 18 15:01 rootCAs/

    -rw-rw-rw-  1 root root 4317 Mar  5 14:50 servercert.pem

    -rw-rw-rw-  1 root root 1679 Mar  5 14:50 serverkey.pem

 

    Copy and replace the NEW servercert.pem, serverkey.pem and the SSCert.pem from the edirectory locations to their corresponding CIS locations.

 

    # cp /etc/ssl/servercerts/servercert.pem /etc/opt/novell/cis/certs/servercert.pem

    # cp /etc/ssl/servercerts/serverkey.pem /etc/opt/novell/cis/certs/serverkey.pem

    # cp /etc/opt/novell/certs/SSCert.pem /etc/opt/novell/cis/certs/rootCAs/SSCert.pem

 

    # ls -lh /etc/opt/novell/cis/certs

 

    -rw-rw-rw-  1 root root 1675 Jul 20  2020 eprivatekey.pem

    -rw-rw-rw-  1 root root  426 Jul 20  2020 epublickey.pem

    drwxrwxrwx+ 1 root root 4096 Jan 18 15:01 rootCAs/

    -rw-rw-rw-  1 root root 4317 Apr 27 18:45 servercert.pem

    -rw-rw-rw-  1 root root 1679 Apr 27 18:45 serverkey.pem

 

3. Recreate Kafka keystore for the new certificates.

    Run the kafka_keystore_update.sh script present in the Additional Information section.
    Make sure the file has execute permissions and is run through dos2unix to correct the line endings if it is being downloaded to a windows system.

 

    # dos2unix ./kafka_keystore_update.sh

    # chmod +x ./kafka_keystore_update.sh

 

    # sh ./kafka_keystore_update.sh

 

    Verify that the jks files in "/etc/opt/novell/cis/kafka/certs/" have been updated and their modification time is recent...

 

    # ls -lh /etc/opt/novell/cis/kafka/certs/

 

    -rw-r--r-- 1 root root 4.4K Apr 27 18:45 server.keystore.jks

    -rw-r--r-- 1 root root 4.8K Apr 27 18:45 server.p12

    -rw-r--r-- 1 root root 1.4K Apr 27 18:45 server.truststore.jks

 

4. Restart CIS services for them to pick up the new certificates...

 

    # systemctl restart oes-cis-fluentbit.service

    # systemctl restart oes-cis-configuration.service

    # systemctl restart docker.service

 

It is preferable to restart the whole server if possible since the edirectory certificates have changed and this might be consumed by other services apart from CIS.

Cause

Server certificates are invalid and/or expired and need to be re-created and the corresponding CIS certificate copies and Kafka keystores should be updated.

Additional Information

kafka_keystore_update.sh:

#!/bin/bash
# © Copyright [2020] Micro Focus or one of its affiliates.
#
# The only warranties for products and services of Micro Focus and its affiliates and licensors
# (“Micro Focus”) are as may be set forth in the express warranty statements accompanying such
# products and services. Nothing herein should be construed as constituting an additional
# warranty. Micro Focus shall not be liable for technical or editorial errors or omissions
# contained herein. The information contained herein is subject to change without notice.
#
# Except as specifically indicated otherwise, this document contains confidential information
# and a valid license is required for possession, use or copying. If this work is provided to the
# U.S. Government, consistent with FAR 12.211 and 12.212, Commercial Computer Software,
# Computer Software Documentation, and Technical Data for Commercial Items are licensed
# to the U.S. Government under vendor's standard commercial license.

systemctl stop oes-cis-kafka
TMP_LOG_FILE="/tmp/cis_upgrade.log"
if ! { [ -e /etc/opt/novell/cis/certs/servercert.pem ] && [ -e /etc/opt/novell/cis/certs/serverkey.pem ] && [ -e /etc/opt/novell/cis/certs/rootCAs/SSCert.pem ]; }; then
    echo "Server certificates not found"
fi

config_file=/etc/opt/novell/cis/kafka/config
password=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 ; echo ''`
rm -f /etc/opt/novell/cis/kafka/certs/*

openssl pkcs12 -export -in /etc/opt/novell/cis/certs/servercert.pem -inkey /etc/opt/novell/cis/certs/serverkey.pem -out /etc/opt/novell/cis/kafka/certs/server.p12 -name localhost -CAfile /etc/opt/novell/cis/certs/rootCAs/SSCert.pem -caname rootca -password pass:"$password";  >> "$TMP_LOG_FILE" 2>&1
if [ $? -ne 0 ]; then
    echo "Failed to import the server certificate, private key and CA certificate into PKCS12 keystore"
fi

keytool -importkeystore -deststorepass "$password" -destkeypass "$password" -destkeystore /etc/opt/novell/cis/kafka/certs/server.keystore.jks -srckeystore /etc/opt/novell/cis/kafka/certs/server.p12 -srcstoretype PKCS12 -srcstorepass "$password" -alias localhost; >> "$TMP_LOG_FILE" 2>&1
if [ $? -ne 0 ]; then
    echo "Failed to Covert the PKCS12 type keystore to JKS type keystore"
fi

keytool -keystore /etc/opt/novell/cis/kafka/certs/server.truststore.jks -storepass "$password" -alias CARoot -import -file /etc/opt/novell/cis/certs/rootCAs/SSCert.pem -noprompt >> "$TMP_LOG_FILE" 2>&1
if [ $? -ne 0 ]; then
        echo "Failed to write MQ_KEYSTORE_PLAINTEXT_PASSWORD in kafka config file"
fi

sed -i -e"s/^MQ_KEYSTORE_PLAINTEXT_PASSWORD=.*/MQ_KEYSTORE_PLAINTEXT_PASSWORD=\"$password\"/" "$config_file"
sed -i -e"s/^MQ_KEY_PLAINTEXT_PASSWORD=.*/MQ_KEY_PLAINTEXT_PASSWORD=\"$password\"/" "$config_file"
sed -i -e"s/^MQ_TRUSTSTORE_PLAINTEXT_PASSWORD=.*/MQ_TRUSTSTORE_PLAINTEXT_PASSWORD=\"$password\"/" "$config_file"
systemctl restart oes-cis-kafka