Internal Errigal Collaboration Wiki

User Tools

Site Tools

Trace: docker_rdf-agent_deployment customer_idms_qa_environments applications user_profile_roles_permissions build_execution_testing_deployment
databaseandnetworkmanagement:ssl_configuration

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
databaseandnetworkmanagement:ssl_configuration [2021/06/25 10:09] – external edit 127.0.0.1databaseandnetworkmanagement:ssl_configuration [2022/06/14 10:56] (current) 10.91.110.100
Line 15: Line 15:
 <code> <code>
   * openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr -config san.conf   * openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr -config san.conf
 +</code>
 +
 +This will generate a new key so should only be performed on a new server that doesn't have a private key. If you have access to a current private key, you can generate a CSR from that key using:
 +
 +<code>
 +  * $ openssl req -out yourdomain.csr -key private.key -new
 </code> </code>
  
Line 35: Line 41:
   - **Server Private key** - The private key is generated simultaneously with the CSR (certificate signing request), containing the domain name, public key and additional contact information. The CSR is to be sent to the certificate authority for validation and signing immediately after the certificate activation typically. The private key must be kept secret, ideally on the same server the certificate will be installed on. (This is generated on the server)   - **Server Private key** - The private key is generated simultaneously with the CSR (certificate signing request), containing the domain name, public key and additional contact information. The CSR is to be sent to the certificate authority for validation and signing immediately after the certificate activation typically. The private key must be kept secret, ideally on the same server the certificate will be installed on. (This is generated on the server)
  
-===== Loading the cert into Java =====+===== Update SSL Certs ===== 
 + 
 +Pull the master branch of the [[https://bitbucket.org/errigal/server-configuration/src/master/|server configuration repo]]. Run the deploy playbook to reconfigure the SSL cert for a given environment. The playbook will do all the below steps: 
 + 
 + * Load the cert into Java 
 + * Load the cert into Apache 
 + * Restart Apache 
 + 
 +<code>ansible-playbook -i ../env-configuration/$ENV/hosts.ini reconfigure-ssl.yml --vault-id @prompt --diff </code> 
 + 
 +There is no need to shut down all applications anymore. 
 + 
 +For AWS based environments, an extra step is required. The cert will need to be updated on the loadbalancer instance. This is the case for ATC, QAATC, SCO etc. 
 + 
 + * Sign into AWS console  
 + * Navigate to Home Page  
 + * Load Balancers -> Listeners -> View/Edit certificates ACM  
 + * https://console.aws.amazon.com/acm/home?region=us-east-1#/  
 + * Selecting certiciate relevant to environment -> Actions -> Reimport Certificate 
 + * Paste in the contents of the three certificate files from env-configuration (already PEM encoded) into the corresponding fields. 
 + * Certificate private key  
 + * Certificate body  
 + * Certificate chain 
 + 
 + 
 +===== Loading the cert into Java (Handled by Playbook) =====
  
 In order for the applications to obtain the certificate it must be loaded into javas list of certs via keytool. The bundle and sub cert files should both be loaded at this point. This step needs to be done on each server that is running any applications using java. The cert files should be transferred to all application servers. In order for the applications to obtain the certificate it must be loaded into javas list of certs via keytool. The bundle and sub cert files should both be loaded at this point. This step needs to be done on each server that is running any applications using java. The cert files should be transferred to all application servers.
Line 70: Line 101:
  
  
-===== Load the cert into Apache (load balancer) =====+===== Load the cert into Apache (Handled by Playbook) =====
  
 **Transfer the cert files(bundle file, cert and server key) to the load balancer into the following directory:** **Transfer the cert files(bundle file, cert and server key) to the load balancer into the following directory:**
Line 96: Line 127:
  
  
-===== Restart Applications and Apache =====+===== Restart Applications and Apache (Handled by Playbook) ===== 
 +**Applications do not need a restart anymore when using the reconfigure_ssl playbook, only the httpd service needs a restart**
   - Shutdown all applications   - Shutdown all applications
   - Restart apache service on the load balancer:   - Restart apache service on the load balancer:
databaseandnetworkmanagement/ssl_configuration.1624612196.txt.gz · Last modified: 2021/06/25 10:09 by 127.0.0.1

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki