Enabling SSL/TLS for OpsCenter and Agent communication - Package Installs

To enable SSL for package installations, edit the configuration file.

The SSL key generation process is done automatically at package install time. Unless you need to regenerate the SSL key files, skip to step 4 to edit the configuration files that enable SSL.

Prerequisites

OpsCenter requires the .der file format for SSL. If your existing [agents] ssl_certfile in opscenterd.conf is in .pem format, run the following command to convert it:
$ openssl x509 -outform der -in /var/lib/opscenter/ssl/opscenter.pem -out /var/lib/opscenter/ssl/opscenter.der
[agents] ssl_certfile
The location of the SSL certificate used for SSL traffic between OpsCenter and the agents. The default location is /var/lib/opscenter/ssl/opscenter.der for package installations and install_location/ssl/opscenter.der for tarball installations.

For more information about SSL cert file formats, see converting SSL certificates.

opscenterd.conf 

The location of the opscenterd.conf file depends on the type of installation:

  • Package installations: /etc/opscenter/opscenterd.conf
  • Tarball installations: install_location/conf/opscenterd.conf

address.yaml 

The location of the address.yaml file depends on the type of installation:

  • Package installations: /var/lib/datastax-agent/conf/address.yaml
  • Tarball installations: install_location/conf/address.yaml

Procedure

  1. Optional:
    Warning: If the SSL files already exist in the /usr/share/opscenter/ssl directory, they are not automatically recreated. Before running setup.py, remove the old SSL files from that directory. Regenerating the keys also invalidates any agentKeyStore already copied to the nodes, so redistribute it as described in step 6.
    Note: The setup.py script requires the /tmp directory to have exec permissions. Make sure that the /tmp directory does not have the noexec flag set. See Setting and securing the tmp directory for the agent.
    Run the OpsCenter setup.py script:
    $ sudo /usr/share/opscenter/bin/jython /usr/share/opscenter/bin/setup.py
    The script generates the SSL keys and certificates used by the OpsCenter daemon and the agents to communicate with one another in the following directory: /usr/share/opscenter/ssl.
  2. Optional: Copy the OpsCenter SSL private key opscenter.key and the OpsCenter SSL certificate opscenter.der to /var/lib/opscenter/ssl:
    $ sudo cp /usr/share/opscenter/ssl/opscenter.key /var/lib/opscenter/ssl
    $ sudo cp /usr/share/opscenter/ssl/opscenter.der /var/lib/opscenter/ssl
    If setup.py produced a PEM certificate (opscenter.pem) instead, copy that file and convert it to .der as described under Prerequisites before continuing. The OpsCenter SSL private key and certificate are now located in /var/lib/opscenter/ssl.
  3. Optional: Change ownership of the OpsCenter SSL private key opscenter.key and the OpsCenter SSL certificate opscenter.der to the opscenter user and the opscenter group:
    $ sudo chown opscenter:opscenter /var/lib/opscenter/ssl/opscenter.key
    $ sudo chown opscenter:opscenter /var/lib/opscenter/ssl/opscenter.der
    The OpsCenter SSL private key and certificate are now readable by the OpsCenter daemon process. Make sure the private key is not readable by other local users.
  4. Required: Open opscenterd.conf in an editor and add an [agents] section with the use_ssl option set to enable SSL. See configuring the agent for ssl for more details on the use_ssl option.
    $ sudo vi /etc/opscenter/opscenterd.conf
    
    [agents]
    use_ssl = true
    ssl_keyfile =  /var/lib/opscenter/ssl/opscenter.key
    ssl_certfile = /var/lib/opscenter/ssl/opscenter.der
    agent_keyfile = /var/lib/opscenter/ssl/agentKeyStore
    agent_keyfile_raw = /var/lib/opscenter/ssl/agentKeyStore.key # for non-Java clients
    agent_certfile = /var/lib/opscenter/ssl/agentKeyStore.der
  5. Restart the OpsCenter daemon.
  6. If agents are already deployed in the cluster you are connecting to, log in to each node and reconfigure its address.yaml file. Reconfigure the agents on all nodes.
    Tip: If you do not want to manually edit all of the node configuration files, follow the installing DataStax agents automatically procedure.
    1. Copy /var/lib/opscenter/ssl/agentKeyStore from the OpsCenter machine to /var/lib/datastax-agent/ssl/agentKeyStore on each node in the cluster.
      $ scp /var/lib/opscenter/ssl/agentKeyStore user@node:/var/lib/datastax-agent/ssl/
      Where node is either the host name of the node or its IP address and user is the user ID on the node.
    2. Log into each node in the cluster using ssh.
      $ ssh user@node
      Where node is either the host name of the node or its IP address and user is the user ID on the node.
    3. Edit the address.yaml file, changing the value of use_ssl to 1.
      $ sudo vi /var/lib/datastax-agent/conf/address.yaml
      use_ssl: 1
    4. Restart the agent.
      $ sudo service datastax-agent restart
  7. After opscenterd and all agents have been configured and restarted, verify proper agent connection through the Agent Status tab.
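The procedure above, written as idempotent shell functions so it can be re-run safely and checked rather than typed by hand. This is an added example, not a script from the OpsCenter documentation or the product. Everything not stated on the page is an assumption: "service opscenterd restart" as the daemon restart command, the NODES and SSH_USER variables, a sudo-capable ssh user and GNU sed on the nodes, and that each node's address.yaml already contains a use_ssl line (as step 6.3 implies). The config editor replaces an existing key inside [agents], inserts a missing key under the header, and rewrites the file in place so its owner and mode survive; the key-permission check is the extra step a reviewer would want after step 3.

```shell
#!/bin/sh
# Added example (not from the OpsCenter documentation): the package-install
# procedure above as idempotent shell functions. Assumed, not given on the
# page: "service opscenterd restart" as the daemon restart command, the
# NODES/SSH_USER variables, and a sudo-capable ssh user with GNU sed on nodes.
set -eu

OPSC_SSL=${OPSC_SSL:-/var/lib/opscenter/ssl}
OPSC_CONF=${OPSC_CONF:-/etc/opscenter/opscenterd.conf}
SETUP_SSL=${SETUP_SSL:-/usr/share/opscenter/ssl}

# Prerequisite: OpsCenter wants a DER certificate. Keep $2 if it already
# parses as DER, otherwise convert the PEM certificate $1 into it.
ensure_der_cert() {
    if ! openssl x509 -inform der -in "$2" -noout 2>/dev/null; then
        openssl x509 -inform pem -in "$1" -outform der -out "$2"
    fi
}

# Step 3 only makes the key readable by the daemon; also check that nobody
# else can read it. True when the mode is 0600 or 0400.
key_is_private() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || [ "$mode" = "-r--------" ]
}

# Step 4: set "key = value" inside [agents]: replace an existing line, else
# insert it right after the header; create the section if it is missing.
# The file is rewritten in place so its owner and mode survive.
set_agents_option() {
    grep -q '^\[agents\]' "$1" || printf '\n[agents]\n' >> "$1"
    awk -v k="$2" -v v="$3" '
        function keyof(line,  p) { split(line, p, "="); gsub(/^[ \t]+|[ \t]+$/, "", p[1]); return p[1] }
        /^\[/ { insec = ($0 == "[agents]") }
        insec && !/^\[/ && !/^[ \t]*[#;]/ && keyof($0) == k { $0 = k " = " v; done = 1 }
        { lines[++n] = $0 }
        END { for (i = 1; i <= n; i++) { print lines[i]
                  if (!done && lines[i] == "[agents]") { print k " = " v; done = 1 } } }
    ' "$1" > "$1.tmp"
    cat "$1.tmp" > "$1" && rm "$1.tmp"
}

# Read a key back from [agents] to verify the edit.
get_agents_option() {
    awk -v k="$2" '
        function keyof(line,  p) { split(line, p, "="); gsub(/^[ \t]+|[ \t]+$/, "", p[1]); return p[1] }
        /^\[/ { insec = ($0 == "[agents]"); next }
        insec && !/^[ \t]*[#;]/ && keyof($0) == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# Step 6.3: set use_ssl to 1 in address.yaml, adding the line if absent.
set_agent_use_ssl() {
    if grep -q '^use_ssl:' "$1"; then
        sed 's/^use_ssl:.*/use_ssl: 1/' "$1" > "$1.tmp"
    else
        { cat "$1"; echo 'use_ssl: 1'; } > "$1.tmp"
    fi
    cat "$1.tmp" > "$1" && rm "$1.tmp"
}

# Steps 2 to 5 on the OpsCenter host (run as root).
configure_opscenterd() {
    cp "$SETUP_SSL/opscenter.key" "$OPSC_SSL/opscenter.key"
    cp "$SETUP_SSL/opscenter.der" "$OPSC_SSL/opscenter.der" 2>/dev/null ||
        ensure_der_cert "$SETUP_SSL/opscenter.pem" "$OPSC_SSL/opscenter.der"
    chown opscenter:opscenter "$OPSC_SSL/opscenter.key" "$OPSC_SSL/opscenter.der"
    chmod 600 "$OPSC_SSL/opscenter.key"
    key_is_private "$OPSC_SSL/opscenter.key"
    set_agents_option "$OPSC_CONF" use_ssl true
    set_agents_option "$OPSC_CONF" ssl_keyfile "$OPSC_SSL/opscenter.key"
    set_agents_option "$OPSC_CONF" ssl_certfile "$OPSC_SSL/opscenter.der"
    set_agents_option "$OPSC_CONF" agent_keyfile "$OPSC_SSL/agentKeyStore"
    set_agents_option "$OPSC_CONF" agent_keyfile_raw "$OPSC_SSL/agentKeyStore.key"
    set_agents_option "$OPSC_CONF" agent_certfile "$OPSC_SSL/agentKeyStore.der"
    service opscenterd restart   # assumed restart command (not given on the page)
}

# Step 6 on every already-deployed agent:
#   NODES="node1 node2" SSH_USER=ops rollout_agents
rollout_agents() {
    for node in $NODES; do
        scp "$OPSC_SSL/agentKeyStore" "$SSH_USER@$node:/tmp/agentKeyStore"
        ssh "$SSH_USER@$node" 'sudo cp /tmp/agentKeyStore /var/lib/datastax-agent/ssl/agentKeyStore &&
            sudo sed -i "s/^use_ssl:.*/use_ssl: 1/" /var/lib/datastax-agent/conf/address.yaml &&
            sudo service datastax-agent restart'
    done
}
```

Source the file and call configure_opscenterd on the OpsCenter host, then rollout_agents with NODES and SSH_USER set; get_agents_option lets you confirm each [agents] value before restarting, and key_is_private fails loudly if step 3 left the private key world-readable.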