To enable SSL for package installations, edit the configuration files.
The SSL keys are generated automatically at package install time.
Unless you need to regenerate the SSL key files, skip to step 4, which edits
the configuration files to enable SSL.
Prerequisites
OpsCenter requires the .der file format for SSL. If your existing
[agents] ssl_certfile in opscenterd.conf is in .pem format, run the
following command to convert it (openssl reads PEM by default, so no
-inform option is needed):
$ openssl x509 -outform der -in /var/lib/opscenter/ssl/opscenter.pem -out /var/lib/opscenter/ssl/opscenter.der
- [agents] ssl_certfile
- The location of the SSL certificate used for SSL traffic between OpsCenter and the agents. The default location is /var/lib/opscenter/ssl/opscenter.der for package installations and install_location/ssl/opscenter.der for tarball installations.
For more information about SSL cert file formats, see converting SSL certificates.
opscenterd.conf
The location of the opscenterd.conf file depends on the type of installation:
- Package installations: /etc/opscenter/opscenterd.conf
- Tarball installations: install_location/conf/opscenterd.conf
address.yaml
The location of the address.yaml file depends on the type of installation:
- Package installations: /var/lib/datastax-agent/conf/address.yaml
- Tarball installations: install_location/conf/address.yaml
Procedure
- Optional: Run the OpsCenter setup.py script to generate the SSL keys and certificates.
Warning: If the SSL files already exist in the /usr/share/opscenter/ssl
directory, they are not automatically recreated. Before running setup.py,
remove the old SSL files from that directory.
$ sudo /usr/share/opscenter/bin/jython /usr/share/opscenter/bin/setup.py
The script generates the SSL keys and certificates used by the OpsCenter
daemon and the agents to communicate with one another in the following
directory: /usr/share/opscenter/ssl.
- Optional: Copy the OpsCenter SSL private key opscenter.key and the
OpsCenter SSL certificate opscenter.der to /var/lib/opscenter/ssl:
$ sudo cp /usr/share/opscenter/ssl/opscenter.key /var/lib/opscenter/ssl
$ sudo cp /usr/share/opscenter/ssl/opscenter.der /var/lib/opscenter/ssl
If the generated certificate is only available as opscenter.pem, convert it
to .der with the openssl command given under Prerequisites; OpsCenter does
not load a PEM certificate from ssl_certfile. The OpsCenter SSL private key
and certificate are now located in /var/lib/opscenter/ssl.
- Optional: Change ownership of the OpsCenter SSL private key opscenter.key
and the OpsCenter SSL certificate opscenter.der to the opscenter user and
the opscenter group:
$ sudo chown opscenter:opscenter /var/lib/opscenter/ssl/opscenter.key
$ sudo chown opscenter:opscenter /var/lib/opscenter/ssl/opscenter.der
The OpsCenter SSL private key and certificate are then readable by the
OpsCenter daemon process. The private key should be readable by the
opscenter user only; any other local account that can read it can present
OpsCenter's identity to the agents.
- Required: Open opscenterd.conf in an editor and add an [agents] section
with the use_ssl option set to true. See configuring the agent for SSL for
more details on the use_ssl option.
$ sudo vi /etc/opscenter/opscenterd.conf
[agents]
use_ssl = true
ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key
ssl_certfile = /var/lib/opscenter/ssl/opscenter.der
agent_keyfile = /var/lib/opscenter/ssl/agentKeyStore
agent_keyfile_raw = /var/lib/opscenter/ssl/agentKeyStore.key # for non-Java clients
agent_certfile = /var/lib/opscenter/ssl/agentKeyStore.der
- Restart the OpsCenter daemon.
- If you are connecting to a cluster in which agents have already been
deployed, log in to each node and reconfigure its address.yaml file as
described in the following steps. Reconfigure the agents on all nodes.
- Copy /var/lib/opscenter/ssl/agentKeyStore from the OpsCenter machine to
/var/lib/datastax-agent/ssl/agentKeyStore on each node in the cluster:
$ scp /var/lib/opscenter/ssl/agentKeyStore user@node:/var/lib/datastax-agent/ssl/
Where node is either the host name of the node or its IP address, and user
is the user ID on the node.
- Log in to each node in the cluster using ssh:
$ ssh user@node
Where node is either the host name of the node or its IP address, and user
is the user ID on the node.
- Edit the address.yaml file, changing the value of use_ssl to 1:
$ sudo vi /var/lib/datastax-agent/conf/address.yaml
use_ssl: 1
- Restart the agent:
$ sudo service datastax-agent restart
- After opscenterd and all agents have been configured and restarted,
verify proper agent connection through the Agent Status tab.
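The procedure above, as an added shell example that is not part of the OpsCenter documentation or the DataStax tooling. It stages the key and certificate produced by setup.py, checks that the certificate really is DER (first byte is the ASN.1 SEQUENCE tag 0x30, not a "-----BEGIN" line) and that the private key has no group or world permission bits, then sets the [agents] SSL options in opscenterd.conf and use_ssl: 1 in address.yaml without discarding other settings in those files, so it can be rerun safely. The file names, default paths and the opscenter user come from this page; the function names, the SSL_DIR and OWNER variables and the stage/check/opscenterd/agent command words are this example's own. It does not restart opscenterd or the agents.

```shell
#!/bin/sh
# Added example, not from the OpsCenter docs or DataStax: stage the OpsCenter
# SSL files, check their format and permissions, and set the SSL options in
# opscenterd.conf and address.yaml without clobbering other settings.
# Defaults are the package-install paths on this page; SSL_DIR and OWNER are
# this example's own variables, and the function arguments may point at copies.
set -eu

SSL_DIR="${SSL_DIR:-/var/lib/opscenter/ssl}"
OWNER="${OWNER:-opscenter:opscenter}"

# cert_format FILE: prints der, pem or unknown. A DER certificate begins with
# the ASN.1 SEQUENCE tag 0x30; a PEM one begins with a "-----BEGIN" line.
cert_format() {
    first=$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$first" = 30 ]; then
        echo der
    elif head -n 1 "$1" | grep -q '^-----BEGIN'; then
        echo pem
    else
        echo unknown
    fi
}

# key_is_private FILE: true only if no group/other bits are set (0600/0400).
# GNU stat first, BSD/macOS stat as the fallback.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# stage_ssl_files SRC DST: copy the key and certificate produced by setup.py
# from SRC into DST, converting a PEM-only certificate to DER with openssl,
# lock the key down, and (when running as root) give both files to OWNER.
stage_ssl_files() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    cp "$src/opscenter.key" "$dst/opscenter.key"
    if [ -f "$src/opscenter.der" ]; then
        cp "$src/opscenter.der" "$dst/opscenter.der"
    else
        openssl x509 -outform der -in "$src/opscenter.pem" -out "$dst/opscenter.der"
    fi
    chmod 600 "$dst/opscenter.key"
    chmod 644 "$dst/opscenter.der"
    [ "$(id -u)" -ne 0 ] || chown "$OWNER" "$dst/opscenter.key" "$dst/opscenter.der"
}

# check_ssl_files DIR: report anything that would stop opscenterd loading the
# key/cert pair from DIR; returns non-zero if a problem was found.
check_ssl_files() {
    dir="$1"; ok=0
    for f in opscenter.key opscenter.der; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f"; ok=1; }
    done
    [ "$ok" -eq 0 ] || return 1
    key_is_private "$dir/opscenter.key" || { echo "opscenter.key is group/world readable"; ok=1; }
    fmt=$(cert_format "$dir/opscenter.der")
    [ "$fmt" = der ] || { echo "opscenter.der is $fmt, not DER (openssl x509 -outform der)"; ok=1; }
    return "$ok"
}

# enable_agents_ssl CONF: set the [agents] SSL keys in opscenterd.conf exactly
# once, keeping other keys in the section and creating it if absent.
enable_agents_ssl() {
    conf="$1"
    settings="use_ssl = true|ssl_keyfile = $SSL_DIR/opscenter.key|ssl_certfile = $SSL_DIR/opscenter.der|agent_keyfile = $SSL_DIR/agentKeyStore|agent_keyfile_raw = $SSL_DIR/agentKeyStore.key|agent_certfile = $SSL_DIR/agentKeyStore.der"
    awk -v settings="$settings" '
        BEGIN {
            n = split(settings, kv, "|")
            for (i = 1; i <= n; i++) { k = kv[i]; sub(/ *=.*/, "", k); want[k] = 1 }
        }
        /^\[/ {                         # section header: emit our keys under [agents]
            in_agents = ($0 == "[agents]")
            print
            if (in_agents) { seen = 1; for (i = 1; i <= n; i++) print kv[i] }
            next
        }
        in_agents {                     # drop stale copies of the keys we set
            k = $0; sub(/^[ \t]+/, "", k); sub(/[ \t]*=.*/, "", k)
            if (k in want) next
        }
        { print }
        END { if (!seen) { print "[agents]"; for (i = 1; i <= n; i++) print kv[i] } }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# set_agent_use_ssl YAML: set use_ssl: 1 in an agent's address.yaml,
# replacing an existing use_ssl line or appending one.
set_agent_use_ssl() {
    awk '/^use_ssl:/ { print "use_ssl: 1"; seen = 1; next }
         { print }
         END { if (!seen) print "use_ssl: 1" }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone use: "stage SRC", "check" and "opscenterd CONF" on the OpsCenter
# host; "agent YAML" on each node. Restart opscenterd/the agent afterwards.
case "${1:-}" in
    stage)      stage_ssl_files "$2" "$SSL_DIR" ;;
    check)      check_ssl_files "$SSL_DIR" ;;
    opscenterd) enable_agents_ssl "$2" ;;
    agent)      set_agent_use_ssl "$2" ;;
esac
```

Run it as root on the OpsCenter host as `sh opscenter-ssl.sh stage /usr/share/opscenter/ssl`, then `sh opscenter-ssl.sh check` before touching opscenterd.conf; a `pem` or `unknown` verdict from the check means the certificate still needs the openssl conversion from Prerequisites. The awk merge keeps other [agents] keys (for example a custom incoming_port) and the other sections untouched, which a plain append would not.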