Enabling SSL/TLS for OpsCenter and Agent communication - Package Installs
To enable SSL for package installations, edit the configuration file.
Note: The SSL key generation process is done automatically at package install time. Unless you need to regenerate SSL key files, skip to editing the proper configuration files to enable SSL.
address.yaml
The location of the address.yaml file depends on the type of installation:
- Package installations: /var/lib/datastax-agent/conf/address.yaml
- Tarball installations: install_location/conf/address.yaml
opscenterd.conf
The location of the opscenterd.conf file depends on the type of installation:
- Package installations: /etc/opscenter/opscenterd.conf
- Tarball installations: install_location/conf/opscenterd.conf
Prerequisites
The opscenterd configuration references the OpsCenter certificate in DER format. The following openssl command converts a PEM certificate to DER:
openssl x509 -outform der -in /var/lib/opscenter/ssl/opscenter.pem -out /var/lib/opscenter/ssl/opscenter.der
For more information about SSL cert file formats, see converting SSL certificates.
The setup.py script uses /usr/share/opscenter/conf/ssl.conf, which dictates the certificate common name. Modify the ssl.conf values before running setup.py.
Example ssl.conf
[ req ]
prompt=no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = country_name
ST = state_abbreviation
L = city_name
O = company_name
OU = division_name
CN = common_certificate_name
emailAddress = opscenter.admin@email.com
Procedure
1. If the SSL files already exist in the /usr/share/opscenter/ssl directory, they are not automatically recreated. Before running setup.py in step 3, remove the old SSL files from that directory.
2. Make sure that the /tmp directory does not have the noexec flag set. The setup.py script requires the /tmp directory to have exec permissions. See Setting and securing the tmp directory for the DataStax Agent.
3. Run the OpsCenter setup.py script:
   sudo /usr/share/opscenter/bin/setup.py
   The script generates the SSL keys and certificates used by the OpsCenter daemon and the DataStax Agents to communicate with one another in the following directory: /usr/share/opscenter/ssl.
4. Copy the following files to /var/lib/opscenter/ssl:
   - opscenter.key: OpsCenter SSL private key
   - opscenter.der: OpsCenter SSL certificate
   - agentKeyStore: DataStax Agent keystore
   - agentKeyStore.der: DataStax Agent SSL certificate
   - agentKeyStore.key: DataStax Agent keyfile
   Note: The agentKeyStore.key keyfile is necessary only when configuring high availability (HA), so that the secondary OpsCenter instance can communicate with the primary OpsCenter instance. The failover opscenterd processes on the secondary OpsCenter instance use this key to establish a STOMP connection to the primary opscenterd instance.
   sudo cp /usr/share/opscenter/ssl/opscenter.key /var/lib/opscenter/ssl
   sudo cp /usr/share/opscenter/ssl/opscenter.der /var/lib/opscenter/ssl
   sudo cp /usr/share/opscenter/ssl/agentKeyStore /var/lib/opscenter/ssl
   sudo cp /usr/share/opscenter/ssl/agentKeyStore.der /var/lib/opscenter/ssl
   sudo cp /usr/share/opscenter/ssl/agentKeyStore.key /var/lib/opscenter/ssl
5. Change ownership of the files copied in the previous step to the opscenter user and the opscenter group:
   sudo chown opscenter:opscenter /var/lib/opscenter/ssl/opscenter.key
   sudo chown opscenter:opscenter /var/lib/opscenter/ssl/opscenter.der
   sudo chown opscenter:opscenter /var/lib/opscenter/ssl/agentKeyStore
   sudo chown opscenter:opscenter /var/lib/opscenter/ssl/agentKeyStore.der
6. If configuring HA, change the ownership of the agentKeyStore.key keyfile as well:
   sudo chown opscenter:opscenter /var/lib/opscenter/ssl/agentKeyStore.key
7. Open opscenterd.conf in an editor and add an [agents] section with the use_ssl option set to true:
   sudo vi /etc/opscenter/opscenterd.conf
   [agents]
   use_ssl = true
   ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key
   ssl_certfile = /var/lib/opscenter/ssl/opscenter.der
   agent_keyfile = /var/lib/opscenter/ssl/agentKeyStore
   agent_keyfile_raw = /var/lib/opscenter/ssl/agentKeyStore.key
   agent_certfile = /var/lib/opscenter/ssl/agentKeyStore.der
   Note: The agent_keyfile_raw file is used only in HA configurations.
8. Restart the OpsCenter daemon.
9. If you need to connect to a cluster in which DataStax Agents have already been deployed, log in to each of the nodes and reconfigure the address.yaml file.
   Tip: If you do not want to manually edit all of the node configuration files, follow the procedure to install DataStax Agents automatically.
10. After opscenterd and all DataStax Agents have been configured and restarted, verify proper connection through the Agent Status tab.
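Before restarting opscenterd, it is worth checking that the [agents] section from step 7 points at files that exist, are owned by the opscenter user, and are in the format OpsCenter expects (a DER certificate, not the PEM it was converted from). The following script is an added example and is not part of OpsCenter or the DataStax documentation; it assumes opscenterd.conf is plain INI syntax, and its private-key permission check (no group/world access) is stricter than the chown-only steps above.

```python
import configparser
import os
import pwd
import stat

# Options in [agents] that must name files; agent_keyfile_raw is needed only for HA.
FILE_KEYS = ("ssl_keyfile", "ssl_certfile", "agent_keyfile", "agent_certfile")
HA_FILE_KEYS = ("agent_keyfile_raw",)
PRIVATE_KEYS = ("ssl_keyfile", "agent_keyfile", "agent_keyfile_raw")
CERT_KEYS = ("ssl_certfile", "agent_certfile")


def owner_of(path):
    """User name that owns path (numeric uid if it has no passwd entry)."""
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def check_agents_ssl(conf_path, expected_owner="opscenter", ha=False):
    """Return a list of findings for the [agents] SSL settings; empty means all passed."""
    cp = configparser.ConfigParser()
    cp.read(conf_path)
    if not cp.has_section("agents"):
        return ["no [agents] section in " + conf_path]
    agents, findings = cp["agents"], []
    if agents.get("use_ssl", "false").strip().lower() != "true":
        findings.append("use_ssl is not true")
    for key in FILE_KEYS + (HA_FILE_KEYS if ha else ()):
        path = agents.get(key)
        if not path or not os.path.isfile(path):
            findings.append("%s: file missing (%s)" % (key, path))
            continue
        if owner_of(path) != expected_owner:
            findings.append("%s: not owned by %s" % (key, expected_owner))
        # Keys and keystores should be readable by the opscenter user only (stricter than chown alone).
        if key in PRIVATE_KEYS and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("%s: group/world accessible" % key)
        if key in CERT_KEYS:
            with open(path, "rb") as fh:
                head = fh.read(11)
            if head.startswith(b"-----BEGIN"):
                findings.append("%s: PEM file, convert to DER" % key)
            elif head[:1] != b"\x30":  # a DER certificate opens with an ASN.1 SEQUENCE tag
                findings.append("%s: not a DER certificate" % key)
    return findings
```

Run it as check_agents_ssl("/etc/opscenter/opscenterd.conf") on the OpsCenter host (add ha=True for an HA setup) and fix anything it lists before restarting the daemon.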