Deploying CA certificates, custom X509 certificates, and private keys - Adaptive Applications - BlueCat Gateway - 21.3

BlueCat Distributed DDNS Administration Guide

Locale: English | Product name: BlueCat Gateway | Version: 21.3

Once you have generated the CA certificates, custom X509 certificates, and private keys for each Distributed DDNS component, you must associate the certificates and keys with the corresponding components.

You can create custom certificates and keys using the following command:
python3 /opt/bluecat/common/generate_certificates/gen_cert.py \
<dir_containing_ca_key_pair> \
<dir_containing_custom_cert_and_key> \
<key_name> \
<cert_name>
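The page relies on /var/log/gen_ssl.log to confirm that gen_cert.py succeeded. The following script is an added example, not BlueCat code and not part of gen_cert.py: it checks a generated pair the way a practitioner would before restarting a container, namely that the certificate chains to the CA certificate in the CA directory, that the private key actually belongs to that certificate, and that the certificate is inside its validity window. It assumes only the openssl command-line tool; the file names follow the gen_cert.py arguments shown above (ca_cert.pem, <cert_name>, <key_name>), and the throwaway CA and leaf that make_test_pki builds are constructed test data so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not BlueCat code: post-generation checks for a certificate/key
# pair written by gen_cert.py. Only the openssl CLI is assumed; file names
# mirror the page's gen_cert.py arguments (ca_cert.pem, <cert_name>, <key_name>).

# verify_component_cert <ca_cert.pem> <cert.pem> <key.pem>
# Returns 0 only if: (1) the private key parses, (2) cert chains to the given
# CA, (3) the key's public half matches the cert, (4) the cert is not expired.
verify_component_cert() {
    ca="$1"; cert="$2"; key="$3"
    # (1) reject an unreadable or non-key file early
    openssl pkey -in "$key" -noout >/dev/null 2>&1 || {
        echo "FAIL: $key is not a readable private key" >&2; return 1; }
    # (2) chain check against the CA that gen_cert.py was pointed at
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
    # (3) compare SHA-256 of the DER-encoded public key taken from each file
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key is not the private key for $cert" >&2; return 1; }
    # (4) -checkend 0 fails if the certificate has already expired
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: $cert is expired" >&2; return 1; }
    return 0
}

# make_test_pki <dir>: constructed test data (NOT output of gen_cert.py).
# Builds a throwaway CA, a CA-signed leaf pair and one unrelated key in <dir>.
make_test_pki() {
    d="$1"; mkdir -p "$d"
    cat > "$d/test.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Constructed Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$d/test.cnf" \
        -keyout "$d/ca_key.pem" -out "$d/ca_cert.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/test.cnf" \
        -subj "/CN=constructed-leaf" -keyout "$d/leaf_key.pem" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca_cert.pem" -CAkey "$d/ca_key.pem" \
        -CAcreateserial -days 2 -extfile "$d/test.cnf" -extensions leaf_ext \
        -out "$d/leaf_cert.pem" >/dev/null 2>&1
    # a key that belongs to no certificate, to show the mismatch case
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other_key.pem" >/dev/null 2>&1
}

# Stand-alone demo: ./check_cert.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d); make_test_pki "$work"
    verify_component_cert "$work/ca_cert.pem" "$work/leaf_cert.pem" "$work/leaf_key.pem" \
        && echo "leaf pair OK"
    verify_component_cert "$work/ca_cert.pem" "$work/leaf_cert.pem" "$work/other_key.pem" \
        || echo "mismatch detected as expected"
    rm -rf "$work"
fi
```

Against a real node the call is, for instance, verify_component_cert /etc/ddns_ssl/ca/ca_cert.pem /etc/ddns_ssl/mysql/mariadb_server_cert.pem /etc/ddns_ssl/mysql/mariadb_server_key.pem inside the container; a non-zero exit plus the FAIL line tells you which of the three properties is wrong, which gen_ssl.log alone does not.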

Distributed DDNS Data Nodes

  1. Ensure that the ca_key.pem (CA Key) and ca_cert.pem (CA Certificate) have read permissions set for all users using the following commands:
    chmod a+r ca_key.pem
    chmod a+r ca_cert.pem
  2. Copy the ca_cert.pem and ca_key.pem files to each BDDS running the Distributed DDNS Data Node component using the following commands:
    docker cp ca_key.pem <docker-container-name>:/etc/ddns_ssl/ca/
    docker cp ca_cert.pem <docker-container-name>:/etc/ddns_ssl/ca/
  3. On each BDDS running the Distributed DDNS Data Node, log in to the container and run the following commands to create custom certificates:
    docker exec -it <container-name> bash
    python3 /opt/bluecat/common/generate_certificates/gen_cert.py /etc/ddns_ssl/ca/ /etc/ddns_ssl/mysql/ mariadb_server_key.pem mariadb_server_cert.pem
    python3 /opt/bluecat/common/generate_certificates/gen_cert.py /etc/ddns_ssl/ca/ /etc/ddns_ssl/app_db/ app_db_key.pem app_db_cert.pem
  4. Verify that the custom certificates have been successfully created by checking the /var/log/gen_ssl.log file.
  5. Shut down the cluster by stopping each node, one at a time, using the following command:
    docker stop <node_name>
  6. Once you have shut down all nodes, remove all IP addresses of cluster nodes from the cluster configuration file (my.cnf) located at /var/lib/docker/volumes/mariadb-config/_data/my.cnf.
    Note: The IP addresses of cluster nodes are located within the wsrep_cluster_address setting. Remove the addresses so that the setting looks similar to the following:
    wsrep_cluster_address=gcomm://
  7. Restart the one node where the cluster configuration file was edited using the following command:
    docker start <node_name>
  8. Once the first node has successfully started and services have restarted, restart the other nodes.
  9. On the initial node where the cluster configuration file was edited, add the IP addresses of all cluster nodes. The wsrep_cluster_address setting of the /var/lib/docker/volumes/mariadb-config/_data/my.cnf file should look similar to the following:
    wsrep_cluster_address=gcomm://<node1_ip>,<node2_ip>,<node3_ip>
  10. Restart the node that was shut down last.
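Steps 6 and 9 above are both edits to the single wsrep_cluster_address line in my.cnf: emptied to gcomm:// so the first node bootstraps a new cluster, then refilled with every node's address. The script below is an added example, not BlueCat code, that performs those two edits with sed and reads the value back so the state of the file can be checked before each docker start. It assumes the setting appears in the "wsrep_cluster_address=gcomm://..." form the page shows; the container path is the one the page gives, and the sample my.cnf written by write_sample_cnf is constructed for the demo, not a real Distributed DDNS configuration.

```shell
#!/bin/sh
# Added example, not BlueCat code: scripted form of the two wsrep_cluster_address
# edits in the Data Node procedure (step 6: empty list; step 9: full list).
# Assumes the "wsrep_cluster_address=gcomm://..." form shown on the page.

# get_wsrep_address <my.cnf>: prints the current value, e.g. "gcomm://" or
# "gcomm://10.0.0.11,10.0.0.12,10.0.0.13" (first matching line only).
get_wsrep_address() {
    sed -n 's/^[[:space:]]*wsrep_cluster_address[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# set_wsrep_address <my.cnf> <comma-separated node IPs, or empty string>
# Empty list  -> wsrep_cluster_address=gcomm://            (step 6, bootstrap)
# Filled list -> wsrep_cluster_address=gcomm://ip1,ip2,ip3 (step 9)
# Other lines are left untouched. Returns 1 if the setting is absent, so a
# mis-typed path does not silently produce a file with no cluster address.
set_wsrep_address() {
    f="$1"; nodes="$2"
    grep -q '^[[:space:]]*wsrep_cluster_address[[:space:]]*=' "$f" || {
        echo "no wsrep_cluster_address line in $f" >&2; return 1; }
    # write to a temp file and move it into place so a failed sed never
    # leaves my.cnf truncated
    tmp="$f.tmp.$$"
    sed "s#^[[:space:]]*wsrep_cluster_address[[:space:]]*=.*#wsrep_cluster_address=gcomm://$nodes#" \
        "$f" > "$tmp" && mv "$tmp" "$f"
}

# write_sample_cnf <path>: constructed sample file for the demo, NOT a real
# BlueCat my.cnf; only the wsrep_cluster_address line matters here.
write_sample_cnf() {
    cat > "$1" <<'EOF'
[galera]
wsrep_cluster_address=gcomm://10.0.0.11,10.0.0.12,10.0.0.13
wsrep_cluster_name=ddns_cluster
EOF
}

# Stand-alone demo: ./wsrep_address.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); write_sample_cnf "$f"
    echo "before:    $(get_wsrep_address "$f")"
    set_wsrep_address "$f" ""                    # step 6
    echo "bootstrap: $(get_wsrep_address "$f")"
    set_wsrep_address "$f" "10.0.0.11,10.0.0.12,10.0.0.13"   # step 9
    echo "restored:  $(get_wsrep_address "$f")"
    rm -f "$f"
fi
```

On a Data Node the file argument would be /var/lib/docker/volumes/mariadb-config/_data/my.cnf on the host; the ordering the page prescribes (all nodes stopped before step 6, the edited node started first, the address list restored before the last node comes back) still has to be followed by the operator, since the script only changes the file.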

Distributed DDNS Application Node

  1. Ensure that the ca_key.pem (CA Key) and ca_cert.pem (CA Certificate) have read permissions set for all users using the following commands:
    chmod a+r ca_key.pem
    chmod a+r ca_cert.pem
  2. Copy the ca_cert.pem and ca_key.pem files to the host machine running the Distributed DDNS Application Node component using the following commands:
    docker cp ca_key.pem <docker-container-name>:/portal/bluecat_portal/app/certificates/
    docker cp ca_cert.pem <docker-container-name>:/portal/bluecat_portal/app/certificates/
  3. On the BDDS running the Distributed DDNS Application Node, log in to the container and run the following commands to create custom certificates:
    docker exec -it <container-name> bash
    python3 /opt/bluecat/common/generate_certificates/gen_cert.py /portal/bluecat_portal/app/certificates/ /portal/bluecat_portal/app/certificates/ workflow_key.pem workflow_cert.pem
  4. Verify that the custom certificate has been successfully created by checking the /var/log/gen_ssl.log file.
  5. Restart the container using the following command:
    docker restart <container_name>

Distributed DDNS Service Node

  1. Ensure that the ca_key.pem (CA Key) and ca_cert.pem (CA Certificate) have read permissions set for all users using the following commands:
    chmod a+r ca_key.pem
    chmod a+r ca_cert.pem
  2. Copy the ca_cert.pem and ca_key.pem files to each BDDS running the Distributed DDNS Service Node component using the following commands:
    docker cp ca_key.pem <docker-container-name>:/etc/ddns_ssl/ca
    docker cp ca_cert.pem <docker-container-name>:/etc/ddns_ssl/ca
  3. On the BDDS running the Distributed DDNS Service Node, log in to the container and run the following commands to create custom certificates:
    docker exec -it <container-name> bash
    python3 /opt/bluecat/common/generate_certificates/gen_cert.py /etc/ddns_ssl/ca/ /etc/ddns_ssl/app_cs/ api_server_key.pem api_server_cert.pem
  4. Verify that the custom certificate has been successfully created by checking the /var/log/gen_ssl.log file.
  5. Restart the container using the following command:
    docker restart <container_name>