Placing Signed SSL Certificates on the Appliances

Overview

This document provides instructions on how to place signed SSL certificates on the Stratusphere Hub, Database, and Collector appliances. Apart from getting rid of the alarming warning each time the Stratusphere Hub Web UI is accessed, placing a signed SSL certificate provides verifiable identification and security compliance to administrators and users accessing the Web UI of Stratusphere.

These instructions apply to Stratusphere Hub, Database, and Collector version 5.6.0 and higher. If using an older version of Stratusphere, upgrade to the latest version or contact Support@Liquidware.com for additional information to upgrade.

Preparation

  1. Procure any change controls required to make changes to the production Stratusphere Hub & Database appliances.
  2. Acquire credentials of the friend and root users to access the console of the Stratusphere Hub, Database, and Collector appliances.
  3. Procure access to the local console of the Stratusphere Hub, Database, and Collector Appliances depending on the hypervisor on which the Hub is housed. Alternatively, PuTTY can also be used to access the console of the Hub, Database, and Collector provided SSH (TCP/22) access is allowed to the appliances.
  4. Download and install WinSCP or FileZilla or similar software to download and upload certificate request and SSL Certificate files.
  5. Be aware that you will need to start the initial steps to prepare the SSL certificate request, pause in the middle of the instructions as you submit the request to the Certifying Authority (CA), and then receive your certificate. This may take minutes, hours, or even days depending on your CA. You will then use the new certificate to complete the process.

Install an SSL Certificate on a Stratusphere Hub Appliance

To prepare the certificate request, start with these initial steps:

  1. Log in to the Stratusphere Hub appliance local console using the following credentials:
    • User ID: friend
    • Password: sspassword
  2. Switch to the root user using the following command and enter the password when prompted. The default password is sspassword:
    su -
  3. Change to the following folder using the command:
    cd /home/friend
  4. Enter the following commands:
    openssl genrsa 2048 > /etc/lwl/ssl/ssl.key.2048
    cp /etc/lwl/ssl/ssl.key /etc/lwl/ssl/ssl.key.original
  5. Generate a certificate request on the Stratusphere Hub using the existing SSL Key.
    openssl req -key /etc/lwl/ssl/ssl.key.2048 -out hubcertrequest.csr -new -sha256
  6. When prompted for a common name, provide your Hub’s fully qualified DNS name.
    common name: <hubdnsname.domain.com>
  7. The certificate request is generated in the following location:
    /home/friend/hubcertrequest.csr
  8. Enter the following to change ownership of the file so that it is accessible using the friend user:
    chown friend:friend /home/friend/hubcertrequest.csr
  9. Use WinSCP or FileZilla or similar software to download this certificate request /home/friend/hubcertrequest.csr file to your local desktop. In WinSCP or FileZilla, use the User ID friend and the password sspassword as credentials within the program. Use the SCP protocol with WinSCP (Port 22).
  10. Provide this certificate request file to your security provider or Certifying Authority and request that they provide the SSL Certificate specifically in base64 / PEM format. For these instructions, call the SSL Certificate file hubsslcert.crt. When you see references to hubsslcert.crt in this document, you should substitute the actual name of the SSL Certificate file you received from your security provider or Certifying Authority.
  11. Important: Pause here until you receive your SSL certificate from your provider, then complete the process using the following instructions.

  12. Use WinSCP or FileZilla or similar software to upload the hubsslcert.crt SSL Certificate file to your Stratusphere Hub in the /home/friend/hubsslcert.crt location. In WinSCP or FileZilla, use the User ID friend and the password sspassword as credentials within the program. Use the SCP protocol with WinSCP (Port 22).
  13. On the Stratusphere Hub local console, while still logged in as the root user, make a copy of the original SSL certificate as a backup:
    cp /etc/lwl/ssl/ssl.crt /etc/lwl/ssl/ssl.crt.orig
  14. Place the new key and certificate in place of the original and modify the file permissions as follows:
    cp /etc/lwl/ssl/ssl.key.2048 /etc/lwl/ssl/ssl.key
    mv /home/friend/hubsslcert.crt /etc/lwl/ssl/ssl.crt
    chown root:root /etc/lwl/ssl/ssl.crt
    chmod 644 /etc/lwl/ssl/ssl.crt
    chmod 640 /etc/lwl/ssl/ssl.key
    restorecon -RF /etc/lwl/ssl
  15. Restart the Web Server to load the newly added SSL Certificate.
    • On versions up to 6.1.1, use the following command:
      /etc/init.d/httpd restart
    • On versions 6.1.3 to 6.1.5, use the following command:
      /etc/init.d/lwl-httpd24 restart
    • On versions 6.5.0 and higher, use the following command:
      systemctl restart httpd
  16. Using your browser of choice, log into the Stratusphere Hub Web UI. Ensure that the UI Login page shows with no certificate-related warning. Also verify the information within the certificate provided by the browser address bar.

Instructions for the Stratusphere Database Appliance

To prepare the certificate request, complete the following initial steps:

  1. On the Stratusphere Database appliance local console, log in using the following credentials:
    • User ID: friend
    • Password: sspassword
  2. Switch to the root user using the following command and enter the password when prompted. The default password is sspassword.
    su -
  3. Change to the following folder using the command:
    cd /home/friend
  4. Enter the following commands:
    openssl genrsa 2048 > /var/lib/pgsql/current/data/server.key.2048
    cp /var/lib/pgsql/current/data/server.key /var/lib/pgsql/current/data/server.key.original
  5. Generate a certificate request on the Stratusphere Database using the existing SSL Key.
    openssl req -key /var/lib/pgsql/current/data/server.key.2048 -out dbcertrequest.csr -new -sha256
  6. When prompted for common name, make sure you provide your database’s fully qualified DNS name.
    common name: <dbdnsname.domain.com>
  7. The certificate request is generated in the following location:
    /home/friend/dbcertrequest.csr
  8. Change ownership of the file so that it is accessible using the friend user.
    chown friend:friend /home/friend/dbcertrequest.csr
  9. Use WinSCP or FileZilla or similar software to download this certificate request /home/friend/dbcertrequest.csr file to your local desktop. In WinSCP or FileZilla, use the User ID friend and the password sspassword as credentials within the program. Use the SCP protocol with WinSCP (Port 22).
  10. Provide this certificate request file to your security provider or Certifying Authority and request that they provide the SSL Certificate specifically in base64 / PEM format. For these instructions, call the SSL Certificate file server.crt. When you see references to server.crt in this document, you should substitute the actual name of the SSL Certificate file you received from your security provider or Certifying Authority.
  11. Important: Pause here until you receive your SSL certificate from your provider, then complete the process using the following instructions.

  12. Use WinSCP or FileZilla or similar software to upload the server.crt SSL Certificate file to your Stratusphere database in the /home/friend/server.crt location. In WinSCP or FileZilla, use the User ID friend and the password sspassword as credentials within the program. Use the SCP protocol with WinSCP (Port 22).
  13. On the Stratusphere Database local console, while still logged in as the root user, make a copy of the original SSL certificate as a backup:
    cp /var/lib/pgsql/current/data/server.crt /var/lib/pgsql/current/data/server.crt.orig
  14. Place the new key and certificate in place of the original and modify the file permissions as follows:
    cp /var/lib/pgsql/current/data/server.key.2048 /var/lib/pgsql/current/data/server.key
    mv /home/friend/server.crt /var/lib/pgsql/current/data/server.crt
    chown postgres:postgres /var/lib/pgsql/current/data/server.crt
    chmod 400 /var/lib/pgsql/current/data/server.crt
    chown postgres:postgres /var/lib/pgsql/current/data/server.key
    chmod 400 /var/lib/pgsql/current/data/server.key
  15. Restart the database server to load the newly added SSL Certificate:
    • On versions prior to 6.5.0, use the following command:
      /etc/init.d/postgresql<PRESS-TAB-KEY> restart
    • On versions 6.5.0 and higher, use the following command:
      systemctl restart postgresql-12

Instructions for the Stratusphere Collector Appliance

To prepare the certificate request, complete the following initial steps:

  1. On the Stratusphere Collector appliance local console, log in using the following credentials:
    • User ID: friend
    • Password: sspassword
  2. Switch to the root user using the following command and enter the password when prompted. The default password is sspassword.
    su -
  3. Change to the following folder using the command:
    cd /home/friend
  4. Enter the following commands:
    openssl genrsa 2048 > /etc/lwl/ssl/ssl.key.2048
    cp /etc/lwl/ssl/ssl.key /etc/lwl/ssl/ssl.key.original
  5. Generate a certificate request on the Stratusphere Collector using the existing SSL Key.
    openssl req -key /etc/lwl/ssl/ssl.key.2048 -out colcertrequest.csr -new -sha256
  6. When prompted for common name, provide your Collector’s fully qualified DNS name.
    common name: <coldnsname.domain.com>
  7. The certificate request is generated in the following location:
    /home/friend/colcertrequest.csr
  8. Change ownership of the file so that it is accessible using the friend user.
    chown friend:friend /home/friend/colcertrequest.csr
  9. Use WinSCP or FileZilla or similar software to download this certificate request /home/friend/colcertrequest.csr file to your local desktop. In WinSCP or FileZilla, use the User ID friend and password sspassword as credentials within the program. Use the SCP protocol with WinSCP (Port 22).
  10. Provide this certificate request file to your security provider or Certifying Authority and request that they provide the SSL Certificate specifically in base64 / PEM format.
  11. For these instructions, call the SSL Certificate file colsslcert.crt. When you see references to colsslcert.crt in this document, you should substitute the actual name of the SSL Certificate file you received from your security provider or Certifying Authority.
  12. Important: Pause here until you receive your SSL certificate from your provider, then complete the process using the following instructions.

  13. Use WinSCP or FileZilla or similar software to upload the colsslcert.crt SSL Certificate file to your Stratusphere Hub in the /home/friend/colsslcert.crt location. In WinSCP or FileZilla, use the User ID friend and the password sspassword as credentials within the program. Use the SCP protocol with WinSCP (Port 22).
  14. On the Stratusphere Collector local console, while still logged in as the root user, make a copy of the original SSL certificate as a backup:
    cp /etc/lwl/ssl/ssl.crt /etc/lwl/ssl/ssl.crt.orig
  15. Place the new key and certificate in place of the original and modify the file permissions as follows:
    cp /etc/lwl/ssl/ssl.key.2048 /etc/lwl/ssl/ssl.key
    mv /home/friend/colsslcert.crt /etc/lwl/ssl/ssl.crt
    chown root:root /etc/lwl/ssl/ssl.crt
    chmod 644 /etc/lwl/ssl/ssl.crt
    chmod 640 /etc/lwl/ssl/ssl.key
    restorecon -RF /etc/lwl/ssl
  16. Restart the Collector to load the newly added SSL Certificate.
    • On versions up to 6.1.1, use the following command:
      /etc/init.d/httpd restart
    • On versions 6.1.3 to 6.1.5, use the following command:
      /etc/init.d/lwl-httpd24 restart
    • On versions 6.5.0 and higher, use the following command:
      systemctl restart httpd
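
The Hub, Database, and Collector procedures above all replace the live key and certificate and then restart the service, so it helps to confirm beforehand that the file returned by the CA is PEM, belongs to the .2048 key generated earlier, covers the appliance's DNS name, and that the key is not world-readable. The script below is an added example, not part of the Liquidware instructions; the function names and the script name precheck.sh are hypothetical, and it assumes the openssl command already used in the steps above.

```shell
#!/bin/sh
# Added example: checks to run on a CA-issued certificate before installing it.

# True if the file is a PEM (base64) certificate, not DER or PKCS#7.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# True if the certificate's public key is the one derived from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate is valid for the given DNS name (SAN, else CN).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# True if the certificate has not expired yet.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# True if users other than the owner and group cannot read the key file.
key_not_world_readable() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Run every check; print each failure and return non-zero if any failed.
preinstall_check() {
    cert=$1; key=$2; fqdn=$3; rc=0
    is_pem_cert "$cert"              || { echo "FAIL: not a PEM certificate: $cert"; rc=1; }
    cert_matches_key "$cert" "$key"  || { echo "FAIL: certificate does not match $key"; rc=1; }
    cert_covers_host "$cert" "$fqdn" || { echo "FAIL: certificate is not valid for $fqdn"; rc=1; }
    cert_not_expired "$cert"         || { echo "FAIL: certificate has expired"; rc=1; }
    key_not_world_readable "$key"    || { echo "FAIL: $key is world-readable"; rc=1; }
    return $rc
}

# Usage: sh precheck.sh <cert.crt> <private.key> <fqdn>
if [ $# -eq 3 ]; then preinstall_check "$@"; fi
```

On the Hub, for example, run it as root with /home/friend/hubsslcert.crt, /etc/lwl/ssl/ssl.key.2048 and the Hub's fully qualified DNS name before copying the files into place; no output and exit status 0 means every check passed.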