Update Groundplex certificate

Groundplexes ship with a self-signed certificate. This certificate is sufficient for client validation only if the client is configured to accept all certificates, or if the load balancer that distributes requests to the Groundplex nodes:

  • Has its own CA certificate
  • Is configured to terminate TLS connections

If your clients or load balancer can't be configured in this way, you need to use your own CA certificate on your Groundplexes. Use either a wildcard certificate or a unique certificate per node, update the keystore on each Snaplex node, and restart it.

Update the certificate on a Linux machine

  1. Create a backup copy of the /etc/snaplogic/jcc-serverkeys.jks file.

    Linux default: /etc/snaplogic/jcc-serverkeys.jks

  2. Concatenate your signed, intermediate, and root certificate PEM files into a single file:
    $ cat <CA-SIGNED-PEM> <CA-INTERMEDIATE-PEM> <CA-ROOT-PEM> > sl-ca-chain.pem
  3. Use the following openssl command to generate key_no_pass.pem, where <PRIVATE_KEY> is the PEM-encoded private key used to create the CSR. If the private key is protected by a password, you must provide it when prompted.
    $ openssl rsa -in <PRIVATE_KEY> -out key_no_pass.pem
  4. Use the following openssl command to generate the PFX file. The PFX (PKCS#12) file is the container format for storing the private key and certificate chain.
    $ openssl pkcs12 -inkey key_no_pass.pem -in sl-ca-chain.pem -export -out sl-ca-chain.p12 -name jetty -password file:/etc/snaplogic/jcc-serverkeys.pass
  5. Use the keytool command to import the PFX file into jcc-serverkeys.jks:
    $ keytool -importkeystore -srckeystore <PATH-TO-SL-CA-CHAIN-P12> -srcstoretype PKCS12 -srcstorepass $(cat /etc/snaplogic/jcc-serverkeys.pass) -destkeystore /etc/snaplogic/jcc-serverkeys.jks -deststoretype JCEKS -deststorepass $(cat /etc/snaplogic/jcc-serverkeys.pass)

    where <PATH-TO-SL-CA-CHAIN-P12> is the absolute path to the sl-ca-chain.p12 file created earlier.

  6. Use the SnapLogic Dashboard to restart the Groundplex node. Check to make sure that the node enters a steady state and allow time for running pipelines to complete.

  7. (Optional) Use the openssl command to verify that the TLS (SSL) certificate served by the node matches the CA-signed TLS (SSL) certificate.

    $ openssl s_client -connect localhost:<SECURE-PORT>

    where <SECURE-PORT> is 8081 (default) for a Groundplex or 8084 (default) for a FeedMaster node.

  8. Repeat the required steps for all nodes.

Update the certificate on a Windows machine

Prerequisites
  • OpenSSL.
  • The .pass keys generated by the JCC on a Linux machine in the /etc/snaplogic folder.
  1. Copy the .pass keys onto your Windows machine.
  2. Create a backup copy of the jcc-serverkeys.jks file.

    Default location: C:\opt\snaplogic\etc\jcc-serverkeys.jks

  3. Concatenate your signed, intermediate, and root certificate PEM files into a single file:

    $ cat <CA-SIGNED-PEM> <CA-INTERMEDIATE-PEM> <CA-ROOT-PEM> > sl-ca-chain.pem
  4. Use the following openssl command to generate key_no_pass.pem, where <PRIVATE_KEY> is the PEM-encoded private key used to create the CSR. If the private key is protected by a password, you must provide it when prompted.
    $ openssl rsa -in <PRIVATE_KEY> -out key_no_pass.pem
  5. Use the following openssl command to generate the PFX file.
    $ openssl pkcs12 -inkey key_no_pass.pem -in sl-ca-chain.pem -export -out sl-ca-chain.p12 -name jetty -password file:\opt\etc\snaplogic\jcc-serverkeys.pass
  6. Use the keytool command to import the PFX file into jcc-serverkeys.jks.
    $ keytool -importkeystore -srckeystore <PATH-TO-SL-CA-CHAIN-P12> -srcstoretype PKCS12 -srcstorepass $(cat /etc/snaplogic/jcc-serverkeys.pass) -destkeystore /etc/snaplogic/jcc-serverkeys.jks -deststoretype JCEKS -deststorepass $(cat /etc/snaplogic/jcc-serverkeys.pass)

    where <PATH-TO-SL-CA-CHAIN-P12> is the absolute path to the sl-ca-chain.p12 file created earlier.

  7. Use the SnapLogic Dashboard to restart the Groundplex node. Check to make sure that the node enters a steady state and allow time for running pipelines to complete.

  8. (Optional) Use the openssl command to verify that the TLS (SSL) certificate served by the node matches the CA-signed TLS (SSL) certificate.

    $ openssl s_client -connect localhost:<SECURE-PORT>

    where <SECURE-PORT> is 8081 (default) for a Groundplex or 8084 (default) for a FeedMaster node.

  9. Repeat the above steps for all applicable nodes.
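Two checks that bracket the Linux and Windows procedures above, as an added sh script that is not part of the original page or of SnapLogic's tooling: one validates the inputs before the PKCS#12 file is built (a key that does not belong to the CA-signed certificate, or a chain file missing its intermediate, fails here instead of after the node restart), the other performs the step-8 comparison of the served certificate against the CA-signed one by fingerprint. It assumes the OpenSSL CLI is on PATH and a POSIX shell, which the Windows steps already rely on; the file names are the procedure's own.

```shell
#!/bin/sh
# Added example, not SnapLogic's own tooling. Assumes the OpenSSL CLI is on
# PATH; the file names are the ones used in the procedure above.
set -eu

# Usage: check_chain_inputs <CA-SIGNED-PEM> sl-ca-chain.pem <CA-ROOT-PEM> key_no_pass.pem
check_chain_inputs() {
  leaf=$1; chain=$2; root=$3; key=$4
  # The private key must belong to the CA-signed certificate: compare the
  # public key (SubjectPublicKeyInfo) derived from each side.
  cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "$key does not match $leaf" >&2
    return 1
  fi
  # The concatenated chain must lead from the leaf to the root: the root is
  # the only trust anchor, the chain file supplies the intermediate(s). A
  # missing or wrongly ordered intermediate makes this fail.
  openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null
}

# Usage: served_cert_matches <host>:<SECURE-PORT> <CA-SIGNED-PEM>
# Succeeds only when the certificate the node serves has the same SHA-256
# fingerprint as the CA-signed certificate on disk (the optional final step).
served_cert_matches() {
  expected=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  actual=$(openssl s_client -connect "$1" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256)
  [ "$expected" = "$actual" ]
}
```

Run `check_chain_inputs` after step 4 and `served_cert_matches localhost:8081 <CA-SIGNED-PEM>` after the restart; a non-zero exit from either means the keystore should not be (or was not) rebuilt from these files.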