Update Groundplex certificate
Groundplexes ship with a self-signed certificate. Clients will accept this certificate only if the client is configured to accept all certificates, or if the load balancer that distributes requests to the Groundplex nodes:
- Has a CA certificate
- Is configured to terminate connections
If your clients or load balancer can't be configured in this way, you need to use your own CA certificate on your Groundplexes. Use either a wildcard certificate or a unique certificate per node, update the keystore on each Snaplex node, and restart it.
Update the certificate on a Linux machine
- Create a backup copy of the jcc-serverkeys.jks file.
  Linux default: /etc/snaplogic/jcc-serverkeys.jks
- Concatenate your signed, intermediate, and root certificate PEM files, in that order, into a single file:
  $ cat <CA-SIGNED-PEM> <CA-INTERMEDIATE-PEM> <CA-ROOT-PEM> > sl-ca-chain.pem
- Use the following openssl command to generate key_no_pass.pem, where <PRIVATE_KEY> is the PEM-encoded private key that was used to create the CSR. If the private key is protected by a password, you must enter it to generate key_no_pass.pem:
  $ openssl rsa -in <PRIVATE_KEY> -out key_no_pass.pem
- Use the following openssl command to generate the PFX file. The PFX (PKCS#12) file is the container format that stores the private key together with the certificate chain. The -password option reads the keystore password from the JCC's .pass file; the file: prefix is required, because openssl rejects a bare password value as an invalid password argument:
  $ openssl pkcs12 -inkey key_no_pass.pem -in sl-ca-chain.pem -export -out sl-ca-chain.p12 -name jetty -password file:/etc/snaplogic/jcc-serverkeys.pass
- Use the keytool command to import the PFX file into jcc-serverkeys.jks, where <PATH-TO-SL-CA-CHAIN-P12> is the absolute path to the sl-ca-chain.p12 file created earlier:
  $ keytool -importkeystore -srckeystore <PATH-TO-SL-CA-CHAIN-P12> -srcstoretype PKCS12 -srcstorepass $(cat /etc/snaplogic/jcc-serverkeys.pass) -destkeystore /etc/snaplogic/jcc-serverkeys.jks -deststoretype JCEKS -deststorepass $(cat /etc/snaplogic/jcc-serverkeys.pass)
- Use the SnapLogic Dashboard to restart the Groundplex node. Check that the node enters a steady state, and allow time for running pipelines to complete.
- (Optional) Use the openssl command to verify that the TLS (SSL) certificate served by the node matches the CA-signed certificate, where <SECURE-PORT> is 8081 (default) for a Groundplex node or 8084 (default) for a FeedMaster node:
  $ openssl s_client -connect localhost:<SECURE-PORT>
- Repeat the required steps for all nodes.
Update the certificate on a Windows machine
You need the following:
- OpenSSL.
- The .pass keys generated by the JCC on a Linux machine in the /etc/snaplogic folder.
Then:
- Copy the .pass keys onto your Windows machine.
- Create a backup copy of the jcc-serverkeys.jks file.
  Default location: C:\opt\snaplogic\etc\jcc-serverkeys.jks
- Concatenate your signed, intermediate, and root certificate PEM files, in that order, into a single file:
  $ cat <CA-SIGNED-PEM> <CA-INTERMEDIATE-PEM> <CA-ROOT-PEM> > sl-ca-chain.pem
- Use the following openssl command to generate key_no_pass.pem, where <PRIVATE_KEY> is the PEM-encoded private key that was used to create the CSR. If the private key is protected by a password, you must enter it to generate key_no_pass.pem:
  $ openssl rsa -in <PRIVATE_KEY> -out key_no_pass.pem
- Use the following openssl command to generate the PFX (PKCS#12) file. The -password option reads the keystore password from the copied .pass file; the file: prefix is required, because openssl rejects a bare password value as an invalid password argument:
  $ openssl pkcs12 -inkey key_no_pass.pem -in sl-ca-chain.pem -export -out sl-ca-chain.p12 -name jetty -password file:\opt\etc\snaplogic\jcc-serverkeys.pass
- Use the keytool command to import the PFX file into jcc-serverkeys.jks, where <PATH-TO-SL-CA-CHAIN-P12> is the absolute path to the sl-ca-chain.p12 file created earlier. The keystore and .pass paths below are the Windows locations used in the previous steps:
  $ keytool -importkeystore -srckeystore <PATH-TO-SL-CA-CHAIN-P12> -srcstoretype PKCS12 -srcstorepass $(cat \opt\etc\snaplogic\jcc-serverkeys.pass) -destkeystore C:\opt\snaplogic\etc\jcc-serverkeys.jks -deststoretype JCEKS -deststorepass $(cat \opt\etc\snaplogic\jcc-serverkeys.pass)
- Use the SnapLogic Dashboard to restart the Groundplex node. Check that the node enters a steady state, and allow time for running pipelines to complete.
- (Optional) Use the openssl command to verify that the TLS (SSL) certificate served by the node matches the CA-signed certificate, where <SECURE-PORT> is 8081 (default) for a Groundplex node or 8084 (default) for a FeedMaster node:
  $ openssl s_client -connect localhost:<SECURE-PORT>
- Repeat the above steps for all applicable nodes.
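The following POSIX shell script is an added end-to-end example of the procedure above; it is not SnapLogic's own tooling and does not come from this page. It wraps the page's openssl and keytool commands in functions and adds the two checks a practitioner wants before restarting a node: that the private key matches the leaf certificate, and that the chain validates against the root. It assumes the page's Linux default paths (/etc/snaplogic/jcc-serverkeys.jks and jcc-serverkeys.pass) unless overridden by the JCC_KEYSTORE and JCC_PASSFILE environment variables; those variable names, and the function names (build_chain, key_matches_cert, verify_chain, export_pkcs12, import_into_jks, and the rest), are this example's own. The Windows procedure is the same apart from file locations.

```shell
#!/bin/sh
# Added example (not SnapLogic's own tooling): build the chain, check that the
# private key matches the leaf certificate, verify the chain against the root,
# package key + chain as PKCS#12 and import it into the JCC keystore.
# The keystore password is read with OpenSSL's "file:" source, so it never
# appears on the command line or in the process list.
set -eu

# Page defaults for Linux; override via the environment (example's own names).
JCC_KEYSTORE=${JCC_KEYSTORE:-/etc/snaplogic/jcc-serverkeys.jks}
JCC_PASSFILE=${JCC_PASSFILE:-/etc/snaplogic/jcc-serverkeys.pass}

# build_chain <out.pem> <leaf.pem> [<intermediate.pem> ...] <root.pem>
# Leaf first, then intermediates, then root: the order the page prescribes.
build_chain() {
  out=$1; shift
  cat "$@" > "$out"
}

# strip_key_password <key.pem> <key_no_pass.pem>
# Same job as the page's "openssl rsa" step but algorithm-agnostic (RSA or EC);
# prompts for the passphrase if the key is encrypted.
strip_key_password() {
  openssl pkey -in "$1" -out "$2"
}

# key_matches_cert <key.pem> <chain.pem>: succeeds when the key's public half
# equals the public key inside the first (leaf) certificate of the chain.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey \
             | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  [ "$key_pub" = "$cert_pub" ]
}

# verify_chain <chain.pem> <root.pem>: the leaf (first cert in chain.pem) must
# chain to the root via the intermediates that chain.pem also carries.
verify_chain() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" > /dev/null
}

# export_pkcs12 <key_no_pass.pem> <chain.pem> <pass-file> <out.p12>
# Bundles key and full chain under the alias "jetty" that the JCC expects.
export_pkcs12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -name jetty \
      -password "file:$3" -out "$4"
}

# import_into_jks <chain.p12> <pass-file> <keystore.jks>: the page's keytool
# step; the same password protects the PKCS#12 and the JCEKS keystore.
import_into_jks() {
  pass=$(cat "$2")
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
      -srcstorepass "$pass" -destkeystore "$3" -deststoretype JCEKS \
      -deststorepass "$pass"
}

# file_cert_fingerprint <cert-or-chain.pem>: SHA-256 fingerprint of the first
# certificate, to compare with what the node serves after the restart.
file_cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# served_cert_fingerprint <host> <port>: fingerprint of the leaf the node
# presents (8081 for a Groundplex, 8084 for a FeedMaster by default).
served_cert_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" < /dev/null 2> /dev/null \
      | openssl x509 -noout -fingerprint -sha256
}

# main <leaf.pem> <intermediate.pem> <root.pem> <private-key.pem>
main() {
  [ $# -eq 4 ] || { echo "usage: $0 LEAF INTERMEDIATE ROOT KEY" >&2; return 1; }
  cp "$JCC_KEYSTORE" "$JCC_KEYSTORE.bak"          # the page's backup step
  build_chain sl-ca-chain.pem "$1" "$2" "$3"
  strip_key_password "$4" key_no_pass.pem
  key_matches_cert key_no_pass.pem sl-ca-chain.pem \
      || { echo "private key does not match the signed certificate" >&2; return 1; }
  verify_chain sl-ca-chain.pem "$3"
  export_pkcs12 key_no_pass.pem sl-ca-chain.pem "$JCC_PASSFILE" sl-ca-chain.p12
  import_into_jks "$PWD/sl-ca-chain.p12" "$JCC_PASSFILE" "$JCC_KEYSTORE"
  echo "Imported. After restarting the node, compare this with served_cert_fingerprint localhost 8081:"
  file_cert_fingerprint sl-ca-chain.pem
}

# Run the full procedure only when arguments are given, so the functions can
# also be sourced and used one at a time.
[ $# -eq 0 ] || main "$@"
```

After the node restarts, `served_cert_fingerprint localhost 8081` should print the same fingerprint as `file_cert_fingerprint sl-ca-chain.pem`; a difference means the node is still serving the old keystore entry. The key/certificate match check is worth running before the import: a mismatched key is still imported happily by keytool and only shows up as a handshake failure after the restart.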