Change Groundplex certificate
Groundplexes ship with a self-signed CA certificate. Clients can validate it only if they are configured to accept all certificates (which disables server authentication and should be limited to test environments), or if the load balancer distributing requests to the Groundplex nodes:
- Presents a CA-signed certificate that your clients trust
- Is configured to terminate TLS connections, so the self-signed certificate is seen only on the load-balancer-to-node leg
If your clients or load balancer can't be configured in this way, install your own CA-signed certificate on your Groundplexes. Use either a wildcard certificate shared by all nodes or a unique certificate per node, update the keystore on each Snaplex node, and restart it.
To update the certificate on a node:
- Create a backup copy of the /etc/snaplogic/jcc-serverkeys.jks file.
- Concatenate your certificate's PEM-encoded files into a single file, leaf certificate first, then intermediate, then root:
  $ cat CA-SIGNED-PEM CA-INTERMEDIATE-PEM CA-ROOT-PEM > sl-ca-chain.pem
  Where:
  CA-SIGNED-PEM is the CA-signed TLS (SSL) certificate (PEM encoded).
  CA-INTERMEDIATE-PEM is the CA intermediate certificate (PEM encoded).
  CA-ROOT-PEM is the CA root certificate (PEM encoded).
- Use the following openssl command to write an unencrypted copy of the private key to key_no_pass.pem. If the private key is password protected, openssl prompts for the password:
  $ openssl rsa -in PRIVATE_KEY -out key_no_pass.pem
  Where:
  PRIVATE_KEY is the private key used to create the CSR (PEM encoded).
  key_no_pass.pem holds the unencrypted private key: keep it readable only by the user running this procedure and delete it once the keystore import succeeds. For a non-RSA (for example EC) key, use openssl pkey instead of openssl rsa.
- Use the following openssl command to generate the PKCS#12 (PFX) file, with the entry named jetty and protected by the existing keystore password:
  $ openssl pkcs12 -inkey key_no_pass.pem -in sl-ca-chain.pem -export -out sl-ca-chain.p12 -name jetty -password file:/etc/snaplogic/jcc-serverkeys.pass
  The file: prefix tells openssl to read the password from the first line of the file. openssl expects a password source such as file:PATH or pass:PASSWORD here; a bare password is rejected as an invalid password argument, and passing it on the command line would also expose it in the process list.
- Use the keytool command to import the PFX file into jcc-serverkeys.jks:
  $ keytool -importkeystore -srckeystore PATH-TO-SL-CA-CHAIN-P12 -srcstoretype PKCS12 -srcstorepass $(cat /etc/snaplogic/jcc-serverkeys.pass) -destkeystore /etc/snaplogic/jcc-serverkeys.jks -deststoretype JCEKS -deststorepass $(cat /etc/snaplogic/jcc-serverkeys.pass)
  Where:
  PATH-TO-SL-CA-CHAIN-P12 is the absolute path to the sl-ca-chain.p12 file created earlier.
  If the keystore already contains an entry named jetty, keytool asks whether to overwrite it; answer yes (or add -noprompt) so that the new certificate replaces the self-signed one.
- Use the SnapLogic Dashboard to restart the Groundplex node. Check that the node enters a steady state, and allow time for running Pipelines to complete.
- (Optional) Use the openssl command to verify that the TLS (SSL) certificate served by the node matches the CA-signed TLS (SSL) certificate:
  $ openssl s_client -connect localhost:SECURE-PORT
  Where:
  SECURE-PORT is 8081 (default) for a Groundplex or 8084 (default) for a FeedMaster node.
  Compare the served certificate with the one you imported; a quick check is to pipe the s_client output to openssl x509 -noout -fingerprint -sha256 and compare the result with the same command run on CA-SIGNED-PEM.
Repeat the required steps for all nodes.
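The procedure above as one script, added here as an example and not SnapLogic's own tooling. It follows the page's steps but adds the checks a practitioner wants before touching the keystore: that the private key really belongs to the leaf certificate, that the leaf chains to the root through the intermediate, that the unencrypted key copy is created with mode 0600 and removed afterwards, and that the keystore password reaches openssl through a file: source rather than the command line. Assumptions: the keystore and password file paths and the jetty alias are taken from the page; the function names, the PASSIN environment variable for an encrypted private key, the use of openssl pkey (which also handles EC keys) in place of openssl rsa, the -noprompt flag on keytool and the script name are this example's own choices.

```shell
#!/bin/sh
# Rebuild the Groundplex keystore entry from a CA-signed certificate.
# Added example for this page; not SnapLogic's own tooling. Paths and the
# "jetty" alias come from the page; everything else is a local choice.
set -eu

KEYSTORE=${KEYSTORE:-/etc/snaplogic/jcc-serverkeys.jks}
PASSFILE=${PASSFILE:-/etc/snaplogic/jcc-serverkeys.pass}

# SHA-256 fingerprint of a PEM certificate ("SHA256 Fingerprint=AB:CD:...").
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Concatenate leaf, intermediate and root into the chain file the node will serve.
build_chain() {  # leaf intermediate root out
    cat "$1" "$2" "$3" > "$4"
}

# Fail unless the private key belongs to the leaf certificate: compare the public
# key embedded in the certificate with the one derived from the private key.
# PASSIN (assumed, optional) is an openssl password source (pass:..., file:...,
# env:...) for an encrypted key.
key_matches_cert() {  # key cert
    [ "$(openssl pkey -in "$1" ${PASSIN:+-passin "$PASSIN"} -pubout)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Verify that the leaf chains to the root through the intermediate before anything
# is imported; a broken chain otherwise shows up only as client-side failures later.
verify_chain() {  # leaf intermediate root
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
}

# Write an unencrypted copy of the key with mode 0600. openssl pkey handles RSA and
# EC keys; the page uses openssl rsa, which is RSA-only.
strip_key_passphrase() {  # key out
    ( umask 077; openssl pkey -in "$1" ${PASSIN:+-passin "$PASSIN"} -out "$2" )
}

# Bundle key + chain as PKCS#12 under alias "jetty", protected with the keystore
# password. "file:" makes openssl read the secret from the .pass file, not argv.
build_pkcs12() {  # key_no_pass chain passfile out
    ( umask 077; openssl pkcs12 -export -inkey "$1" -in "$2" -name jetty \
        -password "file:$3" -out "$4" )
}

# Import into the JCEKS keystore, replacing an existing "jetty" entry without prompting.
import_into_keystore() {  # p12 keystore passfile
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$(cat "$3")" \
        -destkeystore "$2" -deststoretype JCEKS -deststorepass "$(cat "$3")"
}

# After the restart: fingerprint of the certificate the node actually serves.
served_fingerprint() {  # host port
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

main() {  # leaf intermediate root private_key
    work=$(mktemp -d)
    cp "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"
    build_chain "$1" "$2" "$3" "$work/sl-ca-chain.pem"
    key_matches_cert "$4" "$1" || { echo "private key does not match certificate" >&2; exit 1; }
    verify_chain "$1" "$2" "$3"
    strip_key_passphrase "$4" "$work/key_no_pass.pem"
    build_pkcs12 "$work/key_no_pass.pem" "$work/sl-ca-chain.pem" "$PASSFILE" "$work/sl-ca-chain.p12"
    import_into_keystore "$work/sl-ca-chain.p12" "$KEYSTORE" "$PASSFILE"
    rm -rf "$work"   # removes the unencrypted key and the PKCS#12 copy
    echo "expected after restart: $(cert_fingerprint "$1")"
}

if [ "$#" -eq 4 ]; then main "$@"; fi
```

Run it on the node as sh groundplex-cert.sh CA-SIGNED-PEM CA-INTERMEDIATE-PEM CA-ROOT-PEM PRIVATE_KEY, restart the node from the Dashboard, then compare the printed fingerprint with served_fingerprint localhost 8081 (8084 for a FeedMaster). If keytool rejects a PKCS#12 file produced by OpenSSL 3 on an older Java, add -legacy to the openssl pkcs12 command so it uses the older PBE algorithms that Java accepts.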