Generate SSL certificates for TAS servers

On the TAS Management server, generate SSL certificates for the TAS services that require service-to-service authentication, for all the TAS servers in your deployment. The Text Indexing Service and the Secure Gateway are examples of TAS services that require such authentication.

The procedure uses the keytool utility provided by the JDK in the RPM packages.

If you do not want the JDK permanently installed on the Management server, install it temporarily and remove it after completing the procedure. Alternatively, perform the procedure on any server that has the JDK.

Before you begin

Copy CA certificates for TAS servers

Procedure

  1. On the TAS Management server, go to the folder with the FQDN of the target TAS server for which to generate the certificates.

  2. Set the required permissions on the PKCS#12 file of the TAS server for which to generate the certificate:

    chmod -v 0444 <fqdn_tas_server>.p12

    where:

    • <fqdn_tas_server> is the FQDN of the TAS server for which you are generating the certificate, which is also the name of the folder you are in. Use this name when generating the other certificates for the same server.

  3. Generate solr_ssl.jks and the related Text Indexing Service stores and certificates:

    1. Generate solr_ssl.jks:

      keytool -importkeystore -srckeystore "<fqdn_tas_server>.p12" \
      -srcstorepass <certificate_password> -srcstoretype pkcs12 \
      -destkeystore solr_ssl.jks -deststoretype jks -deststorepass <keystore_password>

      where:

      • <fqdn_tas_server> is the folder with the FQDN of the TAS server for which you are generating the certificate, identical to the one defined in step 2.

      • <certificate_password> is the password you define for the certificate, and must be identical for all certificates you define.

      • <keystore_password> is the password you define for the keystore.

    2. Set permissions for solr_ssl.jks:

      chmod 770 solr_ssl.jks

    3. Generate solr_rootca.crt:

      openssl pkcs12 -in "<fqdn_tas_server>.p12" -nokeys -out solr_rootca.crt \
      -passin pass:<certificate_password>

      where:

      • <fqdn_tas_server> is the folder with the FQDN of the TAS server for which you are generating the certificate, identical to the one defined in step 2.

      • <certificate_password> is the password you define for the certificate, and must be identical to the one you defined in step 3.

    4. Set permissions for solr_rootca.crt:

      chmod 770 solr_rootca.crt

    5. Generate client_store_ssl.jks:

      keytool -import -trustcacerts -noprompt -file solr_rootca.crt \
      -keystore client_store_ssl.jks -storepass <keystore_password>

      where:

      • <keystore_password> is the password you define for the keystore.

    6. Set permissions for client_store_ssl.jks:

      chmod 770 client_store_ssl.jks

    7. Add ca.pem to the client_store_ssl.jks truststore for the Text Indexing Service:

      keytool -import -alias solr -keystore client_store_ssl.jks \
      -trustcacerts -file ../ca.pem

  4. Generate a temporary key for the Secure Gateway:

    openssl pkcs12 -in "<fqdn_tas_server>.p12" \
    -nocerts -out secure_gateway_tmp.key \
    -passin pass:<certificate_password> -passout pass:temppass

    where:

    • <fqdn_tas_server> is the folder with the FQDN of the TAS server for which you are generating the certificate, identical to the one defined in step 2.

    • <certificate_password> is the password you define for the certificate, and must be identical to the one you defined in step 3.

  5. Generate the Secure Gateway key and set its permissions:

    1. Generate secure_gateway.key:

      openssl rsa -in secure_gateway_tmp.key -passin pass:temppass \
      -out secure_gateway.key

    2. Set permissions:

      chmod 770 secure_gateway.key

  6. Generate the certificate for the Secure Gateway:

    1. Generate secure_gateway.crt:

      openssl pkcs12 -nokeys -clcerts -in "<fqdn_tas_server>.p12" \
      -out secure_gateway.crt -passin pass:<certificate_password>

      where:

      • <fqdn_tas_server> is the folder with the FQDN of the TAS server for which you are generating the certificate, identical to the one defined in step 2.

      • <certificate_password> is the password you define for the certificate, and must be identical to the one you defined in step 3.

    2. Set permissions:

      chmod 770 secure_gateway.crt

  7. Generate the Root CA certificate for the Secure Gateway:

    1. Generate secure_gateway_rootca.crt:

      openssl pkcs12 -nokeys -cacerts -in "<fqdn_tas_server>.p12" \
      -out secure_gateway_rootca.crt -passin pass:<certificate_password>

      where:

      • <fqdn_tas_server> is the folder with the FQDN of the TAS server for which you are generating the certificate, identical to the one defined in step 2.

      • <certificate_password> is the password you define for the certificate, and must be identical to the one you defined in step 3.

    2. Set permissions:

      chmod 770 secure_gateway_rootca.crt

  8. Repeat step 1 to step 7 for every TAS server in your deployment, including the Management server, changing the folder name as appropriate.

  9. Set the owner and permissions of /home/tas_inst/.docker:

    1. Change the owner to the tas_inst user:

      chown -R tas_inst:tas /home/tas_inst/.docker

    2. Set permissions:

      chmod -R 770 /home/tas_inst/.docker
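
The Secure Gateway material produced in steps 4 to 7 can be checked before it is copied to the servers. The following script is an added example, not part of this documentation or of the TAS product: it assumes only the openssl command line, builds a throwaway CA and <fqdn>.p12 in a work directory (constructed input), repeats the page's openssl steps against it, and then verifies that the extracted key, certificate and root CA belong together and carry the expected permissions. All names and passwords in it are constructed.

```shell
#!/bin/sh
# Added example: exercises the page's Secure Gateway steps against a
# throwaway PKCS#12 and verifies the output. Requires only the openssl CLI.

# Build a test CA and a server certificate, bundled as <fqdn>.p12 (constructed input).
make_test_p12() {    # $1 = work dir, $2 = FQDN, $3 = certificate password
  (cd "$1" || exit 1
   openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test TAS CA" \
     -keyout test_ca.key -out test_ca.pem 2>/dev/null || exit 1
   openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
     -keyout srv.key -out srv.csr 2>/dev/null || exit 1
   openssl x509 -req -days 2 -in srv.csr -CA test_ca.pem -CAkey test_ca.key \
     -CAcreateserial -out srv.crt 2>/dev/null || exit 1
   openssl pkcs12 -export -inkey srv.key -in srv.crt -certfile test_ca.pem \
     -out "$2.p12" -passout "pass:$3" 2>/dev/null)
}

# Steps 4 to 7 of the page, followed by the checks a reviewer would run
# before the files are copied to the Secure Gateway host.
verify_secure_gateway_material() {   # $1 = work dir, $2 = FQDN, $3 = certificate password
  (cd "$1" || exit 1
   openssl pkcs12 -in "$2.p12" -nocerts -out secure_gateway_tmp.key \
     -passin "pass:$3" -passout pass:temppass 2>/dev/null || exit 1
   openssl rsa -in secure_gateway_tmp.key -passin pass:temppass \
     -out secure_gateway.key 2>/dev/null || exit 1
   rm -f secure_gateway_tmp.key     # the passphrase-protected copy is no longer needed
   openssl pkcs12 -nokeys -clcerts -in "$2.p12" -out secure_gateway.crt \
     -passin "pass:$3" 2>/dev/null || exit 1
   openssl pkcs12 -nokeys -cacerts -in "$2.p12" -out secure_gateway_rootca.crt \
     -passin "pass:$3" 2>/dev/null || exit 1
   chmod 770 secure_gateway.key secure_gateway.crt secure_gateway_rootca.crt
   # Check 1: the leaf certificate chains to the root CA that was extracted with it.
   openssl verify -CAfile secure_gateway_rootca.crt secure_gateway.crt >/dev/null 2>&1 || exit 1
   # Check 2: the unencrypted key really belongs to that certificate.
   k=$(openssl pkey -in secure_gateway.key -pubout 2>/dev/null)
   c=$(openssl x509 -in secure_gateway.crt -noout -pubkey 2>/dev/null)
   [ -n "$k" ] && [ "$k" = "$c" ] || exit 1
   # Check 3: the certificate was issued for the expected FQDN.
   openssl x509 -in secure_gateway.crt -noout -subject | grep -q "CN *= *$2" || exit 1
   # Check 4: none of the files is readable by "other" (the page sets mode 770).
   for f in secure_gateway.key secure_gateway.crt secure_gateway_rootca.crt; do
     [ -z "$(find "$f" -perm -004)" ] || exit 1
   done)
}
```

Run it with the real <fqdn_tas_server>.p12 and <certificate_password> in place of the test inputs to check a server's files before they are copied.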

What to do next

Copy PEM and generated SSL certificates to TAS servers