The client node that wants to connect to a CP server using HTTPS must have a private key and certificates signed by the Certificate Authority (CA) on the CP server
The client uses its private key and certificates to establish connection with the CP server. The key and the certificate must be present on the node at a predefined location. Each client has one client certificate and one CA certificate for every CP server, so, the certificate files must follow a specific naming convention. Distinct certificate names help the cpsadm command to identify which certificates have to be used when a client node connects to a specific CP server.
The certificate names must be as follows: ca_cps-vip.crt and client _cps-vip.crt
Where, cps-vip is the VIP or FQHN of the CP server listed in the /etc/vxfenmode
file. For example, for a sample VIP, 192.168.1.201, the corresponding certificate name is ca_192.168.1.201.
To manually set up certificates on the client node
# mkdir -p /var/VRTSvxfen/security/keys /var/VRTSvxfen/security/certs
# /usr/bin/openssl genrsa -out client_private.key 2048
# /usr/bin/openssl req -new -key client_private.key\
-subj '/C=countryname/L=localityname/OU=COMPANY/CN=CLUS_UUID'\
-out client_192.168.1.201.csr
Where, countryname is the country code, localityname is the city, COMPANY is the name of the company, and CLUS_UUID is the certificate name.
# /usr/bin/openssl x509 -req -days days -in client_192.168.1.201.csr\
-CA /var/VRTScps/security/certs/ca.crt -CAkey\
/var/VRTScps/security/keys/ca.key -set_serial 01 -out client_192.168.10.1.crt
Where, days is the days you want the certificate to remain valid, 192.168.1.201 is the VIP or FQHN of the CP server.
Copy the client key at /var/VRTSvxfen/security/keys/client_private.key
. The client is common for all the client nodes and hence you need to generate it only once.
Copy the client certificate at /var/VRTSvxfen/security/certs/client_192.168.1.201.crt
.
Copy the CA certificate at /var/VRTSvxfen/security/certs/ca_192.168.1.201.crt