Generating the client key and certificates manually on the client nodes

The client node that wants to connect to a CP server using HTTPS must have a private key and certificates signed by the Certificate Authority (CA) on the CP server

The client uses its private key and certificates to establish connection with the CP server. The key and the certificate must be present on the node at a predefined location. Each client has one client certificate and one CA certificate for every CP server, so, the certificate files must follow a specific naming convention. Distinct certificate names help the cpsadm command to identify which certificates have to be used when a client node connects to a specific CP server.

The certificate names must be as follows: ca_cps-vip.crt and client _cps-vip.crt

Where, cps-vip is the VIP or FQHN of the CP server listed in the /etc/vxfenmode file. For example, for a sample VIP, 192.168.1.201, the corresponding certificate name is ca_192.168.1.201.

To manually set up certificates on the client node

  1. Create the directory to store certificates.

    # mkdir -p /var/VRTSvxfen/security/keys /var/VRTSvxfen/security/certs

    Note:

    Since the openssl utility might not be available on client nodes, Symantec recommends that you access the CP server using SSH to generate the client keys or certificates on the CP server and copy the certificates to each of the nodes.

  2. Generate the private key for the client node.

    # /usr/bin/openssl genrsa -out client_private.key 2048

  3. Generate the client CSR for the cluster. CN is the UUID of the client's cluster.

    # /usr/bin/openssl req -new -key client_private.key\

    -subj '/C=countryname/L=localityname/OU=COMPANY/CN=CLUS_UUID'\

    -out client_192.168.1.201.csr

    Where, countryname is the country code, localityname is the city, COMPANY is the name of the company, and CLUS_UUID is the certificate name.

  4. Generate the client certificate by using the CA key and the CA certificate. Run this command from the CP server.

    # /usr/bin/openssl x509 -req -days days -in client_192.168.1.201.csr\

    -CA /var/VRTScps/security/certs/ca.crt -CAkey\

    /var/VRTScps/security/keys/ca.key -set_serial 01 -out client_192.168.10.1.crt

    Where, days is the days you want the certificate to remain valid, 192.168.1.201 is the VIP or FQHN of the CP server.

  5. Copy the client key, client certificate, and CA certificate to each of the client nodes at the following location.

    Copy the client key at /var/VRTSvxfen/security/keys/client_private.key. The client is common for all the client nodes and hence you need to generate it only once.

    Copy the client certificate at /var/VRTSvxfen/security/certs/client_192.168.1.201.crt.

    Copy the CA certificate at /var/VRTSvxfen/security/certs/ca_192.168.1.201.crt

    Note:

    Copy the certificates and the key to all the nodes at the locations that are listed in this step.

  6. If the client nodes need to access the CP server using the FQHN and or the host name, make a copy of the certificates you generated and replace the VIP with the FQHN or host name. Make sure that you copy these certificates to all the nodes.
  7. Repeat the procedure for every CP server.
  8. After you copy the key and certificates to each client node, delete the client keys and client certificates on the CP server.