How to only rotate the Tanzu GemFire for VMs certificates without rotating services/tls_ca
Article ID: 294375

Products

VMware Tanzu Gemfire

Issue/Introduction

This article covers how to rotate only the gemfire-server and gemfire-locator certificates in Tanzu GemFire for VMs when you do not want to rotate the services/tls_ca certificate.

Environment

Product Version: 1.11

Resolution

To rotate only the Tanzu GemFire for VMs certificates when you do not want to, or should not, rotate the services/tls_ca certificate, follow these steps:

1. SSH to your Ops Manager VM:
ssh ubuntu@<opsman-url-or-IP>

2. Log in to CredHub.
  • Export "BOSH Commandline Credentials" from the Ops Manager UI (Ops Manager/Director tile > Credentials tab > BOSH Commandline Credentials).
  • Open the BOSH Commandline Credentials and copy the value of the key "credential".
  • Paste that value into a text editor and remove the leading "bosh" from it.
  • From the Ops Manager VM terminal session, run the resulting command, which has this form:
    export BOSH_CLIENT=ops_manager BOSH_CLIENT_SECRET=<redacted> BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate BOSH_ENVIRONMENT=<redacted>

  • Export the environment variables required to access CredHub:
    export CREDHUB_CLIENT=$BOSH_CLIENT CREDHUB_SECRET=$BOSH_CLIENT_SECRET

  • Target the CredHub API and log in:

    credhub api -s $BOSH_ENVIRONMENT:8844 --ca-cert $BOSH_CA_CERT
    credhub login


3. Ensure that the Services TLS CA Certificate, services/tls_ca, is not expired. The following prints its Not Before and Not After dates:
credhub get -n /services/tls_ca -j | jq -r .value.ca \
 | openssl x509 -text -noout | grep -A 2 "Validity"

4. Check which Tanzu GemFire for VMs certificates need to be rotated. The following lists the certificates signed by services/tls_ca:
credhub curl -p /api/v1/certificates | jq -r '.certificates[] | select(.signed_by=="/services/tls_ca") | .name'

5. Regenerate the certificates using CredHub, once for the locator certificate and once for the server certificate of the service instance (replace <guid> with the service instance GUID shown in step 4):
credhub regenerate -n /p-bosh/service-instance_<guid>/gemfire-locator-certificate
credhub regenerate -n /p-bosh/service-instance_<guid>/gemfire-server-certificate

6. Once regenerated, check the expiry dates using the following command (replace <number_of_days> with the window you want to inspect):
credhub curl -p 'api/v1/data?path=/p-bosh&expires-within-days=<number_of_days>'

This step checks that the certificates were regenerated successfully: a regenerated certificate should no longer appear among those expiring within that window.

7. Once the desired certificates are rotated, exit the Ops Manager VM and run the upgrade-all-service-instances errand with this command:
bosh -d <pcc-deployment> run-errand upgrade-all-service-instances
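The selection logic behind steps 3 to 5, as an added example that is not part of this article: it takes the output of the certificates API call and the openssl validity check (both constructed sample data here, with a made-up service instance GUID), keeps only the GemFire locator and server certificates signed by services/tls_ca, never the CA itself, and emits the credhub regenerate commands, refusing to proceed if the CA is already expired.

```python
"""Plan a GemFire-only leaf rotation from CredHub output (constructed sample data)."""
import json
import re
from datetime import datetime, timezone

# Constructed stand-in for `credhub curl -p /api/v1/certificates` output; the GUID is made up.
CERTIFICATES_JSON = """{"certificates": [
  {"name": "/services/tls_ca", "signed_by": ""},
  {"name": "/p-bosh/service-instance_0000aaaa-1111-2222-3333-444455556666/gemfire-locator-certificate",
   "signed_by": "/services/tls_ca"},
  {"name": "/p-bosh/service-instance_0000aaaa-1111-2222-3333-444455556666/gemfire-server-certificate",
   "signed_by": "/services/tls_ca"},
  {"name": "/p-bosh/other-deployment/other-certificate", "signed_by": "/services/tls_ca"}
]}"""

# Constructed stand-in for `openssl x509 -text -noout | grep -A 2 Validity` run on services/tls_ca.
TLS_CA_VALIDITY = """        Validity
            Not Before: Mar  1 00:00:00 2023 GMT
            Not After : Mar  1 00:00:00 2099 GMT"""

# Only the GemFire locator/server leaf certificates of a service instance qualify.
GEMFIRE_CERT = re.compile(r"^/p-bosh/service-instance_[0-9a-f-]+/gemfire-(locator|server)-certificate$")

def ca_not_after(validity_text):
    """Parse the 'Not After' line as openssl prints it; returns an aware UTC datetime."""
    line = next(l for l in validity_text.splitlines() if "Not After" in l)
    stamp = line.split(":", 1)[1].strip().rsplit(" ", 1)[0]  # drop the trailing "GMT"
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def ca_is_valid(validity_text, now=None):
    """True while the CA is still within its validity period (step 3 of the procedure)."""
    return ca_not_after(validity_text) > (now or datetime.now(timezone.utc))

def gemfire_certs_to_rotate(certificates_json, ca_name="/services/tls_ca"):
    """Names signed by the CA that are GemFire leaf certs; the CA itself is never selected."""
    certs = json.loads(certificates_json)["certificates"]
    return sorted(c["name"] for c in certs
                  if c.get("signed_by") == ca_name and GEMFIRE_CERT.match(c["name"]))

def regenerate_commands(certificates_json, validity_text, now=None):
    """The `credhub regenerate` commands to run; refuses when the CA is already expired."""
    if not ca_is_valid(validity_text, now):
        raise RuntimeError("services/tls_ca has expired; regenerating leaf certificates alone will not fix it")
    return ["credhub regenerate -n " + n for n in gemfire_certs_to_rotate(certificates_json)]

if __name__ == "__main__":
    for cmd in regenerate_commands(CERTIFICATES_JSON, TLS_CA_VALIDITY):
        print(cmd)
```

To use it against a live environment, replace the two constants with the real command output captured in steps 3 and 4 and review the printed commands before running them.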