Performing a Root Certificate rotation can be summarized into 3 steps:
1. Create a new Root CA / NATS CA pair. Recreate all VMs to populate certs outwards.
2. Mark the new Root CA / NATS CA pair as active and regenerate all non-configurable leaf certs off the new pair. Recreate all VMs to populate the certs outwards.
3. Delete the old Root CA / NATS CA pair. Recreate all VMs to populate the certs outward.
The following script works on most VM types. Enable debug (`set -x`) in the script to verify whether any VM is missing the JSON file used to check for the presence of the NATS cert.
Most affected VM types have the "recreate all vms" errand available, and it should be run through the Apply Changes method. This script was created purely as a sanity check:
```bash
#!/bin/bash
## Use set for debug of commands
## set -x

## bosh Command-line Credentials for your environment found at
## https://<OPSMAN_FQDN>/api/v0/deployed/director/credentials/bosh_commandline_credentials
## or Opsman -> Bosh tile -> Commandline Creds
## This section can be commented out, just make sure the credentials have been exported
## once during this session to allow for bosh commands to be run.
## eg
##export BOSH_CLIENT=ops_manager
##BOSH_CLIENT_SECRET=#######-xmin####LwOL1FWR########
##BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate
##BOSH_ENVIRONMENT=10.###.###.### bosh
export BOSH_CLIENT=ops_manager
export BOSH_CLIENT_SECRET=####_e4hEoBZo####rg3OvrK########
export BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate
export BOSH_ENVIRONMENT=10.###.###.###

## Set a custom bosh deployment environment name preceded by "-e"
## eg: bosh_environment="-e <ENV_NAME>"
## (left unquoted below on purpose so "-e <ENV_NAME>" expands to two arguments)
bosh_environment=""

## A snippet of the nats cert found under the active Root CA found on this page:
## https://<OPSMAN_FQDN>/api/v0/certificate_authorities
## Must be at least 40 characters to guarantee a unique match.
## eg: nats_cert="0jLVQ5dHr4t5rFVdKRZZ5bS+########lVZJMm9egnB7O3QsqK7CV\########"
nats_cert="MIIDfjCCAmagAwIBAgIUJ1QJ########JVUoD97PMt3D8IwDQYJK########"

## The directory to write to. This can be /tmp/ or any other directory.
## Must have write permission in said directory. Currently set to the directory the script is run in.
write_dir=$(pwd)

## Making the VM directory and jumping into it.
mkdir -p "$write_dir/vms"
cd "$write_dir/vms" || exit 1

## Copy settings.json from every deployment's VMs to our local box so it can be checked.
## Each copy is written under the instance id, which bosh scp fills in for ((instance_id)).
for i in $(bosh $bosh_environment deps --column=name)
do
  bosh $bosh_environment -d "$i" ssh -c "sudo cp /var/vcap/bosh/settings.json /tmp/settings.json"
  bosh $bosh_environment -d "$i" scp :/tmp/settings.json "./((instance_id))"
done

## This will show the filename (which is also the instance id) of any vm that does not feature the nats cert.
## -L lists files with no match at all; -F treats '+' and '/' in the base64 snippet literally.
echo "VMS without Nats Cert:"
grep -LF -- "$nats_cert" ./*
echo "End of VMS List"
```
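A single grep cannot tell a VM that still carries the old NATS cert apart from a VM whose settings.json was never copied (an empty or failed scp). The following helper, added here as an example and not part of the KB script above, classifies each fetched file into one of three states; it assumes the files sit in one directory named by instance id, as the script's `scp ... ./((instance_id))` produces, and the JSON layout and cert fragment in the sample data are constructed for the demonstration.

```bash
#!/bin/bash
# Added example: classify fetched settings.json copies rather than trusting a bare grep,
# so "file never copied" is reported separately from "new NATS cert not present".

# Constructed 60-char fragment standing in for the real NATS cert body. The fragment
# must lie inside one 64-char PEM line: settings.json stores the PEM with "\n" escapes,
# so a fragment spanning a line break never matches on a single grep line.
SAMPLE_SNIPPET="MIIDfjCCAmagAwIBAgIUCONSTRUCTEDSAMPLEVALUEONLYDQYJKoZIhvcNAQEL"

# Print "<STATUS> <instance_id>" per file: HAS_CERT, NO_CERT or EMPTY_OR_MISSING.
classify_settings() {
  local dir="$1" snippet="$2" f status
  for f in "$dir"/*; do
    [ -e "$f" ] || continue                  # empty directory: nothing to report
    if [ ! -s "$f" ]; then
      status="EMPTY_OR_MISSING"              # scp produced nothing usable
    elif grep -qF -- "$snippet" "$f"; then
      status="HAS_CERT"                      # -F: '+' and '/' in base64 are literal
    else
      status="NO_CERT"                       # file present but still on the old cert
    fi
    printf '%s %s\n' "$status" "$(basename "$f")"
  done
}

# Count files in one status, e.g. count_status ./vms "$nats_cert" NO_CERT
count_status() {
  classify_settings "$1" "$2" | grep -c "^$3 " || true
}

# Build a throwaway directory with three constructed files (assumed JSON layout).
make_sample_dir() {
  local d
  d=$(mktemp -d)
  printf '{"env":{"bosh":{"mbus":{"cert":{"ca":"-----BEGIN CERTIFICATE-----\\n%s\\n"}}}}}\n' \
    "$SAMPLE_SNIPPET" > "$d/rotated-vm"      # carries the new cert
  printf '{"env":{"bosh":{"mbus":{"cert":{"ca":"-----BEGIN CERTIFICATE-----\\nOLDCERTBODY\\n"}}}}}\n' \
    > "$d/stale-vm"                          # still on the old cert
  : > "$d/unreachable-vm"                    # scp copied nothing
  printf '%s\n' "$d"
}

# Stand-alone run: list every VM not confirmed to carry the new cert, with the reason.
main() {
  local d
  d=$(make_sample_dir)
  classify_settings "$d" "$SAMPLE_SNIPPET" | grep -v '^HAS_CERT '
  rm -rf "$d"
}
main
```

Against the real fetched directory, run `classify_settings ./vms "$nats_cert"` and recreate or re-fetch any VM listed as EMPTY_OR_MISSING before concluding that it lacks the cert.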