11 Internal Web Services
DSR uses many internal web services in support of centralized configuration and management. These web services use the SOAP protocols and implement WS-Security profiles to authenticate internal clients. These services ship with self-signed certificates and default passwords. You must plan to update the default passwords during installation. You can also replace the self-signed certificates with certificates signed by a trusted authority. The following sections provide procedures to perform these actions.
11.1 Changing Internal Web Service Passwords
In general, after the initial configuration is complete and before deploying or turning up services, you must update the internal web service passwords.
11.2 Changing TPD Web Service Password
Perform the following procedures to change the OS-level provisioning web service password.
Updating TPD Web Service Password on Active NO
- Log in as
admusron the source server.login: admusr Password: <current admin user password> - Run the following command to reset the TPD web service
password:
$ /usr/TKLC/appworks/bin/resetTpdPassword - You are prompted to provide a
password:
password: <enter the new password>Step result: The command copies and installs the new password to each reachable server in the topology, and flushes client password caches.
- Run the following command to verify that the web service is still
functional:
$ AppWorks Network interfacesStep result: You can see a list of network interfaces reported by the Web Service backend:{ “element”:[ “eth0”, “eth1” ] }
This update command synchronizes the TPD web service (tpdprovd)
password on all reachable servers in the topology. Any servers added to the topology
after running this command are automatically configured to use the new password. If
any servers were not reachable when this command is run, run the command again later
when those servers are reachable.
Updating TPD Web Service Password on PMAC
- Log in as
admusron the PMAC server.login: admusr Password: <current admin user password> - Run the following command to reset the TPD web service
password:
$ sudo /usr/TKLC/smac/bin/updateCredentials –type=tpdPlatCfg - You are prompted to provide a
password:
password: <enter the same password used in the procedure above>Step result: The command adds the password to the credential cache on the PMAC server.
11.3 Changing Internal Web Service Certificates and Key Material
In general, the TPD and web services are configured to work with self-signed certificates. You can replace the appworks certificates using the procedures described in this section.
Assumptions
The following procedure assumes that you have already obtained a signed certificate
or key file from the customer’s certificate authority and that these files are in
the .pem format.
<hostname>_crt.pem– a PEM encoded X.509 certificate for the host<hostname><hostname>_priv.pem– a PEM encoded private key for the host<hostname>
Ensure that the private key file is not protected with a passphrase.
Create and Distribute a separate Certificate and Key PEM File
- Log in as
admusron the active NOA server.Login: admusr Password: <current admin user password> - Copy all of the
<hostname>_crt.pemand<hostname>_priv.pemfiles to the home directory foradmusron the active NOA using a utility such asscporrsync. - Run the following steps to confirm and verify the certificate or
key pairs:
- Confirm each of the certificate or key pairs are
compatible (assume
<hostname>is noa):$ openssl rsa -noout -modulus -in noa_priv.pem | openssl md5 (stdin)= eef417fb3f018862034ae8e9f3a0b56e$ openssl x509 -noout -modulus -in noa_crt.pem | openssl md5 (stdin)= eef417fb3f018862034ae8e9f3a0b56e - Verify the md5 output matches for each
<hostname>certificate or private key pair. Additionally, the md5 should be different for different<hostnames>.
- Confirm each of the certificate or key pairs are
compatible (assume
- Copy the private key and certificate to the server (again, assume
<hostname> is
noa):
$ scp noa_priv.pem admusr@noa: $ scp noa_crt.pem admusr@noa:Note:
Repeat the above procedure for each<hostname>.
Install a separate PEM and CERT File on Each Distinct <hostname>
- Log in as
admusron the<hostname>(assume<hostname>is noa):$ ssh admusr@noa - Run the following commands to copy your new certificate/private
key pair PEM file into place (assume
<hostname>is noa):$ sudo cp noa_priv.pem /usr/TKLC/appworks/etc/ssl $ sudo chown awadmin:awadm /usr/TKLC/appworks/etc/ssl/noa_priv.pem $ sudo chmod 640 /usr/TKLC/appworks/etc/ssl/noa_priv.pem $ sudo cp noa_crt.pem /usr/TKLC/appworks/etc/ssl/ $ sudo chown awadmin:awadm /usr/TKLC/appworks/etc/ssl/noa_crt.pem $ sudo chmod 640 /usr/TKLC/appworks/etc/ssl/noa_crt.pem - Run the following commands to replace the existing combined
certificate or private key file with the new
file:
$ sudo mv /usr/TKLC/appworks/etc/ssl/server.crt /usr/TKLC/appworks/etc/ssl/old_server.crt $ sudo ln -s /usr/TKLC/appworks/etc/ssl/noa_crt.pem /usr/TKLC/appworks/etc/ssl/server.crt $ sudo mv /usr/TKLC/appworks/etc/ssl/server.pem /usr/TKLC/appworks/etc/ssl/old_server.pem $ sudo ln -s /usr/TKLC/appworks/etc/ssl/noa_priv.pem /usr/TKLC/appworks/etc/ssl/server.pem - Run the following commands to restart the configuration web
services and
exit:
$ sudo pm.kill apwSoapServer $ sudo pm.kill cmsoapa $ exitNote:
Repeat the above procedure for each and every distinct<hostname>.