10.5.2 Specifying a Security Certificate

The Oracle Exadata administrator can specify new security certificates as required.

Each certificate is backed by a key pair: the certificate carries the public key, and the matching private key must be supplied alongside it. You can specify either a user-generated self-signed certificate or a certificate signed by a certificate authority (CA).

ExaCLI accepts a valid CA-signed certificate without any prompt and without requiring you to accept it. A self-signed certificate, by contrast, is not trusted automatically and must be accepted explicitly when ExaCLI first connects.

To use a specific security certificate:

  1. Modify security attributes for the storage server or compute node.

    To upload a security certificate, modify the securityPubKey and the securityPrivKey attributes on the storage server (cell) or compute node (dbserver):

    • securityPubKey specifies a URL for the certificate file, which carries the public key.

    • securityPrivKey specifies a URL for the matching private key file.

    Both files must be PEM-encoded. Each URL can use the http, https, or file access scheme. Because the server fetches the private key from that URL, prefer the file or https scheme for it: an http URL transfers the private key across the network in the clear.

    If the private key is encrypted, provide its passphrase in the securityPrivKeyPW attribute. Note that the passphrase then appears on the ExaCLI command line, where it is visible in the shell history and in the process listing while the command runs.

    The following examples show commands for uploading a security certificate:

    • Example for a storage server (cell) using http URLs to access the key files. In this example, the password prompt requests the password for the celladministrator user on cellhost.

      $ exacli -l celladministrator -c cellhost  -
               -e 'alter cell securityPubKey="http://www.example.com/security/newkey1.pem.crt", -
                   securityPrivKey="http://www.example.com/security/newkey1-private.pem", -
                   securityPrivKeyPW="welcome1"'
      
      Password: *********
      ...
    • Example for a compute node (dbserver) using local file URLs to access the key files. In this example, the password prompt requests the password for the dbadministrator user on dbhost.

      $ exacli -l dbadministrator -c dbhost  -
               -e 'alter dbserver securityPubKey="file:///root/security/newkey2.pem.crt", -
                   securityPrivKey="file:///root/security/newkey2-private.pem", -
                   securityPrivKeyPW="welcome2"'
      
      Password: *********
      ...
  2. Restart the Management Server (MS) on the storage server or compute node.

    After you have uploaded the security certificate individually to every server in the cluster, restart MS on each server; the new certificate is not picked up until MS restarts. The following examples run CellCLI and DBMCLI directly on the server.

    For example:

    • Restart MS on a storage server (cell).

      CellCLI> alter cell restart services ms
      
      Restarting MS services... 
      The RESTART of MS services was successful.
    • Restart MS on a compute node (dbserver).

      DBMCLI> alter dbserver restart services ms
      
      Restarting MS services... 
      The RESTART of MS services was successful.
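
As an added example, not code from the Oracle documentation: the following POSIX shell script prepares a user-generated self-signed certificate (the first kind mentioned above), checks before upload that the private key is encrypted (so securityPrivKeyPW is actually needed) and that it matches the certificate, and assembles the storage-server command from step 1 with file URLs. It assumes the openssl command-line tool is available; cellhost, celladministrator and the passphrase welcome1 are placeholders taken from the page's example, and the ExaCLI command is printed rather than executed. The MS restart from step 2 is not scripted here.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: generate and sanity-check a
# self-signed certificate, then assemble the ExaCLI upload command for it.
# Assumes the openssl CLI is in PATH. "cellhost", "celladministrator" and the
# passphrase "welcome1" are placeholders. The ExaCLI command is printed, not run.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Step 1: constructed test material. A self-signed certificate and a private
# key encrypted with the given passphrase (2048-bit RSA, one-year validity).
make_material() {
  openssl req -x509 -newkey rsa:2048 -days 365 -subj "/CN=cellhost" \
    -keyout "$WORK/newkey1-private.pem" -passout "pass:$1" \
    -out "$WORK/newkey1.pem.crt" >/dev/null 2>&1
}

# Step 2a: detect an encrypted private key (PKCS#8 or legacy PEM header).
# An encrypted key is what makes securityPrivKeyPW necessary.
key_is_encrypted() {
  grep -q -e "BEGIN ENCRYPTED PRIVATE KEY" -e "^Proc-Type: 4,ENCRYPTED" "$1"
}

# Step 2b: confirm the certificate and private key belong together. Both
# commands print the SubjectPublicKeyInfo as PEM, so a textual comparison is
# exact. A wrong passphrase or a foreign key makes the check fail.
keys_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Step 3: build the command in the page's 'alter cell' form. file:// URLs keep
# the private key on local disk; a plain http:// URL for it is refused because
# the server would fetch the key over the network unencrypted.
build_cmd() {
  user=$1; host=$2; pub_url=$3; priv_url=$4; pw=$5
  case $priv_url in
    http://*) echo "refusing to fetch the private key over plain http" >&2; return 1 ;;
  esac
  printf "exacli -l %s -c %s -e 'alter cell securityPubKey=\"%s\", securityPrivKey=\"%s\", securityPrivKeyPW=\"%s\"'\n" \
    "$user" "$host" "$pub_url" "$priv_url" "$pw"
}

# Run all three steps and print the command to execute after reviewing it.
preflight() {
  pw=$1
  make_material "$pw"
  key_is_encrypted "$WORK/newkey1-private.pem" || { echo "key is not encrypted; omit securityPrivKeyPW" >&2; return 1; }
  keys_match "$WORK/newkey1.pem.crt" "$WORK/newkey1-private.pem" "$pw" || { echo "certificate and key do not match" >&2; return 1; }
  build_cmd celladministrator cellhost "file://$WORK/newkey1.pem.crt" "file://$WORK/newkey1-private.pem" "$pw"
}
```

Run `preflight welcome1` and paste the printed command into a shell on a host that has ExaCLI; if your own key is not encrypted, omit the securityPrivKeyPW attribute. The key-match check is worth keeping in any upload procedure: MS accepts the two files separately, so a mismatched pair is only discovered after the restart in step 2.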