10.5.2 Using a CA-Certified Security Certificate

The Oracle Exadata Database Machine administrator can supply CA-certified security certificates, if they are needed for your environment.

ExaCLI accepts valid CA-certified security certificates without any prompts and without requiring you to accept the certificates. Each certificate consists of a key pair, which includes a public key and the matching private key.

  1. Modify security attributes for the storage server or database server.

    To upload a CA-certified security certificate, modify the securityPubKey and the securityPrivKey attributes on the storage server or database server:

    • securityPubKey specifies a URL for the certificate public key file.

    • securityPrivKey specifies a URL for the certificate private key file.

    The keys must be supplied as PEM-encoded files. Each URL can use the http, https, or file access scheme.

    If the private key is encrypted, you can provide the password using the securityPrivKeyPW attribute.

    The following examples show commands for uploading a CA-certified security certificate:

    • Example for a storage server using http URLs to access the key files. In this example, the password prompt requests the password for the celladministrator user on cellhost.

      $ exacli -l celladministrator -c cellhost -
               -e 'alter cell securityPubKey="http://www.example.com/security/newkey1.pem.crt", -
                   securityPrivKey="http://www.example.com/security/newkey1-private.pem", -
                   securityPrivKeyPW="welcome1"'
      
      Password: *********
      ...
    • Example for a database server using local file URLs to access the key files. In this example, the password prompt requests the password for the dbadministrator user on dbhost.

      $ exacli -l dbadministrator -c dbhost -
               -e 'alter dbserver securityPubKey="file:///root/security/newkey2.pem.crt", -
                   securityPrivKey="file:///root/security/newkey2-private.pem", -
                   securityPrivKeyPW="welcome2"'
      
      Password: *********
      ...
  2. Restart the Management Server (MS) on the storage server or database server.

    After you upload the CA-certified security certificate individually to every server in the cluster, you must restart MS before the new security certificate is visible.

    For example:

    • Restart MS on a storage server.

      CELLCLI> alter cell restart services ms
      
      Restarting MS services... 
      The RESTART of MS services was successful.
    • Restart MS on a database server.

      DBMCLI> alter dbserver restart services ms
      
      Restarting MS services... 
      The RESTART of MS services was successful.
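The following script is an added example (not Oracle's code) that performs the pre-flight checks a practitioner would want before running step 1 and then emits the ALTER command for the -e argument and the restart command from step 2. It assumes only what the text states: the securityPubKey, securityPrivKey and securityPrivKeyPW attributes, PEM-encoded key files, file:// URLs, and the cell/dbserver targets. It generalizes the two examples above by detecting whether the private key is actually encrypted (PKCS#8 "ENCRYPTED PRIVATE KEY" or a traditional key with a Proc-Type header) and including securityPrivKeyPW only in that case. The sample PEM bodies, paths and helper names are constructed for illustration and are not real keys.

```python
"""Pre-flight checks before uploading a CA-certified certificate with ExaCLI.

Added example, not Oracle's code. Sample PEM bodies below are constructed
placeholders (base64 of a short string), not real DER certificates or keys.
"""
import base64
import re
from typing import NamedTuple, Optional

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


class PemInfo(NamedTuple):
    label: str       # text between the BEGIN/END markers
    encrypted: bool  # True if securityPrivKeyPW will be needed
    der_len: int     # decoded payload size; proves the base64 body is valid


def parse_pem(text: str) -> PemInfo:
    """Validate one PEM block and report its label and whether it is encrypted."""
    match = PEM_BLOCK.search(text)
    if match is None:
        raise ValueError("no PEM block found (keys must be PEM-encoded)")
    label = match.group("label")
    lines = [ln.strip() for ln in match.group("body").splitlines() if ln.strip()]
    # Traditional encrypted keys carry RFC 1421 headers (Proc-Type, DEK-Info)
    # before the base64 body; base64 never contains ':' so this split is safe.
    headers = [ln for ln in lines if ":" in ln]
    payload = base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
    if not payload:
        raise ValueError(f"empty {label} body")
    encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
        h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers
    )
    return PemInfo(label, encrypted, len(payload))


def file_url(path: str) -> str:
    """Turn an absolute local path into the file:// URL form the attributes accept."""
    if not path.startswith("/"):
        raise ValueError("file URLs need an absolute path")
    return "file://" + path


def build_alter_command(target: str, pub_path: str, priv_path: str,
                        pub_pem: str, priv_pem: str,
                        priv_pw: Optional[str] = None) -> str:
    """Return the ALTER command for ExaCLI's -e argument after checking both files.

    target is 'cell' (storage server) or 'dbserver' (database server).
    securityPrivKeyPW is emitted only when the private key is really encrypted.
    """
    if target not in ("cell", "dbserver"):
        raise ValueError("target must be 'cell' or 'dbserver'")
    cert = parse_pem(pub_pem)
    if cert.label not in CERT_LABELS:
        raise ValueError(f"securityPubKey must point at a certificate, got {cert.label}")
    key = parse_pem(priv_pem)
    if key.label not in KEY_LABELS:
        raise ValueError(f"securityPrivKey must point at a private key, got {key.label}")
    if key.encrypted and not priv_pw:
        raise ValueError("private key is encrypted; securityPrivKeyPW is required")
    attrs = [
        f'securityPubKey="{file_url(pub_path)}"',
        f'securityPrivKey="{file_url(priv_path)}"',
    ]
    if key.encrypted:
        attrs.append(f'securityPrivKeyPW="{priv_pw}"')
    return f"alter {target} " + ", ".join(attrs)


def restart_command(target: str) -> str:
    """Step 2: MS must be restarted before the new certificate is visible."""
    return f"alter {target} restart services ms"


def fake_body(tag: bytes) -> str:
    # Constructed placeholder payload; real files carry DER data here.
    return base64.b64encode(tag).decode()


SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{fake_body(b'constructed certificate')}\n-----END CERTIFICATE-----\n"
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    f"{fake_body(b'constructed encrypted key')}\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PLAIN_KEY = f"-----BEGIN PRIVATE KEY-----\n{fake_body(b'constructed key')}\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    # Same paths as the database-server example in the text, constructed password.
    print(build_alter_command("dbserver", "/root/security/newkey2.pem.crt",
                              "/root/security/newkey2-private.pem",
                              SAMPLE_CERT, SAMPLE_ENCRYPTED_KEY, "welcome2"))
    print(restart_command("dbserver"))
```

The script builds file:// URLs deliberately: with the http scheme the private key file is fetched in the clear, so https or a local file is the better choice for securityPrivKey. Run the checks on every server's key pair before uploading, since the certificate is uploaded individually to each server and MS is restarted on each one afterwards.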