2.2.5 Manage Certificates for Exascale Control Services

Exascale control services, also known as Exascale RESTful Services (ERS), provide a management endpoint for Exascale management operations. Certificates enable secure communications for ERS processes over HTTPS.

ERS service instances are deployed using front-end and back-end server processes:

  • The front-end ERS processes provide a highly available client endpoint with load-balancing capabilities. A corresponding front-end ERS certificate enables secure communications between ERS and external clients, such as the Exascale command line interface (ESCLI).

  • The back-end ERS processes work with other software services to process requests and reply to the client. To provide high availability and share the workload, multiple back-end ERS instances are distributed across the Exadata storage servers.

By default, ERS uses self-signed security certificates. Optionally, you can supply your own certificates: either self-signed certificates that you generate or trusted certificates issued by a Certificate Authority (CA). Trusted certificates are generally recommended for front-end ERS servers because they are directly visible to external clients.

To specify the ERS certificates, you must use the ExaCLI utility. For information about configuring and using the ExaCLI utility, see Using the ExaCLI utility.

  • The front-end ERS processes use a certificate that is bound to the virtual IP (VIP) address and hostname associated with the ERS endpoint. To specify a front-end ERS security certificate, you must use ExaCLI to modify the storage server ESNODE object and set the following attributes:

    • securityPubKey - Specifies a URL for the certificate public key file.

    • securityPrivKey - Specifies a URL for the certificate private key file.

    • securityPrivKeyPW - Specifies the password to use if the private key file is encrypted.

      If you specify securityPrivKeyPW=*, the user is prompted for the password.

    The keys must be supplied as PEM-encoded files. Each URL can use the http, https, or file access scheme.

    For example:

    $ exacli -l celladministrator -c cellhost -
             -e 'ALTER ESNODE securityPubKey="file:///root/security/newkey.pem.crt", -
                 securityPrivKey="file:///root/security/newkey-private.pem", -
                 securityPrivKeyPW=*'
    
    Password: *********
    ...

    The same certificate must be deployed to all storage servers capable of hosting front-end ERS processes.

  • The back-end ERS processes use the same certificates as the Exadata Management Server (MS). For details about how to specify a certificate for MS and back-end ERS processes, see Specifying a Security Certificate.