Knowledge Base
Contents
Certificates -- How to install SSL certificate on MX-HA
Introduction
This article describes how to create and install a custom self-signed or CA-signed certificate on the MX-HA.
The process is much the same as for a single-MX configuration; the specific stop/start order required for MX-HA is given in the main steps.
Overview
You may refer to KB: Certificates -- How to install SSL certificate on MX and SOM GUI to generate the certificate.
The steps below are specific to MX-HA only.
Pre-Check:
All of the following must be verified before proceeding further.
• Please ensure both MX-HA nodes are up and synchronized:
impctl server ha status
Primary MX:
server-ha started,ip-on-i-07499ab19bae364db,db-on-i-07499ab19bae364db(secondary-synchronized),server-on-i-07499ab19bae364db,running
watchdog running
Secondary MX:
server-ha started,ip-on-i-07499ab19bae364db,db-on-i-07499ab19bae364db(secondary-synchronized),server-on-i-07499ab19bae364db,running
watchdog running
• Please ensure both MX-HA nodes have the same size of kst file in
/opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/conf/securesphere.kst
Primary MX:
-rw-r--r--. 1 mxserver mxserver 30813 Jun 21 14:13 /opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/conf/securesphere.kst
Secondary MX:
-rw-r--r--. 1 mxserver mxserver 30813 Jun 21 15:00 /opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/conf/securesphere.kst
Once the Pre-Check is verified, proceed with the next steps:
• Generate the required certificate as per the KB above
• Take a backup of the current certificate on both MX. The backup will be placed in the /root directory
cp /opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/conf/securesphere.kst "/root/securesphere.kst_$(date +"%m_%d_%y")"
• Copy the 'key' and 'cert' files to the bin directory
cp /var/tmp/cert /var/tmp/key /opt/SecureSphere/server/bin
• Go to the bin directory
cd /opt/SecureSphere/server/bin
• Convert the key and certificate from PEM to DER format. After this step, both 'key.der' and 'cert.der' are stored under the bin directory
openssl x509 -in cert -out cert.der -outform der && openssl pkcs8 -topk8 -nocrypt -in key -out key.der -outform der
• Copy the 'key.der' and 'cert.der' files to the secondary MX bin directory as well
• Give execute permission to the importer script on both MX
chmod +x importSSLKeys.sh
• Stop the HA on the Secondary MX and then the Primary MX:
impctl server ha stop
• Check the HA status and ensure HA is stopped on both MX:
impctl server ha status
• Import the keys on both MX:
./importSSLKeys.sh cert.der key.der
• Start the HA on the Primary MX and, after it is completely up, start it on the Secondary MX:
impctl server ha start
• Check the HA status and ensure HA is started and synchronized on both MX (this may take some time):
impctl server ha status
Primary MX:
server-ha started,ip-on-i-07499ab19bae364db,db-on-i-07499ab19bae364db(secondary-synchronized),server-on-i-07499ab19bae364db,running
watchdog running
Secondary MX:
server-ha started,ip-on-i-07499ab19bae364db,db-on-i-07499ab19bae364db(secondary-synchronized),server-on-i-07499ab19bae364db,running
watchdog running
• Check that both MX-HA nodes have the same size of kst file
Primary MX:
-rw-r--r--. 1 mxserver mxserver 31040 Jun 21 15:09 /opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/conf/securesphere.kst
Secondary MX:
-rw-r--r--. 1 mxserver mxserver 31040 Jun 21 15:09 /opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/conf/securesphere.kst
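As an added example (not part of the original KB), the following POSIX shell check applies the pre-check and post-check conditions above to captured `impctl server ha status` output and to the two securesphere.kst sizes, so the stop/import/start sequence is only run when both nodes are started, synchronized and carry identical keystores. The status text is constructed in the shape shown above with placeholder instance IDs, and the function names (`ha_healthy`, `kst_sizes_match`, `precheck`) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the KB: verify HA health and keystore parity before
# changing certificates on an MX-HA pair.

# Constructed sample output in the shape the KB shows; "i-EXAMPLE" is a placeholder
# instance ID, not a real one.
PRIMARY_STATUS='server-ha started,ip-on-i-EXAMPLE,db-on-i-EXAMPLE(secondary-synchronized),server-on-i-EXAMPLE,running
watchdog running'
SECONDARY_STATUS='server-ha started,ip-on-i-EXAMPLE,db-on-i-EXAMPLE(secondary-synchronized),server-on-i-EXAMPLE,running
watchdog running'

# ha_healthy STATUS_TEXT
# Returns 0 only if the output reports server-ha started, a synchronized secondary
# DB, the server running, and a running watchdog; anything else fails.
ha_healthy() {
    printf '%s\n' "$1" | grep -q '^server-ha started,.*(secondary-synchronized),.*,running$' || return 1
    printf '%s\n' "$1" | grep -q '^watchdog running$' || return 1
    return 0
}

# kst_sizes_match SIZE_PRIMARY SIZE_SECONDARY
# Sizes in bytes, e.g. from `stat -c %s .../securesphere.kst` (or the ls -l column the KB shows).
kst_sizes_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" -eq "$2" ]
}

# precheck PRIMARY_STATUS SECONDARY_STATUS PRIMARY_KST_SIZE SECONDARY_KST_SIZE
# Prints the first failing condition and returns non-zero, so a wrapper can abort
# before stopping HA or importing keys.
precheck() {
    ha_healthy "$1" || { echo "primary HA not healthy"; return 1; }
    ha_healthy "$2" || { echo "secondary HA not healthy"; return 1; }
    kst_sizes_match "$3" "$4" || { echo "kst size mismatch: $3 vs $4"; return 1; }
    echo "pre-check passed"
}

# Stand-alone run against the constructed samples and the sizes quoted in the KB
# (30813 bytes on both MX before the import).
precheck "$PRIMARY_STATUS" "$SECONDARY_STATUS" 30813 30813
```

The same function serves as the post-check after `impctl server ha start`: feed it the fresh status output and the new sizes (31040 on both MX in the KB) and it must pass again.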
For AWS only:
• Go to the AWS MX-HA ELB -> Listener and update the certificate using the 'key' and 'cert' files, naming the certificate accordingly
• For a self-signed certificate, the MX cert must be added under Trusted Root. Please refer to the same KB above. Once done, proceed with the next step
• If you are using a CA-signed certificate, access the MX GUI using the ELB DNS name at port 8083. You should see “Connection is secure”