How do I replace the TLS certificates on an analytics server?

Purpose

Perform this procedure to replace the PKI-server-generated TLS certificates, custom CA TLS certificates, or both, on an NSP analytics server.

Note: You require root and nsp user privileges on the analytics server station.

Steps
Obtain required keystore and truststore files
 

1

If you are not using custom TLS keystore and truststore files, go to Step 9.


2

Generate the required custom keystore and truststore files; see “To generate custom TLS certificate files for the NSP” in the NSP Installation and Upgrade Guide for information.


3

Transfer the TLS keystore and truststore files to the analytics server station.

Note: The files must be located on a path that is owned by the nsp user.


4

Log in as the root user on the analytics server station.


5

Open a console window.


6

Enter the following:

chown nsp:nsp keystore_file

where keystore_file is the absolute path of the keystore file


7

Enter the following:

chown nsp:nsp truststore_file

where truststore_file is the absolute path of the truststore file


8

Close the console window.
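
The following pre-flight check is an added example, not part of the NSP documentation or tooling. It confirms that a keystore or truststore file meets the ownership conditions stated above before the files are given to updateTLS. The function name check_store, the GNU stat dependency, and the world-writable test are assumptions of this example; the world-writable test is an extra check, not a documented requirement.

```shell
#!/bin/sh
# Added example (not from the NSP documentation): pre-flight check to run
# before ./AnalyticsAdmin.sh updateTLS. Assumes GNU stat (Linux).

# check_store FILE OWNER GROUP
# Prints one line per finding; returns 0 only when there are none.
check_store() {
    cs_file=$1; cs_owner=$2; cs_group=$3; cs_rc=0

    # The updateTLS prompts expect absolute paths, including the filename.
    case $cs_file in
        /*) ;;
        *) echo "FAIL: $cs_file is not an absolute path"; return 1 ;;
    esac
    if [ ! -f "$cs_file" ]; then
        echo "FAIL: $cs_file does not exist or is not a regular file"
        return 1
    fi

    # Result expected from the chown nsp:nsp commands in the procedure.
    cs_actual=$(stat -c '%U:%G' "$cs_file")
    if [ "$cs_actual" != "$cs_owner:$cs_group" ]; then
        echo "FAIL: $cs_file is owned by $cs_actual, expected $cs_owner:$cs_group"
        cs_rc=1
    fi

    # The note in the procedure: the containing path must be owned by nsp.
    cs_dir=$(dirname "$cs_file")
    cs_dir_owner=$(stat -c '%U' "$cs_dir")
    if [ "$cs_dir_owner" != "$cs_owner" ]; then
        echo "FAIL: $cs_dir is owned by $cs_dir_owner, expected $cs_owner"
        cs_rc=1
    fi

    # Extra check (assumption of this example): a world-writable store lets
    # any local account replace the private key or the trusted CA set.
    cs_mode=$(stat -c '%a' "$cs_file")
    if [ $(( 0$cs_mode & 2 )) -ne 0 ]; then
        echo "FAIL: $cs_file is world-writable (mode $cs_mode)"
        cs_rc=1
    fi
    return $cs_rc
}

# Direct use: sh preflight.sh KEYSTORE_PATH TRUSTSTORE_PATH
if [ "$#" -eq 2 ]; then
    check_store "$1" nsp nsp && check_store "$2" nsp nsp
fi
```

A non-zero exit status means at least one file would not satisfy the ownership conditions of this procedure; correct the reported item before continuing.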


Start PKI server
 

9

Start the NSP PKI server, if it is not running; see “To configure and enable an NSP PKI server” in the NSP Installation and Upgrade Guide for information.


Update TLS configuration
 
10 

Log in as the nsp user on the analytics server station.


11 

Open a console window.


12 

Enter the following:

bash$ cd /opt/nsp/analytics/bin ↵


13 

If the PKI server that you are using has a changed IP address or port number, update the analytics server configuration.

  1. Enter the following:

    bash$ ./AnalyticsAdmin.sh updateConfig ↵

    The script displays the following messages and prompt:

    THIS ACTION UPDATES THE CONFIG FILE 

    Please type 'YES' to continue

  2. Enter YES.

    The script displays a series of prompts.

  3. Press Enter to accept the default for each parameter until the following prompt is displayed:

    Enter PKI Server IP Address or hostname [current_value]:

  4. Enter the new PKI server address or hostname, if changed; otherwise, press Enter to retain current_value.

    The following prompt is displayed:

    Enter the PKI server port [current_value]:

  5. Enter the new PKI server port, if changed; otherwise, press Enter to retain current_value.


14 

To obtain a new internal certificate from the PKI server, perform the following steps:

  1. Enter the following:

    bash$ ./AnalyticsAdmin.sh genCertificate ↵

    The following prompt is displayed if the Use NFM-P-only mode parameter is set to false.

    Enter NSP user name:

  2. If the prompt is displayed, enter admin ↵.

    The following prompt is displayed:

    Enter NSP user password (hidden):

  3. If the prompt is displayed, enter the password of the NSP admin user.

The following message is displayed, and the internal certificate files are updated:

Internal Certificates have been generated successfully


15 

Enter the following:

bash$ ./AnalyticsAdmin.sh updateTLS ↵

The script displays the following message and prompt:

This Action requires Analytic Server Restart.

Please type 'YES' to continue


16 

Enter YES.

The script displays the following messages and prompt:

Stopping Analytics Server

Analytics Application is not running

Do you have existing TLS certificates?(yes/no)


17 

Perform one of the following.

  1. Specify your custom keystore and truststore files.

    1. Enter yes ↵.

      The following prompt is displayed:

      Enter TLS keystore Path,including filename:

    2. Enter the absolute path of the keystore file.

      The following message and prompt are displayed:

      path/keystore_file found.

      Enter TLS truststore Path,including filename:

    3. Enter the absolute path of the truststore file.

      The following message and prompt are displayed:

      path/truststore_file found.

      Enter TLS Keystore Password:

    4. Enter the keystore password.

      The following message and prompt are displayed:

      Verifying TLS Keystore...

      Certificate loading...

      Verified TLS Certificate

      Enter TLS Truststore Password:

    5. Enter the truststore password.

      The following is displayed as the configuration is updated:

      Verifying TLS Truststore...

      Certificate loading...

      Verified TLS Certificate

      TLS Config has been updated

    The analytics server starts, and the updated TLS configuration is put into effect.

  2. Obtain the keystore and truststore files from the PKI server.

    1. Enter no ↵.

      The following prompt is displayed:

      Enter the Path where the TLS Certificate should be created:

    2. Enter the absolute path of a directory that is owned by the nsp user, for example, /opt/nsp.

      The following message and prompt are displayed:

      The path that will contain the keystore and the truststore is:

      path

      Set the keystore password:

    3. Enter the keystore password.

      The following prompt is displayed:

      Set the truststore password:

    4. Enter the truststore password.

      The following messages are displayed:

      The files nsp.keystore and nsp.truststore have been created

      TLS Config has been updated

    The analytics server starts, and the updated TLS configuration is put into effect.


Stop PKI server
 
18 

Stop the NSP PKI server by entering Ctrl+C in the PKI server console window.


19 

Close the open console windows.

End of steps