How do I replace the internal or external NSP TLS certificate?

Purpose

Perform this procedure to replace the PKI-server-generated TLS certificates, or custom CA TLS certificates, or both, in an NSP system.

Note: You must perform the procedure on each NSP cluster in a DR deployment.

Note: You require root user privileges on each NSP cluster VM in each data center.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps
 

1

Log in as the root user on the NSP deployer host.


2

Open a console window.


3

Configure the NSP to preserve the existing deployment.

  1. Open the following file using a plain-text editor such as vi:

    /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml

  2. Edit the following line in the platform section, kubernetes subsection to read as shown below:

      deleteOnUndeploy: false

  3. Save and close the file.


4

Enter the following to stop the NSP cluster:

Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:

nspdeployerctl --ask-pass uninstall --undeploy

/opt/nsp/NSP-CN-DEP-release-ID/bin/nspdeployerctl uninstall --undeploy ↵


5

If you are changing the deployment, such as adding or removing a component, or changing a component address, update the NSP configuration.

  1. Open the following file with a plain-text editor such as vi:

    /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml

  2. Update the configuration as required.

  3. Save and close the file.


6

If you are updating the PKI-server-generated TLS certificates, copy the new CA certificate files to the following directory:

/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/tls/ca


7

If you are updating the custom-CA-signed TLS certificates, modify the NSP configuration to include the new certificate information.

  1. Open the following file with a plain-text editor such as vi:

    /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml

  2. Edit the parameters in the tls section, as required.

  3. Save and close the file.


8

Enter the following to start the NSP cluster:

Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:

nspdeployerctl --ask-pass install --config --deploy

/opt/nsp/NSP-CN-DEP-release-ID/bin/nspdeployerctl install --config --deploy ↵

The NSP cluster starts, and the configuration update is put into effect.


9

If you need to update the TLS configuration on NSP components outside the NSP cluster, start the NSP PKI server; see the NSP Installation and Upgrade Guide for information.


10 

Configure each other NSP component to obtain the updated TLS configuration.

For information about configuring TLS for components such as the NFM-P main/auxiliary servers, NSP Flow Collectors, Flow Collector Controllers, or analytics servers, see the NSP Installation and Upgrade Guide.

For information about configuring TLS for other components and products such as the WS-NOC, see the specific component or product documentation.


11 

If the PKI server is running, enter Ctrl+C to stop the PKI server.

Note: You must not stop the PKI server until each NSP component has obtained the updated certificates from the PKI server.


12 

Close the open console windows.

End of steps
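
For the step that sets deleteOnUndeploy and the uninstall --undeploy command that follows it, the guard below is an added example, not Nokia code: it reports the setting that a YAML parser would actually see in nsp-config.yml and refuses to continue unless it is false. The function names, the constructed sample config and the assumed nesting below platform and kubernetes are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Nokia code. Assumptions: nsp-config.yml is block-style YAML
# indented with spaces; deleteOnUndeploy sits below platform -> kubernetes.

# Constructed sample config (not a real nsp-config.yml); $1 is the flag line.
sample_config() {
    printf 'platform:\n  kubernetes:\n    %s\nnsp:\n  deleteOnUndeploy: true\n' "$1"
}

# undeploy_flag FILE: prints false | true | invalid | missing
undeploy_flag() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                # comments and blank lines
    {
        match($0, /^ */); ind = RLENGTH               # indentation depth
        line = substr($0, ind + 1)
        sub(/[ \t]+#.*$/, "", line); sub(/[ \t\r]+$/, "", line)
        if (in_k8s && ind <= k8s_ind)   in_k8s = 0    # left the kubernetes block
        if (in_plat && ind <= plat_ind) in_plat = in_k8s = 0
        if (!in_plat && line == "platform:")             { in_plat = 1; plat_ind = ind; next }
        if (in_plat && !in_k8s && line == "kubernetes:") { in_k8s = 1; k8s_ind = ind; next }
        if (in_k8s && line ~ /^deleteOnUndeploy/) {
            found = 1
            sub(/:[ \t]+/, ": ", line)                # normalise spacing after the colon
            # "key:value" with no space is not a YAML key/value pair, so it is invalid
            if (line == "deleteOnUndeploy: false")     print "false"
            else if (line == "deleteOnUndeploy: true") print "true"
            else                                       print "invalid"
            exit
        }
    }
    END { if (!found) print "missing" }' "$1"
}

# safe_to_undeploy FILE: succeeds only when the flag is a real YAML false
safe_to_undeploy() {
    local state
    state=$(undeploy_flag "$1") || return 2
    [ "$state" = "false" ] && return 0
    echo "refusing to undeploy: deleteOnUndeploy is $state in $1" >&2
    return 1
}

# Usage on the deployer host (release-ID as defined on this page):
#   cfg=/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml
#   safe_to_undeploy "$cfg" && /opt/nsp/NSP-CN-DEP-release-ID/bin/nspdeployerctl uninstall --undeploy
```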