How do I update the NSP issuer TLS artifacts?

Purpose

CAUTION

Potential Service Disruption

Updating the TLS artifacts requires that you stop and restart each NSP cluster, which is potentially service-affecting.

Ensure that you perform the procedure only during a scheduled maintenance window under the guidance of technical support.

Perform this procedure to replace the internal or external TLS keys or certificates, as may be required when a certificate nears or reaches expiry, or as required by your company security policy.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps


1	Perform Step 5 to Step 10 in the standalone or primary data center.
2	If the NSP deployment is DR, perform Step 5 to Step 10 in the standby data center.
3	Perform Step 11 to Step 13 in the standalone or primary data center.
4	If the NSP deployment is DR, perform Step 11 to Step 13 in the standby data center.
5	Open a terminal session to the NSP deployer VM.
6	Log in as the root or NSP admin user.
7	Stop the NSP cluster. Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member: `nspdeployerctl --ask-pass uninstall --undeploy` Open the following file using a plain-text editor such as vi: /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml Edit the following line in the platform section, kubernetes subsection to read as shown below: `deleteOnUndeploy:false` Save and close the file. Enter the following: `#` `cd /opt/nsp/NSP-CN-DEP-release-ID/bin ↵` Enter the following: `#` `./nspdeployerctl uninstall –-undeploy ↵` The NSP cluster stops.
8	To replace the internal NSP issuer CA certificate/key pair, enter the following: `#` `./nspdeployerctl secret -s ca-key-pair-internal-nspdeployer -n "" -f tls.key=key_file -f tls.crt=cert_file update ↵` where key_file* is the full path and name of the TLS key file cert_file is the full path and name of the TLS certificate file Messages like the following are displayed: `tls.crt=key_file update` `secret/ca-key-pair-internal-nspdeployer patched` `secret/ca-key-pair-internal-nspdeployer patched` `secret/ca-key-pair-internal-nspdeployer patched` `The following files may contain sensitive information. They are no longer required by NSP and may be removed.` `key_file` `cert_file`
9	To replace the external NSP issuer CA certificate/key pair, enter the following: `#` `./nspdeployerctl secret -s ca-key-pair-external-nspdeployer -n "" -f tls.key=key_file -f tls.crt=cert_file update ↵` where key_file* is the full path and name of the TLS CA private key file cert_file is the full path and name of the TLS CA certificate file Messages like the following are displayed: `tls.crt=key_file update` `secret/ca-key-pair-external-nspdeployer patched` `secret/ca-key-pair-external-nspdeployer patched` `secret/ca-key-pair-external-nspdeployer patched` `The following files may contain sensitive information. They are no longer required by NSP and may be removed.` `key_file` `cert_file`
10	Back up the Kubernetes secrets. Enter the following: `#` `./nspdeployerctl secret -o backup_file backup ↵` where backup_file is the full path and name of the backup file to create As the secrets are backed up, messages like the following are displayed for each Kubernetes namespace: `Backing up secrets to /opt/backupfile...` `Including secret namespace:ca-key-pair-external` `Including secret namespace:ca-key-pair-internal` `Including secret namespace:nsp-tls-store-pass` When the backup is complete, the following prompt is displayed: `Please provide an encryption password for backup_file` `enter aes-256-ctr encryption password:` Enter a password. The following prompt is displayed: `Verifying - enter aes-256-ctr encryption password:` Re-enter the password. The backup file is encrypted using the password. Record the password for use when restoring the backup. Record the name of the data center associated with the backup. Transfer the backup file to a secure location in a separate facility for safekeeping.
11	Enter the following to start the NSP cluster: Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member: `nspdeployerctl --ask-pass install --config –-deploy` `#` `./nspdeployerctl install --config –-deploy ↵` The NSP cluster starts, and the configuration update is put into effect.
12	To delete the local certificate and key files on an NSP deployer VM, enter the following for each file identified for removal in Step 8 and Step 9: `#` `rm file ↵` where file is one of the following: `cert_file` `key_file`
13	Perform the following as required to update the TLS artifacts on each NSP component deployed outside the NSP cluster: How do I configure an NSP auxiliary database to request the NSP TLS certificate? How do I configure an NFM-P main server to request the NSP TLS certificate? How do I configure an NFM-P auxiliary server to request the NSP TLS certificate? How do I enable TLS for NFM-P XML API clients? How do I disable TLS for NFM-P XML API clients? End of steps