How do I update the NSP issuer TLS artifacts?

Purpose
CAUTION

Potential Service Disruption

Updating the TLS artifacts requires that you stop and restart each NSP cluster, which is potentially service-affecting.

Ensure that you perform the procedure only during a scheduled maintenance window under the guidance of technical support.

Perform this procedure to replace the internal or external TLS keys or certificates, as may be required when a certificate nears or reaches expiry, or as required by your company security policy.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps
 

1

Perform Step 6 to Step 11 in the standalone or primary data center.


2

If the NSP deployment is DR, perform Step 6 to Step 11 in the standby data center.


3

Perform Step 12 to Step 14 in the standalone or primary data center.


4

If the NSP deployment is DR, perform Step 12 to Step 14 in the standby data center.


5

Go to Step 15.


6

Log in as the root or NSP admin user on the NSP deployer host.


7

Open a console window.


8

Stop the NSP cluster.

Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:

nspdeployerctl --ask-pass uninstall --undeploy

  1. Open the following file using a plain-text editor such as vi:

    /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml

  2. Edit the following line in the platform section, kubernetes subsection to read as shown below:

      deleteOnUndeploy: false

  3. Save and close the file.

  4. Enter the following:

    cd /opt/nsp/NSP-CN-DEP-release-ID/bin ↵

  5. Enter the following:

    ./nspdeployerctl uninstall --undeploy ↵

    The NSP cluster stops.


9

To replace the internal NSP issuer CA certificate/key pair, enter the following:

./nspdeployerctl secret -s ca-key-pair-internal-nspdeployer -n "*" -f tls.key=key_file -f tls.crt=cert_file update ↵

where

key_file is the full path and name of the TLS CA private key file

cert_file is the full path and name of the TLS CA certificate file

Messages like the following are displayed:

tls.crt=key_file update

secret/ca-key-pair-internal-nspdeployer patched

secret/ca-key-pair-internal-nspdeployer patched

secret/ca-key-pair-internal-nspdeployer patched

The following files may contain sensitive information. They are no longer required by NSP and may be removed.

  key_file

  cert_file


10 

To replace the external NSP issuer CA certificate/key pair, enter the following:

./nspdeployerctl secret -s ca-key-pair-external-nspdeployer -n "*" -f tls.key=key_file -f tls.crt=cert_file update ↵

where

key_file is the full path and name of the TLS CA private key file

cert_file is the full path and name of the TLS CA certificate file

Messages like the following are displayed:

tls.crt=key_file update

secret/ca-key-pair-external-nspdeployer patched

secret/ca-key-pair-external-nspdeployer patched

secret/ca-key-pair-external-nspdeployer patched

The following files may contain sensitive information. They are no longer required by NSP and may be removed.

  key_file

  cert_file
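
Before the secret update in Step 9 or Step 10 is run, it is worth confirming that the new private key really matches the certificate, that the certificate is a CA certificate (these secrets are issuer pairs) and that it is not itself close to expiry, because the cluster is only restarted afterwards in Step 12. The following is an added example and not Nokia code or part of this procedure; it assumes only that openssl is available on the NSP deployer host, and the function rotate_issuer_ca, which runs the procedure's own command, is illustrative glue.

```shell
# Pre-flight validation of a replacement NSP issuer CA key/certificate pair.
# Added example, not Nokia tooling: it uses only openssl to check the files
# before the "nspdeployerctl secret ... update" command of Step 9/Step 10.

# preflight_check KEY_FILE CERT_FILE [MIN_DAYS]
# Succeeds when the private key matches the certificate, the certificate is a
# CA certificate (these secrets are issuer pairs) and it remains valid for at
# least MIN_DAYS (default 30). Prints the reason for a failure.
preflight_check() {
    key_file=$1; cert_file=$2; min_days=${3:-30}
    [ -r "$key_file" ] || { echo "key file not readable: $key_file"; return 1; }
    [ -r "$cert_file" ] || { echo "certificate file not readable: $cert_file"; return 1; }

    # The public key derived from the private key must equal the one in the
    # certificate, or the cluster restarts with an unusable issuer.
    key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null) \
        || { echo "cannot parse private key: $key_file"; return 1; }
    cert_pub=$(openssl x509 -in "$cert_file" -pubkey -noout 2>/dev/null) \
        || { echo "cannot parse certificate: $cert_file"; return 1; }
    [ "$key_pub" = "$cert_pub" ] || { echo "key and certificate do not match"; return 1; }

    # An issuer certificate must carry basicConstraints CA:TRUE to sign others.
    openssl x509 -in "$cert_file" -noout -text | grep -q 'CA:TRUE' \
        || { echo "certificate is not a CA certificate"; return 1; }

    # -checkend fails when the certificate expires within the given number of
    # seconds, i.e. when the next rotation would already be due.
    openssl x509 -in "$cert_file" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days"; return 1; }
}

# update_command internal|external KEY_FILE CERT_FILE
# Prints the exact command used in Step 9 (internal) or Step 10 (external).
update_command() {
    case $1 in
        internal|external) ;;
        *) echo "scope must be internal or external" >&2; return 1 ;;
    esac
    printf './nspdeployerctl secret -s ca-key-pair-%s-nspdeployer -n "*" -f tls.key=%s -f tls.crt=%s update\n' \
        "$1" "$2" "$3"
}

# rotate_issuer_ca internal|external KEY_FILE CERT_FILE
# Run from /opt/nsp/NSP-CN-DEP-release-ID/bin after the cluster is stopped
# (Step 8); the secret is left untouched when any pre-flight check fails.
rotate_issuer_ca() {
    preflight_check "$2" "$3" || return 1
    eval "$(update_command "$1" "$2" "$3")"
}
```

The key and certificate files still contain the issuer private key after the update, so they are the files the procedure tells you to remove in Step 13.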


11 

Back up the Kubernetes secrets.

  1. Enter the following:

    ./nspdeployerctl secret -o backup_file backup ↵

    where backup_file is the full path and name of the backup file to create

    As the secrets are backed up, messages like the following are displayed for each Kubernetes namespace:

    Backing up secrets to /opt/backupfile...

      Including secret namespace:ca-key-pair-external

      Including secret namespace:ca-key-pair-internal

      Including secret namespace:nsp-tls-store-pass

    When the backup is complete, the following prompt is displayed:

    Please provide an encryption password for backup_file

    enter aes-256-ctr encryption password:

  2. Enter a password.

    The following prompt is displayed:

    Verifying - enter aes-256-ctr encryption password:

  3. Re-enter the password.

    The backup file is encrypted using the password.

  4. Record the password for use when restoring the backup.

  5. Record the name of the data center associated with the backup.

  6. Transfer the backup file to a secure location in a separate facility for safekeeping.


12 

Enter the following to start the NSP cluster:

Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:

nspdeployerctl --ask-pass install --config --deploy

./nspdeployerctl install --config --deploy ↵

The NSP cluster starts, and the configuration update is put into effect.


13 

To delete the local certificate and key files on an NSP deployer host, enter the following for each file identified for removal in Step 9 and Step 10:

rm file

where file is one of the following:

  •   cert_file

  •   key_file


14 

Perform the following as required to update the TLS artifacts on each NSP component deployed outside the NSP cluster:


15 

Close the console window.

End of steps