How do I update the NSP issuer TLS artifacts?
Purpose
CAUTION Potential Service Disruption |
Updating the TLS artifacts requires that you stop and restart each NSP cluster, which is potentially service-affecting.
Ensure that you perform the procedure only during a scheduled maintenance window under the guidance of technical support.
Perform this procedure to replace the internal or external TLS keys or certificates, as may be required when a certificate nears or reaches expiry, or as required by your company security policy.
Note: release-ID in a file path has the following format:
R.r.p-rel.version
where
R.r.p is the NSP release, in the form MAJOR.minor.patch
version is a numeric value
Steps
1 |
Perform Step 6 to Step 11 in the standalone or primary data center. |
2 |
If the NSP deployment is DR, perform Step 6 to Step 11 in the standby data center. |
3 |
Perform Step 12 to Step 14 in the standalone or primary data center. |
4 |
If the NSP deployment is DR, perform Step 12 to Step 14 in the standby data center. |
5 |
Go to Step 15. |
6 |
Log in as the root or NSP admin user on the NSP deployer host. |
7 |
Open a console window. |
8 |
Stop the NSP cluster. Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member: nspdeployerctl --ask-pass uninstall --undeploy
|
9 |
To replace the internal NSP issuer CA certificate/key pair, enter the following: # ./nspdeployerctl secret -s ca-key-pair-internal-nspdeployer -n "*" -f tls.key=key_file -f tls.crt=cert_file update ↵ where key_file is the full path and name of the TLS key file cert_file is the full path and name of the TLS certificate file Messages like the following are displayed: tls.crt=key_file update secret/ca-key-pair-internal-nspdeployer patched secret/ca-key-pair-internal-nspdeployer patched secret/ca-key-pair-internal-nspdeployer patched The following files may contain sensitive information. They are no longer required by NSP and may be removed. key_file cert_file |
10 |
To replace the external NSP issuer CA certificate/key pair, enter the following: # ./nspdeployerctl secret -s ca-key-pair-external-nspdeployer -n "*" -f tls.key=key_file -f tls.crt=cert_file update ↵ where key_file is the full path and name of the TLS CA private key file cert_file is the full path and name of the TLS CA certificate file Messages like the following are displayed: tls.crt=key_file update secret/ca-key-pair-external-nspdeployer patched secret/ca-key-pair-external-nspdeployer patched secret/ca-key-pair-external-nspdeployer patched The following files may contain sensitive information. They are no longer required by NSP and may be removed. key_file cert_file |
11 |
Back up the Kubernetes secrets.
|
12 |
Enter the following to start the NSP cluster: Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member: nspdeployerctl --ask-pass install --config –-deploy # ./nspdeployerctl install --config –-deploy ↵ The NSP cluster starts, and the configuration update is put into effect. |
13 |
To delete the local certificate and key files on an NSP deployer host, enter the following for each file identified for removal in Step 9 and Step 10: # rm file ↵ where file is one of the following: |
14 |
Perform the following as required to update the TLS artifacts on each NSP component deployed outside the NSP cluster:
|
15 |
Close the console window. End of steps |