Log in as the root or NSP admin user on the standalone or primary NSP deployer host.

Open a console window.

Enter the following:

# cd /opt/nsp/NSP-CN-DEP-release-ID/bin ↵

If you are providing a new CA certificate, stop the NSP cluster.

Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:

nspdeployerctl --ask-pass uninstall --undeploy

1. Open the following file using a plain-text editor such as vi:

   /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml

2. Edit the following line in the platform section, kubernetes subsection to read as shown below:

     deleteOnUndeploy:false

3. Save and close the file.

4. Enter the following:

   # cd /opt/nsp/NSP-CN-DEP-release-ID/bin ↵

5. Enter the following:

   # ./nspdeployerctl uninstall –-undeploy ↵

   The NSP cluster stops.

Perform one of the following.

1. If you are providing a new client certificate and key, but the CA certificate is unchanged, perform the following steps:

   1. Enter the following:

      # ./nspdeployerctl secret -s nginx-nb-tls-nsp -n psaRestricted -f tls.key=customKey -f tls.crt=customCert update ↵

      where

      customKey is the full path of the private server key file

      customCert is the full path of the server public certificate file

2. If you are providing a new CA certificate with the new client certificate and key, enter the following:

   # ./nspdeployerctl secret -s nginx-nb-tls-nsp -n psaRestricted -f tls.key=customKey -f tls.crt=customCert -f ca.crt=customCaCert update ↵

   where

   customKey is the full path of the private server key file

   customCert is the full path of the server public certificate file

   customCaCert is the full path of the CA public certificate file

   Messages like the following are displayed as the server secret is updated:

   secret/nginx-nb-tls-nsp patched

   The following files may contain sensitive information. They are no longer required by NSP and may be removed.

     customKey

     customCert

     customCaCert

If you are providing a new CA certificate that is not in the same location as the previous certificate, update the NSP configuration.

Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:

nspdeployerctl --ask-pass install --config --deploy

1. Open the following file with a plain-text editor such as vi:

   /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml

2. Configure the following tls parameter in the deployment section:

      tls:                     

        customCaCert: certificate_path

   where certificate_path is the full path and name of the CA certificate file

3. Save and close the file.

Enter the following to start the NSP cluster:

# ./nspdeployerctl install --config –-deploy ↵

The NSP cluster starts, and the configuration update is put into effect.

To delete the local certificate and key files on an NSP deployer host, enter the following for each file identified for removal in Step 5:

# rm file ↵

where file is one of the following:

•   cert_file

•   key_file

•   CA_cert_file

Configure each other NSP component to obtain the updated TLS configuration.

Close the open console window.

End of steps