How do I update the custom NSP server TLS artifacts?

Purpose
CAUTION

Potential Service Disruption

If you are providing a new CA certificate, you must stop and restart each NSP cluster, which is potentially service-affecting.

Ensure that you perform the procedure only during a scheduled maintenance window under the guidance of technical support.

Perform this procedure to update the custom TLS artifacts for NSP client access.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps
 

1. Log in as the root or NSP admin user on the standalone or primary NSP deployer host.


2. Open a console window.


3. Enter the following:

cd /opt/nsp/NSP-CN-DEP-release-ID/bin ↵


4. If you are providing a new CA certificate, stop the NSP cluster.

Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:

nspdeployerctl --ask-pass uninstall --undeploy

  1. Open the following file using a plain-text editor such as vi:

    /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml

  2. Edit the following line in the platform section, kubernetes subsection to read as shown below:

      deleteOnUndeploy: false

  3. Save and close the file.

  4. Enter the following:

    cd /opt/nsp/NSP-CN-DEP-release-ID/bin ↵

  5. Enter the following:

    ./nspdeployerctl uninstall --undeploy ↵

    The NSP cluster stops.


5. Perform one of the following.

  1. If you are providing a new client certificate and key, but the CA certificate is unchanged, perform the following steps:

    1. Enter the following:

      ./nspdeployerctl secret -s nginx-nb-tls-nsp -n psaRestricted -f tls.key=customKey -f tls.crt=customCert update ↵

      where

      customKey is the full path of the private server key file

      customCert is the full path of the server public certificate file

  2. If you are providing a new CA certificate with the new client certificate and key, enter the following:

    ./nspdeployerctl secret -s nginx-nb-tls-nsp -n psaRestricted -f tls.key=customKey -f tls.crt=customCert -f ca.crt=customCaCert update ↵

    where

    customKey is the full path of the private server key file

    customCert is the full path of the server public certificate file

    customCaCert is the full path of the CA public certificate file

    Messages like the following are displayed as the server secret is updated:

    secret/nginx-nb-tls-nsp patched

    The following files may contain sensitive information. They are no longer required by NSP and may be removed.

      customKey

      customCert

      customCaCert


6. If you are providing a new CA certificate that is not in the same location as the previous certificate, update the NSP configuration.

Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:

nspdeployerctl --ask-pass install --config --deploy

  1. Open the following file with a plain-text editor such as vi:

    /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml

  2. Configure the following tls parameter in the deployment section:

       tls:
         customCaCert: certificate_path

    where certificate_path is the full path and name of the CA certificate file

  3. Save and close the file.


7. Enter the following to start the NSP cluster:

./nspdeployerctl install --config --deploy ↵

The NSP cluster starts, and the configuration update is put into effect.


8. To delete the local certificate and key files on an NSP deployer host, enter the following for each file identified for removal in Step 5:

rm file

where file is one of the following:

  •   cert_file

  •   key_file

  •   CA_cert_file


9. Configure each other NSP component to obtain the updated TLS configuration.


10. Close the open console window.

End of steps
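
Nothing in the procedure checks that customKey, customCert and customCaCert belong together before the secret is patched and the cluster is restarted. The following pre-flight check, meant to be run on the deployer host before the nspdeployerctl secret ... update command, is an added example and not part of the NSP documentation or tooling; the function name, the return codes and the MIN_VALID_SECS variable are assumptions of the example, and it requires the openssl CLI.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight check of the files that will be
# passed as tls.key, tls.crt and ca.crt. Requires the openssl CLI (1.1.0+).
# Assumes PEM files and an unencrypted private key.
# Return codes (constructed for this example): 0 ok, 2 unreadable input,
# 3 key/certificate mismatch, 4 certificate expiring, 5 CA does not verify.

check_tls_artifacts() {
    cta_key=$1; cta_cert=$2; cta_ca=${3:-}

    # Extract the public key from each file; a failure means bad input.
    cta_kpub=$(openssl pkey -in "$cta_key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $cta_key" >&2; return 2; }
    cta_cpub=$(openssl x509 -in "$cta_cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cta_cert" >&2; return 2; }

    # The certificate must carry the public half of the private key.
    [ "$cta_kpub" = "$cta_cpub" ] || {
        echo "private key does not match certificate" >&2; return 3; }

    # Reject a certificate that expires within MIN_VALID_SECS (default: now).
    openssl x509 -in "$cta_cert" -noout -checkend "${MIN_VALID_SECS:-0}" \
        >/dev/null 2>&1 || {
        echo "certificate expires too soon" >&2; return 4; }

    # With a CA file, the certificate must verify against that file only
    # (-no-CApath keeps the system trust directory out of the decision).
    if [ -n "$cta_ca" ]; then
        openssl verify -no-CApath -CAfile "$cta_ca" "$cta_cert" \
            >/dev/null 2>&1 || {
            echo "certificate does not verify against $cta_ca" >&2; return 5; }
    fi
    return 0
}

# Usage: sh check_tls.sh customKey customCert [customCaCert]
if [ "$#" -ge 2 ]; then
    check_tls_artifacts "$@" && echo "TLS artifacts are consistent"
fi
```

If the server certificate is issued by an intermediate CA, the file given as the third argument must contain the full chain up to the root for the last check to pass.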