Bug 707764
| Summary: | RHUI Installer: QPID SSL Certificate Generation | |||
|---|---|---|---|---|
| Product: | Red Hat Update Infrastructure for Cloud Providers | Reporter: | Jay Dobies <jason.dobies> | |
| Component: | Documentation | Assignee: | Lana Brindley <lbrindle> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | wes hayutin <whayutin> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 2.0 | CC: | mhideo, sghai, tsanders | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 713316 (view as bug list) | Environment: | ||
| Last Closed: | 2011-07-29 04:49:11 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 711223, 713316 | |||
|
Description
Jay Dobies
2011-05-25 21:00:37 UTC
Sample output from running the script: Working in: /tmp/tmp24055 Please specify a directory into which the created NSS database and associated certificates will be installed. Enter a directory [/tmp/rhua/qpid]: /tmp/rhua/qpid Enter NSS database password: Password file created. Database created. Creating CA certificate: Generating key. This may take a few moments... CA created Creating BROKER certificate: Generating key. This may take a few moments... Broker certificate created. Creating CLIENT certificate: Generating key. This may take a few moments... Client certificate created. Enter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: Re-enter password: pk12util: PKCS12 EXPORT SUCCESSFUL Enter Import Password: MAC verified OK Client key & certficate exported Artifacts copied to: /tmp/rhua/qpid. Same sample output as above, but with commentary before each place they have to input a password. It's your call how much of this you want to document, I just figured Working in: /tmp/tmp24055 Please specify a directory into which the created NSS database and associated certificates will be installed. Enter a directory [/tmp/rhua/qpid]: /tmp/rhua/qpid ---- Note: Password used by QPID to access the NSS database itself. Enter NSS database password: Password file created. Database created. Creating CA certificate: Generating key. This may take a few moments... CA created Creating BROKER certificate: Generating key. This may take a few moments... Broker certificate created. Creating CLIENT certificate: Generating key. This may take a few moments... Client certificate created. ----- Note: Same password as above, specified again here because we're attempting to access the DB we just created in the previous step. Enter Password or Pin for "NSS Certificate DB": ----- Note: Password for the pkcs12 files used to get the private key out of the NSS DB. Enter password for PKCS12 file: ----- Note: Just a confirmation of the above password. Re-enter password: pk12util: PKCS12 EXPORT SUCCESSFUL ----- Note: Same password as the previous two; now we're accessing the certificate we just created/secured in the previous step so we can get the client certificate and private key from it. Enter Import Password: MAC verified OK Client key & certficate exported Artifacts copied to: /tmp/rhua/qpid. added to rhui-20 tracker <procedure id="proc-Installation_Guide-Installation_Requirements-Generating_a_Qpid_SSL_Certificate"> <title>Generating a Qpid SSL Certificate</title> <indexterm> <primary>installation</primary> <secondary>qpid SSL</secondary> </indexterm> <para> &RHUI; uses a qpid message broker for internal comunications. These communication processes are secured by SSL, which is set up using a script called <filename>nss-db-gen</filename>. When the script is run, it will prompt you for some information. </para> <step> <para> Run the <filename>nss-db-gen</filename> script by switching to the root user and issuing the command: </para> <screen> # /usr/bin/nss-db-gen Working in: /tmp/tmp24055 </screen> </step> <step> <para> Specify a directory for the new database and certificates to be stored, or press enter to accept the default value of <filename>/tmp/rhua/qpid</filename>: </para> <screen> Please specify a directory into which the created NSS database and associated certificates will be installed. Enter a directory [/tmp/rhua/qpid]: /tmp/rhua/qpid </screen> </step> <step> <para> Enter a password to be used by qpid to secure the database: </para> <screen> Enter NSS database password: Password file created. </screen> </step> <step> <para> The script will create the database and generate the necessary keys and certificates: </para> <screen> Database created. Creating CA certificate: Generating key. This may take a few moments... CA created Creating BROKER certificate: Generating key. This may take a few moments... Broker certificate created. Creating CLIENT certificate: Generating key. This may take a few moments... Client certificate created. </screen> </step> <step> <para> Enter the NSS database password again. This is so that the database created in the last step can be accessed: </para> <screen> Enter Password or Pin for "NSS Certificate DB": </screen> </step> <step> <para> Enter a password to be used for the pkcs12 file, and re-enter it to confirm: </para> <screen> Enter password for PKCS12 file: Re-enter password: pk12util: PKCS12 EXPORT SUCCESSFUL </screen> </step> <step> <para> Enter the pkcs12 password again. This is so that the certificate created in the last step can be accessed. The script will export the key and certificate, and finish: </para> <screen> Enter Import Password: MAC verified OK Client key & certficate exported Artifacts copied to: /tmp/rhua/qpid. </screen> </step> </procedure> Revision 1-13 LKB Hi Lana, The latest revision of following stage documentation is 1-12. Could you point me the updated doc with Revision 1-13 to verify this defect. Thanks. HTML: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html/Installation_Guide/index.html PDF: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/pdf/Installation_Guide/Red_Hat_Update_Infrastructure-2.0-Installation_Guide-en-US.pdf Need to add this section in the "3.1 Example Answer file" under General section. This includes the qpid/ssl configuration options. Chapter 3 RHUI Installer ==>Page 16 ==> Example 3.1 Example Answer file ----- # Full path to the CA certificate used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. qpid_ca: /tmp/rhua/qpid/ca.crt # Full path to the client certificate used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. qpid_client: /tmp/rhua/qpid/client.crt # Full path to the NSS database used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. Note: This must be # a directory containing a number of files, including the NSS database and password file. qpid_nss_db: /tmp/rhua/qpid/nss ----- I'll add another comment with new updated answer file. Just replace the Example 3.1 with following example. Simply replace this with existing sample file in installation guide. ------------------------------------------------------------------------------- # # RHUI Installer Sample Answers File # # This sample answers file can be found at /etc/rhui/answers.sample. # # This file is meant to be used as a template for creating an answers file for use with # the RHUI Installer. Once the appropriate values have been entered, the RHUI Installer # will generate RPMs based on these values through the following call: # # $ rhui-installer --answers <path to populated answers file> # # The results of running the above call will be found in the directory specified in the # dest_dir attribute under the [general] section. # == General =========================================================================== # The [general] section contains configuration options that apply to the RHUI installation # as a whole. [general] # This will be used as the version for all RPMs that are created by this answers file. # Individual components may override this value with the "rpm_version" attribute. version: 2.0 # Local directory into which RHUI tools will place any temporary files as well as the # built RPMs. If this directory exists prior to running RHUI tools, the user executing # it must have write permissions. dest_dir: /tmp/rhui # Full path to the CA certificate used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. qpid_ca: /tmp/rhua/qpid/ca.crt # Full path to the client certificate used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. qpid_client: /tmp/rhua/qpid/client.crt # Full path to the NSS database used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. Note: This must be # a directory containing a number of files, including the NSS database and password file. qpid_nss_db: /tmp/rhua/qpid/nss # == RHUA =========================================================================== # The [rhua] section contains attributes describing a particular RHUA instance. [rhua] # Name of the RHUA configuration RPM created by RHUI tools. rpm_name: rh-rhua-config # Fully qualified hostname of the RHUA instance. hostname: rhua.example.com # SSL certificate and private key to be installed on the RHUA. The CN of this certificate # must match the hostname listed above. ssl_cert: ssl_key: # CA certificate used to sign the RHUA's SSL certificate. This is needed by the CDS # instances when connecting back to the RHUA to synchronize content to verify the # RHUA certificate during the handshake. ca_cert: # If a proxy server is needed for the RHUA to connect to the internet, this is the hostname # of that server. If this is not specified, no proxy server will be used. # proxy_server_host: proxy.example.com # Port to access on the proxy server. This value has no effect if proxy_server_host is # not specified. # proxy_server_port: 443 # Proxy server username. Omit if the proxy server does not require authentication. # proxy_server_username: admin # Proxy server password. # proxy_server_password: password # == CDS Instances =========================================================================== # There should be one [cds-*] section for each CDS to be used in the RHUI infrastructure. # The name between the [ ] must begin with "cds", however the remainder is arbitrary and must # only be unique with respect to other cds sections. There will be one CDS configuration RPM # generated for each section found. [cds-1] # Name of the RPM that will be created for this CDS configuration. rpm_name: rh-cds1-config # Fully qualified name of this CDS instance. hostname: cds1.example.com # SSL certificate and private key to be used by this CDS instance. The CN of this # certificate must match the hostname listed above. ssl_cert: ssl_key: # [cds-2] # rpm_name: rh-cds2-config # hostname: cds2.example.com # ssl_cert: # ssl_key: ---------------------------------------------------------------------------- Done in revision 1-15. LKB Verified the updated example answer file as per comment 7 here at: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html/Installation_Guide/chap-Installation_Guide-RHUI_Installer.html Updated Under Chapter 3 ==> RHUI Installer ==> Example 3.1 Example answer file This book is now available at http://docs.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html/Installation_Guide/index.html Please raise a new bug for any further changes. LKB |