Summary This article clarifies how to re-configure the security certificates in a CFR based Orbix domain.
Article Number 37545
Environment Orbix 6.3.5 All Supported Operating Systems
Question/Problem Description Re-configure security certificates in a CFR based Orbix domain
Clarifying Information In a Configuration Repository (CFR) based Orbix domain the configuration information is stored in the underlying DB of the Configuration Repository server process.
This configuration information can only be accessed through itadmin commands from the command line.

Entering incorrect information through an itadmin command can make the Orbix domain unusable, because the itadmin utility performs no syntax checking on the values it stores. If wrong information is entered through an itadmin command, the Orbix domain has to be re-created with itconfigure or restored from a backup.

It is essential that in a CFR based Orbix domain the data entered into the CFR is correct.
Resolution Assuming Orbix 6.3 is installed in /opt/orbix6 and a secure Orbix 6.3 CFR based domain called orbix63 has been generated with the following security/certificates settings available in /opt/orbix6/etc/domains/orbix63.cfg and /opt/orbix6/etc/domains/cfr-orbix63.cfg :

ROOT_TRUSTED_CA_LIST_POLICY = ["/opt/orbix6/asp/6.3/etc/tls/x509/trusted_ca_lists/ca_list.pem"];
SERVICES_AUTH_METHOD_DATA = ["filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.p12","password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.pwf"];
UTILITIES_AUTH_METHOD_DATA = ["filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.p12","password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.pwf"];
ITADMIN_ADMIN_CERT_ROOT_DIR = "/opt/orbix6/asp/6.3/etc/tls/x509/certs/services";
KDM_AUTH_METHOD_DATA = ["filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.p12","password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.pwf"];

Assume also that the CFR contains the following settings in the root scope and in the configuration scopes kdm_admin, IT_MgmtORB, iona_services and iona_utilities:

> itadmin variable show policies:trusted_ca_list_policy
/opt/orbix6/asp/6.3/etc/tls/x509/trusted_ca_lists/ca_list.pem

> itadmin variable show principal_sponsor:auth_method_data
filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.pwf

> itadmin variable show -scope kdm_admin principal_sponsor:auth_method_data
filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.pwf

> itadmin variable show -scope IT_MgmtORB principal_sponsor:auth_method_data
filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.pwf

> itadmin variable show -scope iona_services principal_sponsor:auth_method_data
filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.pwf

> itadmin variable show -scope iona_utilities policies:trusted_ca_list_policy
/opt/orbix6/asp/6.3/etc/tls/x509/trusted_ca_lists/ca_list.pem

> itadmin variable show -scope iona_utilities principal_sponsor:auth_method_data
filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.pwf

Assuming you need to change/replace the above security certificates with new_ca_list.pem, new.p12, and new.pwf, please follow the instructions below:

1) Copy new_ca_list.pem to /opt/orbix6/asp/6.3/etc/tls/x509/trusted_ca_lists, and new.p12 and new.pwf to /opt/orbix6/asp/6.3/etc/tls/x509/certs/services, so that the old and new certificates reside in the same directories.

2) Start your domain services by running start_orbix63_services

3) Run the following commands:

> itadmin variable modify -type string -value /opt/orbix6/asp/6.3/etc/tls/x509/trusted_ca_lists/new_ca_list.pem policies:trusted_ca_list_policy

> itadmin variable modify -type list -value filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.pwf principal_sponsor:auth_method_data

> itadmin variable modify -scope kdm_admin -type list -value filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.pwf principal_sponsor:auth_method_data

> itadmin variable modify -scope IT_MgmtORB -type list -value filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.pwf principal_sponsor:auth_method_data

> itadmin variable modify -scope iona_services -type list -value filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.pwf principal_sponsor:auth_method_data

> itadmin variable modify -scope iona_utilities -type string -value /opt/orbix6/asp/6.3/etc/tls/x509/trusted_ca_lists/new_ca_list.pem policies:trusted_ca_list_policy

The following command will fail with a handshake error unless you provide the previous settings through the -ORB parameters, because itadmin now authenticates with the new certificate while the running services still use the old one. Run it as follows:
> itadmin -ORBpolicies:trusted_ca_list_policy [/opt/orbix6/asp/6.3/etc/tls/x509/trusted_ca_lists/ca_list.pem] -ORBprincipal_sponsor:auth_method_data [filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.pwf] variable modify -scope iona_utilities -type list -value filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.pwf principal_sponsor:auth_method_data

4) Stop the domain services, providing the previous settings through the -ORB parameters. Check the stop_orbix63_services script for all services that need to be stopped and run each command from the command line, adding the following -ORB parameters to each:
-ORBpolicies:trusted_ca_list_policy [/opt/orbix6/asp/6.3/etc/tls/x509/trusted_ca_lists/ca_list.pem] -ORBprincipal_sponsor:auth_method_data [filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.pwf]

So, for example, in order to stop the Naming Service you need to execute the command below:
itadmin -ORBpolicies:trusted_ca_list_policy [/opt/orbix6/asp/6.3/etc/tls/x509/trusted_ca_lists/ca_list.pem] -ORBprincipal_sponsor:auth_method_data [filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.p12,password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/cert.pwf] -ORBdomain_name orbix63 -ORBconfig_domains_dir "/opt/orbix6/etc/domains" ns stop iona_services.naming.<your_machines_hostname>

5) After the services have been stopped you will need to change the following settings in /opt/orbix6/etc/domains/orbix63.cfg and /opt/orbix6/etc/domains/cfr-orbix63.cfg files to match the new certificate settings:

ROOT_TRUSTED_CA_LIST_POLICY = ["/opt/orbix6/asp/6.3/etc/tls/x509/trusted_ca_lists/new_ca_list.pem"];
SERVICES_AUTH_METHOD_DATA = ["filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.p12","password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.pwf"];
UTILITIES_AUTH_METHOD_DATA = ["filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.p12","password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.pwf"];
ITADMIN_ADMIN_CERT_ROOT_DIR = "/opt/orbix6/asp/6.3/etc/tls/x509/certs/services";
KDM_AUTH_METHOD_DATA = ["filename=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.p12","password_file=/opt/orbix6/asp/6.3/etc/tls/x509/certs/services/new.pwf"];

If certificate constraints have been configured, ensure these are also modified to reflect the new certificates.

6) At this point the services can be started up with start_orbix63_services and stopped with stop_orbix63_services as usual.
The orbix63 domain should now be running only with the new certificates, and the old certificates can be deleted.
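The whole procedure above, as an added example that is not part of the Orbix article or product: a POSIX shell helper that checks the new certificate files, builds the step 3 and step 4 itadmin command lines (with the old-certificate -ORB overrides where the article requires them) and rewrites the step 5 settings in a domain .cfg file. It never invokes itadmin itself; it prints the commands so they can be reviewed before they are run. The function names, the ORBIX_ROOT and DOMAIN variables and the "print" argument are assumptions of this example; the paths are the article's.

```shell
#!/bin/sh
# Added example, not from the Orbix documentation.  Dry-run helper for the
# certificate swap: nothing here talks to the CFR, it only emits command lines
# and edits a copy of the .cfg file.

ORBIX_ROOT="${ORBIX_ROOT:-/opt/orbix6}"   # assumed install root (article: /opt/orbix6)
DOMAIN="${DOMAIN:-orbix63}"               # assumed domain name (article: orbix63)
TLS_DIR="$ORBIX_ROOT/asp/6.3/etc/tls/x509"
OLD_CA="$TLS_DIR/trusted_ca_lists/ca_list.pem"
OLD_P12="$TLS_DIR/certs/services/cert.p12"
OLD_PWF="$TLS_DIR/certs/services/cert.pwf"
NEW_CA="$TLS_DIR/trusted_ca_lists/new_ca_list.pem"
NEW_P12="$TLS_DIR/certs/services/new.p12"
NEW_PWF="$TLS_DIR/certs/services/new.pwf"

# Step 1 sanity check: the three new files must be readable, and the password
# file must not be world-readable (it protects the PKCS#12 private key).
# Arguments override the defaults so the check can be run on any location.
check_new_files() {
    for f in "${1:-$NEW_CA}" "${2:-$NEW_P12}" "${3:-$NEW_PWF}"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 1
        fi
    done
    pwf="${3:-$NEW_PWF}"
    case "$(ls -ld "$pwf")" in      # 8th character of the mode string is "other read"
        ???????r*) echo "password file is world-readable: $pwf" >&2; return 1 ;;
    esac
    return 0
}

# The old credentials on the itadmin command line.  Needed once the CFR's
# iona_utilities scope already points at the new certificate while the
# services are still running with the old one (end of step 3, all of step 4).
old_orb_args() {
    printf '%s' "-ORBpolicies:trusted_ca_list_policy [$OLD_CA] -ORBprincipal_sponsor:auth_method_data [filename=$OLD_P12,password_file=$OLD_PWF]"
}

new_auth_data() { printf 'filename=%s,password_file=%s' "$NEW_P12" "$NEW_PWF"; }

# One "itadmin variable modify" line.  $1 = scope ("" for the root scope),
# $2 = type (string|list), $3 = value, $4 = variable name.
modify_cmd() {
    scope_opt=""
    if [ -n "$1" ]; then scope_opt="-scope $1 "; fi
    printf 'itadmin variable modify %s-type %s -value %s %s' "$scope_opt" "$2" "$3" "$4"
}

# Step 3: all seven commands in the article's order; only the last one needs
# the old-certificate overrides.
step3_commands() {
    modify_cmd "" string "$NEW_CA" policies:trusted_ca_list_policy; echo
    for scope in "" kdm_admin IT_MgmtORB iona_services; do
        modify_cmd "$scope" list "$(new_auth_data)" principal_sponsor:auth_method_data; echo
    done
    modify_cmd iona_utilities string "$NEW_CA" policies:trusted_ca_list_policy; echo
    printf 'itadmin %s variable modify -scope iona_utilities -type list -value %s principal_sponsor:auth_method_data\n' \
        "$(old_orb_args)" "$(new_auth_data)"
}

# Step 4: wrap an itadmin stop subcommand, e.g. "ns stop iona_services.naming.HOST",
# with the old-certificate overrides and the explicit domain selection.
stop_cmd() {
    printf 'itadmin %s -ORBdomain_name %s -ORBconfig_domains_dir "%s" %s' \
        "$(old_orb_args)" "$DOMAIN" "$ORBIX_ROOT/etc/domains" "$*"
}

# Step 5: replace the old certificate paths in a domain .cfg file, keeping a
# .bak copy.  $1 = path to orbix63.cfg or cfr-orbix63.cfg.
rewrite_cfg() {
    cp "$1" "$1.bak" || return 1
    sed -e "s#${OLD_CA}#${NEW_CA}#g" \
        -e "s#${OLD_P12}#${NEW_P12}#g" \
        -e "s#${OLD_PWF}#${NEW_PWF}#g" "$1.bak" > "$1"
}

# Usage: sh recert.sh print   -> show the commands without running anything.
if [ "${1:-}" = "print" ]; then
    check_new_files && step3_commands && stop_cmd ns stop "iona_services.naming.$(hostname)" && echo
fi
```

The last step 3 command and every step 4 command carry the old trusted-CA list and the old PKCS#12 file via -ORB overrides, exactly as the article describes, so that itadmin can still complete the TLS handshake with services that were started under the old certificate. The password-file permission check is an addition of this example: the article does not mention it, but the .pwf file unlocks the private key and should be readable only by the account that runs the services.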
Notes IMPORTANT NOTE:
Ensure a backup of the CFR's database is available prior to making the above changes, so that the CFR can be restored in case of corruption.
Created date: 31 January 2013
Last Modified: 12 February 2013
Last Published: 31 January 2013
First Published date: 31 January 2013

#KnowledgeDocs
#Orbix