I've been working intensively with the VMware vRealize product suite over the past 4 months, including Hyperic. One of the things we have to do on our current project is to replace the Hyperic server certificate whenever a new Hyperic instance is introduced into the environment. This is a relatively straightforward task, but one that consists of quite a few steps. In this blog post, I've documented exactly how to go about replacing Hyperic server certificates.
IMPORTANT: Before going ahead with replacing Hyperic Server certificates, please read this blog post which describes a bug in the Hyperic agent that could be encountered when replacing Hyperic Server certificates.
The following is the procedure for changing the server SSL certificate on VMware vRealize Hyperic 5.8.4. It has to be completed on every Hyperic Server in the environment; nothing is changed on the agent computers.
On the Hyperic Server
1. Log into the Hyperic Server as root
2. Change user to hyperic
su -l hyperic
3. Create a new directory to hold the certificate files while the PKCS12 store and the Java keystore are built. This directory will contain the private key, so keep it readable only by the hyperic user and remove it once the new keystore is in place:
mkdir /var/tmp/ssl
4. Change Directory to /var/tmp/ssl
cd /var/tmp/ssl
5. Obtain the server certificate from your internal or a public certificate authority. You'll need a BASE64 (PEM) encoded version of the certificate. Copy the newly issued certificate to /var/tmp/ssl/hyperic.cer over SSH (SCP/SFTP) using a tool such as WinSCP. The private key that was used to generate the CSR also needs to be in this directory, as /var/tmp/ssl/hyperic.key, since the commands below reference it.
6. Create a second BASE64 (PEM) file containing the CA chain for the issued server certificate, i.e. every intermediate CA certificate plus the root CA certificate, and save it as /var/tmp/ssl/caroots.cer
7. Create a PKCS12 formatted certificate store, containing all of the following components in one encrypted file:
• The private key used to generate the CSR that was submitted to the Certificate Authority for the signing of the new certificate
• The SSL Certificate that was returned from the Certificate Authority
• The root certificate chain
openssl pkcs12 -export \
  -out hyperic.pfx \
  -inkey hyperic.key \
  -in hyperic.cer \
  -certfile caroots.cer
When prompted for the export password, enter hyperic: step 8 reads the file with -srcstorepass hyperic, so the two must match.
8. Create a new Java Keystore using the Java Keytool and import the OpenSSL PKCS12 formatted certificate store into it. OpenSSL names the key entry “1” when no -name is given, so the import has to reference alias “1”; the command fails with -alias hq because no entry of that name exists in the PKCS12 file. The alias is renamed from “1” to the “hq” that Hyperic requires in the next step.
/opt/hyperic/server-5.8.4-EE/jre/bin/keytool -importkeystore \
  -deststorepass hyperic \
  -destkeypass hyperic \
  -destkeystore hyperic.keystore \
  -srckeystore hyperic.pfx \
  -srcstoretype PKCS12 \
  -srcstorepass hyperic \
  -alias 1
9. Change the alias from 1 to hq in the newly created keystore (keytool prompts for the keystore password, hyperic):
/opt/hyperic/server-5.8.4-EE/jre/bin/keytool -changealias \
  -keystore hyperic.keystore \
  -alias 1 \
  -destalias hq
10. Stop the Hyperic Service
/opt/hyperic/server-5.8.4-EE/bin/hq-server.sh stop
11. Make a backup of the current (original) hyperic.keystore
cd /opt/hyperic/server-5.8.4-EE/conf/
mv hyperic.keystore hyperic.keystore.orig.bak
cp /var/tmp/ssl/hyperic.keystore ./hyperic.keystore
On the vPostgres Database Server:
The following steps are completed on the Hyperic database. If Hyperic was deployed as the vApp, the database runs on a separate server, so log into the server hosting the Hyperic database to complete them.
12. Log into the database:
/opt/vmware/vpostgres/9.2/bin/psql HQ hqadmin
13. See what keys are currently in the keystore table:
SELECT id, alias_name, type FROM EAM_KEYSTORE WHERE TYPE='PrivateKeyEntry' AND alias_name='hq';
14. Delete the key from the database. Hyperic also persists the keystore entry in this table, so replacing the file alone is not enough; when the server starts, it writes a new entry for the hq key from the new keystore in place of the deleted one.
DELETE FROM eam_keystore WHERE TYPE='PrivateKeyEntry' AND alias_name='hq';
On the Hyperic Server
15. Start the hq-server service
/opt/hyperic/server-5.8.4-EE/bin/hq-server.sh start
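The keystore build (steps 3 to 9) as a shell script, added here as an example; it is not code from the original post or from VMware. It goes a little beyond the steps above by adding the three checks worth running before the new keystore goes anywhere near a live server: that hyperic.key really is the key behind hyperic.cer, that caroots.cer completes the chain, and that the finished keystore contains the hq private-key entry. Assumptions not stated in the post: the CSR's private key is at /var/tmp/ssl/hyperic.key, the store and key password is hyperic (the value the post's keytool command uses), and keytool is taken from the HQ_HOME install path. Run it as the hyperic user with the argument build; with no argument it only defines the functions.

```shell
#!/bin/bash
# Added example (not from the original post or from VMware): builds the Hyperic
# keystore from the key, issued cert and CA chain, with checks the post leaves
# to the operator. Assumptions: the CSR's private key is $SSL_DIR/hyperic.key
# and the store/key password is "hyperic", the value the post's keytool uses.
set -eu

SSL_DIR="${SSL_DIR:-/var/tmp/ssl}"
HQ_HOME="${HQ_HOME:-/opt/hyperic/server-5.8.4-EE}"
KEYTOOL="${KEYTOOL:-$HQ_HOME/jre/bin/keytool}"
STOREPASS="${STOREPASS:-hyperic}"

# Check 1: the key must be the one the CSR was generated with. Both commands print
# the SubjectPublicKeyInfo in PEM, so the two outputs are identical for a match.
# A cert issued for someone else's CSR packs into a PKCS12 file without complaint
# but leaves Hyperic with a key that does not belong to the certificate it serves.
key_matches_cert() {
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Check 2: caroots.cer must carry every issuer up to the root; an incomplete
# chain leaves agents and browsers unable to validate the new certificate.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Step 7: PKCS12 export. The password is handed over through the environment
# rather than on the command line (where ps would show it) and must equal the
# -srcstorepass that keytool is given in the next step.
make_pfx() {
  local key="$1" cert="$2" chain="$3" out="$4" pass="$5"
  PFX_PASS="$pass" openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
    -certfile "$chain" -passout env:PFX_PASS
  chmod 600 "$out"
}

# Number of certificates packed into the PKCS12 file: the server cert plus
# every certificate from the chain file. Prints 0 if the password is wrong.
pfx_cert_count() {
  PFX_PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Steps 8 and 9: import under OpenSSL's default alias "1", then rename to "hq".
build_keystore() {
  local pfx="$1" out="$2" pass="$3"
  [ -x "$KEYTOOL" ] || { echo "keytool not found at $KEYTOOL" >&2; return 2; }
  rm -f "$out"
  "$KEYTOOL" -importkeystore -deststorepass "$pass" -destkeypass "$pass" \
    -destkeystore "$out" -srckeystore "$pfx" -srcstoretype PKCS12 \
    -srcstorepass "$pass" -alias 1
  "$KEYTOOL" -changealias -keystore "$out" -storepass "$pass" -alias 1 -destalias hq
  chmod 600 "$out"
}

# Check 3: the finished keystore must list "hq" as a PrivateKeyEntry, which is
# the entry the server looks for.
keystore_has_hq() {
  "$KEYTOOL" -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -q '^hq,.*PrivateKeyEntry'
}

build_all() {
  cd "$SSL_DIR"
  key_matches_cert hyperic.key hyperic.cer \
    || { echo "hyperic.key is not the key behind hyperic.cer" >&2; return 1; }
  chain_verifies hyperic.cer caroots.cer \
    || { echo "caroots.cer does not complete the chain for hyperic.cer" >&2; return 1; }
  make_pfx hyperic.key hyperic.cer caroots.cer hyperic.pfx "$STOREPASS"
  echo "hyperic.pfx holds $(pfx_cert_count hyperic.pfx "$STOREPASS") certificate(s)"
  build_keystore hyperic.pfx hyperic.keystore "$STOREPASS"
  keystore_has_hq hyperic.keystore "$STOREPASS" \
    || { echo "alias hq is missing from hyperic.keystore" >&2; return 1; }
  echo "hyperic.keystore is ready; stop hq-server and copy it into $HQ_HOME/conf/"
}

# With no argument the script only defines the functions; "build" runs the lot.
case "${1:-}" in build) build_all ;; esac
```

If the keytool import fails with an unsupported-algorithm error, the likely cause is a PKCS12 file written by OpenSSL 3 (which defaults to PBES2/AES) being read by an older JRE; re-exporting with the -legacy option of openssl pkcs12 produces a file those JREs accept. Either way, delete /var/tmp/ssl after the keystore has been copied into conf/, as it holds the private key in three forms.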
Roll Back Actions
If the SSL certificate change needs to be rolled back, the following steps are required to be completed:
On the Hyperic Server
1. Log into the Hyperic Server as root
2. Change user to hyperic
su -l hyperic
3. Stop the Hyperic Server
/opt/hyperic/server-5.8.4-EE/bin/hq-server.sh stop
4. Move the new keystore aside, keeping a copy in case the rollback itself needs to be reversed:
cd /opt/hyperic/server-5.8.4-EE/conf/
mv hyperic.keystore hyperic.keystore.new.bak
5. Copy the original keystore back into place:
cd /opt/hyperic/server-5.8.4-EE/conf/
cp hyperic.keystore.orig.bak ./hyperic.keystore
On the vPostgres Database Server:
The following steps are required to be completed on the Hyperic Database.
6. Log into the database:
/opt/vmware/vpostgres/9.2/bin/psql HQ hqadmin
7. See what keys are currently in the keystore table:
SELECT id, alias_name, type FROM EAM_KEYSTORE WHERE TYPE='PrivateKeyEntry' AND alias_name='hq';
8. Delete the key from the database. As during the change, the server writes a fresh entry for the hq key from the restored keystore when it starts, replacing the deleted one.
DELETE FROM eam_keystore WHERE TYPE='PrivateKeyEntry' AND alias_name='hq';
On the Hyperic Server
9. Start the hq-server service
/opt/hyperic/server-5.8.4-EE/bin/hq-server.sh start