Question: How to generate a Versa Director certificate and sync it with the Versa Analytics nodes?

How to sync the Versa Analytics certificates with Versa Director for a secure channel?

Solution:

Versa provides scripts to generate a self-signed certificate on the Director and install it on all Versa Analytics nodes. The generation script creates the certificate on both the Master Director and the Slave Director, and the sync script copies it to every Versa Analytics node.

From release 20.x, you can select the secure ports 443/8443 for the connection between Director and Analytics. From release 21.x onwards, only secure ports are allowed between Director and Analytics. In both cases the Analytics certificates must also be synced to the Director (see "Sync the Analytics certificate to the Director" below).

Follow these steps to generate the Versa Director certificate and copy it to all Versa Analytics nodes. If you already have either a self-signed certificate or a CA-signed certificate, skip to the Certificate Synchronization section.

Self-signed Certificate generation

You can generate a single certificate for both the Master and Slave Directors by providing their hostnames to the script. The certificate is synchronized to the Slave Director automatically. Follow these steps to generate the certificate.

  1. Switch to the versa user:

       sudo su - versa

  2. Run the certificate generation script, where --cn is the Master Director hostname and --san is the Slave Director hostname:

       versa@Director:~$ /opt/versa/vnms/scripts/vnms-certgen.sh --cn versa-director --san versa-director2 --overwrite --storepass versa123

     Currently, --storepass accepts only the default password as its parameter, so the keystore password offers no protection of its own; restrict filesystem access to the certificate directory and shell access to the Director instead.

     This step generates the common certificate versa_director_client.cer using the hostnames of the Master and Slave Director nodes, and overwrites the existing certificate, if any.

     NOTE: Do not generate the certificate with sudo privileges; run the script as the versa user.

  3. Restart the Master Versa Director.
  4. Restart the Slave Versa Director.
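Before syncing the certificate anywhere, it is worth confirming that the file the script produced actually names both Directors, because the Analytics nodes reach the Director by hostname (see the /etc/hosts note in the next section) and a hostname missing from the certificate is easier to catch now than after the sync. The script below is an added example and is not part of vnms-certgen.sh or any other Versa tooling; the openssl req command is a stand-in that produces a certificate of the same shape (CN = Master hostname, SAN = both hostnames) so the checks can be exercised on a lab machine, and the hostnames, output paths and 365-day validity period are assumptions.

```shell
#!/bin/sh
# Added example (not Versa's vnms-certgen.sh): generate a certificate of the
# same shape the page describes and check it before syncing it anywhere.
# Hostnames, paths and the validity period are illustrative assumptions.
set -eu

# Stand-in for the generation step: a self-signed certificate whose CN is the
# Master Director hostname and whose SAN lists both Director hostnames.
# Usage: gen_selfsigned_cert OUT_CERT OUT_KEY MASTER_HOST SLAVE_HOST
gen_selfsigned_cert() {
    local cert="$1" key="$2" master="$3" slave="$4"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$key" -out "$cert" \
        -subj "/C=US/O=versa-networks/OU=VersaDirector/CN=${master}" \
        -addext "subjectAltName=DNS:${master},DNS:${slave}" >/dev/null 2>&1
    chmod 600 "$key"    # the private key must never be world-readable
}

# Print the DNS names from the text form of a subjectAltName extension
# ("DNS:a, DNS:b"), one per line. Reads stdin, so it needs no openssl.
parse_san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | sed 's/[[:space:]]*$//'
}

# CN of the subject, using RFC 2253 output so the field separator is fixed.
cert_common_name() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# SAN DNS names of a certificate file; the SAN value is on the line after the
# extension header in `openssl x509 -text` output.
cert_san_dns_names() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | parse_san_dns_names
}

# 0 if NAME is the CN or one of the SAN DNS names in CERT, 1 otherwise.
cert_covers_host() {
    local cert="$1" name="$2"
    [ "$(cert_common_name "$cert")" = "$name" ] && return 0
    cert_san_dns_names "$cert" | grep -Fx -- "$name" >/dev/null
}

# 0 if CERT is still valid DAYS days from now. `-checkend` is portable,
# unlike parsing the notAfter date with date(1).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Pre-sync check: both Director hostnames present, and not about to expire.
# Usage: precheck_director_cert CERT MASTER_HOST SLAVE_HOST
precheck_director_cert() {
    local cert="$1" master="$2" slave="$3" rc=0 host
    for host in "$master" "$slave"; do
        if cert_covers_host "$cert" "$host"; then
            echo "ok   $host is covered by $cert"
        else
            echo "FAIL $host is neither CN nor SAN in $cert" >&2; rc=1
        fi
    done
    if cert_valid_for_days "$cert" 30; then
        echo "ok   certificate valid for at least 30 more days"
    else
        echo "FAIL certificate expires within 30 days (or is already expired)" >&2; rc=1
    fi
    return $rc
}

# Usage: sh precheck.sh CERT MASTER_HOST SLAVE_HOST
if [ $# -eq 3 ]; then precheck_director_cert "$1" "$2" "$3"; fi
```

On the Director, as the versa user, `sh precheck.sh /var/versa/vnms/data/certs/versa_director_client.cer versa-director versa-director2` runs the check against the file the Versa script wrote; a non-zero exit means the certificate should be regenerated (with --overwrite) before running the sync.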

Certificate Synchronization

  1. Configure the Analytics cluster in Versa Director.
  2. Ensure that the Versa Director(s) are reachable from the Analytics nodes by hostname. If not, add the Director hostname (the one used during certificate generation) to the /etc/hosts file on each Analytics node.
  3. Run the sync script on the Master Versa Director, as the versa user, to sync the certificate to all Analytics nodes:

       versa@Director:~$ /opt/versa/vnms/scripts/vnms-cert-sync.sh --sync

     Alternatively, you can sync and install the certificate manually:
     1. Copy versa_director_client.cer to the /opt/versa/var/van-app/certificates/ directory on every Analytics node:

          versa@Analytics:~$ sudo scp admin@Director-IP:/var/versa/vnms/data/certs/versa_director_client.cer /opt/versa/var/van-app/certificates/

     2. Remove the existing versa_director_truststore.ts file from each Analytics node:

          versa@Analytics:~$ rm /opt/versa/var/van-app/certificates/versa_director_truststore.ts

     3. Run van-vd-cert-install.sh on the copied certificate, with an alias, which is a locally significant unique string:

          versa@Analytics:~$ /opt/versa/scripts/van-scripts/van-vd-cert-install.sh /opt/versa/var/van-app/certificates/versa_director_client.cer

  4. Run the verify option, as the versa user, to confirm that the certificate on the Versa Director and the copies on the Analytics nodes are identical:

       versa@Director:~$ /opt/versa/vnms/scripts/vnms-cert-sync.sh --verify

     NOTE: The script prompts for the Versa Analytics cluster name and the SSH password of the versa user on the Analytics nodes.

Example:

versa@versa-director:/opt/versa/vnms/scripts$ ./vnms-cert-sync.sh --verify
Enter VAN Cluster Name:
VAN1
CMD_MAAPI is true [mtid = 0]
Analytics Clusters Configured:10.192.71.71 10.192.71.72
Enter password for Analytics cluster For user versa
verifying certificates
MD5 hash matches with Director certificate on 10.192.71.71
MD5-Director:2c25f8696d68e4bd6cc6057b03b5fa2a
MD5Remote:2c25f8696d68e4bd6cc6057b03b5fa2a
MD5 hash matches with Director certificate on 10.192.71.72
MD5-Director:2c25f8696d68e4bd6cc6057b03b5fa2a
MD5Remote:2c25f8696d68e4bd6cc6057b03b5fa2a

A match shows that each Analytics node holds a byte-identical copy of the Director certificate file. It says nothing about the certificate's contents, so also confirm that the CN and SAN in versa_director_client.cer are the Director hostnames the Analytics nodes use to reach it.


Viewing the help options in all the scripts

Every script supports --help. For example, run ./vnms-certgen.sh --help from /opt/versa/vnms/scripts to view the options of the certificate generation script:

admin@versa-director:/opt/versa/vnms/scripts$ ./vnms-certgen.sh --help
    Usage: vnms-certgen
    generate self signed certificate
    echo "sample example : $./vnms-certgen.sh  --cn=exampel.com --san=test.sample.com]"

    Options:
      -h, --help           Show this help message and exit.
      [--cn]             <Fully qualified domain name representing Designated Master Director>
      [--san]          <Fully qualified domain name representing Slave Director>
      [--overwrite]      <Overwrite existing certificates>


Sync the Analytics certificate to the Director

This operation is required if either of the following applies:

  1. Release 20.x, using port 443/8443 to connect between Director and Analytics
  2. Release 21.x onwards

Run the script on the Master Director as the versa user:

    1. Switch to the versa user:

       sudo su - versa

    2. Pull the Analytics certificates into the Director keystore:

       /opt/versa/vnms/scripts/vd-van-cert-upgrade.sh --pull

    3. The script prompts for a service restart of the Director, which is required to install the certificates. If you postpone the restart, the certificates are installed only after the next service restart.

NOTE: Take care of the Director HA state before restarting services on the Director: stop services on the Slave Director, restart services on the Master, and once the Master Director is up, start services on the Slave Director again.

The verify error:num=18:self signed certificate lines in the output below are openssl's verdict on a self-signed Analytics certificate; they are expected, and the certificate is still imported. Judging by the output, the script imports whatever certificate each node presents over the network at that moment, so check the fingerprint of each imported certificate against the certificate file on the Analytics node itself before you rely on the channel.

 

versa@Director-1:~$ /opt/versa/vnms/scripts/vd-van-cert-upgrade.sh --pull
Pulling Analytics certificates to Director key store
VAN Clusters IPs: [ 10.48.9.51 10.48.9.52 10.48.9.53 10.48.9.54 ]
Removing previous analystics cert store
Getting Certificate for : 10.48.9.51
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify return:1
DONE
Importing Certificate for : 10.48.9.51
Certificate was added to keystore
Getting Certificate for : 10.48.9.52
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify return:1
DONE
Importing Certificate for : 10.48.9.52
Certificate was added to keystore
Getting Certificate for : 10.48.9.53
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify return:1
DONE
Importing Certificate for : 10.48.9.53
Certificate was added to keystore
Getting Certificate for : 10.48.9.54
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify return:1
DONE
Importing Certificate for : 10.48.9.54
Certificate was added to keystore
Certificates Imported... Requires restart.. Do you want to post pone restart (y/N): N
[sudo] password for versa:
Stopping VNMS service
------------------------------------
Stopping TOMCAT................[Stopped]
Stopping REDIS.................[Stopped]
Stopping NETBOX-IPAM...........[Stopped]
Stopping POSTGRE...............[Stopped]
Stopping SPRING-BOOT...........[Stopped]
Stopping SPACKMGR..............[Stopped]
Stopping NCS...................[Stopped]
* Stopping daemon monitor monit
Starting VNMS service
------------------------------------
Starting NCS...................[Started]
Starting POSTGRE...............[Started]
Starting NETBOX-IPAM...........[Started]
Starting SPRING-BOOT.......... [Started]
Starting REDIS.................[Started]
Starting TOMCAT................[Started]
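Both sync directions on this page end in a trust decision made from a hash: --verify compares MD5 hashes of the copied file, and --pull imports whatever certificate each Analytics node presents. The script below is an added example, not part of vnms-cert-sync.sh or vd-van-cert-upgrade.sh; it shows the same two checks with SHA-256 fingerprints, one function per direction, plus a pinning step that refuses to keep a pulled certificate whose fingerprint does not match a value recorded out of band. File paths are the ones on this page; the node addresses, the TLS port and the expected fingerprint are placeholders, and the embedded s_client output is constructed, not captured from a Versa node.

```shell
#!/bin/sh
# Added example, not part of vnms-cert-sync.sh or vd-van-cert-upgrade.sh.
# Two fingerprint checks, one per sync direction:
#   verify_director_cert_on_node  Director cert on disk vs. the copy on an
#                                 Analytics node (what --verify does, using
#                                 SHA-256 instead of MD5)
#   pin_remote_cert               the cert an Analytics node presents over TLS
#                                 vs. a fingerprint recorded out of band, before
#                                 it is imported (the --pull direction)
# Paths mirror this page; node addresses, the port and the expected
# fingerprint are illustrative assumptions.
set -eu

DIRECTOR_CERT=/var/versa/vnms/data/certs/versa_director_client.cer
ANALYTICS_CERT_DIR=/opt/versa/var/van-app/certificates

# Reduce an openssl fingerprint line ("SHA256 Fingerprint=AB:CD:...") or a bare
# hex string to lowercase hex without colons, so copies compare reliably.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of a PEM certificate file (empty if it is not one).
cert_fingerprint() {
    normalize_fp "$(openssl x509 -noout -fingerprint -sha256 -in "$1")"
}

# 0 if the two fingerprints are the same non-empty value, 1 otherwise.
fingerprints_match() {
    local a b
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Keep only the first PEM block from `openssl s_client -showcerts` output:
# that is the leaf certificate the server presented. Reads stdin.
extract_leaf_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | sed '/-----END CERTIFICATE-----/q'
}

# Compare the Director certificate with the copy installed on NODE. The
# fingerprint is computed on the node itself, so nothing is copied back.
# Usage: verify_director_cert_on_node 10.192.71.71
verify_director_cert_on_node() {
    local node="$1" local_fp remote_fp
    local_fp=$(cert_fingerprint "$DIRECTOR_CERT")
    remote_fp=$(ssh "versa@${node}" "openssl x509 -noout -fingerprint -sha256 -in ${ANALYTICS_CERT_DIR}/versa_director_client.cer")
    if fingerprints_match "$local_fp" "$remote_fp"; then
        echo "OK   ${node}: ${local_fp}"
    else
        echo "FAIL ${node}: director=${local_fp} node=$(normalize_fp "$remote_fp")" >&2
        return 1
    fi
}

# Fetch the certificate NODE presents on PORT, save it to OUT, and keep it
# only if it matches EXPECTED (taken from `cert_fingerprint` run on the node's
# own certificate file, or from the deployment record). openssl prints
# "verify error:num=18:self signed certificate" for such a cert; that is
# expected and is why the fingerprint, not the chain, is the check here.
# Usage: pin_remote_cert 10.48.9.51 8443 <expected-fingerprint> /tmp/van-51.cer
pin_remote_cert() {
    local node="$1" port="$2" expected="$3" out="$4" actual
    openssl s_client -connect "${node}:${port}" -showcerts </dev/null 2>/dev/null \
        | extract_leaf_pem > "$out"
    actual=$(cert_fingerprint "$out")
    if fingerprints_match "$actual" "$expected"; then
        echo "pinned ${node}: ${actual} -> ${out}"
    else
        echo "REFUSED ${node}: presented '${actual}', expected $(normalize_fp "$expected")" >&2
        rm -f "$out"
        return 1
    fi
}

# Constructed sample of s_client output (not a real certificate), showing
# what extract_leaf_pem keeps: the leaf only, not the second chain entry.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 C = US, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = versa-analytics
-----BEGIN CERTIFICATE-----
MIIBsampleLeafNotARealCert
-----END CERTIFICATE-----
 1 s:CN = not-the-leaf
-----BEGIN CERTIFICATE-----
MIIBsampleSecondEntry
-----END CERTIFICATE-----
---
'
```

On the Director, as the versa user, `verify_director_cert_on_node 10.192.71.71` reproduces the --verify check for one node, and `pin_remote_cert 10.48.9.51 8443 <fingerprint> /tmp/van-10.48.9.51.cer` fetches and pins one Analytics certificate, with the port being whichever secure port (443/8443) the deployment uses. A refused pin means the node is presenting a certificate other than the one you recorded, which is the case the plain --pull would silently import.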