Maintaining Certificates

Certificates and their Certificate Authority (CA) have an expiration date; therefore, they need to be renewed prior to expiring in order for the cluster to operate properly.

To better understand the CAs in the cluster, see Securing External Communication with the RE Certificate.

In this section, ${CDF_HOME} refers to:
  On-premises: /opt/arcsight/kubernetes
  Cloud: $<OMT-deployer path>

Viewing the CA Validity Dates

The sections below describe how to check the validity dates of the cluster's internal and external CAs and how to renew them before they expire.

Renewing Internal CAs

This section applies to the CA used for pod-to-pod communication within the cluster, not to the certificates used for external communication.

To check whether your internal Certificate Authority is close to expiration, log in to the OMT Management Portal, which shows a warning when fewer than 30 days are left until expiration.

Alternatively, run the kube-status.sh script from /opt/arcsight/kubernetes/bin (the default installation path). The expiration date is reported on the first line of the script output.
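The portal's 30-day warning is easy to reproduce from the command line for any PEM certificate, for example one you have exported from the cluster or the external chain you are about to install. The script below is an added example, not one of the platform's own scripts; it assumes only a POSIX shell and the openssl command-line tool, and the certificate paths are whatever you pass as arguments.

```shell
#!/bin/sh
# Added example, not one of the OMT/ArcSight platform scripts: report how many
# days remain on a PEM certificate and flag it the way the portal does, i.e.
# when fewer than 30 days are left. Assumes a POSIX shell and the openssl CLI.

WARN_DAYS=30        # the portal's warning threshold
MAX_LOOKAHEAD=3650  # search window in days (10 years); larger offsets overflow old openssl builds

# Print the certificate's notAfter date as openssl reports it.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Return 0 if the certificate is still valid $2 days from now, 1 if it will
# have expired by then (openssl's -checkend takes the offset in seconds).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Print the number of whole days the certificate remains valid (0 if it is
# already expired or expires within 24 hours, MAX_LOOKAHEAD if it is valid
# for longer than the window). A binary search over -checkend avoids parsing
# the notAfter string, whose format differs between openssl versions and
# between GNU and BSD `date`.
cert_days_remaining() {
    lo=0
    hi=$MAX_LOOKAHEAD
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if cert_valid_for_days "$1" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# Return 0 if the certificate has at least WARN_DAYS left, 1 if it is inside
# the warning window, already expired, or unreadable.
check_cert_expiry() {
    if ! openssl x509 -noout -in "$1" >/dev/null 2>&1; then
        echo "ERROR: $1 is not a readable PEM certificate"
        return 1
    fi
    left=$(cert_days_remaining "$1")
    if [ "$left" -lt "$WARN_DAYS" ]; then
        echo "WARNING: $1 expires in $left day(s) (notAfter: $(cert_not_after "$1"))"
        return 1
    fi
    echo "OK: $1 valid for $left more day(s) (notAfter: $(cert_not_after "$1"))"
    return 0
}

# Usage: sh check-cert-expiry.sh cert1.pem [cert2.pem ...]
# Exit status is 1 if any certificate is inside the warning window.
status=0
for cert in "$@"; do
    check_cert_expiry "$cert" || status=1
done
[ "$#" -eq 0 ] || exit "$status"
```

Run it from cron against the certificates you care about and alert on a non-zero exit status; because it never parses the date string, it behaves the same on every node regardless of which openssl or date implementation is installed.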

To renew internal CAs and dependent certificates:

  1. Execute renewCert. This action also distributes the renewed CA between the nodes:

    ${CDF_HOME}/scripts/renewCert --renew -t internal -V 730
  2. Follow the on-screen prompts to:
    1. Generate new certificates.
    2. Distribute them between the nodes using scp.
    3. Apply the certificates by restarting the nodes one by one.

Renewing External CAs

This procedure updates the certificates used by the OMT Management Portal as well as ArcSight capabilities. Changing the certificate by way of the OMT Management Portal, Administration > Certificate, only changes the certificate used by the OMT Management Portal.

To renew external CAs, ask your PKI team to generate an intermediate certificate and matching key. Be sure to also obtain the certificate of any higher root certificate authority, or the whole chain if more than one level is used.

If you cannot get a key from your PKI team, see Using an RE External Communication Certificate Signed by Your Trusted Certificate Authority.

  1. Execute cdf-updateRE.sh:

    ${CDF_HOME}/scripts/cdf-updateRE.sh write --re-key={New Intermediate Key Name}.pem --re-crt={New Intermediate Certificate Name}.crt
    If your intermediate certificate is signed by a higher root certificate authority, pass a chain file to the "re-crt" parameter: the root CA certificate and the intermediate certificate concatenated into one file, keeping the PEM headers. Make sure the intermediate certificate is first in the file and the root CA certificate is last.
  2. Pods of the deployed ArcSight capabilities that perform external communication continue to use the certificates generated by the platform at pod start-up until the pod is restarted.
  3. To identify the pods that perform external communication, see Understanding Labels and Pods.
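Because cdf-updateRE.sh reads the whole chain from a single file, a bundle concatenated in the wrong order is an easy mistake to make and is not caught until pods start failing TLS handshakes. The script below is an added example (not part of the product) that checks the documented order, intermediate first and root CA last, by comparing each certificate's issuer with the subject of the certificate after it and requiring the last certificate to be self-signed. It assumes POSIX sh, awk and the openssl CLI; the bundle path is its only argument.

```shell
#!/bin/sh
# Added example, not one of the OMT/ArcSight platform scripts: check that a
# concatenated PEM bundle is ordered the way cdf-updateRE.sh --re-crt expects,
# intermediate first and root CA last. Assumes POSIX sh, awk and the openssl CLI.

# Split a PEM bundle into $2/cert-NN.pem (one certificate each) and print the count.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# Print the subject or issuer DN ($1 is "subject" or "issuer") of a
# single-certificate PEM file. Both come from the same openssl build, so the
# strings are directly comparable whatever DN formatting that build uses.
cert_dn() {
    openssl x509 -noout "-$1" -in "$2" | sed "s/^$1= *//"
}

# Return 0 if every certificate in the bundle is issued by the one after it and
# the last one is self-signed (the root CA); otherwise print why and return 1.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    count=$(split_pem_bundle "$bundle" "$tmp")
    rc=1
    if [ "$count" -lt 1 ]; then
        echo "$bundle: no PEM certificates found"
    else
        i=1
        rc=0
        while [ "$i" -le "$count" ]; do
            this=$(printf '%s/cert-%02d.pem' "$tmp" "$i")
            issuer=$(cert_dn issuer "$this")
            if [ "$i" -eq "$count" ]; then
                # The last certificate must be the self-signed root CA.
                if [ "$issuer" != "$(cert_dn subject "$this")" ]; then
                    echo "$bundle: certificate $i is last but not self-signed (issuer: $issuer); the root CA must come last"
                    rc=1
                fi
            else
                # Every other certificate must be issued by the one that follows it.
                next=$(printf '%s/cert-%02d.pem' "$tmp" $(( i + 1 )))
                if [ "$issuer" != "$(cert_dn subject "$next")" ]; then
                    echo "$bundle: certificate $i is not issued by certificate $(( i + 1 )); the order is wrong"
                    rc=1
                fi
            fi
            i=$(( i + 1 ))
        done
        [ "$rc" -eq 0 ] && echo "$bundle: chain order OK ($count certificate(s), root CA last)"
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh check-chain-order.sh chain.crt
[ "$#" -eq 0 ] || { check_chain_order "$1"; exit; }
```

The check compares names only; it confirms the file is assembled in the right order but not that the signatures are valid, so follow it with an `openssl verify` of the intermediate against the root before running cdf-updateRE.sh.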

Renewing External Certificate of Management Portal and Fusion Single-Sign-On Portal

To renew the certificate for portals:

  1. Log in to database node1.
  2. Follow these steps to stop the Kafka Scheduler and Watchdog:

    1. Change to the database tools directory:

      cd /opt/arcsight-db-tools
    2. Stop the Kafka Scheduler:

      ./kafka_scheduler stop
    3. Disable watchdog:

      scripts/watchdog.sh disable
  3. Restart the ArcSight pods:

    kubectl delete pods --all -n $(kubectl get namespaces --no-headers -o custom-columns=":metadata.name" | grep arcsight-installer)
  4. Run this command to update the nginx certificate:

    ${CDF_HOME}/scripts/cdf-updateRE.sh renewPortals
    This command generates the nginx certificate and updates the nginx-investigate-secret and nginx-default-secret.
  5. Continue to the next step to update the database certificates: Configuring the ArcSight Database to Use the Updated RE External Communication Certificate.