19 Oct 2015

Replacing Hyperic 5.8.4 Server SSL Certificates

I've been working intensively with the VMware vRealize product suite over the past 4 months, including Hyperic. One of the things we have to do on our current project is to replace the Hyperic server certificate whenever a new Hyperic instance is introduced into the environment. This is a relatively straightforward task, but one that consists of quite a few steps. In this blog post, I've documented exactly how to go about replacing Hyperic server certificates.

IMPORTANT: Before going ahead with replacing Hyperic Server certificates, please read this blog post, which describes a bug in the Hyperic agent that can be encountered when the Hyperic Server certificate is replaced.

The following outlines the procedure for changing the server SSL certificate of VMware vRealize Hyperic 5.8.4. It needs to be completed on every Hyperic Server in the environment; the agent computers are not touched.

On the Hyperic Server

1. Log into the Hyperic Server as root

2. Change user to hyperic

su -l hyperic

3. Create a new directory where certificate files will be stored while we complete the requests and Java certificate keystore build:

mkdir /var/tmp/ssl

4. Change Directory to /var/tmp/ssl

cd /var/tmp/ssl

5. Obtain the required SSL certificate from your internal or a public certificate authority. You'll need a BASE64 (PEM) encoded version of the certificate. Copy the newly issued certificate to /var/tmp/ssl/hyperic.cer over Secure Shell using a tool such as WinSCP. The private key that was used to generate the CSR must also be available on the server as /var/tmp/ssl/hyperic.key, because step 7 packages it together with the certificate; keep that file readable only by the hyperic user.

6. Create a new BASE64 (PEM) encoded file containing every CA certificate in the chain of the issued server certificate (the intermediates and the root), concatenated one after the other. Place this file in /var/tmp/ssl/caroots.cer.

7. Create a PKCS12 formatted certificate store, containing all of the following components in one encrypted file:

• The private key used to generate the CSR that was submitted to the Certificate Authority for the signing of the new certificate

• The SSL Certificate that was returned from the Certificate Authority

• The CA certificate chain

openssl pkcs12 -export \
-out hyperic.pfx \
-inkey hyperic.key \
-in hyperic.cer \
-certfile caroots.cer

OpenSSL prompts for an export password. The next step reads the file back with the password hyperic, so either enter hyperic here or change -srcstorepass in step 8 to whatever you choose.

8. Create a new Java Keystore using the Java Keytool and import the OpenSSL PKCS12 formatted certificate store into it. The -alias option names the entry in the source PKCS12, and OpenSSL labels that entry “1” when no -name was given at export time, which is why the command fails if “hq” is used here. We will change the alias from “1” to the Hyperic required “hq” later on in the process (adding -destalias hq to this command, or -name hq to the openssl export, would achieve the same result in one step).

/opt/hyperic/server-5.8.4-EE/jre/bin/keytool -importkeystore \
-deststorepass hyperic \
-destkeypass hyperic \
-destkeystore hyperic.keystore \
-srckeystore hyperic.pfx \
-srcstoretype PKCS12 \
-srcstorepass hyperic \
-alias 1

9. Change the Alias of 1 to hq in the newly created keystore:

/opt/hyperic/server-5.8.4-EE/jre/bin/keytool -changealias \
-keystore hyperic.keystore \
-alias 1 \
-destalias hq

10. Stop the Hyperic Service

/opt/hyperic/server-5.8.4-EE/bin/hq-server.sh stop

11. Make a backup of the current (original) hyperic.keystore and put the new keystore in its place. The keystore password used above (hyperic) is the Hyperic default; if the keystore password configured in hq-server.conf has been changed from the default, build the keystore with that password instead, or the server will be unable to open it on start-up.

cd /opt/hyperic/server-5.8.4-EE/conf/
mv hyperic.keystore hyperic.keystore.orig.bak
cp /var/tmp/ssl/hyperic.keystore ./hyperic.keystore

On the vPostgres Database Server:

The following steps are completed against the Hyperic database. If Hyperic was deployed as the vApp, the database runs on a separate server, so log into the server hosting the Hyperic database to complete them.

12. Log into the database:

/opt/vmware/vpostgres/9.2/bin/psql HQ hqadmin

13. See what keys are currently in the keystore table:

SELECT id, alias_name, type FROM EAM_KEYSTORE WHERE TYPE='PrivateKeyEntry' AND alias_name='hq';

14. Delete the key entry from the database. When the server is started, a new key entry will be written to the table to replace the deleted one. Note the id returned by the previous query so that you can confirm after the restart that the old row is gone and a new one exists; if you want a copy of the old row, dump the table (for example with pg_dump) before deleting.

DELETE FROM eam_keystore WHERE TYPE='PrivateKeyEntry' AND alias_name='hq';

On the Hyperic Server

15. Start the hq-server service

/opt/hyperic/server-5.8.4-EE/bin/hq-server.sh start
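The certificate preparation part of the procedure (steps 5 to 9) is where things silently go wrong: a certificate that does not belong to the key, or a chain file that does not actually validate it, only shows up once the server is restarted and agents stop talking to it. The script below is an added example, not code from the original post or from VMware, that puts those checks in front of the PKCS12 and keystore build and creates the keystore directly under the alias hq. It assumes the file names used in the post (hyperic.key, hyperic.cer, caroots.cer in one working directory); the KEYTOOL and STORE_PASS defaults, the -deststoretype JKS flag and the use of openssl verify for the chain check are my choices, not something the post states.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): validate the issued certificate
# against the private key and the CA chain, then build the PKCS12 and the JKS
# keystore under the alias "hq" in one pass. KEYTOOL/STORE_PASS defaults,
# -deststoretype JKS and the openssl verify chain check are assumptions.
set -eu

KEYTOOL="${KEYTOOL:-/opt/hyperic/server-5.8.4-EE/jre/bin/keytool}"
# Hyperic's default keystore password; must match the password the server is
# configured to use in hq-server.conf.
STORE_PASS="${STORE_PASS:-hyperic}"

# Does the private key belong to the certificate? Compare the SHA-256 of the
# DER-encoded public key taken from each side (works for RSA and EC keys).
key_matches_cert() {   # usage: key_matches_cert hyperic.key hyperic.cer
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    from_cert=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$from_key" = "$from_cert" ]
}

# Does the chain file actually validate the issued certificate?
chain_verifies() {     # usage: chain_verifies hyperic.cer caroots.cer
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Package key + certificate + chain. "-name hq" sets the PKCS12 friendly name,
# which keytool later uses as the alias, so no -changealias step is needed.
build_pkcs12() {       # usage: build_pkcs12 key cert chain out.pfx password
    openssl pkcs12 -export -name hq \
        -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# Number of certificates inside the PKCS12 (leaf plus chain).
pkcs12_cert_count() {  # usage: pkcs12_cert_count file.pfx password
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Import the PKCS12 into a new JKS keystore under alias hq. keytool only exists
# on the Hyperic server, so elsewhere this step is skipped rather than failed.
import_keystore() {    # usage: import_keystore in.pfx out.keystore password
    if [ ! -x "$KEYTOOL" ]; then
        echo "keytool not found at $KEYTOOL, skipping JKS import" >&2
        return 0
    fi
    "$KEYTOOL" -importkeystore \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" -srcalias hq \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$3" \
        -destkeypass "$3" -destalias hq
}

# Whole flow for steps 5 to 9: refuse to build anything if the key or the chain
# does not fit the certificate, so a bad keystore never reaches conf/.
prepare_keystore() {   # usage: prepare_keystore workdir [password]
    local dir=$1 pass=${2:-$STORE_PASS}
    key_matches_cert "$dir/hyperic.key" "$dir/hyperic.cer" \
        || { echo "hyperic.key does not match hyperic.cer" >&2; return 1; }
    chain_verifies "$dir/hyperic.cer" "$dir/caroots.cer" \
        || { echo "caroots.cer does not validate hyperic.cer" >&2; return 1; }
    build_pkcs12 "$dir/hyperic.key" "$dir/hyperic.cer" "$dir/caroots.cer" \
        "$dir/hyperic.pfx" "$pass"
    import_keystore "$dir/hyperic.pfx" "$dir/hyperic.keystore" "$pass"
}
```

Run it on the server as the hyperic user with `prepare_keystore /var/tmp/ssl`, then continue with step 10. Two caveats: if the PKCS12 is built on a workstation with OpenSSL 3 and imported with the old JRE bundled with Hyperic, keytool may refuse the file because of the newer default PKCS12 encryption; adding -legacy to the openssl pkcs12 -export command produces the older format. And after step 15, confirm what is actually being served with `openssl s_client -connect <server>:7443` (7443 is the server's default HTTPS port) and compare the presented certificate with hyperic.cer before declaring the change done.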

Roll Back Actions

If the SSL certificate change needs to be rolled back, the following steps are required to be completed:

On the Hyperic Server

1. Log into the Hyperic Server as root

2. Change user to hyperic

su -l hyperic

3. Stop the Hyperic Server

/opt/hyperic/server-5.8.4-EE/bin/hq-server.sh stop

4. Keep a backup copy of the new keystore that is being rolled back

cd /opt/hyperic/server-5.8.4-EE/conf/
mv hyperic.keystore hyperic.keystore.new.bak

5. Copy the original keystore back into the correct location

cd /opt/hyperic/server-5.8.4-EE/conf/
cp hyperic.keystore.orig.bak ./hyperic.keystore

On the vPostgres Database Server:

The following steps are completed against the Hyperic database (on a separate server if Hyperic was deployed as the vApp).

6. Log into the database:

/opt/vmware/vpostgres/9.2/bin/psql HQ hqadmin

7. See what keys are currently in the keystore table:

SELECT id, alias_name, type FROM EAM_KEYSTORE WHERE TYPE='PrivateKeyEntry' AND alias_name='hq';

8. Delete the key from the database. When the server is started, a new key entry will be made to the table in order to replace the deleted key.

DELETE FROM eam_keystore WHERE TYPE='PrivateKeyEntry' AND alias_name='hq';

On the Hyperic Server

9. Start the hq-server service

/opt/hyperic/server-5.8.4-EE/bin/hq-server.sh start
Last modified on Monday, 19 October 2015 10:04