...
This step requires root access
to switch to root access run the following command “su root” and enter the root password set during installation
If the encryption at rest process has been run previously the private key must be decrypted
If the key is not encrypted skip the decryption step
to verify run the following command If no file is found that means the key is encrypted
Code Block ls -la /var/opt/yarnlab/yarnman/config/private-encryption-key.pem ls: cannot access '/var/opt/yarnlab/yarnman/config/private-encryption-key.pem': No such file or directory
to verify the key is encrypted
Code Block ls -la /var/opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe -rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 8129 Nov 14 03:40 /var/opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe
Switch into docker container by running the following command - Note that the prompt changes from the root to container shell
Code Block docker exec -it ym-yarnman /bin/bash ym-yarnman-app@yl-ym-yarnman:/opt/yarnlab/yarnman$
to decrypt the key run the following command
Code Block clevis decrypt < /opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe > /opt/yarnlab/yarnman/config/private-encryption-key.pem
reset permissions
chmod 600 /opt/yarnlab/yarnman/config/private-encryption-key.pem
change passphrase from default “yarnman”
Code Block ssh-keygen -p -f /opt/yarnlab/yarnman/config/private-encryption-key.pem Enter old passphrase: Enter new passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved with the new passphrase.
backup old key
Code Block mv /opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe /opt/yarnlab/yarnman/config/private-encryption-key.pem.jwe.bk
exit the container shell
Code Block exit exit root@ym-ph-test [ /var/opt/yarnlab/ ]#
verify the key is decrypted and ensure the that
Code Block ls -la /var/opt/yarnlab/yarnman/config/private-encryption-key.pem -rw-r--r-- 1 ym-yarnman-app ym-yarnman-app-gp 3326 Nov 20 20:21 /var/opt/yarnlab/yarnman/config/private-encryption-key.pem
add new passphrase to /var/opt/yarnlab/yarnman/config/local.yaml
Code Block encryption: dbPassphrase: 'Clouduc123somepassword'
TO update
yq -i '.encryption.dbPassphrase = "Clouduc123somepassword"' /var/opt/yarnlab/yarnman/config/local.yaml
encrypt passphrase
Code Block docker exec ym-yarnman node ./scripts/encrypt-local-config.js -k encryption.dbPassphrase 1668977064139 INFO Starting the encryption of 1 local configuration fields through Clevis Shamir Secret Sharing 1668977064142 INFO Attempting to encrypt the following local config fields: encryption.dbPassphrase 1668977064371 INFO Local key 'encryption.dbPassphrase' encrypted successfully 1668977064371 INFO 1 local config fields encrypted, 0 fields omitted
verify
Code Block cat cat /var/opt/yarnlab/yarnman/config/local.yaml
re encrypt keys
Code Block docker exec ym-yarnman node ./scripts/encrypt-keys.js 1668977138519 INFO Encrypting private and SSL keys using settings: 1668977138521 INFO - not overwriting existing encrypted files and not deleting any original files after encryption 1668977138522 INFO -------------------------------- 1668977138522 INFO Encrypting... 1668977138768 INFO - 'private-encryption-key.pem' encrypted successfully 1668977138768 INFO - 'ssl-key.pem' already encrypted, not overwriting 1668977138768 INFO -------------------------------- 1668977138768 INFO Finished encrypting the files
restart services
Code Block systemctl restart yarnman
verify while services are restarting look for
Code Block docker logs ym-yarnman -f 2|administration-app-b6925c3239fc4c878ff6888ce5cb2b51 | 1668977206414 INFO Decrypting 1 encrypted configuration keys 2|administration-app-b6925c3239fc4c878ff6888ce5cb2b51 | 1668977206415 INFO Decrypting configuration key 'encryption.dbPassphrase' 2|administration-app-b6925c3239fc4c878ff6888ce5cb2b51 | 1668977206500 INFO Configuration key 'encryption.dbPassphrase' decrypted successfully 2|administration-app-b6925c3239fc4c878ff6888ce5cb2b51 | 1668977206500 INFO Finished decrypting 1 configuration keys
...
login to yarnman administration application web interface
Navigate to Authentication database
Rename the Default Authentication Database name from “Central DB” to “<Node Name> Central DB” or other suitably unique name
Navigate to Authentication Policies
Rename the Default Authentication Policy name from “Central DB-Only Policy” to “<Node Name> Central DB-Only Policy” or other suitably unique name
Navigate to Nodes and select the Standalone node
Update the yarnman node name
Navigate to Nodes , select the node you wanted to setup and click on the Replication tab
Click on Add Replication
Enter the source and target connection strings
Source Address Syntax https://10.222.1.4:6984 - NOTE that the default source address is 10.222.1.4
Source address: https://10.222.1.4:6984
Source username: architect
source password: yarnmansomepassword
Remote address Syntax https://<TargetIP>:6984
Target address https://10.101.10.10:6984
Target username: architect
Target password: yarnmansomepassword
Once replication is setup status can be reviewed by clicking on the replication address, eg https://10.101.10.10:6984 . If the replication shows blank, the Sync button can be pressed to kick off replication again.
Repeat for each pair of nodes to achieve a full mesh
If there are 2 datacenters repeat for each primary node in each data centre -
2 node - 2 replications
n1->n2
n2->n1
3 node - 6 replications
n1->n2
n1->n3
n2->n1
n2->n3
n3->n1
n3->n2
4 node - 12 replications
n1->n2
n1->n3
n1->n4
n2->n1
n2->n3
n2->n4
n3->n1
n3->n2
n3->n4
n4->n1
n4->n2
n4->n3
...
Switch user to root
Code Block su root
Run the following command to create the CSR request config file
Code Block nano /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf
add copy the following contenst and replace <FQDN>with the Fully Quailifed Domain Name of the server
Code Block [req] distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] emailAddress = Email Address (emailAddress_max = 64) [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = <FQDN>
Run the following command to generate the CSR
Command Syntax
Code Block openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${FUNCTION}/CN=${FQDN}" \ -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:yarnmansomepassword -sha512 -newkey rsa:4096
All of the following need to be replaced
${COUNTRY}
${STATE}
${LOCATION}
${ORGANIZATION}
${FUNCTION}
${FQDN
Example
Code Block openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=AU/ST=NSW/L=SYDNEY/O=yarnlab/OU=lab/CN=yarnman.test.yarnlab.io" \ -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:yarnmansomepassword -sha512 -newkey rsa:4096
Collect CSR for signing
Option 1- SFTP download from /var/opt/yarnlab/upgrade/
cp /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr /var/opt/yarnlab/yarnman/upgrade/yarnman-ssl.csr
Option 2 - copy content to new file yarnman-ssl.cnf
cat /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr
Once signed certificate has been received from CA
Review if certificate has intermediate CA siging and follow process below
Backup existing SSL public certificate
Code Block cp /var/opt/yarnlab/yarnman/config/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ssl-cert.cert.bk
Code Block cat /var/opt/yarnlab/yarnman/config/ssl-cert.cert
Update public certificatge
Option 1
upload to /var/opt/yarnlab/yarnman/upgrade/ssl-cert.cert
Code Block rm /var/opt/yarnlab/yarnman/config/ssl-cert.cert mv /var/opt/yarnlab/yarnman/upgrade/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ssl-cert.cert systemctl restart yarnman
nano /var/opt/yarnlab/yarnman/config/ssl-cert.cert
Code Block systemctl restart yarnman
...