The Hybrid Data Pipeline product package includes the update_server_cert.sh script to simplify the process of updating SSL certificates in Linux deployments of Hybrid Data Pipeline. The script may be used to update certificates for either load balancer or non-load balancer deployments. After you obtain a new CA certificate, you may run the script to configure the server to use the new certificate. Then, depending on your environment, certificate information must be updated for components such as the ODBC driver, JDBC driver, and On-Premises Connector.

Important: If you imported any less-well-known certificates into your JVM truststore to connect to backend data stores, you must reimport these certificates after updating the Hybrid Data Pipeline certificate and redeploying components. For details on importing certificates, see Importing data store SSL certificates.

Prerequisites

Non-load balancer deployment

  • A new CA certificate. For non-load balancer deployments, the full certificate chain must be provided in x509 PEM file format. See SSL configuration (non-load balancer) for details.
  • Access to the Hybrid Data Pipeline server installation. This access is required to use the update_server_cert.sh script.
  • Access to the key location. You must have write access to the key location so that the shell script may update the PEM and JKS files in the key location.

Load balancer deployment

  • A new CA certificate
    • The load balancer must be configured to use the new certificate. Refer to your load balancer vendor documentation for information. See also Load balancer configuration.
    • The server requires only the public certificate to communicate with the load balancer. The certificate file must be in x509 PEM, x509 DER, or binary DER formats to successfully run the shell script. See SSL configuration (load balancer) for details.
  • Access to a Hybrid Data Pipeline server installation. This access is necessary to use the update_server_cert.sh script.
  • Access to the key location. You must have write access to the key location so that the shell script may update the PEM and JKS files in the key location.

Step-by-step

Take the following steps to update the server certificate.

  1. Run the update_server_cert.sh script. When updating the certificate for a cluster, the script only needs to be run on one node. The path to the new certificate file must be provided. For example:
    hdp_install_dir/ddcloud/update_server_cert.sh new_ca_path/ssl_certificate.pem

    Result: The ddcloud.pem and ddcloudTrustStore.jks files in the redist directory hdp_install_dir/redist are updated with the new certificate information.

  2. Update certificate information for the following components as needed.
    Note: For non-load balancer deployments, the ddcloudTrustStore.jks and ddcloud.pem files are in the redist folder of the installation directory. For load balancer deployments, they are in the redist folder of the key location.

    JDBC driver

    1. Copy and rename the updated ddcloudTrustStore.jks to trustStore.jks.
    2. Replace the TrustStore file in the JDBC driver installation directory jdbc_install_dir/SSLCertificates/trustStore.jks with the updated version.

    ODBC driver

    1. Copy and rename the updated ddcloud.pem to sslcertificates.pem.
    2. Replace the PEM file in the ODBC driver installation directory odbc_install_dir/sslcertificates/sslcertificates.pem with the updated version.

    On-Premises Connector

    Note: The On-Premises Connector TrustStore must be updated only if you are using a certificate from a less-well-known CA.
    1. Replace the TrustStore file in the On-Premises Connector installation directory opc_install_dir/OPDAS/ConfigTool/ddcloudTrustStore.jks with the updated version.
    2. Restart the On-Premises Connector.
      1. Select Stop Services from the Progress DataDirect Hybrid Data Pipeline On-Premises Connector program group.
      2. After the service has stopped, select Start Services from the Progress DataDirect Hybrid Data Pipeline On-Premises Connector program group.
      3. Select Configuration Tool from the Progress DataDirect Hybrid Data Pipeline On-Premises Connector program group.
      4. Select the Status tab and click Test to verify that the On-Premises Connector configuration is connecting to the Hybrid Data Pipeline server.
    3. Repeat steps 1 and 2 for each On-Premises Connector connecting to the server.
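Before redistributing the files from step 1 to drivers and connectors, it is worth confirming that ddcloud.pem and ddcloudTrustStore.jks really carry the new certificate; a driver left with the old truststore will fail TLS validation after the server switches over. The script below is an added example, not part of the Hybrid Data Pipeline package: it fingerprints every certificate in the PEM file and in the JKS truststore (parsing the JKS container directly, so no keytool is needed) and checks the new certificate file against both. It assumes the server (leaf) certificate is the first block in the new certificate file and that update_server_cert.sh places that certificate itself in the truststore; the `_pem` and `_jks` helpers only build constructed sample data so the check can be run offline.

```python
import base64, hashlib, re, struct

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (hex) of each certificate in a PEM file, in file order."""
    return [hashlib.sha256(base64.b64decode(m.group(1))).hexdigest()
            for m in PEM_BLOCK.finditer(pem_text)]

def jks_fingerprints(jks):
    """SHA-256 fingerprints of every certificate in a version-2 JKS file (trusted-cert entries,
    tag 2, and key-entry chains, tag 1). The password-keyed SHA-1 digest at the end is not verified."""
    pos = 0
    def u32():                    # big-endian uint32 at the cursor, then advance
        nonlocal pos; pos += 4; return struct.unpack_from(">I", jks, pos - 4)[0]
    def utf():                    # Java UTF string: 2-byte length prefix, then bytes
        nonlocal pos; n = struct.unpack_from(">H", jks, pos)[0]; pos += 2 + n
        return jks[pos - n:pos].decode()
    magic, version, count = u32(), u32(), u32()
    if magic != 0xFEEDFEED or version != 2:
        raise ValueError("not a version-2 JKS keystore")
    fps = []
    for _ in range(count):
        tag, _alias = u32(), utf()
        pos, chain = pos + 8, 1   # skip creation timestamp; a trusted-cert entry holds one cert
        if tag == 1:              # key entry: skip the protected key blob, then read chain length
            pos += u32(); chain = u32()
        elif tag != 2:
            raise ValueError("unexpected JKS entry tag %d" % tag)
        for _ in range(chain):
            _ctype, clen = utf(), u32()   # "X.509", then DER length
            fps.append(hashlib.sha256(jks[pos:pos + clen]).hexdigest())
            pos += clen
    return fps

def check_update(new_cert_pem, ddcloud_pem, truststore_jks, load_balancer=False):
    """Do the updated redist files carry the new certificate (leaf first in new_cert_pem)?"""
    new, pem = pem_fingerprints(new_cert_pem), pem_fingerprints(ddcloud_pem)
    if not new: raise ValueError("no certificate block in the new certificate file")
    return {"pem_has_new_chain": all(fp in pem for fp in new),
            "jks_has_new_cert": new[0] in jks_fingerprints(truststore_jks),
            "chain_supplied": load_balancer or len(new) >= 2}  # non-LB needs the full chain

def _pem(der):   # constructed fixture: wrap arbitrary bytes as one PEM certificate block
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def _jks(ders):  # constructed fixture: trusted-cert entries only, integrity digest left zeroed
    entry = lambda d: struct.pack(">I", 2) + b"\x00\x04cert" + bytes(8) + b"\x00\x05X.509" + struct.pack(">I", len(d)) + d
    return struct.pack(">III", 0xFEEDFEED, 2, len(ders)) + b"".join(map(entry, ders)) + bytes(20)
```

On a real installation, read the new certificate file, hdp_install_dir/redist/ddcloud.pem and ddcloudTrustStore.jks (in binary mode) and pass their contents to check_update; any False value means the redist files should not yet be copied to the drivers or On-Premises Connectors.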