nexus/knowledgebase/csd-wiki/ICSD/AWS-RDS-certificate-update--Helm-Simulation-env_686088156.md
2026-04-18 17:09:43 +08:00


# AWS-RDS-certificate-update--Helm-Simulation-env_686088156
<table><colgroup><col> <col> <col> <col></colgroup><tbody>
<tr><th>Tasks</th><th>Products</th><th>Duration</th><th>Steps</th></tr>
<tr><td rowspan="6"><p><strong>Preparation</strong></p></td><td><strong>Download the new AWS RDS certificate bundle PEM file</strong></td><td><strong>5 mins</strong></td><td><p><strong>Download the new AWS RDS certificate bundle for your AWS region from <a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.RegionCertificates">Certificate bundles for specific AWS Regions</a>.</strong></p><p>For example, for the us-west-2 region, download the certificate below:</p><p><img height="250" src="attachments/686088156/686088166.png"></p><p><strong>Upload the certificate bundle to the bastion.</strong></p><p>Note</p><div><ol><li>The per-product operations below do not depend on each other. You may prepare the yaml files ahead of the maintenance window and run the steps in parallel to reduce the ESM-level downtime.</li><li>While the applications (OMT/Suite/CMS/OO/Audit) are restarting they cannot be accessed; this is the downtime of the whole process.</li></ol></div></td></tr>
<tr><td><strong>OMT</strong></td><td><strong>5 mins</strong></td><td><p><strong>1. Acquire the database info before running the script:</strong></p><p><img height="181" src="attachments/686088156/686088168.png"></p><p><strong>Note:</strong> the values above are the OOB values. If you are not using the OOB values, get the actual values with the command below:</p><p><code>kubectl get cm default-database-configmap -n &lt;CDF NAMESPACE&gt; -o yaml</code></p><p>The result looks like:</p><p><strong>DEFAULT_DB_CDFIDM_PASSWORD_KEY</strong>: defaultdb_cdfidm_user_password<br><strong>DEFAULT_DB_CDFIDM_USERNAME</strong>: cdfidm<br><strong>DEFAULT_DB_HOST</strong>: xxxxxyyyyy.us-west-2.rds.amazonaws.com<br><strong>DEFAULT_DB_NAME</strong>: cdfidmdb</p><p>The db user, db name and PASSWORD_KEY value come from this database configmap.</p><p><strong>2. Get the cdfidm db password.</strong><br><code>kubectl get pod -n $CDF_NAMESPACE | grep "itom-idm" | head -1 | awk '{print $1}'</code><br><code>kubectl exec &lt;idm pod&gt; -n $CDF_NAMESPACE -c idm -- get_secret &lt;password key&gt;</code></p><p>For example:<br><code>kubectl exec $(kubectl get pod -n $CDF_NAMESPACE | grep "itom-idm" | head -1 | awk '{print $1}') -n $CDF_NAMESPACE -c idm -- get_secret defaultdb_cdfidm_user_password</code></p><p>Take note of your &lt;DB HOST&gt; &lt;DB PORT&gt; &lt;DB NAME&gt; &lt;DB USERNAME&gt; &lt;DB USER PASSWORD&gt;; you will use them in the OMT certificate replacement.</p><p><em>Reference:</em> <a href="https://docs.microfocus.com/doc/OMT/24.2/ModifyExternalDatabaseConfiguration">https://docs.microfocus.com/doc/OMT/24.2/ModifyExternalDatabaseConfiguration</a></p></td></tr>
<tr><td><strong>SMAX &amp; HCMX</strong></td><td><strong>10 mins</strong></td><td><div><ol><li><p>[Optional] If you don't remember the path of your custom <strong>my-values.yaml</strong> file, run the following command to retrieve the values of the running release:</p><p><code>helm get values &lt;ESM_RELEASE_NAME&gt; -n &lt;ESM_NAMESPACE&gt; &gt; my-values.yaml</code></p></li><li><p>Confirm that <code>tlsEnabled</code> is set to true and replace the <code>caCertificates</code> under "database" with the <strong>new PEM content</strong>, either directly or base64-encoded as a whole (e.g. <code>cat &lt;certFile&gt; | base64</code>).</p><p>Example:</p><pre><code>global:
  database:
    tlsEnabled: true
    tlsMode: verify-full # or use verify-ca
... ...
database:
  caCertificates:
    pg_ca.crt: &lt;cert-file-base64-encoded&gt; or PEM</code></pre><p><strong>Note:</strong></p><p><strong>If you are using base64-encoded content, make sure the encoded content is formatted on one line, as below:</strong><br><img height="88" src="attachments/686088156/686088170.png"></p><p><strong>If you are not using base64-encoded content, use the format below:</strong><br><img height="172" src="attachments/686088156/686088174.png"></p></li><li><p>Run the command below to check whether any jobs exist in the environment. It should return nothing. <strong>If jobs exist, make sure they are in Completed status and delete them.</strong><br><code>kubectl get job -n &lt;ESM_NAMESPACE&gt; | grep -v NAME | awk '{print $1}'</code><br>Run the command below to get the status of the job pods. If they are all "Completed", the jobs are done and you may delete them with the 'delete job' command:<br><code>kubectl get pods -n &lt;ESM_NAMESPACE&gt; | grep job</code><br>If all the pods above are in Completed status, delete the related jobs:<br><code>kubectl delete job &lt;the jobs identified in the get job command&gt; -n &lt;ESM_NAMESPACE&gt;</code></p></li></ol><p>NOTE: The yaml file with the new PEM content will be used in the RDS certificate replacement.</p><p><strong>Reference</strong>: <a href="https://staging.docs.microfocus.com/doc/SMAX/Main/ChangeCertForPostgreSQL">https://staging.docs.microfocus.com/doc/SMAX/Main/ChangeCertForPostgreSQL</a></p></div></td></tr>
<tr><td><strong>CMS</strong></td><td><strong>5 mins</strong></td><td><p>1. Get the CMS values.yaml from the currently running deployment with the command below:</p><p><code>helm get values &lt;cms_releasename&gt; -n &lt;cms_namespace&gt; &gt; values.yaml</code></p><p>2. Replace the content of <code>caCertificates.postgresql.crt</code> in values.yaml with the content of the AWS RDS certificate bundle downloaded in the step above.</p><p><strong>Note:</strong> every line of the certificate content starts with 4 spaces of indentation in values.yaml.</p></td></tr>
<tr><td><strong>OO</strong></td><td><strong>5 mins</strong></td><td><p>1. Get the OO values.yaml:</p><p><code>helm get values &lt;OO RELEASE NAME&gt; -n &lt;OO NS&gt; &gt; values.yaml</code></p><p>2. Replace the content of <code>caCertificates.postgresql.crt</code> in values.yaml with the content of the AWS RDS certificate bundle downloaded in the step above.</p><p><strong>Note:</strong> every line of the certificate content starts with 4 spaces of indentation in values.yaml.</p></td></tr>
<tr><td><strong>Audit</strong></td><td><strong>5 mins</strong></td><td><div><ol><li>Get the Audit values.yaml:<br><code>helm get values &lt;Audit RELEASE NAME&gt; -n &lt;Audit NS&gt; &gt; values.yaml</code></li><li>Replace the content of <code>caCertificates.RE_ca_dbcrt</code> in values.yaml with the content of the AWS RDS certificate bundle downloaded in the step above.<br><strong>Note:</strong> every line of the certificate content starts with 4 spaces of indentation in values.yaml.</li></ol></div></td></tr>
<tr><td rowspan="5"><p><strong>Maintenance Window</strong></p><p><strong>Update the certificate on the application side</strong></p></td><td><strong>OMT</strong></td><td><strong>5 mins</strong></td><td><p><strong>Navigate to the $CDF_HOME/bin directory and run the updateExternalDbInfo.sh script with the parameters below:</strong></p><p>NOTE: the DB parameters are the ones you noted in the preparation steps.</p><p><code>./updateExternalDbInfo.sh -H &lt;DB connection URL&gt; -p &lt;DB port&gt; -d &lt;DB name&gt; -u &lt;database username&gt; --dbpassword &lt;database password&gt; --component itom-idm --cacert &lt;Database Certificate&gt;</code><br>For example:<br><code>./updateExternalDbInfo.sh -H xxxxyyyy.us-west-2.rds.amazonaws.com -p 5432 -d cdfidmdb -u cdfidm --dbpassword &lt;password&gt; --component itom-idm --cacert /home/centos/us-west-2-bundle.pem</code></p></td></tr>
<tr><td><p><strong>SMAX/HCMX</strong></p></td><td><p><strong>30 mins</strong></p></td><td><div><ol><li><p>Run the following command to apply the DB setting change. The yaml file is the one with the new PEM content from the preparation steps.<br><code>helm upgrade &lt;ESM_RELEASE_NAME&gt; &lt;ESM_CHART_FILE&gt; -n &lt;ESM_NAMESPACE&gt; -f my-values.yaml</code><br>For example:<br><code>helm upgrade itsma ESM_Helm_Chart-2x.x/charts/esm-1.0.0+2x.x-xxx.tgz -n itsma-xxyy -f values.yaml</code></p></li><li><p>Run the following command to make sure that all SMAX pods are ready before the next step. It lists the pods that are not yet ready, so wait until only the header line remains:<br><code>kubectl get pod -n &lt;ESM_NAMESPACE&gt; | grep -v 1/1 | grep -v 2/2 | grep -v 3/3 | grep -v 4/4 | grep -v Completed</code></p></li><li><p>Restart the suite:<br><code>$CDF_HOME/bin/cdfctl runlevel set -l DOWN -n &lt;ESM_NAMESPACE&gt;</code><br>Wait till all pods are down, then run the command below to bring the application up:<br><code>$CDF_HOME/bin/cdfctl runlevel set -l UP -n &lt;ESM_NAMESPACE&gt;</code></p></li></ol></div></td></tr>
<tr><td><p><strong>CMS</strong></p></td><td><p><strong>20 mins</strong></p></td><td><p>1. Update the deployment by running the helm upgrade command. The yaml file is the one with the new PEM content from the preparation steps.</p><p><code>helm upgrade &lt;cms_releasename&gt; &lt;CMS CHART FILE&gt; -n &lt;cms_namespace&gt; -f values.yaml</code></p><p>2. Restart CMS:</p><p><code>$CDF_HOME/bin/cdfctl runlevel set -l DOWN -n &lt;CMS_NAMESPACE&gt;</code></p><p>Wait till all pods are shut down, then run:</p><p><code>$CDF_HOME/bin/cdfctl runlevel set -l UP -n &lt;CMS_NAMESPACE&gt;</code></p><p>3. Monitor the pod status (the command lists the pods that are not yet ready):</p><p><code>kubectl get pod -n &lt;CMS_NAMESPACE&gt; | grep -v 1/1 | grep -v 2/2 | grep -v 3/3 | grep -v 4/4 | grep -v Completed</code></p><p>NOTE: You may do this in parallel with the SMAX restart.</p></td></tr>
<tr><td><strong>OO</strong></td><td><strong>20 mins</strong></td><td><p>1. Update the deployment by running the helm upgrade command. The yaml file is the one with the new PEM content from the preparation steps.</p><p><code>helm upgrade &lt;oo_release_name&gt; &lt;OO_CHART_FILE&gt; -n &lt;oo_namespace&gt; -f values.yaml</code></p><p>2. Restart OO:</p><p><code>$CDF_HOME/bin/cdfctl runlevel set -l DOWN -n &lt;OO_NAMESPACE&gt;</code><br>Wait till all pods are shut down, then run:<br><code>$CDF_HOME/bin/cdfctl runlevel set -l UP -n &lt;OO_NAMESPACE&gt;</code></p><p>3. Monitor the pod status (the command lists the pods that are not yet ready):</p><p><code>kubectl get pod -n &lt;OO_NAMESPACE&gt; | grep -v 1/1 | grep -v 2/2 | grep -v 3/3 | grep -v 4/4 | grep -v Completed</code></p><p>NOTE: You may do this in parallel with the SMAX restart.</p></td></tr>
<tr><td><strong>Audit</strong></td><td><strong>5 mins</strong></td><td><ol><li>Update the deployment by running the helm upgrade command. The yaml file is the one with the new PEM content from the preparation steps.<br><code>helm upgrade &lt;audit_release_name&gt; &lt;audit_CHART_FILE&gt; -n &lt;audit_namespace&gt; -f values.yaml</code></li><li>Restart Audit:<br><code>$CDF_HOME/bin/cdfctl runlevel set -l DOWN -n &lt;Audit_NAMESPACE&gt;</code><br>Wait till all pods are shut down, then run:<br><code>$CDF_HOME/bin/cdfctl runlevel set -l UP -n &lt;Audit_NAMESPACE&gt;</code></li><li>Monitor the pod status (the command lists the pods that are not yet ready):<br><code>kubectl get pod -n &lt;Audit_NAMESPACE&gt; | grep -v 1/1 | grep -v 2/2 | grep -v 3/3 | grep -v 4/4 | grep -v Completed</code></li></ol><p>NOTE: You may do this in parallel with the SMAX restart.</p></td></tr>
<tr><td><p><strong>Update the certificates of the AWS RDS DB instances</strong></p></td><td><strong>Update the certificate on AWS RDS DB instances.</strong></td><td><strong>10 mins</strong></td><td><p>1. Log in to the AWS console and go to the RDS instances whose certificates you want to update.</p><p>2. Select the RDS instance and click the Modify button.</p><p>3. Change the <strong>Certificate authority</strong>.</p><p><strong>If your current certificate CA is rds-ca-2019, it is recommended to select the rds-ca-rsa2048-g1 CA as the new value.</strong></p><p><img height="250" src="attachments/686088156/686088176.png"></p><p>4. Save the change and select <strong>immediate effect</strong>.</p><p><strong>Repeat the steps for all your RDS instances.</strong></p></td></tr>
</tbody></table>
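As an added example (not part of this runbook or the products' own tooling), a small Python helper that prepares the two forms of the bundle the preparation steps call for: the single-line base64 value for the SMAX/HCMX `pg_ca.crt` key, and the 4-space-indented block for the CMS/OO/Audit `caCertificates` keys, after a sanity check that every block in the file is the base64 of a DER certificate. The sample bundle is constructed (two fake certificates); the key names are the ones used in the table.

```python
import base64
import re
import textwrap

# Constructed sample bundle: two fake "certificates" standing in for the AWS
# regional bundle (a real one holds several, much longer, blocks). The DER
# bytes begin with 0x30 0x82, an X.509 SEQUENCE header, so the check passes.
_FAKE_DER = b"\x30\x82\x00\x18" + bytes(range(24))
_FAKE_BODY = base64.encodebytes(_FAKE_DER).decode()  # base64 plus newline
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + _FAKE_BODY + "-----END CERTIFICATE-----\n"
) * 2

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----", re.S)


def check_pem_bundle(pem_text: str) -> int:
    """Return the number of CERTIFICATE blocks in the file; raise ValueError
    if there are none or a block is not base64 of a DER SEQUENCE (0x30).
    This catches pasting the wrong file or a truncated block."""
    bodies = _PEM_BLOCK.findall(pem_text)
    if not bodies:
        raise ValueError("no CERTIFICATE blocks found; is this the PEM bundle?")
    for body in bodies:
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("block does not decode to an X.509 certificate")
    return len(bodies)


def pem_to_one_line_base64(pem_text: str) -> str:
    """SMAX/HCMX form: the whole bundle base64-encoded on exactly ONE line,
    as the note under `pg_ca.crt: <cert-file-base64-encoded>` requires."""
    check_pem_bundle(pem_text)
    return base64.b64encode(pem_text.encode()).decode()


def render_ca_certificates(pem_text: str, key: str, indent: int = 4) -> str:
    """CMS/OO/Audit form: a `caCertificates` YAML fragment whose block scalar
    has every certificate line indented `indent` (default 4) spaces."""
    check_pem_bundle(pem_text)
    body = textwrap.indent(pem_text.strip("\n") + "\n", " " * indent)
    return f"caCertificates:\n{' ' * (indent - 2)}{key}: |\n{body}"


if __name__ == "__main__":
    print(render_ca_certificates(SAMPLE_BUNDLE, "postgresql.crt"))
```

Run it against the downloaded regional bundle instead of SAMPLE_BUNDLE and paste the output into the values.yaml of the matching product.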