Change SuMA SSL certificate



dgersic
14-Feb-2019, 17:42
I have inherited a SuMa system here managing a bunch of servers. SuMa is currently 3.1.9, the managed servers are primarily SLES11Sp4 using Salt.

Right now, SuMa is using the default self-signed certificate. Working fine. Client wants SuMa to use a certificate signed by an external CA. This seems like it should be possible, but I have not found good documentation on how to do so.

Google led me to:

https://www.suse.com/documentation/suse-manager-3/singlehtml/book_suma_best_practices_31/book_suma_best_practices_31.html#bp.cert.custom.setup

which may work, I don't yet know. It seems like there could be a lot more information in that section. It seems to apply to a new install, which this is not, and does not cover what happens if I do this to an existing and working system. Do I really need to blow away the current setup and start over for something so simple as changing a certificate?

There is a copy of this for 3.2 also, but it's even less helpful:

https://www.suse.com/documentation/suse-manager-3/3.2/susemanager-best-practices/html/book.suma.best.practices/bp.chap.bring.your.own.cert.html#bp.cert.custom.setup

Note the "???TITLE???" link in the 3.2 doc, where the 3.1 had "Step 1". Looks like somebody goofed the reformat on the copy from 3.1 to 3.2.

Further research via Google found this (old?) page:

https://wiki.microfocus.com/index.php/SUSE_Manager/Replace_CA_Certificate

for older versions, not sure how or if it could be used for SuMa 3.1.9.

Then searching this forum turned up:

https://wiki.microfocus.com/index.php?title=SUSE_Manager/Certificate

which doesn't say if it's possible or not, but does say that it's not supported.

So, what's the current actual answer? Can I replace the certificate being used here? If so, by which set of directions? Do I then have to re-register all of the Salt minions to get them to work again?

I don't have a test SuMa to see what happens. I can VM snapshot before proceeding however.

mcalmer
17-Feb-2019, 14:46
> Further research via Google found this (old?) page:
>
> https://wiki.microfocus.com/index.php/SUSE_Manager/Replace_CA_Certificate
>
> for older versions, not sure how or if it could be used for SuMa 3.1.9.

Use this WIKI page. SSL certificate handling has not changed too much since 3.0.

dgersic
18-Feb-2019, 16:29
> Use this WIKI page. SSL certificate handling has not changed too much since 3.0.

This page says:

> SUSE Manager 2.1
> The procedure described below regarding the traditional clients should work also on SUSE Manager 2.1.

Is that supposed to be for SUMA v3 (not 2.1)?

jmozdzen
20-Feb-2019, 16:29
Hi,

> So, what's the current actual answer? Can I replace the certificate being used here? If so, by which set of directions? Do I then have to re-register all of the Salt minions to get them to work again?
>
> I don't have a test SuMa to see what happens. I can VM snapshot before proceeding however.

you can use your own / externally generated certificates with SuMa, and you can change them after install.

You didn't mention if all clients already trust the external CA that's signing the SuMa certificate. If not, then you'll have to distribute the CA certificate to all clients and trust it. One way is to use the SuMa mechanisms, which I believe are mentioned in the Wiki page.

If you need to go the manual route to provision the certificates (which likely is fully unsupported):

The other side is the server certificate that is needed on the SuMa server - basically, it's about the httpd server certificate, which is provided by separate key and cert files. Go have a look at the httpd config and follow the symlink chains to find the right spot to place your files. If you're using osad / Jabber as well, then you need to provide a separate certificate/key combo file (basically a file containing both the cert and the key in one, by "cat"ing both into one file) for jabberd. I don't have a system at hand at the moment and don't remember the exact path name of that file - if needed, I could look it up.

regards,
J
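
As an added example (not part of the thread and not SUSE tooling), a shell pre-flight for the manual route described in the last post: it checks that the key belongs to the certificate, that the certificate verifies against the CA the clients are meant to trust, and only then builds the combined cert+key file. Function names, argument order and the cert-then-key ordering are assumptions; all paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: pre-flight checks for manually replacing certificate files.
# Every path is passed in by the caller; no SUSE Manager path is assumed.

# True if private key $2 belongs to certificate $1 (same public key).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if certificate $1 verifies against CA bundle $2, i.e. clients that
# trust this CA will accept the server certificate. Note: openssl may also
# consult the system trust store in addition to $2.
cert_verifies_with_ca() {
    out=$(openssl verify -CAfile "$2" "$1" 2>/dev/null) || return 1
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Write cert $1 followed by key $2 into $3 (cert-then-key order is an
# assumption). The result holds the private key, so it is created 0600.
build_combined_pem() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    rm -f "$3"
    ( umask 077 && cat "$1" "$2" > "$3" )
}

# Usage: preflight CERT KEY CA_BUNDLE COMBINED_OUT
preflight() {
    cert_verifies_with_ca "$1" "$3" || { echo "certificate does not chain to CA" >&2; return 1; }
    build_combined_pem "$1" "$2" "$4" && echo "ok: wrote $4"
}
```

Run it against copies of the new files on the VM snapshot before touching the files the httpd and jabberd configs point at.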