LifeKeeper Single Server Protection uses SSL/TLS to communicate between different systems. By default, the product is installed with default certificates that provide some assurance of identity between nodes. This document explains how to replace these default certificates with certificates created by your own Certificate Authority (CA).
How Certificates Are Used
Communication to the SteelEye Management Console (SMC) and LifeKeeper Single Server Protection servers uses SSL/TLS to protect the data being transferred. Both systems provide a certificate to identify themselves, and both systems use a CA certificate to verify the certificate that is presented to them over the SSL connection.
Four certificates are involved:
- /opt/LifeKeeper/etc/certs/LK4LinuxValidNode.pem (LifeKeeper Single Server Protection server certificate)
- /opt/LifeKeeper/etc/certs/LK4LinuxValidSMC.pem (SMC server certificate)
- /opt/LifeKeeper/etc/certs/LK4LinuxClient.pem (LifeKeeper Single Server Protection client certificate, installed on all servers)
- /opt/LifeKeeper/etc/certs/LKCA.pem (certificate authority, installed on all servers)
The first three certificates must be signed by the fourth certificate to satisfy the verification performed by the servers. Note that the common name of the certificates is not verified, only that the certificates are signed by the CA.
Using Your Own Certificates
In some installations, it may be necessary to replace the default certificates with certificates that are created by an organization’s internal CA. If this is necessary, replace the four certificates listed above with new certificates using the same certificate file names. These certificates are of the PEM type. The LK4LinuxValidNode.pem, LK4LinuxValidSMC.pem and LK4LinuxValidClient.pem each contain both their respective key and certificate. The LK4LinuxValidNode.pem and LK4LinuxValidSMC.pem certificates are server type certificates. LK4LinuxValidClient.pem is a client type certificate.
If the default certificates are replaced, LifeKeeper Single Server Protection and SMC will need to be restarted to reflect the changes. If the certificates are misconfigured, steeleye-lighttpd daemon will not start successfully and errors will be received in the LifeKeeper Single Server Protection log file. If problems arise, refer to this log file to see the full command that should be run.