The LifeKeeper API uses SSL/TLS to communicate between different systems. By default, the product is installed with default certificates that provide some assurance of identity between nodes. This document explains how to replace these default certificates with certificates created by your own Certificate Authority (CA).
How Certificates Are Used
In cases where SSL/TLS is used for communications between LifeKeeper servers to protect the data being transferred, a certificate is provided by systems to identify themselves. The systems also use a CA certificate to verify the certificate that is presented to them over the SSL connection.
Three certificates are involved:
- /opt/LifeKeeper/etc/certs/LK4LinuxValidNode.pem (server certificate)
- /opt/LifeKeeper/etc/certs/LK4LinuxValidClient.pem (client certificate)
- /opt/LifeKeeper/etc/certs/LKCA.pem (certificate authority)
The first two certificates must be signed by the CA certificate to satisfy the verification performed by the servers. Note that the common name of the certificates is not verified, only that the certificates are signed by the CA.
Using Your Own Certificates
In some installations, it may be necessary to replace the default certificates with certificates that are created by an organization’s internal or commercial CA. If this is necessary, replace the three certificates listed above with new certificates using the same certificate file names. These certificates are of the PEM type. The LK4LinuxValidNode.pem and LK4LinuxValidClient.pem each contain both their respective key and certificate. The LK4LinuxValidNode.pem certificate is a server type certificate. LK4LinuxValidClient.pem is a client type certificate.
If the default certificates are replaced, LifeKeeper will need to be restarted to reflect the changes. If the certificates are misconfigured, SIOS-lighttpd daemon will not start successfully and errors will be received in the LifeKeeper log file. If problems arise, refer to this log file to see the full command that should be run.