Replacing the agent certificate
The Agent uses a preinstalled Certificate Authority (CA) certificate. You can replace it by copying your preferred certificate and its private key to the host.
To view your current agent certificate:
$ openssl s_client -prexit -connect database_IP:database_port
Generating a certificate
If you don't already have one, you can generate a self-signed certificate. For more information, see Generating TLS certificates and keys.
-
Generate the private key and certificate.
$ openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out agent.cert -keyout agent.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MA
Locality Name (eg, city) []:Cambridge
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:*.mycompany.com
Email Address []:myaddress@mycompany.com
-
Make a copy of the certificate in PEM format.
$ openssl x509 -in agent.cert -out agent.pem -outform PEM
-
Review the certificate.
$ openssl x509 -in agent.pem -text
Replacing the agent certificate on a host
The following procedure replaces the Agent's current private key and certificate on a single host. To replace this certificate and key across an entire cluster, repeat this procedure for all the hosts.
-
Stop the Agent service on the host.
$ /etc/init.d/vertica_agent stop
-
Back up and rename the existing agent certificate and key.
$ cd /opt/vertica/config/share
$ mv agent.cert agent.cert.bck
$ mv agent.key agent.key.bck
$ mv agent.pem agent.pem.bck
-
Transfer the new certificate and key to the host's /opt/vertica/config/share directory.
$ scp agent.* root@123.12.12.123:/opt/vertica/config/share
-
Change the owner of the certificate and key to the installed Vertica user (uidbadmin in this example) and the group to verticadba.
$ chown installed_Vertica_user:installed_Vertica_group agent.*
-
Make the certificate and key files read-only.
$ chmod -R 400 agent.*
-
Start the Agent service.
$ /etc/init.d/vertica_agent start
starting agent
Opening PID file "/opt/vertica/log/agent.pid".
Overwriting /opt/vertica/log/agent_uidbadmin.log
Overwriting /opt/vertica/log/agent_uidbadmin.err
start OK for user: uidbadmin
-
Verify that you can view information about your database with your API key.
$ curl -X GET https://10.20.80.145:5444/databases -H "VerticaApiKey:wCgXny3Wm+8OhEvGkAclv7v9+VIlxgXblpr4rf" -k
-
Verify that the Agent is using the new certificate.
$ openssl s_client -prexit -connect 10.20.80.145:5444
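As an added example that is not part of the Vertica documentation, the following script turns the last verification step into a repeatable check: it compares the SHA-256 fingerprint of the installed agent.pem with the certificate the Agent actually presents on its port, and confirms the installed files carry no group or other permissions. The directory, port 5444 and the function names are assumptions taken from the procedure above.

```shell
#!/bin/sh
# Added example (not Vertica's own code). Verifies that the Agent serves the
# certificate installed in /opt/vertica/config/share (assumed location) and
# that the key/cert files were locked down as the procedure requires.
set -eu

AGENT_CERT_DIR="${AGENT_CERT_DIR:-/opt/vertica/config/share}"

# SHA-256 fingerprint of a PEM certificate file: lower-case hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the leaf certificate presented by host:port (assumed reachable).
served_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Returns 0 when the local file's fingerprint equals the given fingerprint.
fingerprint_matches() {  # $1 = PEM file, $2 = fingerprint to compare against
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Returns 0 when every file has no group/other bits (e.g. mode 400 or 600).
perms_ok() {
    for f in "$@"; do
        m=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$m" in ?00) ;; *) return 1 ;; esac
    done
}

# Usage: ./check_agent_cert.sh --check <agent_host> [port]   (default port 5444)
if [ "${1:-}" = "--check" ]; then
    host="$2"; port="${3:-5444}"
    expected=$(cert_fingerprint "$AGENT_CERT_DIR/agent.pem")
    served=$(served_fingerprint "$host" "$port")
    perms_ok "$AGENT_CERT_DIR/agent.key" "$AGENT_CERT_DIR/agent.cert" \
             "$AGENT_CERT_DIR/agent.pem" || echo "WARNING: key/cert readable by group or others"
    if [ "$expected" = "$served" ]; then
        echo "OK: agent presents installed certificate $served"
    else
        echo "MISMATCH: installed=$expected served=$served"; exit 1
    fi
fi
```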