Replacing the agent certificate

The Agent uses a preinstalled Certificate Authority (CA) certificate. You can replace it by copying your preferred certificate and its private key to the host.

To view the certificate your Agent currently presents, connect to the Agent's TLS port (5444 in the examples in this topic), not the database port:

$ openssl s_client -prexit -connect agent_host:agent_port

Generating a certificate

If you don't already have one, you can generate a self-signed certificate. For more information, see Generating TLS certificates and keys. Note that the interactive session below sets only a Common Name; current TLS clients match the host name against the certificate's subjectAltName extension rather than the CN, so if clients will verify the Agent's certificate, add a subjectAltName that covers the name they connect to.

  1. Generate the private key and certificate. The -nodes option leaves the private key unencrypted, which the Agent service needs in order to start unattended, so rely on file ownership and permissions (steps 4 and 5 of the next procedure) to protect it.

    $ openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out agent.cert -keyout agent.key
    
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:MA
    Locality Name (eg, city) []:Cambridge
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
    Organizational Unit Name (eg, section) []:IT
    Common Name (e.g. server FQDN or YOUR name) []:*.mycompany.com
    Email Address []:myaddress@mycompany.com
    
  2. Make a copy of the certificate in PEM format. The certificate written in step 1 is already PEM-encoded; this step creates the agent.pem file that the Agent's configuration directory holds alongside agent.cert.

    $ openssl x509 -in agent.cert -out agent.pem -outform PEM
    
  3. Review the certificate and confirm that the subject, validity period and extensions are what you intended.

    $ openssl x509 -in agent.pem -text
    
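The following script is an added example and is not part of Vertica or its Agent; it carries out the three steps above non-interactively. It replaces the interactive DN prompts with a request config file (so it can be scripted for every host in a cluster), adds the subjectAltName that TLS clients actually check, and verifies that the private key and certificate belong together before you install them. The function names, the agent-req.cnf file name and the DN values are this example's own choices.

```sh
#!/bin/sh
# Added example, not part of the Vertica Agent or its documentation: generate a
# self-signed Agent certificate non-interactively, with a subjectAltName, and
# check the files before installing them. Function names, the DN values and
# the agent-req.cnf file name are this example's own choices.
set -u

# gen_agent_cert OUTDIR CN SAN [RSA_BITS]
#   SAN is an OpenSSL SAN list, e.g. "DNS:agent.example.com,DNS:*.example.com".
#   Writes OUTDIR/agent.key, OUTDIR/agent.cert and OUTDIR/agent.pem.
gen_agent_cert() {
    outdir=$1; cn=$2; san=$3; bits=${4:-4096}
    mkdir -p "$outdir"
    cfg="$outdir/agent-req.cnf"
    # A request config replaces the interactive DN prompts. x509_extensions
    # adds the SAN that TLS clients match the host name against (they ignore
    # the CN for that purpose) and marks the cert as a non-CA server cert.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no

[dn]
CN = $cn
O  = My Company
OU = IT

[v3_req]
subjectAltName   = $san
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes leaves the key unencrypted (the service must start unattended);
    # the subshell umask makes the key file 0600 from the moment it is created.
    ( umask 077 && openssl req -new -x509 -newkey "rsa:$bits" -sha256 -days 365 -nodes \
          -config "$cfg" -keyout "$outdir/agent.key" -out "$outdir/agent.cert" ) || return 1
    # The Agent's config directory carries the certificate as agent.pem as well.
    openssl x509 -in "$outdir/agent.cert" -out "$outdir/agent.pem" -outform PEM || return 1
    rm -f "$cfg"
}

# key_matches_cert KEY CERT: succeed only when the private key belongs to the
# certificate (identical RSA modulus). Catches a key/cert mix-up before the
# Agent is restarted with files that cannot work together.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# cert_san CERT: print the Subject Alternative Name entries (empty if none).
cert_san() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Usage: sh gen-agent-cert.sh OUTDIR CN SAN [RSA_BITS]
if [ $# -ge 3 ]; then
    gen_agent_cert "$1" "$2" "$3" "${4:-4096}"
    key_matches_cert "$1/agent.key" "$1/agent.cert" && echo "key matches certificate"
    echo "SAN: $(cert_san "$1/agent.cert")"
fi
```

Run it as `sh gen-agent-cert.sh ./out agent.mycompany.com 'DNS:agent.mycompany.com,DNS:*.mycompany.com'` and copy out/agent.key, out/agent.cert and out/agent.pem to the host in the procedure below. A wildcard such as *.mycompany.com is still possible, but put it in the SAN rather than the CN.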

Replacing the agent certificate on a host

The following procedure replaces the Agent's current private key and certificate on a single host. To replace them across an entire cluster, repeat the procedure on every host.

  1. Stop the Agent service on the host.

    $ /etc/init.d/vertica_agent stop
    
  2. Back up and rename the existing agent certificate and key.

    $ cd /opt/vertica/config/share
    $ mv agent.cert agent.cert.bck
    $ mv agent.key agent.key.bck
    $ mv agent.pem agent.pem.bck
    
  3. Transfer the new certificate and key to the host's /opt/vertica/config/share directory.

    $ scp agent.* root@123.12.12.123:/opt/vertica/config/share
    
  4. In /opt/vertica/config/share, change the owner of the certificate and key to the Vertica database administrator user and group (uidbadmin and verticadba in this example). The scp in step 3 leaves the files owned by root, and the Agent runs as the database administrator.

    $ chown installed_Vertica_user:installed_Vertica_group agent.*
    
  5. Make the certificate and key files readable only by their owner. The private key is unencrypted, so this is what keeps other accounts on the host from reading it.

    $ chmod -R 400 agent.*
    
  6. Start the Agent service.

    $ /etc/init.d/vertica_agent start
    starting agent
    Opening PID file "/opt/vertica/log/agent.pid".
    Overwriting /opt/vertica/log/agent_uidbadmin.log
    Overwriting /opt/vertica/log/agent_uidbadmin.err
    start OK for user: uidbadmin
    
  7. Verify that you can view information about your database with your API key. The -k option tells curl to skip TLS certificate verification, so this step proves only that the Agent is answering; step 8 checks which certificate it presents. Once the new certificate is in place you can drop -k and pass --cacert agent.pem instead, as long as the name you connect to matches the certificate's subjectAltName or CN.

    $ curl -X GET https://10.20.80.145:5444/databases -H "VerticaApiKey:wCgXny3Wm+8OhEvGkAclv7v9+VIlxgXblpr4rf" -k
    
  8. Verify that the Agent is using the new certificate. Compare the certificate (or its fingerprint) in the s_client output with the agent.pem you installed; if they differ, the Agent is still serving the old certificate.

    $ openssl s_client -prexit -connect 10.20.80.145:5444
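The following script is an added example and is not part of Vertica or its Agent; it automates steps 7 and 8 in a way that does not depend on reading s_client output by eye. It compares the SHA-256 fingerprint of the certificate the Agent presents on port 5444 with the fingerprint of the agent.pem you installed, and it queries /databases with curl verifying the server against that file instead of disabling verification with -k. The function names are this example's own; the host, port, file and API key are whatever you pass in.

```sh
#!/bin/sh
# Added example, not part of the Vertica Agent or its documentation: prove that
# the restarted Agent presents the certificate you installed, by comparing
# SHA-256 fingerprints, and query the REST API verifying against that
# certificate instead of disabling verification with curl -k. Function names
# are this example's own.
set -u

# fp_normalize: read a fingerprint on stdin, drop colons, lower-case it, so
# values printed by different tools compare equal.
fp_normalize() { tr -d ':' | tr 'A-F' 'a-f'; }

# pem_to_der [FILE]: DER encoding of the PEM certificate in FILE (or stdin).
pem_to_der() {
    if [ $# -gt 0 ]; then openssl x509 -in "$1" -outform DER; else openssl x509 -outform DER; fi
}

# cert_fingerprint [FILE]: SHA-256 over the DER certificate, as 64 hex digits.
# This is the same value openssl x509 -fingerprint -sha256 prints.
cert_fingerprint() {
    if [ $# -gt 0 ] && [ ! -r "$1" ]; then return 1; fi
    pem_to_der "$@" | openssl dgst -sha256 | sed 's/^.*= *//' | fp_normalize
}

# served_fingerprint HOST PORT: fingerprint of the leaf certificate the Agent
# actually presents on the wire (no verification here; we only want the bytes).
served_fingerprint() {
    pem=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
          | openssl x509 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | cert_fingerprint
}

# agent_cert_ok HOST PORT LOCAL_PEM: succeed only when the served leaf is
# byte-for-byte the certificate in LOCAL_PEM (the agent.pem you installed).
agent_cert_ok() {
    want=$(cert_fingerprint "$3") || return 1
    got=$(served_fingerprint "$1" "$2") || return 1
    [ "$want" = "$got" ]
}

# agent_databases NAME PORT LOCAL_PEM API_KEY [IP]
# GET /databases with the server verified against LOCAL_PEM. curl checks the
# host name too, so NAME must match a SAN/CN in the certificate; pass IP to
# reach the host by address while still presenting NAME for verification.
agent_databases() {
    name=$1; port=$2; pem=$3; key=$4; ip=${5:-}
    if [ -n "$ip" ]; then
        curl -sS --cacert "$pem" --resolve "$name:$port:$ip" \
             -H "VerticaApiKey:$key" "https://$name:$port/databases"
    else
        curl -sS --cacert "$pem" -H "VerticaApiKey:$key" "https://$name:$port/databases"
    fi
}

# Usage: sh check-agent-cert.sh HOST PORT LOCAL_PEM
if [ $# -ge 3 ]; then
    if agent_cert_ok "$1" "$2" "$3"; then
        echo "OK: $1:$2 presents $(cert_fingerprint "$3")"
    else
        echo "MISMATCH: $1:$2 is not serving $3 (served: $(served_fingerprint "$1" "$2"))" >&2
        exit 1
    fi
fi
```

Run `sh check-agent-cert.sh 10.20.80.145 5444 agent.pem` from a copy of the files you installed; a non-zero exit means the Agent is still serving a different certificate, most often because the service was not restarted or the files landed in the wrong directory. agent_databases is the verified replacement for the curl -k call in step 7: with a certificate that names only *.mycompany.com, call it as `agent_databases agent.mycompany.com 5444 agent.pem "$API_KEY" 10.20.80.145` so curl connects by IP but verifies the name.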