9.5.2.8. tpm cert: Getting Started - Advanced Example

You may want to provide your own certificates, or you may have installed with `disable-security-controls=true` and now wish to enable security. If so, tpm cert is for you.

In the following advanced example, we will rotate the database certs using a source .pfx file.

--- Summary ---
  • Populate the tungsten.env file

  • Generate the security files defined in tungsten.env

  • Add new options to the tungsten.ini to match

  • Update the software using the new security settings

--- Details ---
  • Display example tungsten.env contents

    tpm cert example env
  • Create a new $CONTINUENT_ROOT/share/tungsten.env file, which defaults to example id 1:

    tpm cert gen env 2
  • Run vi $CONTINUENT_ROOT/share/tungsten.env

    tpm cert vi env
      export BASE_DIR=/etc/tungsten/secure
      export BATCH="pfx2p12,JK,TS,CJ,CT"
  • Display variables set in $CONTINUENT_ROOT/share/tungsten.env

    tpm cert ask env
  • Display example tungsten.ini contents

    tpm cert example ini
  • Run vi /etc/tungsten/tungsten.ini

    tpm cert vi ini
      java-keystore-path=/etc/tungsten/secure/tungsten_keystore.jks
      java-truststore-path=/etc/tungsten/secure/tungsten_truststore.ts
      java-connector-keystore-path=/etc/tungsten/secure/tungsten_connector_keystore.jks
      java-connector-truststore-path=/etc/tungsten/secure/tungsten_connector_truststore.ts
  • Generate all cert files in the BATCH envvar defined in the tungsten.env file:

    tpm cert gen batch --livetls -x
  • Display info, as JSON, for all cert files in the BATCH envvar defined in the tungsten.env file:

    tpm cert info P12,JK,TS,CJ,CT
  • Display the extracted package staging directory that the software was installed from:

    tpm query staging
  • Update the software to use the new cert files in {certsdir}:

    cd {staging_dir}
    tools/tpm update --replace-release
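
A pre-flight check that can be run after `tpm cert gen batch` and before `tools/tpm update --replace-release`, to confirm that the four keystore and truststore options in tungsten.ini resolve to real files under the BASE_DIR set in tungsten.env. This is an added example, not part of the Tungsten tooling: the function name `check_cert_paths` is hypothetical, and the permission policy (no file writable by other users, no keystore readable by other users) is an assumption.

```sh
#!/bin/sh
# Added example (not Tungsten code): pre-flight check before `tpm update`.
# Usage: sh check_cert_paths.sh "$CONTINUENT_ROOT/share/tungsten.env" /etc/tungsten/tungsten.ini

# Print one line per option; return the number of failed options (0 = all good).
check_cert_paths() {
    env_file=$1; ini_file=$2; problems=0
    # Parse BASE_DIR with sed instead of sourcing the file, which would execute it.
    base_dir=$(sed -n 's/^[[:space:]]*export[[:space:]][[:space:]]*BASE_DIR=//p' "$env_file" |
               tr -d "\"'" | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -z "$base_dir" ]; then
        echo "FAIL BASE_DIR is not set in $env_file"; return 1
    fi
    for opt in java-keystore-path java-truststore-path \
               java-connector-keystore-path java-connector-truststore-path; do
        path=$(sed -n "s/^[[:space:]]*${opt}[[:space:]]*=[[:space:]]*//p" "$ini_file" |
               sed 's/[[:space:]]*$//' | tail -n 1)
        reason=
        case $path in
            "")             reason="option missing from $ini_file" ;;
            */../*|*/..)    reason="path contains '..'" ;;
            "$base_dir"/*)  ;;
            *)              reason="path is outside BASE_DIR ($base_dir)" ;;
        esac
        if [ -z "$reason" ]; then
            if [ ! -f "$path" ] || [ ! -s "$path" ]; then
                reason="not a regular, non-empty file"
            elif [ -n "$(find -L "$path" -perm -002)" ]; then
                reason="file is writable by other users"
            elif [ -n "$(find -L "$path" -perm -004)" ]; then
                # Assumption: keystores hold private keys; truststores hold only certificates.
                case $opt in *keystore*) reason="keystore is readable by other users" ;; esac
            fi
        fi
        if [ -n "$reason" ]; then
            echo "FAIL ${opt}=$path: $reason"; problems=$((problems + 1))
        else
            echo "OK   ${opt}=$path"
        fi
    done
    return "$problems"
}

if [ "$#" -eq 2 ]; then check_cert_paths "$1" "$2"; fi
```

A non-zero exit status is the number of options that failed, so the script can gate the update step in a wrapper.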