9.5.2. tpm cert Command

Introduction

The tpm cert command is designed to streamline the generation of Tungsten-specific security files for use by the tpm install and tpm update commands.

The tpm cert command minimizes the complexity of handling certificates but cannot remove it entirely. For the best results, contact Continuent Support and get help from the experts before using this command.

By default, the tpm install command will create all security files for new installations (upgrades preserve the existing files) when disable-security-controls=false, or when the option is omitted when installing v7.0.0 or later.

You may need to provide your own certificates, or you may prefer to install with disable-security-controls=true and enable security at a later time. If so, tpm cert is for you.

  • Cert SOURCE files are in the "certsdir" $CONTINUENT_ROOT/generated/

  • Cert RUNNING files are in the "security directory" $CONTINUENT_ROOT/share/

By default, all commands use source files located in "certsdir". To read running files in the "security directory", use --running (or -r).

To use custom values/paths, create a file called tungsten.env in the "security directory" and populate the variables as needed.
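As an added example (not part of the Tungsten tooling), the POSIX shell check below compares the cert SOURCE files in "certsdir" with the RUNNING copies in the "security directory", so that on each node you can tell whether a rotation has been applied before restarting anything. The two directory paths follow the ones listed above; the demo file names are constructed.

```shell
#!/bin/sh
# Added example, not part of the Tungsten tooling: compare the cert SOURCE files
# in "certsdir" ($CONTINUENT_ROOT/generated/) with the RUNNING copies in the
# "security directory" ($CONTINUENT_ROOT/share/). A file that differs or is
# missing on the running side means a rotation has not yet been applied
# (or was only partly applied) on this node.

# Print a digest for one file: sha256sum where available, POSIX cksum otherwise.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# cert_sync_status SRC_DIR RUN_DIR
# Prints "<status> <file>" per source file, status being in-sync, differs or
# missing. Returns 0 only when every source file has an identical running copy.
cert_sync_status() {
    src="$1"; run="$2"; rc=0
    for path in "$src"/*; do
        [ -f "$path" ] || continue      # skip an empty directory's literal '*'
        name="${path##*/}"
        if [ ! -f "$run/$name" ]; then
            echo "missing $name"; rc=1
        elif [ "$(file_digest "$path")" != "$(file_digest "$run/$name")" ]; then
            echo "differs $name"; rc=1
        else
            echo "in-sync $name"
        fi
    done
    return "$rc"
}

# Stand-alone demo on constructed directories (file names are made up, not the
# real Tungsten file names). Point the two arguments at the real paths instead:
#   cert_sync_status "$CONTINUENT_ROOT/generated" "$CONTINUENT_ROOT/share"
demo_cert_sync() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/generated" "$d/share"
    printf 'keystore v2\n'   > "$d/generated/example_keystore.jks"
    printf 'keystore v1\n'   > "$d/share/example_keystore.jks"      # stale running copy
    printf 'truststore v2\n' > "$d/generated/example_truststore.ts"
    printf 'truststore v2\n' > "$d/share/example_truststore.ts"     # already in sync
    cert_sync_status "$d/generated" "$d/share"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

A non-zero exit from cert_sync_status on any node means tpm update has not yet brought that node's running files in line with the source files, which is the state the rotation note below warns about.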

Important

There is no way to rotate security files with zero downtime. This is a database server limitation: once the first database server process is restarted with the new certs, the cluster will not be able to communicate with it. The same applies to the tpm update step if it is done before the database server process restarts. Once all database servers are using the new certs and all cluster nodes have been updated, everything will communicate properly again and the operation is complete.

Important

LIMITATION: At this time, tpm cert cannot be run if the Tungsten software is not yet installed. This will be fixed in the next release.