-
Notifications
You must be signed in to change notification settings - Fork 14
/
Copy pathcredentials.html.md.erb
67 lines (41 loc) · 2.61 KB
/
credentials.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
---
title: Rotating IPsec Credentials
owner: Security Engineering
---
<strong><%= modified_date %></strong>
This topic describes the process Pivotal recommends to increase deployment security by
rotating credentials in the IPsec manifest. Your organizational security policy may specify
how often you should apply these changes.
There are two procedures for credential rotation described in this topic
* The first procedure describes rotating the instance certificate and instance private key specified in
your IPsec manifest, and requires updating BOSH. This procedure does not include rotating the certificate authority
(CA) certificate.
* The second procedure describes rotating your CA certificate in addition to your instance certificate and instance
private key. This procedure requires updating BOSH three times.
<p class="note"><strong>Note</strong>: The rolling deploys during these procedures result in minimal deployment downtime.</p>
## <a id="rotate-cert"></a>Rotate the Instance Certificate and Instance Private Key
Follow these steps:
1. Generate a new certificate and use your existing IPsec CA certificate to sign the new certificate.
2. Update the instance certificate and the private key fields in your `ipsec-addon.yml` file
with new values from the previous step.
3. Run the following command:
<pre class="terminal">
$ bosh update runtime-config PATH/MYPRODUCT_ipsec-addon.yml
</pre>
4. Navigate to your Ops Manager interface in a browser, and click **Apply Changes**.
## <a id="rotate-CA"></a>Rotate the CA Certificate, the Instance Certificate, and Instance Private Key
Follow these steps:
1. Generate a new CA certificate.
2. Append the newly generated CA certificate under the existing certificate in your `ipsec-addon.yml`.
3. Run the following command:
<pre class="terminal">$ bosh update runtime-config PATH/MYPRODUCT_ipsec-addon.yml</pre>
4. Navigate to your Ops Manager interface in a browser, and click **Apply Changes**.
5. Generate a new certificate and use your new IPsec CA certificate to sign the new certificate.
6. Update the instance certificate and the private key fields in the YAML file with new values from above.
7. Run the following command:
<pre class="terminal">$ bosh update runtime-config PATH/MYPRODUCT_ipsec-addon.yml</pre>
8. Navigate to your Ops Manager interface in a browser, and click **Apply Changes**.
9. Delete the older CA certificate in the `ipsec-addon.yml` file.
10. Run the following command:
<pre class="terminal">$ bosh update runtime-config PATH/MYPRODUCT_ipsec-addon.yml</pre>
11. Navigate to your Ops Manager interface in a browser, and click **Apply Changes**.