You may want to provide your own certificates, or have installed with
disable-security-controls=true, and now wish to enable security. If
so, tpm cert is for you.
In the following advanced example, we will rotate the database certs using a source .pfx file.
Populate the tungsten.env file
Generate the security files defined in
tungsten.env
Add new options to the /etc/tungsten/tungsten.ini to match
Update the software using the new security settings
Displays example tungsten.env contents
shell> tpm cert example env
Create a new
$CONTINUENT_ROOT/share/tungsten.env file, which
defaults to example id 1:
shell> tpm cert gen env 2
Run vi $CONTINUENT_ROOT/share/tungsten.env
shell> tpm cert vi env
export BASE_DIR=/etc/tungsten/secure
export BATCH="pfx2p12,JK,TS,CJ,CT"
Display variables set in
$CONTINUENT_ROOT/share/tungsten.env
shell> tpm cert ask env
Displays example tungsten.ini contents
shell> tpm cert example ini
Run vi /etc/tungsten/tungsten.ini
shell> tpm cert vi ini
java-keystore-path=/etc/tungsten/secure/tungsten_keystore.jks
java-truststore-path=/etc/tungsten/secure/tungsten_truststore.ts
java-connector-keystore-path=/etc/tungsten/secure/tungsten_connector_keystore.jks
java-connector-truststore-path=/etc/tungsten/secure/tungsten_connector_truststore.ts
Generate all cert files in the BATCH envvar defined in the
tungsten.env file:
shell> tpm cert gen batch --livetls -x
Display info as json all cert files in the BATCH envvar defined in
the tungsten.env file:
shell> tpm cert info P12,JK,TS,CJ,CTDisplay the extracted package staging directory that the software was installed from:
shell> tpm query stagingUpdate the software to use the new cert files in {certsdir}:
shell>cd {staging_dir}shell>tools/tpm update --replace-release