Details
- Type: Sub-task
- Status: Resolved
- Priority: Major
- Resolution: Fixed
Description
While automatic certificate rotation is not implemented, there is a manual procedure that needs to be followed to renew the certificates in an Ozone cluster.
This procedure in simple steps:
- stop the service
- remove old key and certificate material from the metadata folders
- remove the omCertSerialID and scmCertSerialID fields from the respective service's VERSION file
- start the service
During this process, though, the old certificate is not cleared from the RocksDB of SCM.
The aim here is to implement a CLI tool that enables the removal of the old certificates. Ideally this tool would remove only the certificates that have already expired, so that there is no possibility of unwillingly removing certificates from the DB that are still in use. Automation will be done for the rest, and with this eventually all old certificates can be cleared.
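The selection rule the issue asks for ("expired only, so nothing still in use is removed") is illustrated below as an added example. It is not Ozone code: Ozone is written in Java, but Go is used here because its standard library can build self-signed test certificates offline, and the check itself is language-independent. Assumptions beyond the issue text: the VERSION file is treated as a Java-properties style `key=value` file (only the `omCertSerialID` and `scmCertSerialID` field names come from the issue), a clock-skew margin is applied before a certificate counts as expired, and a serial still recorded in VERSION is never selected even if the certificate has expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeCert builds a self-signed certificate with the given serial and validity
// window. Constructed test data only; real Ozone certificates are issued by SCM.
func makeCert(serial int64, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: fmt.Sprintf("test-cert-%d", serial)},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// referencedSerials collects the certificate serial IDs a VERSION file still
// records. Assumed layout: one key=value pair per line, '#' starts a comment.
func referencedSerials(version string) map[string]bool {
	refs := map[string]bool{}
	for _, line := range strings.Split(version, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		k, v = strings.TrimSpace(k), strings.TrimSpace(v)
		if k == "omCertSerialID" || k == "scmCertSerialID" {
			refs[v] = true
		}
	}
	return refs
}

// expiredRemovable returns the serials that are safe to delete: NotAfter lies
// more than `skew` in the past, and the serial is not referenced in VERSION.
func expiredRemovable(certs []*x509.Certificate, version string, now time.Time, skew time.Duration) []string {
	refs := referencedSerials(version)
	var out []string
	for _, c := range certs {
		serial := c.SerialNumber.String()
		// The skew margin keeps a certificate out of the result until it is
		// clearly expired even on a node whose clock runs ahead.
		if !now.Add(-skew).After(c.NotAfter) {
			continue
		}
		if refs[serial] {
			continue // still recorded as in use by a service; never delete
		}
		out = append(out, serial)
	}
	return out
}

func main() {
	now := time.Now()
	day := 24 * time.Hour
	expired, _ := makeCert(11, now.Add(-730*day), now.Add(-365*day))
	valid, _ := makeCert(22, now.Add(-day), now.Add(365*day))
	expiredButUsed, _ := makeCert(33, now.Add(-2*day), now.Add(-day))
	// Constructed VERSION content: only serial 33 is recorded as in use.
	version := "#constructed sample\nscmCertSerialID=33\nclusterID=CID-constructed\n"
	certs := []*x509.Certificate{expired, valid, expiredButUsed}
	fmt.Println("removable serials:", expiredRemovable(certs, version, now, time.Hour))
}
```

Run stand-alone, the program reports only serial 11: serial 22 is still valid, and serial 33 is expired but still referenced by the VERSION file, so the conservative rule leaves it in place for the manual procedure to clear.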