10.5.2 Specifying a Security Certificate

The Oracle Exadata administrator can specify new security certificates as required.

Each certificate consists of a key pair, which includes a public key and matching private key. You can specify either a user-generated self-signed certificate or a CA-Certified security certificate.

ExaCLI accepts valid CA-Certified security certificates without any prompts and without requiring you to accept the certificates.

To use a specific security certificate:

  1. Modify security attributes for the storage server or compute node.

    To upload a security certificate, modify the following storage server (cell) or compute node (dbserver) attributes:

    • securityPubKey - Specifies a URL for the certificate public key file.

    • securityPrivKey - Specifies a URL for the certificate private key file.

    • securityPrivKeyPW - Specifies the password to use if the private key file is encrypted.

      If you specify securityPrivKeyPW=*, the user is prompted for the password.

    The keys must be supplied as PEM-encoded files. Each URL can use the http, https, or file access scheme.

    The following examples show commands for uploading a security certificate:

    • Example for a storage server (cell) using http URLs to access the key files. In this example, the private key password (securityPrivKeyPW) is specified.

      $ exacli -l celladministrator -c cellhost  -
               -e 'alter cell securityPubKey="http://www.example.com/security/newkey1.pem.crt", -
                   securityPrivKey="http://www.example.com/security/newkey1-private.pem", -
                   securityPrivKeyPW="welcome1"'
      
      ...
    • Example for a compute node (dbserver) using local file URLs to access the key files. In this example, the user is prompted for the private key password.

      $ exacli -l dbadministrator -c dbhost  -
               -e 'alter dbserver securityPubKey="file:///root/security/newkey2.pem.crt", -
                   securityPrivKey="file:///root/security/newkey2-private.pem", -
                   securityPrivKeyPW=*'
      
      Password: *********
      ...
  2. Restart the Management Server (MS) on the storage server or compute node.

    After you upload the security certificate to each server in the cluster, you must restart MS on that server before the new security certificate becomes visible.

    For example:

    • Restart MS on a storage server (cell).

      CellCLI> alter cell restart services ms
      
      Restarting MS services... 
      The RESTART of MS services was successful.
    • Restart MS on a compute node (dbserver).

      DBMCLI> alter dbserver restart services ms
      
      Restarting MS services... 
      The RESTART of MS services was successful.
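The following Python script is an added example and is not part of the Oracle documentation, ExaCLI, CellCLI or DBMCLI. It runs on the administrative host before step 1 and checks the values that will go into securityPubKey, securityPrivKey and securityPrivKeyPW against what this section states: the URL scheme must be http, https or file; the files must be PEM-encoded; and securityPrivKeyPW=* makes ExaCLI prompt for the password. For file URLs it also inspects the PEM files (certificate block present, private key block present, key encrypted or not, file readable only by its owner) and then assembles the exacli command for step 1 and the CellCLI or DBMCLI restart command for step 2. The helper names (check_certificate_inputs, build_alter_command, restart_command, run_demo) are this example's own, and the sample certificate and key files it writes are constructed placeholders that contain no real key material.

```python
"""Added pre-flight checks for the ExaCLI security certificate attributes.
Validates the securityPubKey / securityPrivKey URLs and, for file URLs, the PEM
files behind them, then builds the 'alter' command with securityPrivKeyPW=*."""
import os
import re
import shlex
import stat
import tempfile
from urllib.parse import urlparse
from urllib.request import url2pathname

# One PEM block: BEGIN label, one or more body lines, END with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(?:.*\n)+?-----END \1-----")

def pem_labels(text):
    """Labels of every PEM block in text, e.g. ['CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def is_encrypted_private_key(text):
    """PKCS#8 encrypted key, or a legacy OpenSSL key carrying an encryption header."""
    return "ENCRYPTED PRIVATE KEY" in pem_labels(text) or "Proc-Type: 4,ENCRYPTED" in text

def local_path(url):
    """Filesystem path for a file URL, None for http/https; other schemes are rejected."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https", "file"):
        raise ValueError(f"{url}: URL scheme must be http, https or file")
    return url2pathname(parts.path) if parts.scheme == "file" else None

def check_certificate_inputs(pub_url, priv_url):
    """Validate both key URLs. Returns (warnings, private_key_encrypted); the flag
    is None when the private key is remote and cannot be inspected from here."""
    warnings = []
    for url in (pub_url, priv_url):
        if urlparse(url).scheme == "http":
            warnings.append(f"{url}: plain http, key material is fetched without TLS")
    pub_path = local_path(pub_url)
    if pub_path is not None:
        with open(pub_path, encoding="ascii") as fh:
            if "CERTIFICATE" not in pem_labels(fh.read()):
                raise ValueError(f"{pub_url}: no PEM CERTIFICATE block found")
    priv_path = local_path(priv_url)
    if priv_path is None:
        return warnings, None
    with open(priv_path, encoding="ascii") as fh:
        text = fh.read()
    if not any(label.endswith("PRIVATE KEY") for label in pem_labels(text)):
        raise ValueError(f"{priv_url}: no PEM PRIVATE KEY block found")
    if stat.S_IMODE(os.stat(priv_path).st_mode) & 0o077:
        warnings.append(f"{priv_path}: private key file is readable by group or others")
    encrypted = is_encrypted_private_key(text)
    if not encrypted:
        warnings.append(f"{priv_path}: private key is stored unencrypted")
    return warnings, encrypted

def build_alter_command(target, user, host, pub_url, priv_url, encrypted):
    """exacli argument vector for step 1; target is 'cell' or 'dbserver'."""
    if target not in ("cell", "dbserver"):
        raise ValueError("target must be 'cell' or 'dbserver'")
    attrs = f'securityPubKey="{pub_url}", securityPrivKey="{priv_url}"'
    if encrypted is not False:  # encrypted, or remote and unknown: let ExaCLI prompt
        attrs += ", securityPrivKeyPW=*"
    return ["exacli", "-l", user, "-c", host, "-e", f"alter {target} {attrs}"]

def restart_command(target):
    """Step 2, run on the server itself: restart MS through CellCLI or DBMCLI."""
    tool = "cellcli" if target == "cell" else "dbmcli"
    return [tool, "-e", f"alter {target} restart services ms"]

def write_sample_files(directory, encrypted=True, mode=0o600):
    """Constructed sample PEM files (placeholder bodies, not real key material)."""
    cert = "-----BEGIN CERTIFICATE-----\nMIIBc2FtcGxlY2VydGJvZHk=\n-----END CERTIFICATE-----\n"
    label = "ENCRYPTED PRIVATE KEY" if encrypted else "PRIVATE KEY"
    key = f"-----BEGIN {label}-----\nMIIBc2FtcGxla2V5Ym9keQ==\n-----END {label}-----\n"
    cert_path = os.path.join(directory, "newkey2.pem.crt")
    key_path = os.path.join(directory, "newkey2-private.pem")
    with open(cert_path, "w") as fh:
        fh.write(cert)
    with open(key_path, "w") as fh:
        fh.write(key)
    os.chmod(key_path, mode)
    return "file://" + cert_path, "file://" + key_path

def run_demo(target="dbserver", encrypted=True, mode=0o600):
    """Write the sample files into a temporary directory and run the checks on them."""
    with tempfile.TemporaryDirectory() as tmp:
        pub, priv = write_sample_files(tmp, encrypted, mode)
        warnings, enc = check_certificate_inputs(pub, priv)
        cmd = build_alter_command(target, "dbadministrator", "dbhost", pub, priv, enc)
    return warnings, enc, cmd

if __name__ == "__main__":
    warns, enc, cmd = run_demo()
    for w in warns:
        print("WARNING:", w)
    print(shlex.join(cmd))
    print(shlex.join(restart_command("dbserver")))
```

The script always emits securityPrivKeyPW=* when the private key is encrypted or cannot be inspected, and omits the attribute when a local key turns out to be unencrypted (while warning about that). Passing the password as a literal, as in the first documented example, leaves it in the shell history and in process listings on the administrative host; the prompt form keeps it out of both. The http warning reflects the same concern for the key files in transit: the attributes accept http URLs, but https or a local file URL avoids fetching private key material in the clear.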