

Change the Root Key on the BFC and Run the rekey Script
You can change the root SSH key on the BFC. This may be necessary for security purposes or if the SSH key is lost for some reason. After you change the root key, you use the rekey script to push that key into the utility image and the BFC database.
The rekey script is installed with the BFC. If you installed the BFC to /opt/bfc, the rekey script is in /opt/bfc/bin.
Follow these steps:
- Change or replace the root SSH key on the BFC.
  - Make a backup copy of your current key.
  - To generate a new key, run the following command as root:
      ssh-keygen -t rsa
  - Copy the key to your BFC machine.
- Change to /opt/bfc/bin and enter the following command:
      ./rekey
  When the script completes, the message "successfully updated the keys" displays. Your new SSH key is pushed to the utility image and BFC database.
  The rekey script automatically stops and restarts the SSHD service.
- Replace the SSH key on individual grids.
  - Start the BFC, open the Grids page and select the grids you want to work with.
  - Click Manage SSH Keys on the Grid Actions menu.
  - In the Manage Grid SSH Keys dialog, click Browse and select your SSH file.
  - Select the Replace SSH Keys option.
  - Click Push Keys to replace the key on the selected grids.
- Test your new SSH key by using SSH as root from the BFC to all grid servers and grid controllers.
Note: You must rediscover the Manual Powered servers and reboot the IPMI Controlled servers so that they can run with the updated utility image.
Replace the Server Certificate on the BFC
You can use the following procedure to replace the server certificate on the BFC. This procedure assumes you installed the BFC at /opt/bfc.
- Copy your new certificate and its private key to the BFC machine.
- Stop the BFC with the following command:
      service bfc stop
- Change to the following folder and create a backup copy of your server.crt and server.key files:
      cd /opt/bfc/lib/client_interface-0.1/priv
- Copy your new certificate and private key to the server.crt and server.key files.
  Note: Be certain to use these exact file names.
- Confirm that the mode and ownership of the new files are correct. Both files must have mode 0600 and be owned by bfcamin:bfc.
- Start the BFC.
Your server certificate is changed.
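The backup, copy and permission steps above can be scripted so that a private key that does not belong to the new certificate is caught before the BFC is started again. This is an added example, not part of the CA documentation or tooling; the function names, the .bak.<timestamp> backup suffix and the one-day expiry check are assumptions, and the owner is passed in as an argument rather than hard-coded.

```shell
#!/bin/sh
# Added example, not CA tooling. Function names and the .bak.<timestamp>
# backup suffix are assumptions made for this sketch.

# True only if the private key in $2 belongs to the certificate in $1.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_bfc_cert NEW_CRT NEW_KEY PRIV_DIR [OWNER]
# Run it after stopping the BFC and before starting it again.
install_bfc_cert() {
    new_crt=$1; new_key=$2; priv_dir=$3; owner=${4:-}
    if ! cert_matches_key "$new_crt" "$new_key"; then
        echo "refusing: key does not match certificate" >&2; return 1
    fi
    # -checkend N fails if the certificate expires within N seconds.
    if ! openssl x509 -in "$new_crt" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "refusing: certificate expired or expires within a day" >&2; return 1
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    old_umask=$(umask); umask 077      # new files are never world-readable
    rc=0
    for f in server.crt server.key; do
        if [ -f "$priv_dir/$f" ]; then   # keep the old pair for rollback
            cp -p "$priv_dir/$f" "$priv_dir/$f.bak.$stamp" || rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        cp "$new_crt" "$priv_dir/server.crt" &&
        cp "$new_key" "$priv_dir/server.key" &&
        chmod 0600 "$priv_dir/server.crt" "$priv_dir/server.key" || rc=1
    fi
    if [ "$rc" -eq 0 ] && [ -n "$owner" ]; then
        chown "$owner" "$priv_dir/server.crt" "$priv_dir/server.key" || rc=1
    fi
    umask "$old_umask"
    return "$rc"
}
```

Call it as root with the new certificate, the new key, the priv folder named in the procedure, and the owner the procedure specifies as the fourth argument.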
Copyright © 2013 CA Technologies.
All rights reserved.
 