
How do I use the finalize script to transfer certificates to the nodes?

In many cases, it is desirable to use node-specific certificates for certain services, e.g.:
– Make the SSH certificates persist through full re-installation.
– Use different Kerberos key tables per node.

The node installer already does something similar when it copies the node’s certificate from the NFS share /cm/node-installer/certificates of the head node to each node.

To do that for any other type of certificate, you will need to create a certificate store directory, e.g. /cm/certificates, on the head node or NFS server and export it to the nodes:

    $ mkdir /cm/certificates
    $ cmsh
    [headnode]% device use headnode
    [headnode->device[headnode]]% fsexports
    [headnode->device[headnode]->fsexports]% add /cm/certificates
    [headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% set hosts internalnet
    [headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% set write no
    [headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% commit
    [headnode->device[headnode]->fsexports[/cm/certificates]]%

You will need to place the node-specific files in a sub-directory under that certificate store directory. The subdirectory is given the name of the node.

E.g.:

  • For node001, create /cm/certificates/node001 and place the certificates within the node001 directory.
  • For node002, create /cm/certificates/node002 and place the certificates within the node002 directory.

and so on.

After that you will need to modify the finalize script for the node’s category:

    $ cmsh
    [headnode]% category use default
    [headnode->category[default]]% set finalizescript
    (A text editor session will start)
    [headnode->category[default]]% commit

The finalize script could be:

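    #!/bin/bash
    # Temporary mount point for the certificate store exported by the head node
    mkdir -p /tmp/certificates
    # Copy only if the NFS mount succeeded
    if mount master:/cm/certificates /tmp/certificates; then
        # -a preserves attributes, -n does not overwrite files that already exist
        cp -an "/tmp/certificates/$CMD_HOSTNAME/"* /localdisk/etc/ssh
        umount /tmp/certificates
    fi
    # rmdir removes only an empty directory, so a failed umount cannot touch the store
    rmdir /tmp/certificates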
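The copy step of the finalize script above, written as a validating function. This is an added example, not code from the original article or from the cluster manager: install_node_certs and its three arguments are hypothetical, and it assumes that files in the store may carry looser modes than private keys should have on the node.

```bash
#!/bin/bash
# Added example, not from the original article. install_node_certs is a
# hypothetical helper name; its three arguments are assumptions.
#   install_node_certs STORE NODE DEST
install_node_certs() {
    local store="$1" node="$2" dest="$3" src f name
    # NODE becomes a path component: accept a plain name only, so a bad value
    # can never select another node's directory or the store root.
    case $node in
        ''|.|..|*/*) echo "invalid node name: '$node'" >&2; return 2 ;;
    esac
    src=$store/$node
    # No per-node directory means the store was never populated for this node.
    if [ ! -d "$src" ]; then
        echo "no certificate directory: $src" >&2
        return 3
    fi
    mkdir -p "$dest" || return 1
    for f in "$src"/*; do
        # Regular files only: skip subdirectories, symlinks and an empty glob.
        if [ ! -f "$f" ] || [ -L "$f" ]; then continue; fi
        name=${f##*/}
        # Same effect as the article's "cp -n": never replace an existing file.
        if [ -e "$dest/$name" ]; then continue; fi
        cp -a "$f" "$dest/$name" || return 1
        # Modes are set explicitly instead of trusting those in the store.
        case $name in
            *.pub) chmod 644 "$dest/$name" ;;
            *)     chmod 600 "$dest/$name" ;;
        esac
    done
    return 0
}

# Constructed demo (temporary directories, dummy file contents): run with "demo".
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d)
    mkdir -p "$t/store/node001" "$t/etc/ssh"
    echo "dummy private key" > "$t/store/node001/ssh_host_ed25519_key"
    echo "dummy public key"  > "$t/store/node001/ssh_host_ed25519_key.pub"
    install_node_certs "$t/store" node001 "$t/etc/ssh" && ls -l "$t/etc/ssh"
    install_node_certs "$t/store" ../node001 "$t/etc/ssh" || echo "rejected, rc=$?"
    rm -rf "$t"
fi
```

In a finalize script the function would be called between the mount and umount lines as `install_node_certs /tmp/certificates "$CMD_HOSTNAME" /localdisk/etc/ssh`.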

Updated on May 20, 2020
