Optional: Installing a security certificate

The default, insecure certificate that Control Center uses for TLS-encrypted communications is based on a public certificate compiled into serviced. Use this procedure to replace the default certificate files with your own files.

  • If you are using virtual host public endpoints for your Zenoss Service Dynamics deployment, you need a wildcard certificate or a subject alternative name (SAN) certificate.
  • If your end users access the browser interface through a reverse proxy, the reverse proxy may provide the browser with its own SSL certificate. If so, please contact Zenoss Support for additional assistance.

To perform this procedure, you need valid certificate files. For information about generating a self-signed certificate, see Creating a self-signed security certificate.

To use your own certificate files, perform this procedure on the Control Center master host and on each Control Center delegate host in your environment.

Follow these steps:

  1. Log in to the host as root or as a user with superuser privileges.
  2. Use a secure copy program to copy the key and certificate files to /tmp.
  3. Move the key file to the /etc/pki/tls/private directory. 
    Replace <KEY_FILE> with the name of your key file:

    mv /tmp/<KEY_FILE>.key /etc/pki/tls/private
  4. Move the certificate file to the /etc/pki/tls/certs directory. 
    Replace <CERT_FILE> with the name of your certificate file:

    mv /tmp/<CERT_FILE>.crt /etc/pki/tls/certs
  5. Updates only: Create a backup copy of the Control Center configuration file. 
    Do not perform this step for a fresh install:

    cp /etc/default/serviced /etc/default/serviced.before-cert-files
  6. Edit the Control Center configuration file.
    1. Open /etc/default/serviced in a text editor.
    2. Locate the line for the SERVICED_KEY_FILE variable, and then make a copy of the line, immediately below the original.
    3. Remove the number sign character (#) from the beginning of the line.
    4. Replace the default value with the full pathname of your key file.
    5. Locate the line for the SERVICED_CERT_FILE variable, and then make a copy of the line, immediately below the original.
    6. Remove the number sign character (#) from the beginning of the line.
    7. Replace the default value with the full pathname of your certificate file.
    8. Save the file, and then close the editor.
  7. Verify the settings in the configuration file.

    grep -E '^[[:space:]]*[A-Z_]+' /etc/default/serviced
  8. Updates only: Reload the systemd manager configuration.
    Do not perform this step for a fresh install:

    systemctl daemon-reload
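
The following check is an added example, not part of the Zenoss documentation: a shell function that confirms the edits from steps 3 through 7 took effect, so a host does not silently keep the default certificate because a line stayed commented out or a path is wrong. It assumes the last uncommented assignment in the file is the effective one; the function names are hypothetical, and the owner-only permission test on the key file is an added hardening check rather than a requirement stated on this page.

```bash
# Added example (not Zenoss code). Function names are hypothetical.
# Usage, as root on the master host and on each delegate host:
#   check_serviced_tls /etc/default/serviced

# Print the effective value of variable $2 in file $1.
# Assumption: the last uncommented assignment is the one that applies.
active_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Return 0 only if both variables are set to full pathnames of existing
# files and the private key is not accessible to group or other users.
check_serviced_tls() {
    conf="${1:-/etc/default/serviced}"
    rc=0
    key=$(active_value "$conf" SERVICED_KEY_FILE)
    cert=$(active_value "$conf" SERVICED_CERT_FILE)
    if [ -z "$key" ] || [ -z "$cert" ]; then
        echo "FAIL: SERVICED_KEY_FILE or SERVICED_CERT_FILE has no uncommented line" >&2
        return 1
    fi
    for f in "$key" "$cert"; do
        case "$f" in
            /*) ;;
            *) echo "FAIL: not a full pathname: $f" >&2; rc=1 ;;
        esac
        [ -f "$f" ] || { echo "FAIL: file not found: $f" >&2; rc=1; }
    done
    # Added hardening check: characters 5-10 of the ls mode string are
    # the group and other permission bits; all must be unset for the key.
    if [ -f "$key" ]; then
        perms=$(ls -ld "$key" | cut -c5-10)
        [ "$perms" = "------" ] || {
            echo "FAIL: $key is accessible to group/other ($perms)" >&2; rc=1; }
    fi
    return "$rc"
}
```

A non-zero return on any host means that host should be corrected before Control Center is started or restarted with the new settings.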