Strategy ONE

Update SSL Certificates on an MCP Environment

This pages shows you how to change the SSL certificate on the application load balancer of the environment.

Update the SSL Certification on the Application Load Balancer for the Underlying Environment

  1. Navigate to the AWS Console > EC2 > Load Balancer.

  2. Select the application load balancer for the environment by searching for the environment ID.

  3. Go to the Listeners tab.

  4. Select the listener with the ID of HTTPS: 443.

  5. Click View/edit certificates.

  6. Go to the + tab in the top left corner to add an updated certificate.

  7. From the list of certificates, select the certificate you want to import.

  8. Click Add.

    Once it successfully added, the following message appears.

  9. Go back to the load balancer to select the HTTPS:443 listener.

  10. Click Edit.

  11. From the Default SSL certificate drop-down, choose the certificate you imported in step 7.

  12. Click Save changes.

Update the SSL Certificate on the Collaboration Server on All Nodes of the Environment

  1. After updating the load balancer URL in AWS or Azure, download the pem SSL certificate file to the Linux box.

    For Azure, you must convert the .pfx file provided by the customer to pem.

  2. Use SSH to access the Linux environment and run the following command:

    Copy
    cd /opt/usher/ssl

  3. Back up the existing ThawteRootCa.crt, server.pem, and server.crt files:

    Copy
    cp thawteRootCa.crt thawteRootCa.crt_bak
    cp server.pem server.pem_bak
    cp server.crt server.crt_bak

  4. From the downloaded file in step 1, place the certificate in opt/usher/ssl (only the .pem file is required) as server.pem.

  5. Add the certificate to the Java keystore for both nodes:

    Copy 
    keytool -noprompt -import -trustcacerts -alias collabcert3 -file /opt/usher/ssl/server.pem

  6. Modify config.json by removing entries for CA, crt, and intermediate and only put references to the new .pem file on both nodes.

  7. Restart the Collaboration server.

  8. Add the certificate to trusted.jks for MicroStrategey Library, Web, and Mobile on all nodes after taking the backup:

    Copy
    cp /opt/apache/tomcat/latest/webapps/MicroStrategy/WEB-INF/trusted.jks /opt/apache/tomcat/latest/webapps/MicroStrategy/WEB-INF/trusted.jks.bak
    cp /opt/apache/tomcat/latest/webapps/MicroStrategyLibrary/WEB-INF/trusted.jks /opt/apache/tomcat/latest/webapps/MicroStrategyLibrary/WEB-INF/trusted.jks.bak
    cp /opt/apache/tomcat/latest/webapps/MicroStrategyMobile/WEB-INF/trusted.jks /opt/apache/tomcat/latest/webapps/MicroStrategyMobile/WEB-INF/trusted.jks.bak

    keytool -importcert -trustcacerts -alias "mobilenewcert" -keystore /opt/apache/tomcat/latest/webapps/MicroStrategyMobile/WEB-INF/trusted.jks -storepass mstr123 -file /opt/usher/ssl/server.pem
    keytool -importcert -trustcacerts -alias "webnewcert" -keystore /opt/apache/tomcat/latest/webapps/MicroStrategy/WEB-INF/trusted.jks -storepass mstr123 -file /opt/usher/ssl/server.pem
    keytool -importcert -trustcacerts -alias "librarynewcert" -keystore /opt/apache/tomcat/latest/webapps/MicroStrategyLibrary/WEB-INF/trusted.jks -storepass mstr123 -file /opt/usher/ssl/server.pemr

  9. Restart tomcat. Confirm if Library Admin displays any error and if bookmarks are working in Library.

Configure the Intelligence Server With SSL to Use the New Certificate and Import Certificate Into trusted.jks for Strategy Web, Library, and Mobile

According to KB484336, a new set of SSL standards requires the Intelligence server SSL certificate to include a subjectAlternativeName, or SAN. This was not previously required in MicroStrategy 2019. Thus, the certificate /opt/usher/ssl/server.crt doesn’t work for SSL on MicroStrategy 2020 and later. A new certificate must be generated for the Intelligence Server SSL. You must enable SSL and manually generate a new certificate as described in the following section.

Run all following steps with the mstr user and not root.

  1. Use SSH to access the cloud machine.

  2. Obtain your credentials from your email and log into the VNC service.

  3. In File System, go to /opt/mstr/MicroStrategy/bin.

  4. Launch Configuration Wizard, located in /opt/mstr/MicroStrategy/bin/mstrcfgwiz, using the VNC service.

  5. Choose Configure Intelligence Server and click Next.

  6. From the DSN drop-down, select the current metadata DSN. This was previously created, or check with cat /opt/mstr/MicroStrategy/MSIReg.reg | grep -E 'DSN=|MetadataLogin'.

  7. Enter the mstr username and password and click Next.

  8. Enter the same password for the Administrator user and click Next.

  9. Choose an existing server definition.

    For a parallel or existing environment, you can get the server definition by executing the following:

    Copy 
     /opt/mstr/MicroStrategy/bin/mstrctl -s IntelligenceServer gsic|sed -n '/svrd/p'

  10. Check the project load and port settings and click Next.

    In the case you receive an error stating that a chosen port is invalid or already in use, see KB485344.

  11. For MicroStrategy 2021 and later, SSL must be enabled for environments.

    You can also check if 39321 is used as the SSL port in Web Admin or the /opt/apache/tomcat/latest/webapps/MicroStrategy/WEB-INF/xml/sys_defaults.properties file.

    Select the Configure SSL checkbox and use the certificate and key, as shown below:

    • Certificate: /opt/mstr/MicroStrategy/install/IntelligenceServer/TLS/cert_<HOSTNAME>.customer.cloud.microstrategy.com.pem

    • Key: /opt/mstr/MicroStrategy/install/IntelligenceServer/TLS/pvtKey_<HOSTNAME>.customer.cloud.microstrategy.com.pem

    • Password: mstr123

    • SSL Port: 39321

    1. Deselect the Configure SSL checkbox and click Next.

    2. Complete the configuration.

    3. Restart the configuration. The certificate path is automatically returned.

      • Correct certificate : /opt/mstr/MicroStrategy/install/IntelligenceServer/TLS/cert_<HOSTNAME>.customer.cloud.microstrategy.com.pem

      • Correct Key: /opt/mstr/MicroStrategy/install/IntelligenceServer/TLS/pvtKey_<HOSTNAME>.customer.cloud.microstrategy.com.pem

  12. Select Keep the existing statistics settings and click Next.

  13. Select the Send Intelligence Server telemetry to Platform Analytics checkbox.

  14. Enter <this server IP address>:9092. For cluster nodes, enter the IP address of node1 on both nodes (there must be an odd number of Telemetry servers, so for a 2-node environment, it is just on node1).

  15. Click Next.

  16. Review the summary and click Apply.

    The Intelligence server reconfiguration may take a while. Upon successful reconfiguration, the following window is returned.

  17. Click Finish.

  18. For clustered nodes, repeat on all nodes of the environment.

Import Certificate Into trusted.jks for Strategy Web, Library, and Mobile

Since the certificate has been changed for the Intelligence server SSL, you must import the certificate to trusted.jks for Strategy Web, Library, and Mobile to establish trust between these services and the Intelligence server.

You can check the current webapps folder on the environment to see if there are any custom ones:

Copy 
ls /opt/apache/tomcat/latest/webapps/

  1. Go to each of the following paths. For cluster nodes, perform it on each node and each Web, Library, and Mobile web app.

    • Web: /opt/apache/tomcat/latest/webapps/MicroStrategy*/WEB-INF

    • Library: /opt/apache/tomcat/latest/webapps/MicroStrategyMobile*/WEB-INF

    • Mobile: /opt/apache/tomcat/latest/webapps/MicroStrategyLibrary*/WEB-INF

    For example:

    Copy 
    cd /opt/apache/tomcat/latest/webapps/MicroStrategySTD/WEB-INF

  2. Make a backup of the current certificate:

    Copy 
    cp trusted.jks trusted.jks.bak

  3. Run the following command and type yes when asked if you trust this certificate.

    Copy 
    keytool -importcert -trustcacerts -alias "rootca_new" -keystore trusted.jks -storepass mstr123 -file /opt/mstr/MicroStrategy/install/IntelligenceServer/TLS/cert_env-hostname.mstrci.com.pem

    For example:

    Copy 
    keytool -importcert -trustcacerts -alias "rootca_new" -keystore /opt/apache/tomcat/latest/webapps/MicroStrategy/WEB-INF/trusted.jks -storepass mstr123 -file /opt/mstr/MicroStrategy/install/IntelligenceServer/TLS/cert_*.pem -noprompt

    If trusted.jsk is missing, for example, in the Mobile web app, copy it from MicroStrategy.

    Example

    For a single node and only three default web apps, run the following scripts individually to back up the jks certificate and add it to the keystore:

    Copy 
    cp /opt/apache/tomcat/latest/webapps/MicroStrategy/WEB-INF/trusted.jks /opt/apache/tomcat/latest/webapps/MicroStrategy/WEB-INF/trusted.jks.bak
    cp /opt/apache/tomcat/latest/webapps/MicroStrategyLibrary/WEB-INF/trusted.jks /opt/apache/tomcat/latest/webapps/MicroStrategyLibrary/WEB-INF/trusted.jks.bak
    cp /opt/apache/tomcat/latest/webapps/MicroStrategyMobile/WEB-INF/trusted.jks /opt/apache/tomcat/latest/webapps/MicroStrategyMobile/WEB-INF/trusted.jks.bak

    keytool -importcert -trustcacerts -alias "rootca_new" -keystore /opt/apache/tomcat/latest/webapps/MicroStrategy/WEB-INF/trusted.jks -storepass mstr123 -file /opt/mstr/MicroStrategy/install/IntelligenceServer/TLS/cert_*.pem -noprompt
    keytool -importcert -trustcacerts -alias "rootca_new" -keystore /opt/apache/tomcat/latest/webapps/MicroStrategyLibrary/WEB-INF/trusted.jks -storepass mstr123 -file /opt/mstr/MicroStrategy/install/IntelligenceServer/TLS/cert_*.pem -noprompt
    keytool -importcert -trustcacerts -alias "rootca_new" -keystore /opt/apache/tomcat/latest/webapps/MicroStrategyMobile/WEB-INF/trusted.jks -storepass mstr123 -file /opt/mstr/MicroStrategy/install/IntelligenceServer/TLS/cert_*.pem -noprompt

    Node 1

    Copy 
    keytool -importcert -trustcacerts -alias "rootca_1" -keystore trusted.jks -storepass mstr123 -file /opt/mstr/MicroStrategy/install/IntelligenceServer/TLS/cert_<HOSTNAME>.customer.cloud.microstrategy.com.pem

    Node 2

    Copy 
    keytool -importcert -trustcacerts -alias "rootca_2" -keystore trusted.jks -storepass mstr123 -file /opt/mstr/MicroStrategy/install/IntelligenceServer/TLS/cert_<HOSTNAME>.customer.cloud.microstrategy.com.pem

    cert_<HOSTNAME>.customer.cloud.microstrategy.com.pem is the certificate created when the Intelligence server was configured.

  4. Restart tomcat on each node:

    Copy
    service mstr tomcatrestart

  5. Restart the Modeling service on each node:

    Copy
    /opt/mstr/MicroStrategy/install/ModelingService/bin/modelservice.sh restart