The airgap server CA certificate cannot be edited from the TCA UI while the airgap server is associated with any cluster. This guide describes how to update the TCA Manager Mongo DB directly, as a workaround that unblocks creating new clusters.

Prerequisites

The airgap server has been updated with a new self-signed certificate or a certificate signed by a private root CA.

Note:

If the airgap server is updated with a publicly signed certificate, neither updating the existing cluster nor following the steps in this guide is required.

Procedure

  1. Encode airgap server CA certificate with base64.

    Log in to the airgap server and use the base64 tool to get the base64-encoded string of the CA certificate.

    For the airgap server auto-generated certificate, the CA certificate is located at /root/airgap/certs/ca.crt.

    # base64 <path to the CA certificate> -w 0

    Copy the base64 string from the output. It is one of the inputs to Step 3, Update Mongo DB with the CA certificate base64 string.

  2. Log in to the TCA Manager appliance over SSH with the admin account.
    # ssh admin@<tca manager ip>
  3. Update Mongo DB with the CA certificate base64 string.

    Open the Mongo DB interactive command line and update the CA certificate of the target airgap server.

    [admin@tcam ~]$ mongo hybridity
    MongoDB shell version: 3.2.5
    connecting to: hybridity
    Server has startup warnings:
    2022-09-29T07:28:31.017+0000 I CONTROL  [initandlisten]
    2022-09-29T07:28:31.018+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
    2022-09-29T07:28:31.018+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
    2022-09-29T07:28:31.018+0000 I CONTROL  [initandlisten]
    > db.Extension.find().pretty()
    > db.Extension.update({"name":"<name>"},{$set:{"interfaceInfo.caCert":"<CA base64 content>"}});
    WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })

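    Replace the arguments of the db.Extension.update command with the real airgap server entity name, which appears in the db.Extension.find().pretty() output, and the CA base64 string generated in Step 1, Encode airgap server CA certificate with base64. A WriteResult with nMatched 1 and nModified 1 confirms that exactly one entry was updated.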
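A pre-flight check for Steps 1 and 3, as an added example that is not part of the original guide or of any TCA tooling: it refuses to encode a file that is not a complete PEM certificate, and it confirms that the string you copied still decodes byte-for-byte to the CA file before it is written to the database. The function names are hypothetical, and the CA file is assumed to be PEM-encoded.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not TCA or airgap tooling.

# Constructed placeholder input (not a real certificate) for an offline trial.
make_sample_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBDRVJU' \
        '-----END CERTIFICATE-----' > "$1"
}

# encode_ca_cert <pem-file>: print the single-line base64 string for Step 3.
encode_ca_cert() {
    pem="$1"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # Require complete PEM certificate blocks (matching BEGIN/END markers).
    begin=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    end=$(grep -c -- '-----END CERTIFICATE-----' "$pem" || true)
    if [ "$begin" -lt 1 ] || [ "$begin" -ne "$end" ]; then
        echo "$pem is not a complete PEM certificate" >&2; return 1
    fi
    # Only the CA certificate belongs in the database, never key material.
    if grep -q -- 'PRIVATE KEY-----' "$pem"; then
        echo "$pem contains a private key" >&2; return 1
    fi
    base64 -w 0 "$pem"
}

# verify_ca_b64 <string> <pem-file>: check the copied string before the update.
# Prints the SHA-256 of the decoded bytes when they match the file exactly.
verify_ca_b64() {
    b64="$1"; pem="$2"
    # Line wraps, spaces, or stray quotes from copy/paste are rejected here.
    case "$b64" in
        ''|*[!A-Za-z0-9+/=]*)
            echo "string is empty or not single-line base64" >&2; return 1 ;;
    esac
    want=$(sha256sum < "$pem" | cut -d' ' -f1)
    got=$(printf '%s' "$b64" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ] || { echo "decoded string differs from $pem" >&2; return 1; }
    echo "$got"
}
```

Run encode_ca_cert against the CA file in Step 1, then run verify_ca_b64 with the copied string and the same file before issuing the update in Step 3.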

Results

After reloading the TCA UI, the new CA certificate is populated in the corresponding airgap server setting under Partner System. Users can then create new clusters associated with the airgap server whose CA certificate was updated.