configuring solace - how to pass via cliscripts the server certificate password

guyiom
guyiom Member Posts: 2

Hello,

I am trying to automate the complete configuration of a solace server (running in a docker env, but I dont think it matters here).
Via the use of cliscript (cli -s cliscript.cli), I can configure many element like passing the CA certificate, ect, but I cannot automate the passing of the server certificate password.
I have tried many things like using EOF in a script, pipe, echoing, ect without luck

Do you know a way to do this ?

PS : I also looked at sempv2 ; here I can also pass some parameters options, but I did not find the documentation on how to pass the server-certificate and its password (here I also was able to pass the CA certificate for ex).

Comments

  • guyiom
    guyiom Member Posts: 2

    I manage to work around the issue by creating a server key pairs without a password

  • MrSmart
    MrSmart Member Posts: 29 ✭✭✭
    edited July 2023 #3
    Sorry for digging up this old thread, but how can I set the server-certificate in an automated way from outside the container?

    I have external storage running:

    docker exec -it solace bash /var/lib/solace/setCertificate.sh

    runs a script in the external storage which contains:
    cli -A -s setCertificate.cli

    but it just opens cli and doesn't run the script.

    When I do this:
    docker exec -it solace bash

    and then manually:
    cli -A -s setCertificate.cli

    it works fine, does somebody have a suggestion on how to configure that variable with a script when the container is already running?


    The main goal here is to be able to renew my certificate file and let solace take it in again/ refresh its configuration. Solace does refresh the certificate this way, but it doesn't work automatically.
  • Tamimi
    Tamimi Member, Administrator, Employee Posts: 538 admin

    Not sure if this will help, but you can pass in certificate file path and the passphrase as environment variables if you are using a docker compose file approach. So something along the lines of

     environment:
          - tls_servercertificate_filepath=noProdServer.pem
          - tls_servercertificate_passphrasefilepath=noProdServer.file
        volumes:
          - ./certs:/run/secrets
    

    where the certs directory has two files

    • noProdServer.pem- the certificate
    • noProdServer.file - the passphrase for the certificate.

    Note that the certificate .pem file will be in the following format

    -----BEGIN ENCRYPTED PRIVATE KEY-----
    <your private key here>
    -----END ENCRYPTED PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    <your certificate here>
    -----END CERTIFICATE-----
    

  • MrSmart
    MrSmart Member Posts: 29 ✭✭✭
    edited July 2023 #5

    Well I have it figured out now. When you call the full path of the cli and then the cli script that's already in place from outside docker, it actually runs.

    docker exec -it solace /usr/sw/loads/currentload/bin/cli -A -s enableConfigSyncSSL.cli

    This is for updating the TLS certificate while solace is running. Not just when launching it for the first time.

  • Tamimi
    Tamimi Member, Administrator, Employee Posts: 538 admin

    Thanks for the sharing your findings!

This Week's Leaders