Renew SSL Certificates for NorthStar Web UI

18-Nov-23

NorthStar generates SSL certificates during installation. You can renew or replace these SSL certificates generated during installation with the trusted certificates issued or approved by the information technology department in your organization. This topic describes how to replace the SSL certificates for web processes.

The SSL certificate files cert.pem and key.pem are located at /opt/northstar/web/certs/. Both these certificates are in X.509 format and you must restart the web process after you replace the files.

For internal server communications to happen seamlessly, the servers must have valid security certificates installed. However, these certificates do not affect the web processes, and need to be replaced or renewed only if your security team requires it.

SSL certificates for individual servers are stored in these locations:

  • Health Monitor—/opt/northstar/healthMonitor/certs

  • ES Proxy—/opt/northstar/esauthproxy/certs

  • Web Health—/opt/northstar/web/routes/v1/health/certs

  • SNMP Collection—/opt/northstar/snmp-collector/conf

To replace the SSL certificates for NorthStar web UI:

  1. Establish an SSH connection to the device on which NorthStar is installed.
  2. Navigate to /opt/northstar/web/.

    user@host:~$ cd /opt/northstar/web/
    user@host:~/web$ ls -l
    total 264
    -rwx------.   1 pcs pcs    166 Dec  4  2020 appGlobals.js*
    -rwx------.   1 pcs pcs  46457 Jun  3 11:56 app.js*
    drwx------.   2 pcs pcs     37 Dec  4  2020 certs/
    drwx------.  11 pcs pcs    153 Mar 15 20:07 client/
    ...
    drwx------.   7 pcs pcs   4096 May  7 11:21 test/
    drwx------.   6 pcs pcs   4096 May  7 11:22 thirdparty/
    drwx------.   2 pcs pcs     55 May  7 11:22 util/
    drwx------.   3 pcs pcs     17 Mar 15 20:08 webstart/
    
  3. Locate the folder named certs. The trusted SSL certificates are stored in this folder.
    user@host:~/web$ cd certs/
    user@host:~/web/certs$ ls -l
    total 8
    -rwx------. 1 pcs pcs 1294 Feb 17 07:14 cert.pem*
    -rwx------. 1 pcs pcs 1679 Feb 17 07:14 key.pem*
    
    • cert.pem—Certificate file

    • key.pem—Key used to generate the certificate.

  4. Verify the expiration date of the current SSL certificates.
    user@host:~/web/certs$ openssl x509 -enddate -noout -in cert.pem
    notAfter=Apr 28 12:14:11 2023 GMT
    
  5. Run the following command to view the contents of the certificate file:
    user@host:~/web/certs$ openssl x509  -in cert.pem
  6. Copy the new certificate files and back up the existing certificate files. You can use the backed up certificate files to restore them later in case you face any issue.
    user@host:~/web/certs$ cp cert.pem cert.pem.bak
    user@host:~/web/certs$ cp key.pem key.pem.bak
    
    user@host:~/web/certs$ ls -l
    total 16
    -rwx------. 1 pcs pcs 1294 Feb 17 07:14 cert.pem*
    -rwx------. 1 pcs pcs 1294 Jul  9 11:55 cert.pem.bak*
    -rwx------. 1 pcs pcs 1679 Feb 17 07:14 key.pem*
    -rwx------. 1 pcs pcs 1679 Jul  9 11:55 key.pem.bak*
    Note:

    The names of the certificate files must be cert.pem and key.pem, respectively.

  7. (Optional) Verify the status of the servers and web processes.
    user@host:~/web/certs$ supervisorctl status
    bmp:bmpMonitor                   RUNNING   pid 2492, uptime 42 days, 22:05:18
    collector:worker1                RUNNING   pid 9737, uptime 42 days, 22:02:59
    collector:worker2                RUNNING   pid 9739, uptime 42 days, 22:02:59
    collector:worker3                RUNNING   pid 9738, uptime 42 days, 22:02:59
    collector:worker4                RUNNING   pid 9740, uptime 42 days, 22:02:59
    ...
    web:app                          RUNNING   pid 7769, uptime 29 days, 0:47:11
    web:gui                          RUNNING   pid 6536, uptime 29 days, 1:01:44
    web:notification                 RUNNING   pid 6530, uptime 29 days, 1:01:44
    web:planner                      RUNNING   pid 6529, uptime 29 days, 1:01:44
    web:proxy                        RUNNING   pid 6533, uptime 29 days, 1:01:44
    web:restconf                     RUNNING   pid 6535, uptime 29 days, 1:01:44
    web:resthandler                  RUNNING   pid 6532, uptime 29 days, 1:01:44
    
  8. Restart the web processes for the changes to take effect.
    user@host:~/web/certs$ supervisorctl restart web:*
    web:proxy: stopped
    web:planner: stopped
    web:notification: stopped
    web:resthandler: stopped
    web:gui: stopped
    web:app: stopped
    web:restconf: stopped
    web:planner: started
    web:notification: started
    web:app: started
    web:resthandler: started
    web:proxy: started
    web:restconf: started
    web:gui: started
    user@host:~/web/certs$
    
  9. Verify that the servers and web processes are running after the restart.
    user@host:~/web/certs$ supervisorctl status
    bmp:bmpMonitor                   RUNNING   pid 2492, uptime 42 days, 22:06:10
    collector:worker1                RUNNING   pid 9737, uptime 42 days, 22:03:51
    collector:worker2                RUNNING   pid 9739, uptime 42 days, 22:03:51
    collector:worker3                RUNNING   pid 9738, uptime 42 days, 22:03:51
    collector:worker4                RUNNING   pid 9740, uptime 42 days, 22:03:51
    ...
    web:app                          RUNNING   pid 14383, uptime 0:00:15
    web:gui                          RUNNING   pid 14387, uptime 0:00:15
    web:notification                 RUNNING   pid 14382, uptime 0:00:15
    web:planner                      RUNNING   pid 14381, uptime 0:00:15
    web:proxy                        RUNNING   pid 14385, uptime 0:00:15
    web:restconf                     RUNNING   pid 14386, uptime 0:00:15
    web:resthandler                  RUNNING   pid 14384, uptime 0:00:15
    user@host:~/web/certs$
    

    The certificates have been successfully renewed and web services restarted. You can now verify the certificate information from your web browser.
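
A pre-flight check for the replacement files, as an added example that is not part of the original Juniper procedure: it confirms that the new key.pem belongs to the new cert.pem and that the certificate is not about to expire, before the files are copied into /opt/northstar/web/certs/ and the web processes are restarted. The staging directory (NEW_DIR) and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for a replacement cert.pem/key.pem pair.
# NEW_DIR (a staging directory) and all function names are hypothetical.

# Succeeds only if the certificate's public key equals the one derived
# from the private key, i.e. the two files really belong together.
pair_matches() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid N days from now (default 30).
valid_for_days() {
    local cert="$1" days="${2:-30}"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Runs both checks on a staged pair. Return codes:
#   0 ok, 2 file missing, 3 key/cert mismatch, 4 expiring too soon.
preflight() {
    local dir="$1" days="${2:-30}"
    if [ ! -r "$dir/cert.pem" ] || [ ! -r "$dir/key.pem" ]; then
        echo "missing cert.pem or key.pem in $dir"; return 2
    fi
    if ! pair_matches "$dir/cert.pem" "$dir/key.pem"; then
        echo "key.pem does not match cert.pem"; return 3
    fi
    if ! valid_for_days "$dir/cert.pem" "$days"; then
        echo "cert.pem expires within $days days"; return 4
    fi
    echo "ok: $(openssl x509 -in "$dir/cert.pem" -noout -enddate)"
}

# Typical use after backing up the existing files (step 6):
#   preflight "$NEW_DIR" 30 && \
#     cp "$NEW_DIR"/cert.pem "$NEW_DIR"/key.pem /opt/northstar/web/certs/
```

A mismatched pair or an expired certificate is cheaper to catch here than after `supervisorctl restart web:*`, when the backup files from step 6 would have to be restored.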

Note:

NorthStar overwrites any user-defined certificates during an upgrade. You need to replace the certificates again after an upgrade.
