By default, the IoT FND OVA comes bundled with keys and certificates, which are stored in a keystore. The default values are:
- On the IoT FND OVA Linux host:
  Keystore location: /opt/fnd/data/
  Keystore name: cgms_keystore.selfsigned
- In the IoT FND container:
  Keystore location: /opt/cgms/server/cgms/conf/
  Keystore name: cgms_keystore
- Default password: Public123!
Important
- This is the default password for both of the files mentioned above.
- Both files have the same content.
- When the IoT FND container is restarted, the contents of the /opt/cgms/server/cgms/conf/cgms_keystore file in the IoT FND container are overwritten by the /opt/fnd/data/cgms_keystore file from the host. If /opt/fnd/data/cgms_keystore is not present on the host, /opt/fnd/data/cgms_keystore.selfsigned is used instead.
When the IoT FND OVA is a new installation, each certificate/key entry in the keystore is referenced by an alias name. The default aliases are:
- cisco_sudi (Cisco root CA certificate with 2029 expiry)
- jmarconi (Cisco certificate)
- cgms (self-signed certificate used by IoT FND when communicating with the devices it manages)
Note
This keystore is specific to the certificates used for IoT FND communication with its managed devices. A different keystore is used for the web certificate.
Custom cgms_keystore
By default, the cgms entry in the /opt/cgms/server/cgms/conf/cgms_keystore file in the IoT FND container and in the /opt/fnd/data/cgms_keystore.selfsigned file on the Linux host holds the self-signed certificate of IoT FND. There are two options to build a custom cgms_keystore in the /opt/fnd/data location on the Linux host, into which the IoT FND certificate issued by the customer organisation can be imported and stored: either copy the existing /opt/fnd/data/cgms_keystore.selfsigned file on the Linux host, or build it from scratch. Once the cgms_keystore file is present on the Linux host, so that both /opt/fnd/data/cgms_keystore.selfsigned and /opt/fnd/data/cgms_keystore exist, /opt/fnd/data/cgms_keystore takes precedence.
Note
NTP is a mandatory requirement for Public Key Infrastructure, so time must be in sync between the issuing Certificate Authority (CA) server, IoT FND, TPS, and the FAR/HER. If the hostname or IP address of the IoT FND host has to be changed, it must be changed before the certificate for IoT FND is issued, and therefore before starting to build cgms_keystore. The SAN field in the IoT FND certificate is mandatory and contains the hostname of the IoT FND server. If the hostname changes, or the IP address changes while it is also listed in the SAN field, the certificate must be reissued. Depending on the PnP type used, the SAN field contains the hostname of IoT FND, its IP address, or both.
The cgms_keystore must contain the following mandatory certificates/keys:
- Issuing CA certificate of the organisation – the certificate of the organisation's issuing CA server. The issuing CA server can be a root CA or an intermediate CA. If it is an intermediate CA, it is recommended to import both the root CA and the intermediate CA certificates into the keystore.
- IoT FND device certificate – the certificate issued for IoT FND by the issuing CA server.
- Cisco SUDI with 2029 expiry date – the Cisco manufacturer certificate for IoT FND issued by Cisco, expiring in 2029.
- Cisco SUDI with 2099 expiry date – the Cisco manufacturer certificate for IoT FND issued by Cisco, expiring in 2099.
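The following script is an added example and is not part of the Cisco IoT FND documentation or the product. It checks the host-side keystore that the container will pick up on its next restart: it applies the precedence rule from the "Custom cgms_keystore" section (cgms_keystore wins over cgms_keystore.selfsigned), lists the entries with keytool, and verifies that the mandatory entries listed above are present. The aliases cgms and cisco_sudi come from the documentation; the aliases issuing_ca and cisco_sudi2099 are placeholders assumed here, since the documentation does not fix alias names for the issuing CA and the 2099 SUDI certificate. The sample keytool listing embedded at the end is constructed so the parsing and checking functions can run without a real keystore; the live functions need the JDK keytool and, for the SAN check, OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not Cisco's code). Verify the host-side cgms_keystore the
# IoT FND container will load on restart.
# Assumed placeholder aliases: issuing_ca, cisco_sudi2099.

# Precedence rule from the documentation: cgms_keystore is used when present,
# otherwise cgms_keystore.selfsigned. Prints the chosen path; returns 1 if neither exists.
resolve_host_keystore() {
    dir="${1:-/opt/fnd/data}"
    if [ -f "$dir/cgms_keystore" ]; then
        printf '%s\n' "$dir/cgms_keystore"
    elif [ -f "$dir/cgms_keystore.selfsigned" ]; then
        printf '%s\n' "$dir/cgms_keystore.selfsigned"
    else
        return 1
    fi
}

# Turn a `keytool -list` listing (stdin) into "alias entrytype" lines.
# Entry lines look like: "cgms, Jan 5, 2024, PrivateKeyEntry,"
parse_keytool_list() {
    awk -F', ' '/, (PrivateKeyEntry|trustedCertEntry),/ {
        sub(/,$/, "", $NF); print $1, $NF }'
}

# Read "alias entrytype" lines on stdin and require every alias:type argument.
# Missing entries go to stderr; the return code is the number missing.
check_required_entries() {
    listing=$(cat)
    missing=0
    for req in "$@"; do
        alias="${req%%:*}"; type="${req#*:}"
        if ! printf '%s\n' "$listing" | grep -qxF "$alias $type"; then
            echo "missing: $alias ($type)" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Live check of a real keystore (needs keytool); password defaults to the documented one.
check_keystore_file() {
    ks="$1"; pass="${2:-Public123!}"
    keytool -list -keystore "$ks" -storepass "$pass" | parse_keytool_list |
        check_required_entries cgms:PrivateKeyEntry cisco_sudi:trustedCertEntry \
            cisco_sudi2099:trustedCertEntry issuing_ca:trustedCertEntry
}

# Show the SAN of the cgms entry so the hostname/IP requirement from the note
# can be confirmed before the keystore is put in place (keytool + OpenSSL >= 1.1.1).
show_cgms_san() {
    ks="$1"; pass="${2:-Public123!}"
    keytool -exportcert -rfc -alias cgms -keystore "$ks" -storepass "$pass" |
        openssl x509 -noout -ext subjectAltName
}

# --- Demonstration on constructed input (no keytool or real keystore needed) ---
demo_dir=$(mktemp -d)
: > "$demo_dir/cgms_keystore.selfsigned"   # only the bundled self-signed file present
resolve_host_keystore "$demo_dir"          # prints .../cgms_keystore.selfsigned
: > "$demo_dir/cgms_keystore"              # a custom keystore has been added
resolve_host_keystore "$demo_dir"          # prints .../cgms_keystore
rm -rf "$demo_dir"

# Constructed listing of a keystore that still lacks the 2099 SUDI certificate.
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

cgms, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB
cisco_sudi, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): CC:DD
issuing_ca, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): EE:FF'

printf '%s\n' "$SAMPLE_LISTING" | parse_keytool_list | check_required_entries \
    cgms:PrivateKeyEntry cisco_sudi:trustedCertEntry \
    cisco_sudi2099:trustedCertEntry issuing_ca:trustedCertEntry \
    || echo "keystore incomplete: $? entry/entries missing"
```

On a real host, run `check_keystore_file /opt/fnd/data/cgms_keystore` after building the keystore and before restarting the container; a non-zero exit means the container would come up without one of the mandatory entries. `show_cgms_san` is the quick way to confirm that the hostname (and IP address, where the PnP type needs it) in the issued certificate matches the host before the keystore is copied into place.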
The option below shows how to build the cgms_keystore file from scratch so that it contains the required certificates and keys.