EOL of C++ SSL Certificate Plugins: How to remove deprecated plugins for SSL certificate management
Original Publishing Date:
2021-04-15
Introduction
Starting from CloudBlue Commerce 21.0, all SSL certificate plugins that used older technology developed in C++ are discontinued, as well as the certificate gateways (Certgate):
- eNom
- OpenSRS
- The SSL Store
- GlobalSign
A billing pre-check called "21-00-eol-ssl-certificates-pre-check.py" was added to prevent upgrading to CloudBlue 21.0 if any C++ SSL certificate plugins are active.
Steps to Complete
The main steps are as follows:
Phase 1: Create a backup of the Billing database.
Phase 2: Collect information about the objects that must be archived.
Phase 3: Clean up your installation of CloudBlue Commerce from the discontinued C++ SSL certificate gateways and plugins.
Phase 1
1.1. Create a full backup of the Billing database.
1.2. Create a separate backup of the following Billing database tables that will be affected:
Generic:
- "Cert"
- "CertArc"
- "CertPlugin"
- "CertPluginArc"
- "CertPluginTemplate"
- "CertPluginTemplateArc"
- "CertProduct"
- "CertProductArc"
- "CertSetup"
- "CertSetupArc"
- "CertST"
- "CertSTArc"
- "Task"
- "TaskHandler"
- "Scheduler"
- "AEvent"
- "AEventKind"
- "DBContainers"
- "RegisteredServer"
- "ServiceGate"
- "Method"
- "VendorDefaultConfig"
Plugin-specific:
- "CertEnomCert"
- "CertEnomCertArc"
- "CertEnomConf"
- "CertOpenSRSConf"
- "OpenSRSCert"
- "OpenSRSCertArc"
- "OpenSRSCertProduct"
- "OpenSRSCertProductArc"
- "CertGlobalSignConf"
- "GlobalSignCert"
- "GlobalSignCertArc"
- "GlobalSignCertProduct"
- "CertSSLStoreConf"
- "SSLStoreCert"
- "SSLStoreCertArc"
- "SSLStoreCertProduct"
Phase 2
2.1 Download the clean-up tool to the CloudBlue management node (MN) and extract its contents.
Make sure you have the latest version of the tool. The version number is specified in the archive name and in the VERSION file inside the tool archive.
2.2 Create a report with detailed information about all SSL certificates in Billing, including Billing subscription ID, certificate name, Certificate Signing Request (CSR), Private Key, Customer ID, Name, and all other details. Be sure to download the report from the CloudBlue management node to a protected storage and delete it from the management node. This report will help providers to recover SSL certificate data if a customer requests it. To generate the report, run the tool:
#
# python clean-up-cpp-cert-gate.py export-cert-data | tee export-cert-data.log
An example of output:
[2021-11-25 13:49:04,361] [INFO]: The cleanup tool for C++ SSL Certificates in Billing was started: clean-up-cpp-cert-gate.py 'export-cert-data'.
[2021-11-25 13:49:04,394] [INFO]: Exporting information about C++ SSL Certificates from Billing DB started
[2021-11-25 13:49:04,407] [INFO]:
File '/root/clean-up-hosting-module/decrypted_certs_data_1637837344.csv' created.
!!! Important !!!
Make sure the file is secured and not available for non-authorized access because it contains sensitive data.
[2021-11-25 13:49:04,407] [INFO]: Information about C++ SSL certificates was successfully exported to the file 'decrypted_certs_data_1637837344.csv
[2021-11-25 13:49:04,408] [INFO]: Operation has been successfully finished. See more details in the log file 'clean-up-cpp-cert-gate.log'.
Note: This command only exports information about SSL certificates registered through C++ SSL certificate plugins in Billing.
Data related to SSL certificates in OSS is not exported and is not affected by the cleaning process described in this article.
2.3 Collect information about all objects related to the deprecated C++ SSL certificates in Billing that must be removed before upgrading CloudBlue from 20.5 to 21. Run the tool:
#
# python clean-up-cpp-cert-gate.py show-objects | tee show-objects.log
An example of output:
[2021-11-25 14:06:20,102] [INFO]: The cleanup tool for C++ SSL Certificates in Billing was started: clean-up-cpp-cert-gate.py 'show-objects'.
[2021-11-25 14:06:20,111] [INFO]:
Found the following subscriptions related to the deprecated C++ SSL certificates module:
[2021-11-25 14:06:20,112] [INFO]: The vendor "Root Inc" (ID #1) has the following SSL certificate subscriptions in Billing module based on deprecated C++ SSL certificate plug-ins:
[2021-11-25 14:06:20,112] [INFO]: Subscription ID #1000001 ("ENOM SSL Certificate - RapidSSL hddlklkenccv.com") Certificate "hddlklkenccv.com" (ID #1) Customer "Customer 1" (ID #1000001)
[2021-11-25 14:06:20,112] [INFO]: Subscription ID #1000002 ("OpenSRS Comodo SSL Certificate lleerrhjhnssww.com") Certificate "lleerrhjhnssww.com" (ID #2) Customer "Customer 1" (ID #1000001)
[2021-11-25 14:06:20,112] [INFO]: Subscription ID #1000003 ("SSLStore RapidSSL Certificate mmerrfklsdbb.com") Certificate "mmerrfklsdbb.com" (ID #3) Customer "Customer 1" (ID #1000001)
[2021-11-25 14:06:20,112] [INFO]: Subscription ID #1000004 ("GlobalSign AlphaSSL Certificate fbnsfeeeqnbn.com") Certificate "fbnsfeeeqnbn.com" (ID #4) Customer "Customer 1" (ID #1000001)
[2021-11-25 14:06:20,112] [INFO]: Subscription ID #1000005 ("ENOM SSL Certificate - RapidSSL deprovis-ertguybdfn.com") Certificate "ertguybdfn.com" (ID #5) Customer "Customer 1" (ID #1000001)
[2021-11-25 14:06:20,114] [INFO]:
Found the following Service Plans related to the deprecated C++ SSL certificate module:
[2021-11-25 14:06:20,114] [INFO]: Service Plan ID 4, Name: "en ENOM SSL Certificate - RapidSSL " (Vendor ID #1 "Root Inc")
[2021-11-25 14:06:20,115] [INFO]: Service Plan ID 5, Name: "en OpenSRS Comodo SSL Certificate " (Vendor ID #1 "Root Inc")
[2021-11-25 14:06:20,115] [INFO]: Service Plan ID 6, Name: "en SSLStore RapidSSL Certificate " (Vendor ID #1 "Root Inc")
[2021-11-25 14:06:20,115] [INFO]: Service Plan ID 7, Name: "en GlobalSign AlphaSSL Certificate " (Vendor ID #1 "Root Inc")
[2021-11-25 14:06:20,116] [INFO]:
Found the following Service Templates related to the deprecated C++ SSL certificate module:
[2021-11-25 14:06:20,116] [INFO]: Service Template ID 1000004, Name: "en ENOM SSL Certificate - RapidSSL " (Vendor ID #1 "Root Inc")
[2021-11-25 14:06:20,116] [INFO]: Service Template ID 1000005, Name: "en OpenSRS Comodo SSL Certificate " (Vendor ID #1 "Root Inc")
[2021-11-25 14:06:20,116] [INFO]: Service Template ID 1000006, Name: "en SSLStore RapidSSL Certificate " (Vendor ID #1 "Root Inc")
[2021-11-25 14:06:20,116] [INFO]: Service Template ID 1000007, Name: "en GlobalSign AlphaSSL Certificate " (Vendor ID #1 "Root Inc")
[2021-11-25 14:06:20,117] [INFO]:
Found the following plug-ins related to deprecated C++ SSL certificates module:
[2021-11-25 14:06:20,117] [INFO]: Plug-in ID 1, Name: "eNom" (Vendor ID #1 "Root Inc")
[2021-11-25 14:06:20,118] [INFO]: Plug-in ID 2, Name: "OpenSRS" (Vendor ID #1 "Root Inc")
[2021-11-25 14:06:20,118] [INFO]: Plug-in ID 3, Name: "The SSL Store" (Vendor ID #1 "Root Inc")
[2021-11-25 14:06:20,118] [INFO]: Plug-in ID 4, Name: "GlobalSign" (Vendor ID #1 "Root Inc")
[2021-11-25 14:06:20,118] [INFO]:
[2021-11-25 14:06:20,125] [INFO]: The BSS DB table "CertPluginTemplate" contains row(s) related to deprecated CERTGATE and/or its plug-ins
[2021-11-25 14:06:20,128] [INFO]: The BSS DB table "DBContainers" contains row(s) related to deprecated CERTGATE and/or its plug-ins
[2021-11-25 14:06:20,135] [INFO]: The BSS DB table "RegisteredServer" contains row(s) related to deprecated CERTGATE and/or its plug-ins
[2021-11-25 14:06:20,135] [INFO]: The BSS DB table "ServiceGate" contains row(s) related to deprecated CERTGATE and/or its plug-ins
[2021-11-25 14:06:20,191] [INFO]: The BSS DB table "Method" contains row(s) related to deprecated CERTGATE and/or its plug-ins
[2021-11-25 14:06:20,198] [INFO]: The BSS DB table "VendorDefaultConfig" contains row(s) related to deprecated CERTGATE and/or its plug-ins
[2021-11-25 14:06:20,336] [INFO]: Found the file '/usr/local/bm/conf/wnd/BM/customization.CERTGATE' related to deprecated CERTGATE and/or its plug-ins on PBAAPPL node
[2021-11-25 14:06:20,471] [INFO]: Found the file '/usr/local/bm/etc/ssm.conf.d/.CERTENOM.conf' related to deprecated CERTGATE and/or its plug-ins on PBAAPPL node
[2021-11-25 14:06:20,606] [INFO]: Found the file '/usr/local/bm/etc/ssm.conf.d/.CERTOPENSRS.conf' related to deprecated CERTGATE and/or its plug-ins on PBAAPPL node
[2021-11-25 14:06:20,733] [INFO]: Found the file '/usr/local/bm/etc/ssm.conf.d/.CERTGLOBALSIGN.conf' related to deprecated CERTGATE and/or its plug-ins on PBAAPPL node
[2021-11-25 14:06:20,859] [INFO]: Found the file '/usr/local/bm/etc/ssm.conf.d/.CERTSSLSTORE.conf' related to deprecated CERTGATE and/or its plug-ins on PBAAPPL node
[2021-11-25 14:06:20,988] [INFO]: Found the file '/usr/local/bm/etc/ssm.conf.d/.CERTGATE.conf' related to deprecated CERTGATE and/or its plug-ins on PBAAPPL node
[2021-11-25 14:06:20,989] [INFO]: Operation has been successfully finished. See more details in the log file 'clean-up-cpp-cert-gate.log'.
2.4 Make sure that the Destroy Service on Cancel option is disabled for all BSS service templates based on Certgate. These are listed in the report that you generated in step 2.3.
Go to Billing > Products > Service Plans > the Service Templates tab > {SSL Certificate Service Template name} and make sure the option Destroy Service on Cancel is set to No.
2.5 Contact the affected customers listed in the report that you generated in step 2.3 and notify them that certificate subscriptions are no longer supported and will be archived. Providers should recommend that customers back up their certificates and let users take some to time to back up, before all certificate subscriptions are archived. Although, this is not mandatory. Note that even after archiving in CloudBlue, all already issued certificates will be active and will keep working until their expiration date, and customers' services will not be affected by the Certgate end-of-life. Optionally, providers can cancel certificate subscriptions with a refund, although this is not mandatory because canceled certificate subscriptions will be archived as well.
Phase 3
Use the clean-up tool to remove all data associated with the discontinued C++ SSL certificate gateways and plugins. Make sure you have the latest version of the tool. The version is specified in the archive name and in the VERSION file inside the tool archive.
Important: You must complete all the outlined steps in the specified order. Complete every step of phase 3 before proceeding to the next step.
3.1 Remove all SSL certificates, subscriptions, and orders that are related to the deprecated C++ SSL certificate plugins. Run the tool:
#
# python clean-up-cpp-cert-gate.py clean-certificates | tee clean-certificates.log
If any certificates, subscriptions, or orders cannot be removed or archived by this command, resolve all found issues and re-run the command. For example, orders in the Long Running Operation status cannot be archived and you must wait until all orders are processed and operations related to SSL certificated are completed. You can change the timeout for certificate registration to speed up order processing. To do so, go to Billing > System > Settings > Services > Certificates > the Setup tab and edit the Registration Timeout (minutes) value.
3.2 Archive all documents, service plans, and templates related to the discontinued C++ SSL certificate gateway. Run the tool:
#
# python clean-up-cpp-cert-gate.py clean-service-plans | tee clean-service-plans.log
If any objects cannot be archived by this command, resolve all of the encountered issues and re-run the command. Contact technical support for assistance if you cannot resolve the issues on your own.
3.3 Delete all instances of discontinued C++ SSL certificate plugins using the Provider Panel and Reseller Panel. Go to Billing > System > Settings > Services > Certificates > the Plug-Ins tab, select all plugin instances, and click Delete. You must delete all plugin instances for the provider and resellers. You can find the complete list of plugin instances to be deleted in the report that you generated with a command in step 2.3.
3.4 Delete the discontinued C++ SSL certificate packages from the Billing application node using the Provider Panel. Go to Operations > Infrastructure > Service Nodes > {PBAAPPL node name} > Packages tab and delete the following packages in the following order:
- bm-cert-plugin-certopensrs, bm-cert-plugin-certsslstore, bm-cert-plugin-certenom, bm-cert-plugin-certglobalsign
- bm-certgate
- bm-transport-opensrs
You can use the search panel to find these packages by Name. To delete a package, click the Deinstall icon (red cross) in the Actions column and confirm the deletion.
3.5 Delete the discontinued C++ SSL certificate packages from the package repository by using the Provider Panel. Go to Operations > Infrastructure > Packages > Package Repository > the Packages tab and delete the following packages in any order:
- bm-cert-plugin-certopensrs
- bm-cert-plugin-certsslstore
- bm-cert-plugin-certenom
- bm-cert-plugin-certglobalsign
- bm-certgate
- bm-transport-opensrs
You can use the search panel to find these packages by Name. Select the packages and click Delete to delete them.
3.6 Remove the certificate gateway and plugins. Run the tool:
#
# python clean-up-cpp-cert-gate.py certgate | tee certgate.log
Finally, re-run the tool as described in step 2.3 and make sure there are no more objects related to the discontinued C++ SSL certificate gateway and plugins, which block the upgrade pre-check "21-00-eol-ssl-certificates-pre-check.py".
Internal
Link to the internal JIRA article: https://jira.int.zone/browse/OA-21800 "[EOL] Remove C++ SSL plugins and SDK".
Additional information:
1. Providers can set the "DRY_RUN" variable to True in the "oacleanup/cleanup/cpp_cert_gate.py" script to make the script run in safe mode. In this case, all actions intended by the script will be printed out without actually executing them. This might be useful if you need to double-check before starting the actual cleanup.
2. The values of private keys exported in the report that you generated in step 2.2 are encrypted. To decrypt them, see the internal article https://cbportal.freshservice.com/support/solutions/articles/23000091686--only-internal-how-to-decrypt-pbabf-data-from-ba-database