1.7 Configuring SSL for Moab Adaptive HPC

1.7.1 Windows Head Node Setup

In order to use a certificate, you must install it in the computer certificate store and then bind it to the server port with the netsh tool, run from a Windows command prompt with administrator privileges.

1.7.1.1 Installing a Certificate from a Known Authority

If you use a certificate from a known certificate authority, it can be used directly by doing the following:

  1. Open the Certificates MMC Snap-in.

    1. Click on Start, then Run.
    2. Type "mmc" and click OK. The MMC console window will appear.
    3. Click on File, then Add/Remove Snap-in.
    4. Select Certificates, click the Add button, and choose Computer account. Click Next and then Finish. Click OK on the Add or Remove Snap-ins page.

  2. Using the Certificates MMC console, find the certificate (import it first, steps 3 and 4, if it is not already in the store), open it, and click the Details tab.

    1. Copy the Thumbprint value and remove the spaces. This is the certificate hash (the certhash parameter for netsh).

  3. Select the proper folder or store location for the certificate. Right click on it, go to All Tasks, and click Import.

  4. Follow the wizard to import the certificate.

  5. Skip to step 4 of the self-signed certificate procedure below and run the netsh command with the certificate hash you copied from the Details tab.

1.7.1.2 Installing a Self-signed Certificate

Note: In order to run the makecert and certutil commands, you must download and install Windows SDK version 6.1 or later. Use the SDK Command Prompt or CMD Shell to run the tools. To do so, click Start, hover over All Programs, then Microsoft Windows SDK, and click SDK Command Prompt or CMD Shell.

If you generate and use a self-signed certificate, you must do the following:

  1. First, run the following command and enter a password for the private key when prompted. This generates the root certificate authority (CA):
    makecert -n "CN=RootCA" -r -sv RootCA.pvk RootCA.cer
    
    RootCA is a unique, arbitrary name.

  2. Install or import the RootCA.cer certificate into the Trusted Root Authorities certificate store by following the directions above for the Certificates MMC console.

  3. Run the following commands to generate the head node's certificate, signed by the root CA you just created, and display it from the store:
    makecert -sk machinekey -iv RootCA.pvk -n "CN=machine" -ic RootCA.cer -sr localmachine -ss my -sky exchange -pe
    certutil -store my machine
    machinekey is a unique, arbitrary key name, and machine must be the DNS name of the Windows head node as the Linux head node resolves it.

  4. Copy the "Cert Hash(sha1)" value from the certutil output and remove the spaces. This is the certhash parameter for the following netsh command (the hash shown below is only an example; use your own). The appid parameter is specific to MSMHPC and must be copied exactly.
    netsh http add sslcert ipport=0.0.0.0:5345 certhash=8e853e4e2fcdbc70e35f38fb1659c55941d43e9c appid={c7263768-9bba-4efc-b851-07b1ea218b1e}

    Note: The port specified in the above example (5345) must match the configured server port, or SSL will not work correctly. You can confirm the binding afterwards with netsh http show sslcert.

1.7.2 Linux Head Node Setup

Once the certificate is installed and bound correctly on the Windows head node, the setup on the Linux side is minimal. If you use a certificate signed by a public certificate authority (CA) that the Linux host already trusts, it should work on its own. If you use a self-signed certificate or a custom CA, you must install the CA certificate into the certificate store on the Linux head node by doing the following:

  1. Convert the certificate from the DER format that makecert writes (.cer or .crt files) into PEM format using the following command (RootCA.cer is the root CA file generated in step 1 above):
    openssl x509 -in RootCA.cer -inform DER -out RootCA.pem -outform PEM

    Note: The openssl command-line tool is required for SSL configuration.

  2. Copy the RootCA.pem file into the correct location for the Linux distribution.

    Note: The location differs by distribution. On CentOS it is /etc/pki/tls/certs.

  3. In MSMHPC tools, uncomment the lines that set the openssl environment variables (they are in the first block of code) in Moab/MSMHPC.pm:
    # Set to the correct root CA PEM file if using a self-signed certificate
    $ENV{HTTPS_CA_FILE} = 'certs/RootCA.pem';
    $ENV{HTTPS_CA_DIR} = 'certs/';

  4. Verify that the path in $ENV{HTTPS_CA_FILE} points to where you copied RootCA.pem and that $ENV{HTTPS_CA_DIR} points to its directory. A relative path such as certs/ is resolved from the directory the MSMHPC tools run in, so use an absolute path if in doubt. The file name RootCA is arbitrary.
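The Linux-side procedure above, as an added example that is not part of the Moab/MSMHPC documentation: a bash script that converts the DER RootCA.cer written by makecert into PEM, checks that the head node's certificate actually chains to that CA and carries the expected CN before Moab/MSMHPC.pm is pointed at the file, and defines the openssl s_client probe to run against the live head node. Because makecert does not exist on Linux, the script builds a constructed stand-in PKI with openssl (a private RootCA, a certificate for the assumed host name headnode.example, and an unrelated OtherCA for the negative check) so it runs offline. Port 5345 is the page's example port; the s_client probe is defined but not invoked.

```shell
#!/usr/bin/env bash
# Added example (not from the Moab/MSMHPC documentation): convert the DER RootCA.cer
# from makecert to PEM and verify the head node certificate chains to it.
# Requires the openssl command-line tool. The host name headnode.example and the
# stand-in PKI built by make_test_pki are constructed for this example.
set -eu

# Convert a DER certificate (.cer/.crt as written by makecert) to PEM; prints the PEM path.
der_to_pem() {
    local der="$1" pem="$2"
    openssl x509 -in "$der" -inform DER -out "$pem" -outform PEM
    echo "$pem"
}

# Succeed only if the leaf certificate ($2, PEM) chains to the CA ($1, PEM).
verify_chain() {
    local ca_pem="$1" leaf_pem="$2"
    openssl verify -CAfile "$ca_pem" "$leaf_pem" >/dev/null 2>&1
}

# Print the CN from a PEM certificate's subject. For the head node certificate this
# must be the DNS name the Linux head node connects to (the "machine" in makecert).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Constructed stand-in for the makecert output of section 1.7.1.2: a private root CA
# and a head node certificate it signed, with the CA written out in DER exactly as
# makecert leaves RootCA.cer. Also writes an unrelated OtherCA for the negative check.
make_test_pki() {
    local dir="$1" host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=RootCA" \
        -keyout "$dir/RootCA.key" -out "$dir/ca-signer.pem" >/dev/null 2>&1
    openssl x509 -in "$dir/ca-signer.pem" -outform DER -out "$dir/RootCA.cer"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/machine.key" -out "$dir/machine.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$dir/machine.csr" -CA "$dir/ca-signer.pem" \
        -CAkey "$dir/RootCA.key" -CAcreateserial -out "$dir/machine.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=OtherCA" \
        -keyout "$dir/OtherCA.key" -out "$dir/OtherCA.pem" >/dev/null 2>&1
}

# Live check against the real head node (defined, not run here): present the CA file
# and let openssl print "Verify return code: 0 (ok)" or the exact failure reason.
probe_headnode() {
    local host="$1" ca_pem="$2"
    openssl s_client -connect "$host:5345" -servername "$host" -CAfile "$ca_pem" </dev/null
}

# End-to-end run on the constructed PKI: convert, inspect CNs, verify the chain.
main() {
    local dir host ca_pem
    dir=$(mktemp -d)
    host="headnode.example"
    make_test_pki "$dir" "$host"
    ca_pem=$(der_to_pem "$dir/RootCA.cer" "$dir/RootCA.pem")
    echo "CA CN:        $(cert_cn "$ca_pem")"
    echo "head node CN: $(cert_cn "$dir/machine.pem")"
    if verify_chain "$ca_pem" "$dir/machine.pem"; then
        echo "chain OK: set \$ENV{HTTPS_CA_FILE} to the installed copy of RootCA.pem in Moab/MSMHPC.pm"
    else
        echo "chain FAILED: wrong CA file, or the head node certificate was not issued by RootCA" >&2
    fi
    if verify_chain "$dir/OtherCA.pem" "$dir/machine.pem"; then
        echo "unexpected: unrelated CA accepted the head node certificate" >&2
    else
        echo "negative check OK: unrelated CA is rejected"
    fi
    rm -rf "$dir"
}

main
```

Run the script as-is to exercise the constructed PKI; for the real deployment, call der_to_pem on the RootCA.cer copied from the Windows head node, copy the resulting PEM into the distribution's certificate directory, and run probe_headnode with the head node's DNS name and that PEM before editing Moab/MSMHPC.pm.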

1.7.3 Troubleshooting

If you encounter problems using the certificate on the Linux side, uncomment the HTTPS_DEBUG $ENV line in Moab/MSMHPC.pm in MSMHPC tools:

# Use for debugging HTTPS connections (openssl)
#$ENV{HTTPS_DEBUG} = 1;

This makes the openssl layer print the HTTPS handshake and certificate verification steps, so you can see where the connection fails.

Copyright © 2011 Adaptive Computing Enterprises, Inc.®