Reprovision an Ecosystem

FMOS does not provide any tools for removing roles from machines that are already members of an ecosystem. This includes single-server ecosystems, where a single machine holds all FMOS roles.

In some situations, it may be desirable to reprovision an ecosystem where a single server holds both the application server and database roles by separating these roles onto multiple appliances. This procedure can result in data loss, so it is important to ensure the steps below are followed precisely.

The text in the blue boxes is an example only. Do not copy it into your CLI.

The user performing the reprovisioning must be assigned the Backup Operator role.

Step 1: Back up the Database

Before making any changes to the ecosystem, it is imperative that a backup is made on the machine that holds the database role.

  1. Log in to database server.

  2. At the prompt, enter the command: fmos backup

    ~]$ fmos backup
    Backing up system configuration ...                                                                                     ok
    Backing up database ...                                                                                                 ok
    Backing up files ...                                                                                                    ok
    Successfully created backup /var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup
  3. Copy the backup to a remote storage location, such as an SFTP server.

    sftp> cd /home/username
    sftp> put /var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup
    Uploading /var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup to /home/username/fmos-ref8-15_2017-06-23-2030.backup
    /var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup                                  100%  365MB  30.4MB/s   00:12
    sftp> quit

If you encounter a Permission Denied error when attempting to copy the backup to a remote machine, your account does not have the Backup Operator role assigned. See the FMOS Users chapter for details.

  4. Verify that the copy of the backup stored on the remote server is identical to the one stored locally and has not been damaged. Do this by calculating the SHA256 checksum of both files and comparing the results.

    ~]$ sha256sum /var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup
    2abb45c74220534e5407326161cb661d63885c038768ac842b2d76bbe33a5d2c  /var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup
     
    username-d4b .homeshare % sha256sum fmos-ref8-15_2017-06-23-2030.backup
    2abb45c74220534e5407326161cb661d63885c038768ac842b2d76bbe33a5d2c fmos-ref8-15_2017-06-23-2030.backup

Step 2: Back up the Server Certificate

Backing up the server (HTTPS) certificate is required if the machine uses a custom certificate signed by an internal or third-party certificate authority. If the default self-signed certificate is in use, the backup is optional but highly recommended.

  1. Use the fmos pki export-server-cert command to make a copy of the server certificate.

  2. You will need to provide an Export Passphrase.

    $ fmos pki export-server-cert $(hostname -f).pem
    Enter an optional passphrase to encrypt the private key. If no passphrase is given, the private key will not be encrypted.
    Export passphrase:
    Confirm passphrase:
    Successfully exported 2 certificate(s) and 1 private key(s)
  3. Copy the file to a remote storage location and validate its checksum as well.
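Steps 1 and 2 both end with a checksum comparison of the local file and its remote copy. The following shell script is an added example (it is not part of the FMOS documentation or the fmos tooling) that performs that comparison programmatically, so a single transposed hex digit cannot slip past a visual check. It assumes sha256sum is available on both ends and that the remote digest line is obtained out of band, for example by running sha256sum on the SFTP server and pasting its output; the file names and contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the FMOS documentation: compare SHA-256 digests
# of a local backup/certificate export and its remote copy programmatically.
# Assumptions: sha256sum exists on both hosts; the remote digest line is the
# "<hex>  <name>" output of sha256sum, pasted in from the remote session.

# digest_of FILE -> prints the lowercase hex SHA-256 digest of FILE
digest_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_copy LOCAL_FILE REMOTE_DIGEST_LINE
# Returns 0 when the local digest equals the digest in REMOTE_DIGEST_LINE,
# 1 otherwise. Case is normalised so upper-case hex from other tools matches.
verify_copy() {
    local_digest=$(digest_of "$1")
    remote_digest=$(printf '%s\n' "$2" | awk '{print $1}' | tr 'A-F' 'a-f')
    if [ "$local_digest" = "$remote_digest" ]; then
        echo "OK: $1 matches the remote copy ($local_digest)"
        return 0
    fi
    echo "MISMATCH: local $local_digest vs remote $remote_digest for $1" >&2
    return 1
}

# Demo with constructed files standing in for the .backup and .pem exports.
demo() {
    dir=$(mktemp -d)
    printf 'constructed backup payload\n' > "$dir/example.backup"
    good=$(sha256sum "$dir/example.backup")
    # Simulate a damaged remote copy: one byte differs from the original.
    printf 'constructed backup payloaX\n' > "$dir/example-damaged.backup"
    bad=$(sha256sum "$dir/example-damaged.backup")
    verify_copy "$dir/example.backup" "$good"
    verify_copy "$dir/example.backup" "$bad" || echo "refusing to proceed with a damaged copy"
    rm -rf "$dir"
}
demo
```

In practice you would run digest_of on the appliance, run sha256sum on the remote host, and feed the remote line to verify_copy; a non-zero exit is the signal to re-copy the file before continuing with Step 3.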

Step 3: Install FMOS

Once the data and certificate have been backed up, follow the standard procedure for installing FMOS from removable media on both of the new machines. Be sure to use the FQDN of the original server on the machine that will hold the application server role.

On the ecosystem selection screen, choose New Deployment and Database Only for the new database machine and Existing Deployment for the new application server machine.

Step 4: Restore Database Backup

After FMOS has been installed and configured on the new database appliance, the backup needs to be restored.

  1. Copy the file from the remote storage to the local machine.

  2. After it is copied, restore the backup.

  3. At the prompt, enter the command: fmos restore

    sftp> lcd /var/lib/backup/firemon
    sftp> cd /home/username
    sftp> get fmos-ref8-15_2017-06-23-2030.backup
    Fetching /home/username/fmos-ref8-15_2017-06-23-2030.backup to fmos-ref8-15_2017-06-23-2030.backup
    /home/username/fmos-ref8-15_2017-06-23-2030.backup                                             100%  365MB  33.2MB/s   00:11
    sftp> quit
    [firemon@fmos-ref8-15db ~]$ fmos restore /var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup
    Restoring system configuration ...                                                                                      ok
    Restoring database ...                                                                                                  ok
    Restoring files ...                                                                                                     ok
    Successfully restored backup /var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup
    prepare to deploy security manager ...
    ...
    Successfully restored configuration

Step 5: Restore Server Certificate

If the server certificate was backed up, it needs to be imported onto the new application server machine.

  1. Retrieve the backup from the remote storage location.

  2. After it is retrieved, import the backup.

  3. At the prompt, enter the command: fmos pki import-server-cert

  4. Enter the Passphrase used in Step 2.

    ~]$ sftp 
    SECUREPASSAGE\username@email.com's password:
    Connected to fs.securepassage.com.
    sftp> get fmos-ref8-15.development.frmn.pem
    Fetching /home/username/fmos-ref8-15.development.frmn.pem to fmos-ref8-15.development.frmn.pem
    /home/username/fmos-ref8-15.development.frmn.pem                                               100% 7610     7.4KB/s   00:00
    sftp> quit
    The certificate or private key is encrypted. Enter the encryption passphrase to unlock it
    Passphrase:
    Successfully imported server certificate, private key, and 1 intermediate CA certificate(s)
    prepare to deploy security manager
    ...
    Successfully deployed configuration

Step 6: Join Ecosystem as AS

Following the database restore, the new application server can be added to the ecosystem using the fmos ecosystem join command.

  1. At the prompt, enter the command: fmos ecosystem join

  2. Follow the on-screen prompts to complete the process.

     ~]$ fmos ecosystem join 
    The server's certificate is not trusted
    The security certificate presented by the specified server is not trusted. This means that it was issued by a certificate
    authority (CA) that is not recognized by this system. This could mean a man-in-the-middle attack is in progress. To be
    certain that the server is machine you intended to contact, please verify the certificate manually.
    To verify this certificate, connect to the server in question and execute the following command:
    openssl x509 -in /etc/pki/tls/certs/fmos-admin.cer -noout -fingerprint -sha256
    The SHA256 fingerprint of the server's certificate is:
    35:E5:1B:57:B6:AD:42:49:2A:27:CA:CB:18:26:B8:B3:B5:F3:2A:F7:A4:14:CA:E1:A8:BC:CC:F7:8E:20:9B:EF
    Is this correct? [y/N] y
    Enter FMOS authentication credentials for fmos-ref8-15db.development.frmn
    Username: 
    Password:
    Found Server Control Panel v0.3 on fmos-ref8-15db.development.frmn, FMOS 8.15.0
    Which of the available roles shall this machine hold?
    Application Server [y/N] y
    Data Collector [y/N] n
    This machine will hold the following roles:
    * Application Server
    Is this correct? [Y/n]
    Joining ecosystem ...                                                                                                   ok
    prepare to deploy security manager
    ...

If the process fails at “ensure ndexec user exists in secmgr” with an “Unable to authenticate username/password” error, the SIP super user credentials will need to be temporarily reset to their default values (firemon/firemon). Log in to the Administration application, navigate to Access > Users, choose user ID 1, and select Edit from the menu. Set the user name to firemon and the password to firemon and click Save. Finally, return to the FMOS command line and apply the configuration policy by running fmos redeploy.
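The join dialog in Step 6 asks you to confirm the database server's SHA256 certificate fingerprint after computing it with the openssl command the prompt shows. The script below is an added example (not part of the FMOS documentation or tooling) that normalises the two values and lets the shell decide whether they match, which is less error-prone than reading 32 colon-separated bytes by eye. It assumes openssl is installed on the host where fp_from_cert runs; the fingerprint used in the demo is the one shown in the prompt above, and the openssl output lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the FMOS documentation: check the fingerprint
# shown by `fmos ecosystem join` against the one openssl prints on the server.
# Assumptions: openssl is installed where fp_from_cert runs; the expected
# value is pasted verbatim from the join prompt.

# fp_normalize STRING -> lowercase hex with colons removed and any
# "sha256 Fingerprint=" prefix (as printed by openssl) stripped
fp_normalize() {
    printf '%s\n' "$1" | sed 's/^.*[Ff]ingerprint=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# fp_from_cert CERT_FILE -> normalized SHA-256 fingerprint of a certificate,
# using the same openssl invocation the join prompt names
fp_from_cert() {
    fp_normalize "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# fp_match EXPECTED ACTUAL -> 0 if both denote the same 32-byte digest,
# 1 if they differ, 2 if either is not a well-formed SHA-256 fingerprint
fp_match() {
    e=$(fp_normalize "$1")
    a=$(fp_normalize "$2")
    if [ ${#e} -ne 64 ] || [ ${#a} -ne 64 ]; then
        echo "not a SHA-256 fingerprint (expected 64 hex digits)" >&2
        return 2
    fi
    [ "$e" = "$a" ]
}

# Demo: the fingerprint from the join prompt on the page, a constructed
# openssl output line for the same certificate, and one for a different one.
prompt_fp='35:E5:1B:57:B6:AD:42:49:2A:27:CA:CB:18:26:B8:B3:B5:F3:2A:F7:A4:14:CA:E1:A8:BC:CC:F7:8E:20:9B:EF'
openssl_line='sha256 Fingerprint=35:E5:1B:57:B6:AD:42:49:2A:27:CA:CB:18:26:B8:B3:B5:F3:2A:F7:A4:14:CA:E1:A8:BC:CC:F7:8E:20:9B:EF'
other_line='sha256 Fingerprint=36:E5:1B:57:B6:AD:42:49:2A:27:CA:CB:18:26:B8:B3:B5:F3:2A:F7:A4:14:CA:E1:A8:BC:CC:F7:8E:20:9B:EF'
if fp_match "$prompt_fp" "$openssl_line"; then
    echo "fingerprint matches: safe to answer y"
fi
if ! fp_match "$prompt_fp" "$other_line"; then
    echo "fingerprint differs: answer N and investigate before joining"
fi
```

The real check is fp_match "<value from the prompt>" "$(fp_from_cert /etc/pki/tls/certs/fmos-admin.cer)" run on the database server; only answer y to the join prompt when it exits 0.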

Step 7: Distribute Server Certificate to Data Collectors

If the server certificate was not backed up, a new self-signed certificate was generated when the application server joined the ecosystem. This certificate needs to be added to the trust store on all data collector appliances in the ecosystem. To do this:

  1. At the prompt, enter the command: fmos pki export-server-cert --no-key

     ~]$ fmos pki export-server-cert --no-key $(hostname -f).crt
    Successfully exported 1 certificate(s) and 0 private key(s)
  2. Copy the file to each data collector, and then import it using fmos pki import-ca: