
Replacing HA Certificates

Updated at: Feb 12, 2020 GMT+08:00


HA certificates are used to encrypt the communication between active/standby processes and high availability processes. Replace the HA certificates on the active and standby management nodes on MRS Manager to ensure product security.

The certificate file and key file can be generated by users.

Impact on the System

The MRS Manager system must be restarted during the replacement. While it restarts, it cannot be accessed and cannot provide services.


Prerequisites

  • You have obtained the root-ca.crt root file and the root-ca.pem key file of the certificate to be replaced.
  • You have prepared a password, for example, Userpwd@123, for accessing the key file.

    The password must meet the following complexity requirements. Otherwise, security risks may be incurred.

    • The password must contain at least eight characters.
    • The password must contain at least four types of the following: uppercase letters, lowercase letters, digits, and special characters ~`!?,.:;-_'(){}[]/<>@#$%^&*+|\=.
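The complexity rules above can be checked before the password is handed to the certificate scripts. The following is an added example, not part of the original guide or of the product's tooling; check_ha_password and HA_SPECIALS are hypothetical names, and it assumes that characters outside the listed set (a space, for instance) do not count as special characters.

```shell
#!/bin/sh
# Added example: pre-check a candidate key-file password against the
# complexity rules listed above. All names here are illustrative.

# Special characters from the rule above (a space is not one of them).
HA_SPECIALS='~`!?,.:;-_'"'"'(){}[]/<>@#$%^&*+|\='

# Exit status: 0 = compliant, 1 = fewer than 8 characters,
# 2 = one or more of the four character types is missing.
check_ha_password() (
    LC_ALL=C    # byte-wise ranges, so [A-Z] cannot match lowercase letters
    pw=$1
    if [ "${#pw}" -lt 8 ]; then
        echo "rejected: fewer than 8 characters" >&2
        exit 1
    fi
    upper=0 lower=0 digit=0 special=0
    rest=$pw
    while [ -n "$rest" ]; do
        tail=${rest#?}
        c=${rest%"$tail"}    # first character of $rest
        rest=$tail
        case $c in
            [A-Z]) upper=1 ;;
            [a-z]) lower=1 ;;
            [0-9]) digit=1 ;;
            *)  # Quoted "$c" is matched literally, so *, [ and \ are safe.
                # Assumption: characters outside the list do not count.
                case $HA_SPECIALS in *"$c"*) special=1 ;; esac ;;
        esac
    done
    missing=
    [ "$upper" -eq 1 ]   || missing="$missing uppercase"
    [ "$lower" -eq 1 ]   || missing="$missing lowercase"
    [ "$digit" -eq 1 ]   || missing="$missing digit"
    [ "$special" -eq 1 ] || missing="$missing special"
    if [ -n "$missing" ]; then
        echo "rejected: missing character type(s):$missing" >&2
        exit 2
    fi
    exit 0
)

# Constructed samples; the first is the example password from this page.
for sample in 'Userpwd@123' 'Userpwd1234' 'Userpwd 123' 'Us@1'; do
    if check_ha_password "$sample"; then echo "accepted"; fi
done
```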


Procedure

  1. Log in to the active management node.
  2. Run the following commands to switch to user omm:

    sudo su - root

    su - omm

  3. Run the following command to generate root-ca.crt and root-ca.pem in the ${OMS_RUN_PATH}/workspace0/ha/local/cert directory:

    sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/ --root-ca --country=country --state=state --city=city --company=company --organize=organize --common-name=commonname --email=Administrator email address --password=password

    For example, run the following command to generate the files:

    sh ${OMS_RUN_PATH}/workspace/ha/module/hacom/script/ --root-ca --country=CN --state=gd --city=sz --company=hw --organize=IT --common-name=HADOOP.COM --password=Userpwd@123

    If the following information is displayed, the command is executed successfully:

    Generate root-ca pair success.

  4. On the active management node, run the following command as user omm to copy root-ca.crt and root-ca.pem to the ${BIGDATA_HOME}/om-0.0.1/security/certHA directory:

    cp -arp ${OMS_RUN_PATH}/workspace0/ha/local/cert/root-ca.* ${BIGDATA_HOME}/om-0.0.1/security/certHA

  5. Copy root-ca.crt and root-ca.pem generated on the active management node to ${BIGDATA_HOME}/om-0.0.1/security/certHA on the standby management node as user omm.

    scp ${BIGDATA_HOME}/om-0.0.1/security/certHA/root-ca.* omm@IP address of the standby management node:${BIGDATA_HOME}/om-0.0.1/security/certHA

  6. Run the following command to generate an HA certificate and perform automatic replacement:

    sh ${BIGDATA_HOME}/om-0.0.1/sbin/

    Enter the password as prompted and press Enter.

    Please input ha ssl cert password:

    If the following information is displayed, the HA certificate is replaced successfully:

    [INFO] Succeed to replace ha ssl cert.

  7. Run the following command to restart OMS:

    sh ${BIGDATA_HOME}/om-0.0.1/sbin/

    The following information is displayed:

    start HA successfully.

  8. Log in to the standby management node and switch to user omm. Repeat steps 6 to 7.

    Run the sh ${BIGDATA_HOME}/om-0.0.1/sbin/ command to check whether HAAllResOK of the management node is Normal. Access the MRS Manager again. If MRS Manager can be accessed, the operation is successful.
