(DP) Support Tip: Regenerating Certificates in a Cluster Environment

over 2 years ago

Topic
Regenerating Certificates in a Cluster Environment

Response
Use the following steps to regenerate the certificates that are required for communication between the Application Server and the Data Protector GUI.
You may use these steps to regenerate certificates in the following scenarios:

- The hostname is not an FQDN (short name)
- Certificates have been updated or removed
- Certificates have expired
- While troubleshooting the Data Protector upgrade process
- The server name has been updated


Steps

1. Log in to the active node of the cluster (e.g. Node 1).
2. Regenerate the certificate by following the steps below:
2.1. Copy the KeystorePassword value from the webservice.properties configuration file.
The configuration file is located at /etc/opt/omni/client/components/webservice.properties.
2.2. Rename the cacerts file located in the folder /opt/omni/jre/lib/security.
2.3. Rename the ascert.crt file located in the folder /etc/opt/omni/server/AppServer.
2.4. Rename the server.keystore and server.truststore files located in the folder /etc/opt/omni/server/certificates/server.
2.5. Rename the client.keystore and client.truststore files located in the folder /etc/opt/omni/server/certificates/client.
2.6. Open a command prompt and run the following command:
/opt/omni/bin/perl /opt/omni/sbin/omnigencert.pl -server_id virtual_hostname -server_san dns:virtual_hostname,dns:node1_hostname,dns:node2_hostname -user_id hpdp -store_password KeystorePassword
3. Run the following command to export the certificate:
Note: If the command cannot be entered because of the command-line character limit, create a script file to execute the command.
/opt/omni/jre/bin/keytool -noprompt -exportcert -alias "cn=ca virtual_hostname, o=micro focus, st=md, c=us" -file "/etc/opt/omni/server/AppServer/ascert.crt" -keystore "/etc/opt/omni/server/certificates/server/server.keystore" -storepass KeystorePassword
4. Run the following command to remove an old alias:
/opt/omni/jre/bin/keytool -noprompt -delete -alias "cn=ca virtual_hostname, o=micro focus, st=md, c=us" -keystore "/opt/omni/jre/lib/security/cacerts" -storepass changeit
5. Run the following command to import the certificate:
/opt/omni/jre/bin/keytool -noprompt -import -alias "cn=ca virtual_hostname, o=micro focus, st=md, c=us" -file "/etc/opt/omni/server/AppServer/ascert.crt" -keystore "/opt/omni/jre/lib/security/cacerts" -storepass changeit
Note: The store password for this file really is "changeit".
6. Restart the Data Protector services (e.g. cmhaltpkg and cmrunpkg).
7. Confirm that the DP GUI can connect to the CM and that all content is displayed without any error.
8. Disconnect the DP GUI and move the DP package to the other node (fail over to Node 2).
9. Log in to Node 2 (which is now the active node of the cluster).
10. Run the following command to export the certificate:
Note: If the command cannot be entered because of the command-line character limit, create a script file to execute the command.
/opt/omni/jre/bin/keytool -noprompt -exportcert -alias "cn=ca virtual_hostname, o=micro focus, st=md, c=us" -file "/etc/opt/omni/server/AppServer/ascert.crt" -keystore "/etc/opt/omni/server/certificates/server/server.keystore" -storepass KeystorePassword
11. Run the following command to remove an old alias:
/opt/omni/jre/bin/keytool -noprompt -delete -alias "cn=ca virtual_hostname, o=micro focus, st=md, c=us" -keystore "/opt/omni/jre/lib/security/cacerts" -storepass changeit
12. Run the following command to import the certificate:
/opt/omni/jre/bin/keytool -noprompt -import -alias "cn=ca virtual_hostname, o=micro focus, st=md, c=us" -file "/etc/opt/omni/server/AppServer/ascert.crt" -keystore "/opt/omni/jre/lib/security/cacerts" -storepass changeit
13. Restart the Data Protector services (e.g. cmhaltpkg and cmrunpkg).
14. Confirm that the DP GUI can connect to the CM (the DP package is now running on Node 2) and that all content is displayed without any error.
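
An added check, not part of the original tip and not vendor code: after the import step on each node (steps 5 and 12), this script compares the SHA-256 fingerprint of the CA certificate in server.keystore with the copy trusted in cacerts. The KS_PASS environment variable, the function names and the sample listing are assumptions of this example; the alias keeps the virtual_hostname placeholder used in the steps.

```shell
#!/bin/sh
# Added example (not vendor code): confirm that the CA certificate trusted in
# cacerts is the one currently in server.keystore. Run on each node.
KEYTOOL=/opt/omni/jre/bin/keytool
ALIAS="cn=ca virtual_hostname, o=micro focus, st=md, c=us"  # placeholder, as in the steps
SERVER_KS=/etc/opt/omni/server/certificates/server/server.keystore
CACERTS=/opt/omni/jre/lib/security/cacerts

# Print the first SHA256 fingerprint found in `keytool -list -v` output (stdin).
# For a key entry this is Certificate[1], the one -exportcert writes out.
sha256_of() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' | head -n 1
}

# Return 0 if both fingerprints match, 1 if they differ, 2 if either is empty.
compare_fp() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Constructed sample of keytool output, used when keytool is not installed.
sample_listing() {
    printf '%s\n' "Alias name: $ALIAS" 'Entry type: trustedCertEntry' \
        'Certificate fingerprints:' '     SHA1: 00:11:22:33' \
        "     SHA256: $1" 'Signature algorithm name: SHA256withRSA'
}

verify_node() {
    # KS_PASS must be exported; -storepass:env keeps it out of the process list.
    [ -n "${KS_PASS:-}" ] || { echo "export KS_PASS (KeystorePassword) first" >&2; return 2; }
    ks=$("$KEYTOOL" -list -v -alias "$ALIAS" -keystore "$SERVER_KS" -storepass:env KS_PASS | sha256_of)
    ca=$("$KEYTOOL" -list -v -alias "$ALIAS" -keystore "$CACERTS" -storepass changeit | sha256_of)
    compare_fp "$ks" "$ca"
    case $? in
        0) echo "OK: cacerts trusts the current CA certificate ($ks)" ;;
        1) echo "MISMATCH: cacerts holds a different certificate; repeat the delete and import steps"; return 1 ;;
        *) echo "MISSING: alias not found in server.keystore or cacerts"; return 2 ;;
    esac
}

if [ -x "$KEYTOOL" ]; then
    verify_node
else
    # No keytool here: demonstrate on the constructed sample instead.
    compare_fp "$(sample_listing AA:BB | sha256_of)" "aa:bb" && echo "demo: fingerprints match"
fi
```

A MISMATCH on the second node after failover means its cacerts still holds the previous CA certificate, which is the state steps 10 to 12 are meant to correct.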
