UCMDB Support Tip: Certificates For Multiple Servers

Scenario: Architecture:

2 UCMDB servers, 2 probe servers and an F5 Load balancer.



1. Does one install the same certificate onto both UCMDB servers?

2. When exporting the UCMDB certificate to import into the probe's HPProbeTrustStore.jks, does one import the same certificate to both probes?

3. When looking to do two-way authentication, does one export both of the probe certificates and install them into both CMDB trust stores (server.truststore)?

4. To enable cluster authentication between both CMDB servers, does one need a separate certificate, or will the certificate from point 1 suffice?



1. No, each certificate has its own common name (CN). In the case of certificates for TLS, the CN must be the FQDN. Therefore, two certificates are required for two UCMDB servers.

2. Because two certificates are required for the two UCMDB servers, it is necessary to import both of those certificates into the probe's trust store. It is important to remember to import the public keys of the two certificates.

3. As the Hardening Guide states … have to create a new client key store on each probe. This client certificate has to be imported into each of the UCMDB trust stores.

4. For cluster authentication, all UCMDB instances inside the cluster use the same cluster key store, which means the same public and private key of the certificate. Therefore, one should create a new certificate according to the Hardening Guide or request a signed certificate from the customer. The configuration of the load balancer is important.

The load balancer might need a certificate as well, and it needs to trust all certificates from all UCMDB instances (as well as the probes). The probes also need the certificate of the load balancer in their trust store.
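
The trust relationships from the answers above can be checked mechanically. The following is an added example, not part of the original tip or the Hardening Guide: it assumes constructed host names, certificate file names and trust store contents (as one would collect with `keytool -list`), reads answer 2 as applying to each probe, and reports which imports are still missing.

```python
# Added example. Host names, aliases and .cer file names are constructed placeholders.
SERVERS = ["ucmdb1.example.com", "ucmdb2.example.com"]
PROBES = ["probe1.example.com", "probe2.example.com"]
LB = "ucmdb-lb.example.com"

def required_trust(servers, probes, lb=None):
    """Map each trust store owner to the certificates it must trust."""
    extra = {lb} if lb else set()
    req = {p: set(servers) | extra for p in probes}   # answer 2 + load balancer cert
    req.update({s: set(probes) for s in servers})     # answer 3: two-way authentication
    if lb:
        req[lb] = set(servers) | set(probes)          # load balancer trusts all of them
    return req

def missing_imports(required, installed):
    """Return sorted (owner, missing certificate) pairs."""
    return sorted((owner, cert)
                  for owner, needed in required.items()
                  for cert in needed - installed.get(owner, set()))

def keytool_commands(gaps, store_files):
    """Build keytool import commands, to be run on the owning host.
    Owners without a Java trust store (the load balancer) are skipped."""
    return [f"keytool -importcert -alias {cert} -file {cert}.cer "
            f"-keystore {store_files[owner]}"
            for owner, cert in gaps if owner in store_files]

# Constructed inventory: the second probe and second server were set up
# with only one certificate each, the mistake questions 1 to 3 ask about.
INSTALLED = {
    "probe1.example.com": {"ucmdb1.example.com", "ucmdb2.example.com", LB},
    "probe2.example.com": {"ucmdb1.example.com"},
    "ucmdb1.example.com": {"probe1.example.com", "probe2.example.com"},
    "ucmdb2.example.com": {"probe1.example.com"},
    LB: set(SERVERS) | set(PROBES),
}
# Trust store file names as given in the questions above.
STORES = {**{p: "HPProbeTrustStore.jks" for p in PROBES},
          **{s: "server.truststore" for s in SERVERS}}

if __name__ == "__main__":
    gaps = missing_imports(required_trust(SERVERS, PROBES, LB), INSTALLED)
    for owner, cert in gaps:
        print(f"{owner}: missing {cert}")
    for cmd in keytool_commands(gaps, STORES):
        print(cmd)
```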

