Change of IP and Host Name of the Change Guardian Server

Change of IP and Host Name of the Change Guardian Server

Symptoms

When the Host Name and/or IP address of the Change Guardian server is changed, all the existing agents and CAM would fail to communicate and forward events to Change Guardian server.

Even the new Agents deployment also will fail because of the old certificates i.e., already generated certificate with the older Host Name and/or IP Address

Bug 1144949 - 101235341451 : CG Server IP and domain changed all certs are using the wrong information

Diagnosis

The core problem here is CAM and Agents will not have any knowledge about the Change Guardian Server's new Host Name and/or IP Address so they will still try to communicate to the old Host Name and/or IP Address only.

Even after updating the new Host Name and/or IP Address in the CAM's configuration, it will still fail to communicate with the CG Server because all the client certificates are generated with the old Host Name and/or IP Address.

Solution

  • Let the CAM know what is new Host Name and/or IP Address of the CG Server
    • Once CAM starts communicating with the Change Guardian server, reconfiguring the existing agent will fix the problem.
  • Regenerate the client certificates available on CG Server
  • Update the Event Destination in the Policy Editor with the new Host Name or IP Address

Below steps helps to solve the Host Name and/or IP Address change issue

  1. Change Host Name / IP in CAM's configuration file on the Agent Machine
    1. Edit the following files to update the new Host Name and/or IP Address

      • Linux: Edit /etc/nq_cam.cfg file and update "NQCAM_AMS" value
      • Windows: Update the new Host Name or IP Address:

        • "hostLocator" registry key located @ path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NetIQ\ChanageGuardianAGent\IQRM

        • "amsHost" registry key located @ path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NetIQ\ClientAgentManager\

  2. Update /etc/hosts file to reflect the new Host Name and IP Address on the agent machine
  3. Restart CAM
    Windows : Go to Services → Select CAM Service and Restart .
    Linux : /etc/init.d/nq_cam restart
  4. Make sure that CAM is communicating with the new Host Name/IP Address.
    1. CAM's log file should show the following message with the New Host Name or IP Address

      CAM's log
      Linux /usr/netiq/cam/log/nq_cam.log

      Windows C:\ProgramData\NetIQ\ClientAgentManager

      In the log you will see the following message

      "The active root address is now <New_Host_Name/IP>:<Port>"

  5. Log in into Change Guardian Web UI and open Agent Manager UI
    1. Delete Windows and Linux Agent's default configurations
  6. Log in into CG Server machine and Reconfigure CG Server
    1. Execute configure_cg.sh script from /opt/novell/sentinel/setup folder to reconfigure CG Server with the new Host Name and IP Address

      Note

      No need to change anything, just the default values or the existing parameters are fine

  7. Make sure the following files are updated with the new Host Name and/or IP Address
    1. /etc/opt/novell/sentinel/config/cg/server.properties
    2. /opt/netiq/ams/assets/etc/cginfo.properties
  8. Log in into CG Server machine
    1. Change directory to /opt/netiq/cgutils/certs 
    2. Take a backup of the certs folder
    3. Delete ams-cert and javos-cert along with the keys
      1. ams-cert.pem, ams-pk.pem,  ams-pk.pem.pass

      2. javos-cert.pem, javos-pk.pem,  javos-pk.pem.pass

    4. Delete .config_cert_done file also (Note that this file starts with dot)
      NOTE: Please note that this .config_cert_done file is a hidden file
  9. Regenerate the AMS and Javos certificates
    1. Change directory to /opt/netiq/cgutils/bin and execute the following command

      #./cg_cert_setup.sh --setup

      NOTE: Please don't use --force option.
  10. Reconfigure AMS profile

    1. Change directory to /opt/netiq/ams/ams/security/profiles

    2. Take a backup of 'profile_ams' file

    3. Change directory to '/opt/netiq/ams/ams/security/profiles/profile_ams'

    4. Delete ams-cert.pem, ams-pk.pem.pass & ams-pk.pem.pass

    5. Change directory to /opt/netiq/ams/ams/bin

    6. Execute the below command to regenerate the AMS profile

      ./ams_cert_setup.sh --setup --force

    7. Enable AMS profile by executing the following command

      ./ams_cert_setup.sh --enable --profile=profile_ams

  11. Reconfigure Javos profile

    1. Change directory to /opt/netiq/cg/javos/security/profiles

    2. Take backup of profile_javos

    3. Change directory to /opt/netiq/cg/javos/security/profiles/profile_javos

    4. Detele javos-cert.pem javos-pk.pem javos-pk.pem.pass files

    5. Change direcotory to "/opt/netiq/cg/javos/bin" and execute the below command to regenerate Javos profile

      ./javos_cert_setup.sh --setup --force
    6. Enable Javos profle by executing the below command

      ./javos_cert_setup.sh --enable --profile=profile_javos

  12. Regenerate Agent's default configurations
    1. Restart assets service using the below command that regenerates the default agent configurations

      /etc/init.d/nq_assets restart

  13. Update Event Destination
    1. Log in into Policy Editor
    2. Go to 'Settings' and then 'Event Destination...'
    3. Edit the default event destination to update the new Host Name / IP Address
  14. Log in into CG Web UI and open Agent Manager 
    1. Select the Agent and Reconfigure the Agent with updated CG Server Configuration .
Labels (1)

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Top Contributors
Version history
Revision #:
2 of 2
Last update:
‎2019-10-22 16:49
Updated by:
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.