markvh Super Contributor.

ZCM 2017 CA/certificate update Deep Freeze

Hi there,

I thought I had posted this question already but can't seem to find it, so forgive me if it's a duplicate.

We have 4 SELS servers and are running ZCM 2017
The certs are expiring and I need to update them as well as create a new external CA.
I know this process should be a lot easier with ZCM 2017 as updates are pushed out to the workstations when the certs are reminted.
This will work well for most of our staff workstations.

The challenge I have is that all our computing lab workstations are frozen, which means when they reboot they will lose any changes received.
I need to ensure I schedule this update and make sure the machines are unfrozen when receiving the update and then freeze them again.
So the system might think the machine has received the update, yet when the machine reboots, the update is lost.

What command can I run on the workstation to ensure the trust relationship is updated correctly?
I can then unfreeze the machine before the cert expires, run the command and then freeze them again.
If I do this, will the machine continue to communicate correctly at the specified changeover date?

Thanks
Mark
1 Reply
Micro Focus Expert

Re: ZCM 2017 CA/certificate update Deep Freeze

The following is conjecture......

If you run the "Certificate Remint Tool" manually on the devices while unfrozen before a re-freeze, you should be good.
The intent of the tool was to fix devices that "Missed" the update, but should work in your case too where it is lost due to a system rollback....so that when the new day hits you should be good.

My best guess is that these devices will be fine so long as the tool is run in advance, and the changes recorded in a new re-freeze.
Definitely keep a copy of the tool handy, since it may get deleted after a base-line and in your case that may not mean all devices have the change.



--
If the certificate activation time passes before the system update is applied on the devices, these devices will not be able to communicate with Primary Servers on which the new certificate has already been activated. You will then need to run the Certificate Remint Tool. This tool can be downloaded from the following location http://<ip of primary server>:<port>/zenworks-setup. This tool will be available for download on all the Primary Servers after the update is created and assigned. It will not be available when the certificate update is baselined and deleted.

https://www.novell.com/documentation/zenworks-2017-update-4/pdfdoc/zen_certificates/zen_certificates.pdf#bataxss
