Implement centralized PKI

Idea ID 2815958


Make a centralized PKI, so that there would be no self-signed certificate, and there would be no need for the command "omnicc -secure_comm -configure_peer <host> [-accept_host]". This command is an overhead, especially when there are many clients involved in the functioning of a cell.


The idea is to have something like below:

(1) Empower KMS to distribute CA certificate(s), including the trust anchor to the clients getting imported (directly via GUI or "omnicc -import_host <host>"). No thumb-print look-up. This will take care of the short/long host-name, FQDN, etc, as there would be no need for ssconfig entries.

(2) The same set of certificates can now be extended to the app-server, and everything can be fully automated. All of this could be made part of the "omnicc -import_host <host>".

(3) You will not need a user to be created to access the Cell Manager from a GUI client. This can be completely authenticated by the certificates.

(4) This could open up N-number of possibilities, in a HIGHLY SIMPLIFIED manner. One such is that KMS can take up the role of checking the certificates' validity daily, at the stroke of midnight, and trigger a notification if they are about to expire. The time at which you would start getting the notifications can be made configurable, say within 30 days of expiry, or 5 days of expiry.


NOTE: Please add more benefits, if you can find any. I'm sure I did not cover all the nuances that can get simplified due to this. And yes, I don't see any downsides to this.
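As an added example (not code from the idea, Data Protector or Micro Focus), here is what the daily validity check in point (4) amounts to: pull notAfter out of a DER certificate with a minimal ASN.1 walk, then map the remaining lifetime onto configurable 30-day / 5-day notification thresholds. The certificate fed in is a constructed stand-in that only carries the fields up to Validity, so no real certificate or key material is assumed.

```python
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def _children(value):
    """Split a constructed DER value into its (tag, value) children."""
    pos, out = 0, []
    while pos < len(value):
        tag, body, pos = _tlv(value, pos)
        out.append((tag, body))
    return out

def not_after_from_der(der):
    """Return notAfter of an X.509 DER certificate as a timezone-aware UTC datetime."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                 # serial, signatureAlg, issuer, validity
    tag, value = _children(validity)[1]     # validity = notBefore, notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expiry_alert(not_after, now, thresholds=(30, 5)):
    """Alert level: 'expired', 'within N days' for the tightest matching threshold, else None."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    for days in sorted(thresholds):         # check the tightest window first
        if remaining <= timedelta(days=days):
            return f"within {days} days"
    return None

def _der(tag, body):
    """Tiny DER encoder (short-form length only) for the constructed sample below."""
    return bytes([tag, len(body)]) + body

def sample_cert(not_after_text):
    """Constructed stand-in certificate: version, serial, empty alg/issuer, then Validity."""
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after_text))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, b"") + _der(0x30, b"") + validity)
    return _der(0x30, _der(0x30, tbs))
```

Running this over the certificates KMS already distributes, once a day, is the whole scheduled job; the thresholds tuple is the configurable notification window.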

1 Comment
Micro Focus Expert
Status changed to: Needs Clarification

@Kaustav
"omnicc -secure_comm ..." is not needed when using the standard Installation Server based approach. That would normally address more than 90% of your installs or upgrades.

Please provide examples why this is not working for you.
