DFAS_TSO_CS Regular Contributor.

Manual way to accomplish omnicc -secure_comm -configure_peer from CM to PC GUI? (firewall)


I recently upgraded a cell (HP-UX CM) from 9.09 (not using encrypted communications) to 10.30. After upgrading the GUI on my PC, I had to run the following:

On PC: omnicc -secure_comm -configure_peer cmserver.my.domain
On CM: omnicc -secure_comm -configure_peer mypc.my.domain

The first command worked but the second failed until I worked with our firewall team to temporarily allow 5555 connections from the CM to my PC so I could run the command.

On the CM it looks like the file /etc/opt/omni/client/ssconfig was updated with the following:

mypc.my.domain={
encryption={
certificate_file='/etc/opt/omni/client/sscertificates/mypc.my.domain_cert.pem';
certificate_thumbprint=' long hex string '; };
};

I have not checked but there is likely a similar file on the PC that was also updated.

I was wondering if there is a way that the .pem files and thumbprints could be generated and copied manually between the PCs and the CMs without having to have network communication enabled from the CM to the PCs? Or at least, to mimic running the omnicc -secure_comm command on the CM to PC. As mentioned, the other direction works fine. 

Our PCs are located within a secure network and the CM and other servers within a DMZ. Connections from the PC to the DMZ are allowed, but connections from the DMZ into the internal network are denied. It would be helpful if there were a manual way by copying a certificate file, etc. to accomplish whatever the omnicc command on the CM connecting to the PC is doing. I have several other cells to update and there are other GUI users that will need this as well. I'd like to not have to involve the firewall team each time it's necessary to run the command.

The firewall rules were reset to normal and everything has been working fine. The connection from the CM to the PC was only necessary for the duration of this 1 command.

Thanks.

Pat


Accepted Solutions
Micro Focus Expert

Re: Manual way to accomplish omnicc -secure_comm -configure_peer from CM to PC GUI? (firewall)


Hello @DFAS_TSO_CS

I have an idea about how you can do this. I have not tested this yet, but it could work.

In the server that you need to collect the certificate, you can go to ProgramData\OmniBack\Config\client\sscertificates or /etc/opt/omni/client/sscertificates. Then copy the file localhost_cert.pem
In this same server, run this command: omnicc -secure_comm -get_fingerprint and collect the fingerprint in the hexadecimal value. 

In the other server where you want to add the certificate, copy the one we copied first into ProgramData\OmniBack\Config\client\sscertificates or /etc/opt/omni/client/sscertificates and save it with the name that usually will be saved: clientname_cert.pem
Then modify the ssconfig with a new entry like this one:

clientname={
encryption={
certificate_file='/etc/opt/omni/client/sscertificates/clientname_cert.pem';
certificate_thumbprint='HexaValue Copied before'; };
};

Let me know if I am clear or if you have any doubt.

Regards, 

Andres Fallas Salazar
Customer Support Engineer

If you find that this or any other post resolves your issue, please be sure to mark it as an accepted solution.
If you are satisfied with anyone’s response please remember to give them a LIKE by clicking on the bottom at the left of the post and show your appreciation.
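
The manual steps from the accepted answer, sketched for the UNIX side as an added example (not part of the original posts and not Micro Focus code). It checks that the hand-copied PEM file hashes to the fingerprint read on the peer before pinning it. The function names are hypothetical, `openssl` is assumed to be installed, and the digest algorithm (default `sha256`) is an assumption that must match whatever `omnicc -secure_comm -get_fingerprint` prints.

```shell
#!/bin/sh
# Added example: pin a hand-copied Data Protector peer certificate on a UNIX host.
# Paths and entry layout are taken from the thread; the digest is an assumption.
CERT_DIR=${CERT_DIR:-/etc/opt/omni/client/sscertificates}
SSCONFIG=${SSCONFIG:-/etc/opt/omni/client/ssconfig}

# Reduce a fingerprint to bare lowercase hex so "AA:BB" and "aabb" compare equal.
normalize_hex() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Succeed only if the PEM file hashes to the fingerprint collected on the peer.
cert_matches() {  # $1=pem file  $2=expected fingerprint  $3=digest (assumed sha256)
    actual=$(openssl x509 -in "$1" -noout -fingerprint "-${3:-sha256}") || return 1
    [ "$(normalize_hex "${actual#*=}")" = "$(normalize_hex "$2")" ]
}

# Print an ssconfig block in the layout shown in the thread.
render_peer_entry() {  # $1=peer FQDN  $2=thumbprint exactly as omnicc printed it
    printf "%s={\nencryption={\ncertificate_file='%s/%s_cert.pem';\ncertificate_thumbprint='%s'; };\n};\n" \
        "$1" "$CERT_DIR" "$1" "$2"
}

# Reject unsafe peer names, non-hex thumbprints and peers that are already pinned.
check_peer() {  # $1=peer FQDN  $2=thumbprint
    case $1 in ''|*[!A-Za-z0-9.-]*) echo "bad peer name: $1" >&2; return 2 ;; esac
    case $(normalize_hex "$2") in ''|*[!0-9a-f]*) echo "thumbprint is not hex" >&2; return 2 ;; esac
    if [ -f "$SSCONFIG" ] && grep -F -x -q "$1={" "$SSCONFIG"; then
        echo "$1 already has an entry in $SSCONFIG" >&2; return 3
    fi
}

# Back up ssconfig, then append the new peer entry once.
add_peer_entry() {  # $1=peer FQDN  $2=thumbprint
    check_peer "$1" "$2" || return
    [ ! -f "$SSCONFIG" ] || cp -p "$SSCONFIG" "$SSCONFIG.bak" || return 1
    render_peer_entry "$1" "$2" >> "$SSCONFIG"
}

# Full sequence: validate, verify the copied file, install it under the peer's name, pin it.
install_peer() {  # $1=peer FQDN  $2=copied localhost_cert.pem  $3=thumbprint  $4=digest
    check_peer "$1" "$3" || return
    cert_matches "$2" "$3" "$4" || { echo "fingerprint mismatch, not installing" >&2; return 1; }
    cp "$2" "$CERT_DIR/${1}_cert.pem" && add_peer_entry "$1" "$3"
}
```

Run as `install_peer mypc.my.domain /tmp/localhost_cert.pem '<fingerprint from the PC>'` after sourcing the file; a mismatch leaves both the certificate directory and ssconfig untouched.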
DFAS_TSO_CS Regular Contributor.

Re: Manual way to accomplish omnicc -secure_comm -configure_peer from CM to PC GUI? (firewall)


Andres,

Thanks for the quick reply - this is exactly what I was looking for! I will be upgrading the next cell probably next week and will report back. I was unsure of the location of the cert on the PC (C:\ProgramData\OmniBack\Config\client\sscertificates\localhost_cert.pem), and wasn't aware of the omnicc -secure_comm -get_fingerprint option. I looked at my existing .pem file and ran the command to get the fingerprint and they match the corresponding file and value on the CM so I have confidence this will work.

I appreciate your help.

Pat

Micro Focus Expert

Re: Manual way to accomplish omnicc -secure_comm -configure_peer from CM to PC GUI? (firewall)


Hello @DFAS_TSO_CS

You are welcome. Test it and let us know if it worked for you. If so, consider giving some likes and accepting the solution.

Best regards, 

Andres Fallas Salazar
Customer Support Engineer

DFAS_TSO_CS Regular Contributor.

Re: Manual way to accomplish omnicc -secure_comm -configure_peer from CM to PC GUI? (firewall)


I was able to upgrade another cell yesterday and give this a try and it worked great!  Thanks for your help.  I was able to connect from my PC to the CM, but was rejected as an invalid user because I'd run into another problem having to do with /etc/hosts:

https://community.microfocus.com/t5/Data-Protector-User-Discussions/omniusers-add-returns-Details-unknown-on-CentOS/td-p/1764806

Today I re-did the upgrade after fixing /etc/hosts and doing omnidbutil -change_cell_name and this time after running through the above solution, I was able to fully connect and log in from the PC GUI.

Thanks again,

Pat

Micro Focus Expert

Re: Manual way to accomplish omnicc -secure_comm -configure_peer from CM to PC GUI? (firewall)


Hello Pat, 

I am really glad to know that this worked correctly. These steps will be useful in the future. 

Have a nice week ahead, 

Andres Fallas Salazar
Customer Support Engineer
