jfeyen

Replace commercial certificate on GMS 2.1.0

Hi,

We have a commercial certificate on our GMS server.
This needs to be replaced.

How do I replace it, and in which directories do I need to change it?
In my install documentation of the GMS I created a special dir for the certificates, /certificates/mobility.pem. Do I also need to change it there?

Do I need to change it in multiple places or only in one place?

Will it have an impact on the devices? We have Androids, BlackBerry, iOS, Windows phones...

Kr,

Joeri
Micro Focus Expert

Re: Replace commercial certificate on GMS 2.1.0

Hi Joeri,

This might be of some assistance, but in my steps I'm referring to the default certificate directories:

Updating The Device Connection Certificate

1. Change to /var/lib/datasync/device on your Mobility Server.
2. Back up the existing mobility.pem file just for good measure (i.e. cp mobility.pem mobility.bak).
3. Copy the new mobility.pem file for your Device Sync Agent into /var/lib/datasync/device.
4. Restart the Device Sync Agent either by clicking on the Stop/Start buttons in the Web Admin Console, or just run rcgms restart.

Updating the Web Admin Console Certificate

1. Change to /var/lib/datasync/webadmin on the Mobility Server.
2. Back up the existing server.pem file (cp server.pem server.bak).
3. Copy the mobility.pem file that you created earlier into /var/lib/datasync/webadmin, and name it server.pem.
4. Restart the Web Admin (rcdatasync-webadmin restart).

Once you have done the above your devices should just continue to work without any interaction required.

I've done this myself quite a few times and, to date, have never had any issues with devices "breaking" due to a certificate replacement.

Please let us know how it goes.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
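
A pre-flight check for the swap described in the post above, as an added example that is not part of the thread or of any Micro Focus tooling: it confirms that the key in the combined PEM belongs to the server certificate and that the certificate is not about to expire, then backs up the old file and overwrites it in place. The function names and `new.pem` are hypothetical; the directories and restart commands are the ones named in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed and
# the bundle is one PEM file holding an unencrypted key plus certificate(s).

# True when the private key in the bundle belongs to the first certificate in
# it (the server certificate). Compares the two public keys.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the first certificate is still valid DAYS ($2) days from now.
pem_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Number of certificates in the bundle; 1 means no intermediate was appended.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# install_pem BUNDLE DESTDIR NAME: check first, back up, then overwrite in
# place so the existing file keeps its owner and mode.
install_pem() {
    bundle=$1; dest=$2/$3
    pem_key_matches_cert "$bundle" || { echo "key/cert mismatch" >&2; return 1; }
    pem_valid_for_days "$bundle" 7 || { echo "expires within 7 days" >&2; return 1; }
    [ "$(pem_cert_count "$bundle")" -ge 2 ] || echo "warning: no intermediate in bundle" >&2
    if [ -f "$dest" ]; then
        cp -p "$dest" "${dest%.pem}.bak" || return 1   # mobility.bak / server.bak
        cat "$bundle" > "$dest"
    else
        ( umask 077; cat "$bundle" > "$dest" )         # new file: owner-only
    fi
}

# Usage with the directories from the post (run on the Mobility server):
#   install_pem new.pem /var/lib/datasync/device   mobility.pem && rcgms restart
#   install_pem new.pem /var/lib/datasync/webadmin server.pem   && rcdatasync-webadmin restart
```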
jfeyen

Re: Replace commercial certificate on GMS 2.1.0

laurabuckley;2409183 wrote:
> Hi Joeri,
>
> This might be of some assistance, but in my steps I'm referring to the default certificate directories:
>
> Updating The Device Connection Certificate
>
> Change to /var/lib/datasync/device on your Mobility Server
> Backup the existing mobility.pem file just for good measure (i.e. cp mobility.pem mobility.bak)
> Copy the new mobility.pem file for your Device Sync Agent into /var/lib/datasync/device.
> Restart the Device Sync Agent either by clicking on the Stop/Start buttons in the Web Admin Console, or just run rcgms restart.
>
> Updating the Web Admin Console Certificate
>
> Change to /var/lib/datasync/webadmin on the Mobility Server.
> Back up the existing server.pem file (cp server.pem server.bak)
> Copy the mobility.pem file that you created earlier into /var/lib/datasync/webadmin, and name it server.pem.
> Restart the Web Admin (rcdatasync-webadmin restart).
>
> Once you have done the above your devices should just continue to work without any interaction required.
>
> I've done this myself quite a few times and, to date, have never had any issues with devices "breaking" due to a certificate replacement
>
> Please let us know how it goes.
>
> Cheers,

Hi Laura,

The Web console part, is this needed?
I see that this certificate is not a commercial one but a self-signed one created by the SLES server or the GMS setup.
The issuer is "support@novell.com"
I see this if I surf to my server: https://myserver.domain.com:8120/ and select view certificate.

Kr,

Joeri
Micro Focus Expert

Re: Replace commercial certificate on GMS 2.1.0

Hi Joeri

Personally I keep both Device and Web Console on a commercially minted certificate. Perhaps that's just personal preference - if I have customers accessing the Web Console I don't want them bothered with the "untrusted certificate" warning.

Cheers,
Laura Buckley

Anonymous_User

Re: Replace commercial certificate on GMS 2.1.0

jfeyen wrote:

> Will it have impact on the devices ? We have androids , blackberry, ios,
> windows phones..


I just recently had to replace the certificate and nobody complained.
There are no Blackberry devices present here. And the new certificate is
based on the same root as the old one. So I do not know what happens if
you switch the CA. Certificate management on mobile devices to me is a
kind of a black art.

Günther

jfeyen

Re: Replace commercial certificate on GMS 2.1.0

Günther Schwarz;2409319 wrote:
> jfeyen wrote:
>
>> Will it have impact on the devices ? We have androids , blackberry, ios,
>> windows phones..
>
> I just recently had to replace the certificate and nobody complained.
> There are no Blackberry devices present here. And the new certificate is
> based on the same root as the old one. So I do not know what happens if
> you switch the CA. Certificate management on mobile devices to me is a
> kind of a black art.
>
> Günther


Gunther,

Thanks for your feedback about the devices. I will provide mine as soon as the certificate is replaced.

Joeri
jfeyen

Re: Replace commercial certificate on GMS 2.1.0

laurabuckley;2409224 wrote:
> Hi Joeri
>
> Personally I keep both Device and Web Console on a commercially minted certificate. Perhaps that's just personal preference - if I have customers accessing the Web Console I don't want them bothered with the "untrusted certificate" warning.
>
> Cheers,


Laura,

I will replace them both like you mentioned.

I also opened an SR and got back this TID:
https://www.novell.com/support/kb/doc.php?id=7006904
The certificate that we use is a wildcard certificate from GlobalSign.
I am a bit lost in step 2 (From the dsapp menu, select Certificates | Generate CSR and Key:) and step 3 (Send the Certificate Signing Request to the Trusted Certificate Authority like VeriSign, GoDaddy, DigiCert, etc. Download their response files to the directory provided to store the certificate files in Step 2.)
These are things I never did on the install of the certificate when the server was installed. Is that normal? Are these things I don't have to do because I have a wildcard?
These are the steps I did on the initial install of the server:
1. Download PFX
2. Unpack the key and cert
3. Download intermediate
4. Combine key + cert + intermediate in one pem file.

Kr,

Joeri
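
The four steps listed in the post above, as an added example that is not part of the original post: a shell function that unpacks a PFX with the openssl CLI and writes key, certificate and intermediate into one PEM file. The function name, the file names and the password file are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI; the file names
# and the password file are placeholders.

# pfx_to_pem PFX PASSFILE INTERMEDIATE OUT
# Unpack key and certificate from the PFX, then write
# key + certificate + intermediate into one PEM file.
pfx_to_pem() (
    pfx=$1; passfile=$2; intermediate=$3; out=$4
    umask 077                     # the key is written unencrypted: owner-only
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT

    # -nodes: do not re-encrypt the key. sed drops the "Bag Attributes" text
    # that pkcs12 prints around each PEM block.
    openssl pkcs12 -in "$pfx" -passin "file:$passfile" -nocerts -nodes 2>/dev/null |
        sed -n '/^-----BEGIN .*PRIVATE KEY-----/,/^-----END .*PRIVATE KEY-----/p' > "$tmp/key.pem"
    # -clcerts: only the certificate that belongs to the key, not CA certs.
    openssl pkcs12 -in "$pfx" -passin "file:$passfile" -clcerts -nokeys 2>/dev/null |
        sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' > "$tmp/cert.pem"

    [ -s "$tmp/key.pem" ] && [ -s "$tmp/cert.pem" ] ||
        { echo "could not unpack $pfx" >&2; exit 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$intermediate" ||
        { echo "$intermediate is not a PEM certificate" >&2; exit 1; }

    # Order used in the post: key, then server certificate, then intermediate.
    cat "$tmp/key.pem" "$tmp/cert.pem" "$intermediate" > "$out"
)
```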
Micro Focus Expert

Re: Replace commercial certificate on GMS 2.1.0

Hi Joeri,

Personally I have never used the dsapp application to manage my certificates. I've always done it the manual way.

From what I can see from your post above, the steps that you detail are correct. You have your .pem file and are good to go with following my recommended instructions posted earlier in this thread. Alternatively follow the TID - but look under Additional Information for the manual steps for implementing your certificate.

Please let us know how it goes.

Cheers,
Laura Buckley

jfeyen

Re: Replace commercial certificate on GMS 2.1.0

laurabuckley;2409429 wrote:
> Hi Joeri,
>
> Personally I have never used the dsapp application to manage my certificates. I've always done it the manual way.
>
> From what I can see from your post above, the steps that you detail are correct. You have your .pem file and are good to go with following my recommended instructions posted earlier in this thread. Alternatively follow the TID - but look under Additional Information for the manual steps for implementing your certificate.
>
> Please let us know how it goes.
>
> Cheers,


Hi Laura,

Thanks for your info. I will do it the manual way because then I know what I am doing.
I will do it next week and keep you updated.

Joeri
erichflynn

Re: Replace commercial certificate on GMS 2.1.0

I used the dsapp today for a 3rd party CA with intermediate chain and it worked great. This is much simpler for those that are intimidated with the whole SSL thing.

The tool just does the same thing as the manual way, because certs are in proper locations with proper permissions, etc...




laurabuckley <laurabuckley@no-mx.forums.microfocus.com> wrote on 10/22/2015 1:26 AM:
> Hi Joeri,
>
> Personally I have never used the dsapp application to manage my
> certificates. I've always done it the manual way.
>
> From what I can see from your post above, the steps that you detail are
> correct. You have your .pem file and are good to go with following my
> recommended instructions posted earlier in this thread. Alternatively
> follow the TID - but look under Additional Information for the manual
> steps for implementing your certificate.
>
> Please let us know how it goes.
>
> Cheers,

Knowledge Partner

Re: Replace commercial certificate on GMS 2.1.0

In article <jfeyen.7529uo@no-mx.forums.microfocus.com>, Jfeyen wrote:
> We have a commercial certificate on our GMS server.
> This needs to be replaced.

...
> Will it have impact on the devices ? We have androids , blackberry, ios,
> windows phones..


The theory is that it shouldn't be noticed at all. All the devices are
supposed to automatically keep an updated list of the root CAs and the
whole point of a commercial cert is to have it tie back to one of those root
CAs. They should only break if there is a break in that chain of trust.


Andy of
http://KonecnyConsulting.ca in Toronto
Knowledge Partner
http://forums.novell.com/member.php/75037-konecnya
If you find a post helpful and are logged in the Web interface, please
show your appreciation by clicking on the star below. Thanks!
GMS troubleshooting tips at http://www.konecnyad.ca/andyk/gwmobility.htm

Knowledge Partner

Re: Replace commercial certificate on GMS 2.1.0

In article <K%LVx.697$vh4.654@novprvlin0914.provo.novell.com>, Günther
Schwarz wrote:
> So I do not know what happens if
> you switch the CA. Certificate management on mobile devices to me is a
> kind of a black art.

As long as the new CA is one of the standard ones that all the devices
stay up to date on, then there should be no problem at all. If it is a
private CA, then there will be issues due to the lack of a chain of trust
unless you've gotten the public key of that CA root onto all the devices.

Yes, 'Black Art' is about right. The base theory of PKI is easy enough,
the devil is in those details, and those details are not always the easiest to
get at.


Andy of
http://KonecnyConsulting.ca in Toronto

Micro Focus Expert

Re: Replace commercial certificate on GMS 2.1.0

Hi,

Thank you for your feedback - greatly appreciated 🙂 Good to know that there is an easier option for folk who are not too familiar with the SSL command line stuff.

Cheers,
Laura Buckley

Anonymous_User

Re: Replace commercial certificate on GMS 2.1.0

Andy Konecny wrote:
> In article <K%LVx.697$vh4.654@novprvlin0914.provo.novell.com>, Günther
> Schwarz wrote:
>> So I do not know what happens if
>> you switch the CA. Certificate management on mobile devices to me is a
>> kind of a black art.

> As long as the new CA is one of the standard ones that all the devices
> stay up to date on, then there should be no problem at all.


Problems start when you ask which CA are "standard" ones. Apple makes it
especially hard for the users of their appliances to get a list of the
root certificates installed together with the information for which
services (browser, ActiveSync, VPN, etc) they are trusted.

> If it is a
> private CA, then there will be issues due to the lack of a chain of trust
> unless you've gotten the public key of that CA root onto all the devices.


In between the list of CA that are almost universally trusted and the
"private" ones that are basically limited to one organization or
workgroup there are many CA that might or might not be trusted by Apple
or Google.

Günther

jfeyen

Re: Replace commercial certificate on GMS 2.1.0

konecnya;2410026 wrote:
> In article <jfeyen.7529uo@no-mx.forums.microfocus.com>, Jfeyen wrote:
>> We have a commercial certificate on our GMS server.
>> This needs to be replaced.
>
> ...
>> Will it have impact on the devices ? We have androids , blackberry, ios,
>> windows phones..
>
> The theory is that it shouldn't be noticed at all. All the devices are
> supposed to automatically keep an updated list of the root CAs and the
> whole point of a commercial cert is to have it tie back to one of those root
> CAs. They should only break if there is a break in that chain of trust.




Thanks for making that clear! Understood 🙂