CycoTron

Move ZCM Certificate Authority between zones?

I am creating and migrating to a new zone, this time on MSSQL instead of Sybase because of a database failure.

Is it possible for me to move the ZCM Internal CA from the old zone to the new, so that all my devices will not need the new certificates added?

If possible, then I should only need to unreg/reg the devices to the new zone to make the transition, correct?

-Nick Kelnhofer Professional Network Administrator CNA, MCSA, A+, Net+, Security+
chasb73

Re: Move ZCM Certificate Authority between zones?

This is exactly what I need to do as well! Any thoughts would be greatly appreciated!!

Charlie
CycoTron

Re: Move ZCM Certificate Authority between zones?

chasb73;1842631 wrote:
This is exactly what I need to do as well! Any thoughts would be greatly appreciated!!

Charlie


I used the zman certificate-authority-export utility to attempt to move the CA role to the new zone. It said it worked successfully, although I don't really know if the servers generated new certs with this CA or not in the new zone.

However, I have added a few devices to the new zone just by doing a zac unr / zac reg and they are working fine. So either the CA move worked, or when you reg to a new server it automatically imports the new Cert.

It seems to be working fine for me! ...Now I just have about 100 bundles left to transfer to the new zone 😞

-Nick Kelnhofer Professional Network Administrator CNA, MCSA, A+, Net+, Security+
Anonymous_User

Re: Move ZCM Certificate Authority between zones?

CycoTron,

>However, I have added a few devices to the new zone just by doing a zac
>unr / zac reg and they are working fine. So either the CA move worked,
>or when you reg to a new server it automatically imports the new Cert.


If you download the complete agent install package and unzip it, the CA
will be included. Also when you browse to the ZCC, click on the
certificate icon before logging in and you can see what CA is being used
too.

--
Jared Jennings
Novell Support Forums Sysop
Senior Systems Architect, Data Technique, Inc.
http://www.datatechnique.com

My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
Twitter@ http://twitter.com/jaredljennings
Anonymous_User

Re: Move ZCM Certificate Authority between zones?

Here are the procedures for backing up and restoring the CA.
http://www.novell.com/documentation/zcm10/zcm10_system_admin/data/bb2j7h6.html

After doing this, you will likely need to follow the procedures for a "DNS
Name Change".
http://www.novell.com/documentation/zcm10/zcm10_system_admin/?page=/documentation/zcm10/zcm10_system_admin/data/bb2j7h6.html

I've never tried this, but I think it should work.
Just be sure to not wipe out your old setup so you can test this one and
doing in a lab to start would be smart.

--
Craig Wilson - MCNE, MCSE, CCNA
Novell Support Forums Volunteer Sysop

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
"CycoTron" <CycoTron@no-mx.forums.novell.com> wrote in message
news:CycoTron.3x12on@no-mx.forums.novell.com...
>
> I am creating and migrating to a new zone, this time on MSSQL instead of
> Sybase because of a database failure.
>
> Is it possible for me to move the ZCM Internal CA from the old zone to
> the new, so that all my devices will not need the new certificates
> added?
>
> If possible, then I should only need to unreg/reg the devices to the
> new zone to make the transition, correct?
>
>
> --
> -Nick Kelnhofer
> Professional Network Administrator
> CNA, MCSA, A+, Net+
> ------------------------------------------------------------------------
> CycoTron's Profile: http://forums.novell.com/member.php?userid=3926
> View this thread: http://forums.novell.com/showthread.php?t=383309
>
chasb73

Re: Move ZCM Certificate Authority between zones?

I've just realised that my certificates are external; I assume that this should make it even simpler?

I can just copy the certificate files across to the new zone and point that server to them?

Thanks
Anonymous_User

Re: Move ZCM Certificate Authority between zones?

chasb73,

>I've just realised that my certificates are external; I assume that this
>should make it even simpler?


It sure will.

--
Jared Jennings
Novell Support Forums Sysop
Senior Systems Architect, Data Technique, Inc.
http://www.datatechnique.com

My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
Twitter@ http://twitter.com/jaredljennings
chasb73

Re: Move ZCM Certificate Authority between zones?

Hi

When I set up the new Zone I used the external certificates from the other Zone during the install process. Obviously these certificates have the old server name on them, but I assume that's not an issue so long as the certificate on the agent matches the server certificate?

I am getting errors when logging in:

Unable to log into the network because the Cached login information is not available.

Any Suggestions?

Thanks

Charlie

Jared Jennings;1842809 wrote:
chasb73,

>I've just realised that my certificates are external; I assume that this
>should make it even simpler?


It sure will.

--
Jared Jennings
Novell Support Forums Sysop
Senior Systems Architect, Data Technique, Inc.
Data Technique, Inc. | Information Technology Consulting Solutions

My Blog and Wiki with Tips, Tricks, and Tutorials
Main Page - ZENWorks Wiki
Twitter@ Jared Jennings (jaredljennings) on Twitter
Anonymous_User

Re: Move ZCM Certificate Authority between zones?

chasb73,

>When I set up the new Zone I used the external certificates from the
>other Zone during the install process. Obviously these certificates have
>the old server name on them, but I assume that's not an issue so long as
>the certificate on the agent matches the server certificate?


Craig can correct me, but I don't think that would work. By external CA,
we mean that an external CA, not the internal CA, but one like VeriSign, AD,
eDir, etc., signed the server's certificate.

The only time that you can export and import certificates like that with
the ZCM utility is if the server name stays the same. As in a backup and
restore as part of a DR.

--
Jared Jennings
Novell Support Forums Sysop
Senior Systems Architect, Data Technique, Inc.
http://www.datatechnique.com

My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
Twitter@ http://twitter.com/jaredljennings
Anonymous_User

Re: Move ZCM Certificate Authority between zones?

I suspect it would fail.
The client will do a forward and reverse DNS lookup on the server name in
the cert to verify the name in the cert matches the name of the server with
which it's talking.
If the FQDN of the new server matched that of the old server, this may work.

Now, if you are using a true external CA and that CA does not change, it
would still be trusted by the workstations.
In that case, you would likely not need to place a Cert Game with the new
server since the devices would automatically accept and use the new cert
with the new dns name.
The Docs say this may not be the case, but from what I have seen this does
indeed work.
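Craig's point above is the hostname check an agent applies to the server certificate: the DNS name in the cert has to cover the FQDN the agent actually contacted, so a cert carrying the old server's name fails against a new server name. The following is an added example of that check (not ZCM's own code; the host names are constructed):

```python
"""Certificate-name vs. server-FQDN matching, as an agent would apply it.
Added example for illustration; not ZCM code. Host names are constructed."""
import ipaddress


def _dns_name_matches(cert_name, host):
    """Match one DNS name from a certificate (CN or SAN) against a host name.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the whole left-most label and only covers exactly one
    label, so '*.example.com' covers 'zcm.example.com' but not 'a.b.example.com'.
    """
    pattern = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or any("*" in l for l in p_labels[1:]):
        return False  # '*', '*.com', 'zcm*.example.com' etc. are not honoured
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_server(cert_dns_names, server_name):
    """Return True if the name the agent connected to is covered by the cert."""
    try:
        ipaddress.ip_address(server_name)
        return False  # an IP literal is only covered by an IP SAN, never a DNS name
    except ValueError:
        pass
    return any(_dns_name_matches(n, server_name) for n in cert_dns_names)


if __name__ == "__main__":
    # Constructed: the old zone's certificate reused on a server with a new FQDN.
    old_zone_cert = ["zcm-old.example.com"]
    print(cert_covers_server(old_zone_cert, "zcm-old.example.com"))  # True
    print(cert_covers_server(old_zone_cert, "zcm-new.example.com"))  # False
```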


--
Craig Wilson - MCNE, MCSE, CCNA
Novell Support Forums Volunteer Sysop

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
"Jared Jennings" <jaredljenningsNO@SPAMmyrealbox.com> wrote in message
news:Ejgjm.4708$7G7.4171@kovat.provo.novell.com...
> chasb73,
>
>>When I set up the new Zone I used the external certificates from the
>>other Zone during the install process. Obviously these certificates have
>>the old server name on them, but I assume that's not an issue so long as
>>the certificate on the agent matches the server certificate?

>
> Craig can correct me, but I don't think that would work. By external CA,
> we mean that an external CA, not the internal CA, but one like VeriSign, AD,
> eDir, etc., signed the server's certificate.
>
> The only time that you can export and import certificates like that with
> the ZCM utility is if the server name stays the same. As in a backup and
> restore as part of a DR.
>
> --
> Jared Jennings
> Novell Support Forums Sysop
> Senior Systems Architect, Data Technique, Inc.
> http://www.datatechnique.com
>
> My Blog and Wiki with Tips, Tricks, and Tutorials
> http://jaredjennings.org
> Twitter@ http://twitter.com/jaredljennings
chasb73

Re: Move ZCM Certificate Authority between zones?

Thanks for the info

I will blow away the new Zone that is failing and start again using MSSQL DB and Internal Certs (10 Years should be fine).

Just something that I have noticed that hasn't been mentioned: the agent now has a "Transfer the Device to Another Zone" option in the uninstall. I presume that this would be the best option for moving the machines to the new Zone?

(Although upgrading the agents from 10.2 to 10.2.1 might be a good time to move them to the new Zone by reinstalling the agent..?)

Thanks

Charlie

Craig Wilson;1844430 wrote:
I suspect it would fail.
The client will do a forward and reverse DNS lookup on the server name in
the cert to verify the name in the cert matches the name of the server with
which it's talking.
If the FQDN of the new server matched that of the old server, this may work.

Now, if you are using a true external CA and that CA does not change, it
would still be trusted by the workstations.
In that case, you would likely not need to place a Cert Game with the new
server since the devices would automatically accept and use the new cert
with the new dns name.
The Docs say this may not be the case, but from what I have seen this does
indeed work.


--
Craig Wilson - MCNE, MCSE, CCNA
Novell Support Forums Volunteer Sysop

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
"Jared Jennings" <jaredljenningsNO@SPAMmyrealbox.com> wrote in message
news:Ejgjm.4708$7G7.4171@kovat.provo.novell.com...
> chasb73,
>
>>When I set up the new Zone I used the external certificates from the
>>other Zone during the install process. Obviously these certificates have
>>the old server name on them, but I assume that's not an issue so long as
>>the certificate on the agent matches the server certificate?

>
> Craig can correct me, but I don't think that would work. By external CA,
> we mean that an external CA, not the internal CA, but one like VeriSign, AD,
> eDir, etc., signed the server's certificate.
>
> The only time that you can export and import certificates like that with
> the ZCM utility is if the server name stays the same. As in a backup and
> restore as part of a DR.
>
> --
> Jared Jennings
> Novell Support Forums Sysop
> Senior Systems Architect, Data Technique, Inc.
> Data Technique, Inc. | Information Technology Consulting Solutions
>
> My Blog and Wiki with Tips, Tricks, and Tutorials
> Main Page - ZENWorks Wiki
> Twitter@ Jared Jennings (jaredljennings) on Twitter
Anonymous_User

Re: Move ZCM Certificate Authority between zones?

chasb73,

>(Although upgrading the agents from 10.2 to 10.2.1 might be a good time
>to move them to the new Zone by reinstalling the agent..?)


Re-installing the agent will only include 10.2.1 if you rebuild the
install packages. Otherwise it will install 10.2 and then upgrade.

You might get the new zone all patched before you add all the devices to it.

--
Jared Jennings
Novell Support Forums Sysop
Senior Systems Architect, Data Technique, Inc.
http://www.datatechnique.com

My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
Twitter@ http://twitter.com/jaredljennings