
Promote new primary to take on role of server/Certificate Authority

ZCM 10.3.0a / SLES 10sp2 & 10sp3

We want to demote our current primary/Certificate Authority server (zcm1.domain.com, sles 10.2) and promote another live primary server to take on this role (zcm2.domain.com, sles 10.3). If possible we want to avoid changing the name of the new server to reflect the old certificate name (zcm1.domain.com). In this case, do we need to create a new certificate using zcm2.domain.com? Then, would we need to re-register all managed devices/satellite servers to ensure communication with the new primary/certificate authority server?

Is this the best solution or would you recommend another approach? Basically we are moving the “primary” primary server to our off-site data center which will have a new name and ip address.

Thanks,

Re: Promote new primary to take on role of server/Certificat

Based on what you want to achieve, I would go down the path of adding a secondary primary server and then replacing the first primary server with it.

This is covered in the following section of the documentation:
Novell Documentation

Good luck!
Cheers
Heath

Andy_DeWees;2068007 wrote:
ZCM 10.3.0a / SLES 10sp2 & 10sp3

We want to demote our current primary/Certificate Authority server (zcm1.domain.com, sles 10.2) and promote another live primary server to take on this role (zcm2.domain.com, sles 10.3). If possible we want to avoid changing the name of the new server to reflect the old certificate name (zcm1.domain.com). In this case, do we need to create a new certificate using zcm2.domain.com? Then, would we need to re-register all managed devices/satellite servers to ensure communication with the new primary/certificate authority server?

Is this the best solution or would you recommend another approach? Basically we are moving the “primary” primary server to our off-site data center which will have a new name and ip address.

Thanks,

Re: Promote new primary to take on role of server/CertificateAuthority

Heath, thanks for your reply. You are referring to section 11.1 - Replacing the First Primary Server with the Second Primary Server, correct? (http://www.novell.com/documentation/zcm10/zcm10_system_admin/?page=/documentation/zcm10/zcm10_system_admin/data/boihv3o.html)
Even when our new primary server has a different host name/IP address? Do we need to keep our current certificate name (zcm1.domain.com) in DNS so clients will be able to register with the new CA/primary server, or do clients not use this certificate for anything except a trust relationship?
This seems pretty simple, but I don’t understand certificates very well. Thanks again..

Re: Promote new primary to take on role of server/Certificat

Hi Andy 🙂

Andy_DeWees;2070787 wrote:
Heath, thanks for your reply. You are referring to section 11.1 - Replacing the First Primary Server with the Second Primary Server, correct? (Novell Documentation)


Yes, exactly this section 🙂

Even when our new primary server has a different host name/ip address?



Correct: this is from the same section of doco:
"If you choose to replace the first Primary Server with a new server that has a different hostname and IP address, you must install ZENworks 10 Configuration Management on the new server in the same Management Zone. Consequently, the new server becomes the second Primary Server. "


Do we need to keep our current certificate name (zcm1.domain.com) in dns so clients will be able to register with the new CA/primary server or do client not use this certificate for anything except a trust relationship?


You do not need to keep the DNS name in there, but you need to make sure you complete steps 5 & 7. This will ensure your devices continue to be able to work once the original server is removed. You will notice that your devices still report the original server in the agent properties, as this is the one they were registered with. This is not a problem, as the closest server rules control where they communicate. If you would like to tidy this up you can complete step 8, but it is not strictly necessary.



This seems pretty simple, but I don’t understand certificates very well. Thanks again..


So with the certificates (as I understand it, don't yell at me if I get it wrong 😉) you are trusting the CA that signs the certificate, not the server itself. This way you are trusting any server that has a certificate signed by that CA, hence why the new server will be trusted.

Hope this helps 🙂
Cheers
Heath
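
The CA trust model described in the reply above, as an added example that is not part of the original posts and is not ZENworks tooling: a throwaway CA signs certificates for both hostnames from the thread, and a generic X.509 client that trusts only the CA certificate decides which servers to accept. The CA names, file names and `other.domain.com` are made up for the illustration, and the name check shows generic TLS behaviour, not a statement about how the ZENworks agent validates names.

```shell
#!/usr/bin/env bash
# Constructed demo: one zone CA, two primaries, one unrelated CA.
# Hostnames zcm1/zcm2.domain.com are from the thread; everything else is hypothetical.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT   # throwaway keys, deleted on exit

make_ca() {      # $1 = CA name; writes $work/$1.key and $work/$1.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

issue_cert() {   # $1 = signing CA name, $2 = server hostname (used as CN)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -days 30 \
    -CA "$work/$1.crt" -CAkey "$work/$1.key" -CAcreateserial \
    -out "$work/$2.crt" 2>/dev/null
}

# Decision of a client that trusts only CA $1, is handed the certificate of
# server $2, and expects to be talking to hostname $3. Prints yes or no.
trusted() {
  openssl verify -CAfile "$work/$1.crt" -verify_hostname "$3" \
    "$work/$2.crt" 2>/dev/null | grep -q ': OK$' && echo yes || echo no
}

make_ca zone-ca
make_ca other-ca
issue_cert zone-ca  zcm1.domain.com    # original primary
issue_cert zone-ca  zcm2.domain.com    # new primary, same zone CA
issue_cert other-ca other.domain.com   # server signed by an unrelated CA

echo "zcm1 cert, reached as zcm1:  $(trusted zone-ca zcm1.domain.com zcm1.domain.com)"
echo "zcm2 cert, reached as zcm2:  $(trusted zone-ca zcm2.domain.com zcm2.domain.com)"
echo "zcm2 cert, reached as zcm1:  $(trusted zone-ca zcm2.domain.com zcm1.domain.com)"
echo "other-ca cert, zone-ca only: $(trusted zone-ca other.domain.com other.domain.com)"
```

The new server is accepted under its own name because the signature chains to the CA the client already trusts, while a certificate from any other CA is rejected no matter what name it carries.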