Highlighted
Super Contributor.
Super Contributor.
409 views

ZCM certificate and ZENworks 2020 upgrade

I am currently on ZENworks 2017 update 4 and I am looking to upgrade to ZENworks 2020. I am now getting a pop-up after logging into the ZENworks console indicating that my certificate will expire on 7/14/20.

I have 4 questions.

  1. Do I update the certificate before upgrading to ZENworks 2020?
  2. Will the upgrade to ZENworks 2020 update my certificate? Thus, I won't have to update the certificate itself.
  3. Will I have do update the certificate after the upgrade to ZENworks 2020 is completed?
  4. If I have to manually update the certificate myself, does anyone have any recommended way? I have found some solutions to do this, but I thought I should ask.

My environment:

  1. 4 Windows 2012R2 primary servers
  2. ZENworks version: 2017 Update 4
  3. MS SQL remote database

Thanks in advance for any replies.

Scott

Labels (1)
0 Likes
10 Replies
Highlighted
Micro Focus Expert
Micro Focus Expert

Re: ZCM certificate and ZENworks 2020 upgrade

It is important to know WHAT certificate is expiring.

#1 - It could be one of your LDAP Servers, which means updating that is something done in eDir or AD not ZCM.  However, after you update your cert, you will want to open that User Source LDAP server and tell ZCM to update the cert info there.

#2 - It could be the "Server Cert" for one of your servers, which is relatively easy...especially if there is more than 1 primary in your zone.

#3- It could be the "Certificate Authority Cert" if you Zone has been around for close to 10 years.  Updating the CA cert requires the most caution.  When following the documented process, you should set the activation time at least TWO WEEKS in the future.   If you give it an activation time of "NOW" or "CLOSE TO NOW", you will break many things since "ALL DEVICES" need to get notification prior to the activation or they will "CEASE TO COMMUNICATE" to ZCM until you "Walk up to the Device and Fix them".

--

After we know what TYPE of Cert if expiring, I can link to docs.

--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
0 Likes
Highlighted
Super Contributor.
Super Contributor.

Re: ZCM certificate and ZENworks 2020 upgrade

Craig:

Ok. The cert is the ZENworks zone CA. I have attached a screenshot of what I am getting.

Thanks.

Scott

0 Likes
Highlighted
Knowledge Partner
Knowledge Partner

Re: ZCM certificate and ZENworks 2020 upgrade

You need to remint your CA per Craig's instructions #3.  It is a fairly simple and automated process, but as he states, it is CRITICAL that you choose an activation time far enough out that all your devices have time to check in and get the update.  I just did this earlier this year and chose a date 4 weeks out to play it safe.  Everything worked quite well.

1. I updated the certificate before upgrading to 2020.  The CA remint has a deadline, the 2020 upgrade does not.  So I chose to get the remint out of the way first.

2. The 2020 upgrade will not remint your certificate, you need to do this yourself.

3. If you remint now, you won't have to do it again after the 2020 upgrade.

4. Reminting is a simple automated process.  You answer a few questions and ZCM does its thing.  You just need to make sure all devices check in before the activation date.  You will be able to check the status, so if you are getting close to the date and some devices have not finished, you can take steps to insure they do.

The remind command is found at ZCC > configuration > certificates > zone certificate authority > remint CA

--
Ken
Knowledge Partner

Create and vote for enhancements in the Idea Exchange forums within this community!
0 Likes
Highlighted
Micro Focus Expert
Micro Focus Expert

Re: ZCM certificate and ZENworks 2020 upgrade

https://www.novell.com/documentation/zenworks-2017-update-4/pdfdoc/zen_certificates/zen_certificates.pdf

See Page 15 which covers reminting the CA.  I strongly recommend reading and understanding this process.

READ THE DOC and DO NOT ASSUME the Following is a full set of instructions...

At a High Level, a "New CA" will be created but not put into use right away by your server.  A "System Update" job will be pushed out to all devices to allow them to "Trust" the new CA prior to your server making use of the new CA.  On activation date, the server will start using the new CA.  Any device that did NOT run the "System Update" will CEASE talking to the ZCM servers.  There is a "manual" stand-alone updater you can download for use to update the stray device here or there.

Again, the largest issue are customers who set it to run almost immediately and wonder why not 100% of their managed devices are no longer talking to the zone.  It is imperative that enough time is given to allow nearly all of your devices to get and process the system update.

Reading the instructions is important...Do not simply use the GUI to do this process w/o reading and understanding this process.

--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
Highlighted
Super Contributor.
Super Contributor.

Re: ZCM certificate and ZENworks 2020 upgrade

Ken and Craig:

Thank you for the reply. I have one follow-up question.

As I go forward with your recommendation, I am not sure that all the devices in the zone will be able to check-in before the certificate expires. I am with a school and my faculty is current not in the building. It looks like the devices might not be back on campus until mid August given the current pandemic and the current school year being officially done this upcoming Friday.

Any further thoughts?

Thanks.

Scott

0 Likes
Highlighted
Micro Focus Expert
Micro Focus Expert

Re: ZCM certificate and ZENworks 2020 upgrade

There is a Stand-Alone Updater Tool you will need to run on them to allow them to start talking after the Re-mint.  Since the Current CA will expire prior to August, they will stop talking regardless.

Note: There are some "Tricks" using "Logon Scripts" (OES or AD) that can deliver restore lost communications.  This is what we have had to do for customers that say "Go Live Now...Do not wait 1 second."

Clearly it is preferable to avoid needing these work-arounds, but something "CAN" be done to help address those devices.

I'd rather cover some of that off-line, since it is very unofficial.

Try and drop me an private message with your contact info.

--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
0 Likes
Highlighted
Micro Focus Frequent Contributor
Micro Focus Frequent Contributor

Re: ZCM certificate and ZENworks 2020 upgrade

Just one more thing... The standalone updater (mentioned by Craig) will be available for download from the day you initiate a remint till a week after activation. Some of our customers takes a backup of the standalone updater.. And when possible, they will send this tool through other means and get it executed on the managed devices. Once this tool completed successfully, the managed devices will start talking to the server..

0 Likes
Highlighted
Super Contributor.
Super Contributor.

Re: ZCM certificate and ZENworks 2020 upgrade

Craig:

What is the recommended way to pm you? I sent one(I think) a couple of days ago and hope I did it correctly.

Thank you for your assistance.

Scott

0 Likes
Highlighted
Knowledge Partner
Knowledge Partner

Re: ZCM certificate and ZENworks 2020 upgrade

Scott,

Most of our employees are working remotely which is why I chose 4 weeks out for my activation date.  At 3 weeks, I only had a few that had not checked in.  I have VPN software installed on all the remote PCs and I just contacted those users and made sure they connected to the VPN, refreshed ZCM and checked for updates.  I was able to see their status change within the ZCM Console.  Somehow all your devices will need to check in.  Craig is the expert though...so follow his advice.

--
Ken
Knowledge Partner

Create and vote for enhancements in the Idea Exchange forums within this community!
0 Likes
Highlighted
Super Contributor.
Super Contributor.

Re: ZCM certificate and ZENworks 2020 upgrade

Ken:

Thank you for the reply. I like having multiple options available and your solution gives me another line of thought.

Thanks.

Scott

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.