Deploy certificates manually


You can generate certificates for nodes on the management server, and then transfer them to the nodes manually. This avoids sending certificates over the network before fully secure HTTPS communication is established. For example, if you do not want to transmit certificates over the network at all, you can export them to a file on a disk and carry the disk to the node.

Normally, the agent sends a certificate request to the management server the first time it starts. You can suppress this certificate request by setting the parameter CERTIFICATE_DEPLOYMENT_TYPE=MANUAL in the sec.cm.client namespace using the HTTPS agent installation defaults.

To deploy certificates manually

  1. Log in to the management server with an account that is a member of the HPOM administrators group. Open a command prompt.
  2. Use ovowcsacm to generate a certificate. The syntax for this command is:

    ovowcsacm -issue -name <node_name> [-file <file_name>] [-coreid <OvCoreId>] [-pass <password>]

    Specify the options as follows:

    -issue
        Specifies that you want a certificate for a node.

    -name <node_name>
        The primary name of the node to generate a certificate for. The node must already exist in the console.

    -file <file_name>
        Optional. The name of the file into which the command generates the certificates. If you omit this option, the command creates a file in the following directory:

            %OvShareDir%server\certificates

        The default file name has the following format:

            <node_name>-<OvCoreId>.p12

    -coreid <OvCoreID>
        Optional. The OvCoreID, which uniquely identifies the node, is used to generate the certificates. If you omit this option, the command generates an ID for the node.

        You need to specify the OvCoreID if the node currently exists in the console, and the HTTPS agent is already installed on the node. To find an existing node's OvCoreID:

        1. In the console tree, right-click the node, and then click Properties. The node properties dialog appears.
        2. In the General tab, click Advanced Configuration. The Advanced Configuration dialog appears, which shows the ID that you need.

    -pass <password>
        Optional. A password that the command uses to encrypt the certificate data. You need this password when you later import the certificates on the node. If you omit this option, the command prompts you for a password.
  3. If the HTTPS agent is not already installed on the node, install it. If you manually install the agent, use a profile. This ensures that the agent uses the same OvCoreID that ovowcsacm generated on the management server.
  4. Log in to the node with the same account used to install the node. Open a command or shell prompt.
  5. Securely transfer the generated file to the node.
  6. On nodes that run a UNIX or Linux operating system, ensure that the PATH variable contains the path to the agent commands.

  7. If the agent is running on the node, type ovc -stop and then press Enter. This stops the agent processes on the node.
  8. Use ovcert to import the certificates from the generated file. The syntax for this command is:

    ovcert -importcert -file <file_name>

    The command prompts you for the password that you specified when you generated the certificates. Type the password and press Enter. The command then notifies the management server that the certificates are installed and the management server updates the node's certificate state.

    If the management server does not receive the notification for any reason, you must update the node's certificate state manually, as follows:

    1. In the console-tree, right-click the node, and then click Properties. The Node properties dialog appears.
    2. In the General tab, click Advanced Configuration. The Advanced Configuration dialog appears.
    3. Select the Modify Certificate State check box, and then select Installed in the list of certificate states.
    4. Click OK.
    NOTE:
    If the node's OvCoreID does not match the OvCoreID in the certificate, you see a warning on the node that the common name field in the certificate does not match the OvCoreID of the system. If the node is new (you are not reinstalling or migrating the agent on an existing node), you can change the node's OvCoreID as follows:
    1. Copy the certificate's common name field from the warning.
    2. Type ovcoreid -set <common name field> -force and then press Enter.

    For example, for the following warning:

    WARNING: The common name field (CN) in the certificate
             '89aea662-b9e6-7527-148d-8a612e083f23' does not match the OvCoreId
             '8b2ae5c2-b99c-7527-0263-cf9a16f2aace' of the system.

    the command would be:

    ovcoreid -set 89aea662-b9e6-7527-148d-8a612e083f23 -force

  9. On the node, type ovc -start and then press Enter. This restarts the agent processes.

  10. Securely delete any copies of the file that contains the certificates. Depending on how you generate and transfer the file, you may, for example, have copies in the following locations:
  11. Optional. If you enabled automatic policy deployment for the node, the policy deployment jobs may have failed before you installed the certificate. To restart a failed job:
    1. In the console tree, expand Policy management > Deployment jobs.
    2. Right-click the failed job, and then click All Tasks > Restart job.
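The node-side steps (7 to 10) together with the OvCoreId mismatch handling from the note, as an added example script that is not part of the HPOM documentation. It assumes that the mismatch warning appears in the output of ovcert -importcert and that shred is available on the node; the corrective ovcoreid command is only printed for the operator, never run automatically, because the note permits it on new nodes only.

```shell
#!/bin/sh
# Added example (not from the HPOM documentation): node-side import of a
# manually generated certificate file (steps 7 to 10 above).
# Assumptions not stated on the page: the OvCoreId mismatch warning is printed
# in the output of the import command, and shred(1) exists for the secure delete.

# Constructed sample of the warning quoted in the note above (same IDs).
SAMPLE_WARNING="WARNING: The common name field (CN) in the certificate
         '89aea662-b9e6-7527-148d-8a612e083f23' does not match the OvCoreId
         '8b2ae5c2-b99c-7527-0263-cf9a16f2aace' of the system."

# Extract the certificate CN and the node's current OvCoreId from warning text.
# Prints "<cn> <system_ovcoreid>" on one line, or nothing if there is no warning.
parse_mismatch_warning() {
    printf '%s\n' "$1" | tr '\n\t' '  ' | sed -n \
        "s/.*certificate *'\([0-9a-f-]*\)' does not match the OvCoreId *'\([0-9a-f-]*\)' of the system.*/\1 \2/p"
}

# Build the corrective command from the note, only when the two IDs really differ.
# It is returned as text for the operator: the note allows the change only on a
# new node, which a script cannot decide safely.
mismatch_fix_command() {
    set -- $(parse_mismatch_warning "$1")
    if [ $# -eq 2 ] && [ "$1" != "$2" ]; then
        printf 'ovcoreid -set %s -force\n' "$1"
    fi
}

# Steps 7 to 10 on a UNIX/Linux node. $1 is the transferred <node_name>-<OvCoreId>.p12 file.
deploy_node_cert() {
    log=$(mktemp) || return 1
    ovc -stop || return 1                                  # step 7: stop agent processes
    ovcert -importcert -file "$1" 2>&1 | tee "$log"        # step 8: prompts for the password
    fix=$(mismatch_fix_command "$(cat "$log")")
    if [ -n "$fix" ]; then
        echo "OvCoreId mismatch: on a NEW node only, run: $fix" >&2
    fi
    ovc -start                                             # step 9: restart agent processes
    shred -u "$1" "$log"                                   # step 10: securely delete copies
}
```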
