You can generate certificates for nodes on the management server, and then transfer them to the nodes manually. This avoids sending certificates over the network before secure HTTPS communication is established. For example, if you do not want to transmit certificates over the network at all, you can export them to a file on a removable disk and take the disk to the node.
Normally, the agent sends a certificate request to the management server the first time it starts. You can suppress this certificate request by setting the parameter CERTIFICATE_DEPLOYMENT_TYPE=MANUAL in the sec.cm.client namespace using the HTTPS agent installation defaults.
Run ovowcsacm on the management server to generate a certificate. The syntax for this command is:

```
ovowcsacm -issue -name <node_name> [-file <file_name>] [-coreid <OvCoreId>] [-pass <password>]
```
Specify the options as follows:

Option | Description
---|---
-issue | Specifies that you want a certificate for a node.
-name <node_name> | The primary name of the node to generate a certificate for. The node must already exist in the console.
-file <file_name> | Optional. The name of the file into which the command generates the certificates. If you omit this option, the command creates a file in the following directory: The default file name has the following format:
-coreid <OvCoreID> | Optional. The OvCoreID, which uniquely identifies the node, is used to generate the certificates. If you omit this option, the command generates an ID for the node. You must specify the OvCoreID if the node already exists in the console and the HTTPS agent is already installed on the node. To find an existing node's OvCoreID:
-pass <password> | Optional. A password that the command uses to encrypt the certificate data. You need this password when you later import the certificates on the node. If you omit this option, the command prompts you for a password.
1. Transfer to the node the file that ovowcsacm generated on the management server.

2. On nodes that run a UNIX or Linux operating system, ensure that the PATH variable contains the path to the agent commands. Type one of the following, depending on where the agent is installed, and then press Enter:

   ```
   export PATH=/opt/OV/bin:$PATH
   ```

   ```
   export PATH=/usr/lpp/OV/bin:$PATH
   ```

   ```
   export PATH=/usr/opt/OV/bin:$PATH
   ```

3. Type ovc -stop and then press Enter. This stops the agent processes on the node.

4. Use ovcert to import the certificates from the generated file. The syntax for this command is:

   ```
   ovcert -importcert -file <file_name>
   ```

   The command prompts you for the password that you specified when you generated the certificates. Type the password and press Enter. The command then notifies the management server that the certificates are installed, and the management server updates the node's certificate state.

   If the management server does not receive the notification for any reason, you must update the node's certificate state manually, as follows: type ovcoreid -set <common name field> -force and then press Enter.

   For example, for the following warning:

   ```
   WARNING: The common name field (CN) in the certificate '89aea662-b9e6-7527-148d-8a612e083f23' does not match the OvCoreId '8b2ae5c2-b99c-7527-0263-cf9a16f2aace' of the system.
   ```

   the command would be:

   ```
   ovcoreid -set 89aea662-b9e6-7527-148d-8a612e083f23 -force
   ```

5. On the node, type ovc -start and then press Enter. This restarts the agent processes.
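The node-side part of this procedure, scripted as an added example (not code from the product documentation): it selects the agent bin directory from the three paths listed above, stops the agent, imports the certificate file, and, if ovcert prints the CN/OvCoreId mismatch warning, extracts the certificate's CN and applies ovcoreid -set <CN> -force before restarting the agent. The helper names agent_bin_dir, cn_from_output and manual_import are this example's own; the ovc, ovcert and ovcoreid commands are the ones the page documents.

```shell
#!/bin/sh
# Added example: node-side manual certificate import with the documented
# fallback for a CN/OvCoreId mismatch. Helper names are this example's own.

# Print the first agent bin directory from the page's list that exists here.
agent_bin_dir() {
  for d in /opt/OV/bin /usr/lpp/OV/bin /usr/opt/OV/bin; do
    [ -d "$d" ] && { printf '%s\n' "$d"; return 0; }
  done
  return 1
}

# Given captured ovcert output, print the certificate CN from the first
# "common name field (CN) ... does not match the OvCoreId" warning, if any.
# Prints nothing when no such warning is present.
cn_from_output() {
  printf '%s\n' "$1" | sed -n \
    "s/^WARNING: The common name field (CN) in the certificate '\([0-9a-f-]*\)' does not match the OvCoreId '\([0-9a-f-]*\)' of the system\.\$/\1/p" \
    | head -n 1
}

# Steps 2 to 5 of the procedure: PATH, stop agent, import, fix state, start.
manual_import() {
  file="$1"
  bin="$(agent_bin_dir)" || { echo "agent bin directory not found" >&2; return 1; }
  PATH="$bin:$PATH"; export PATH
  ovc -stop || return 1
  # ovcert prompts for the password chosen with ovowcsacm -pass; keep its
  # output so the mismatch warning can be inspected afterwards.
  out="$(ovcert -importcert -file "$file" 2>&1)"
  printf '%s\n' "$out"
  cn="$(cn_from_output "$out")"
  if [ -n "$cn" ]; then
    # Management server was not notified: set the OvCoreId to the CN, as documented.
    ovcoreid -set "$cn" -force || return 1
  fi
  ovc -start
}
```

Run it as `manual_import /path/to/generated_file` on the node after transferring the file; it still prompts interactively for the certificate password.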