Softpanorama


Certificates management


Note: HP has renamed the product now called HP Operations Manager far too many times, and it is also very inconsistent in its use of abbreviations. Here we assume that the term "HP Operations Manager" and the abbreviations HPOM, OMU, and OVO all mean the same thing :-)

Security of HTTPS communication is achieved by using certificates which results in some new steps being required to install HTTPS agents.

There are two types of certificates:

A root certificate is a self-signed certificate, containing the identity of the certification authority of the certificate server. The private key belonging to the root certificate is stored on the certificate server system and protected from unauthorized access. The certification authority uses its root certificate to digitally sign all certificates.

Every HTTPS managed node in the managed environment receives a managed node certificate issued by a certificate server, a corresponding private key stored in the file system and the root certificates valid in its environment. The certificate client running on the managed node ensures this.

NOTE A managed node certificate contains the unique identity called CoreId. The following is an example of a CoreId:

d498f286-aa97-4a31-b5c3-806e384fcf6e

Each managed node can be securely authenticated through its managed node certificate. The managed node certificate can be verified by all other managed nodes in the environment using the root certificate(s) to verify the signature.

Managed node certificates are used to establish SSL-based connections between two HTTPS managed nodes that use client and server authentication, and can be configured to encrypt all communication.

The ovcert tool provided by the certificate client can be used to list the contents of the Key Store or to show information about an installed certificate. The ovcert tool is described in the ovcert man page.

The steps that you must complete are:

1. Install the HTTPS agent software on the managed node by using the inst.sh script. The node automatically sends a certificate request to the certificate server which is automatically granted. If auto-grant is disabled, the next two steps are also required.

2. The ovcm -listpending command displays the IDs of the pending certificate requests. To list detailed information on every pending request, use the -l option:

ovcm -listpending [-l]

For more information, see the ovcm man page.

3. To grant the certificate requests to the nodes, enter the following command:

ovcm -grant <requid>

The nodes for which certificates have been granted are added to the Holding Area (default) or to the configured layout group, as specified in the configuration setting OPC_CSA_LAYOUT_GROUP in the namespace opc.

To see whether there are problems with the certificate on a node, use the following commands:

# ./ovcert -check

OvCoreId set : OK
Private key installed : OK
Certificate installed : OK
Certificate valid : OK
Trusted certificates installed : OK
Trusted certificates valid : OK

Check succeeded.
# ./ovcert -status
Status: Certificate is installed.
# ./ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
| 05e16832-e3be-7544-1c8b-edc0897fbaed (*) |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_8bc222aa-c9f8-7517-1fc6-fc9461409f3e |
+---------------------------------------------------------+

Certificate Installation Tips

If an agent is installed before it is added to the HP Operations management server node bank, a certificate request is issued from the node, but it remains in the list of pending certificate requests listed by using the ovcm -listpending command, because it cannot be automatically mapped to any node from the node bank.

When a node is uploaded or added by using the command line tool, it is added to the Holding Area. Certificate requests are then automatically mapped to that node, but they are not granted. An administrator must manually grant the certificate requests as required.

When a certificate request is granted, the certificate server signs the certificate and sends it to the certificate client. The certificate client now installs the certificate on the node.

NOTE Remote certificate deployment type can be used during manual agent installation.

After the certificate is installed on the node, either by using remote certificate deployment or by manually importing the certificate to the node, the certificate client notifies the certificate server that the certificate has been successfully installed. The certificate server notifies the certificate server adapter and certificate server adapter then sets the Node Certificate State in the database to Installed. For more detailed information about handling certificates, refer to


When installing the agent on the managed node, you can set the Automatically update system resource files option to yes. If you set this option for a Windows node, the ovcdcontrol service is registered with start-up type Automatic, and the agent starts automatically after a reboot. If you do not set this option, the ovcd service is registered with start-up type Manual. In this case, you must manually start the agent after each reboot.

If you have a certificate related problem, verify that the ovcoreid for the node matches the one that is listed when you do opcnode -list_id on the server.

ovc -status

Check if the right certificate server is listed and there is no typo:

ovconfget sec.cm.client

Now check if the certificate server is running on the management server:

ovc -status ovcs

Can you do a bbcutil -ping, and from the node a bbcutil -ping? Are you using the default port 383 for HTTPS communication? What is the output of ovconfget?

ovconfget
sh: ovconfget: not found.
ux233:/> /opt/OV/bin/ovconfget
[agtrep]
ACTION_TIMEOUT=3
INSTANCE_DELETION_THRESHOLD=5

[bbc.cb]
LOCAL_CONTROL_ONLY=true
LOCAL_INFO_ONLY=false
REQUEST_TIMEOUT=1
RESTRICT_REG=false
SSL_REQUIRED=true

[bbc.fx]
FX_MAX_RETRIES=3

[bbc.http]
LOCAL_INFO_ONLY=false
LOG_SERVER_ACCESS=false
MAX_CONNECTIONS=0
SERVER_PORT=0

[bbc.snf]
MAX_FILE_BUFFER_SIZE=0

[coda]
SSL_SECURITY=NONE

[coda.comm]
LOG_SERVER_ACCESS=false
SERVER_BIND_ADDR=localhost
SERVER_PORT=0

[conf.cluster]
CLUSTER_TYPE=MC/ServiceGuard (MC/SG)
MONITOR_MODE=TRUE
POLLING_INTERVAL=10000

[conf.cluster.RGState.MCSG]
down=offline
halting=unknown
starting=unknown
unknown=unknown
up=online

[conf.cluster.RGState.MSCS]
ClusterGroupFailed=offline
ClusterGroupOffline=offline
ClusterGroupOnline=online
ClusterGroupPartialOnline=offline
ClusterGroupStateUnknown=unknown

[conf.cluster.RGState.RHAS]
started=online

[conf.cluster.RGState.SC]
ERROR_STOP_FAILED=unknown
OFFLINE=offline
ONLINE=online
PENDING_OFFLINE=unknown
PENDING_ONLINE=unknown
UNMANAGED=unknown

[conf.cluster.RGState.VCS]
OFFLINE=offline
ONLINE=online
_OFFLINE_=offline
_ONLINE_=online
_PARTIAL_=unknown
_UNKNOWN_=unknown

[conf.core]
ASYNC_CONTROL_NOTIFY=false
CACHE_CONFIGSETTINGS_POLICIES=true
FORMAT_POLICY_LIST=false
MERGED_POLICY_LIST_FILENAME=ov_policies.txt

[conf.server]
AUDIT_LOGGING=false
AUDIT_LOG_MODE=ALL
LOCATE_SERVER=5
NOMULTIPLEPOLICIES=mgrconf,msgforwarding,servermsi,ras
PING_SERVER=15
WAIT_TIME=3

[ctrl]
RUN_PROFILE=false
START_ON_BOOT=true

[ctrl.ovcd]
ACTION_TIMEOUT=60
KILL_TIMEOUT=15
MONITOR_CHECK_INTERVAL=2000
PROCESS_TIMEOUT=120

[ctrl.sudo]
OV_SUDO=""

[depl]
CMD_TIMEOUT=600000
DEPLOY_MECHANISMS=ssh

[depl.bootstrap]
BUNDLE_DIR=/var/opt/OV/share/databases/OpC/mgd_node/vendor
BUNDLE_NAME=OVO-Client
BUNDLE_VERSION=A.08.10.160

[depl.mechanisms.ssh]
COPY=scp @:
EXEC=ssh -q -2 @

[eaagt]
OPC_BUFLIMIT_SEVERITY=major
OPC_BUFLIMIT_SIZE=10000
OPC_HBP_INTERVAL_ON_AGENT=-1
OPC_INSTALLATION_TIME=Tue Nov 16 11:41:15 EST 2010
OPC_INSTALLED_VERSION=08.60.501
OPC_IP_ADDRESS=10.201.13.233
OPC_NODENAME=ux233.datacenter.firma-corp.com
OPC_NODE_CHARSET=utf8

[eaagt.lic.data]
ovoagt=1
remedyspi=0

[eaagt.sysdata]
agtbits=32
cpu=2
cputype=pa-risc
osbits=64
osfamily=unix
osname=HP-UX
ostype=HP-UX
osvendor=Hewlett-Packard
osversion=11.11
timestamp=Tue Jan 11 18:24:04 2011

[sec.cm.certificates]
CERT_INSTALLED=TRUE
LAST_CERT_UPDATE=Tue Nov 16 12:48:16 2010
LAST_TRUSTED_CERT_UPDATE=Tue Nov 16 12:48:16 2010

[sec.cm.client]
CERTIFICATE_SERVER=ux106.datacenter.firma-corp.com

[sec.core]
CORE_ID=995d3cce-85fe-754b-185b-be17ec894222

[sec.core.auth]
MANAGER=ux106.datacenter.firma-corp.com
MANAGER_ID=2803e98c-ab44-754a-03ce-fa8f18be5787

[sec.core.auth.mapping.actionallow]
conf=80
ctrl=4
depl=1280
eaagt.actr=1

[sec.core.auth.mapping.manager]
conf=511
ctrl=15
depl=2047
eaagt.actr=1

[sec.core.auth.mapping.secondary]
conf=511
ctrl=15
depl=2047
eaagt.actr=1

[xpl.log]
addlocales=none
apSpecifcUseParent=true
handlers=none
logparent=false

[xpl.log.OvLogFileHandler]
filecount=10
filesize=1

[xpl.trc.server]
IsBindAny=YES
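The checklist above can be turned into a script. The following is an added example (not code from this page or from HP) that parses ovconfget and ovcert -check output and reports the usual findings: CoreId mismatch against the value from opcnode -list_id, a missing or mistyped certificate server, a certificate that is not installed, and a non-default port. It assumes ovconfget prints a [namespace] header followed by one KEY=VALUE line per setting, and that SERVER_PORT=0 means the default port 383.

```python
# Added example (not HP's code): parse ovconfget / ovcert -check output and
# apply the certificate troubleshooting checklist. Assumes ovconfget prints a
# "[namespace]" header followed by one KEY=VALUE line per setting.
import re
from typing import Dict, List, Optional

# Constructed sample with the values from the dump above.
SAMPLE_OVCONFGET = """\
[bbc.http]
SERVER_PORT=0
[sec.cm.certificates]
CERT_INSTALLED=TRUE
[sec.cm.client]
CERTIFICATE_SERVER=ux106.datacenter.firma-corp.com
[sec.core]
CORE_ID=995d3cce-85fe-754b-185b-be17ec894222
[sec.core.auth]
MANAGER=ux106.datacenter.firma-corp.com
MANAGER_ID=2803e98c-ab44-754a-03ce-fa8f18be5787
"""
# Constructed sample of `ovcert -check` output with one failing item.
SAMPLE_OVCERT_CHECK = "OvCoreId set : OK\nPrivate key installed : OK\nCertificate installed : FAILED\n"
# CoreId layout as shown on this page: 8-4-4-4-12 lowercase hex groups.
CORE_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_ovconfget(text: str) -> Dict[str, Dict[str, str]]:
    """Return {namespace: {key: value}} from ovconfget-style text."""
    cfg: Dict[str, Dict[str, str]] = {}
    ns: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            ns = line[1:-1]
            cfg.setdefault(ns, {})
        elif ns is not None and "=" in line:
            key, _, value = line.partition("=")
            cfg[ns][key.strip()] = value.strip()
    return cfg


def failed_checks(check_output: str) -> List[str]:
    """Names of the `ovcert -check` items that did not report OK."""
    failed = []
    for line in check_output.splitlines():
        name, sep, status = line.rpartition(":")
        if sep and status.strip() != "OK":
            failed.append(name.strip())
    return failed


def check_certificate_config(cfg: Dict[str, Dict[str, str]],
                             server_core_id: Optional[str] = None) -> List[str]:
    """Apply the checklist: CoreId, certificate server, installed flag, port.
    server_core_id is the value the management server reports for this node."""
    findings: List[str] = []
    core_id = cfg.get("sec.core", {}).get("CORE_ID", "")
    cert_server = cfg.get("sec.cm.client", {}).get("CERTIFICATE_SERVER", "")
    manager = cfg.get("sec.core.auth", {}).get("MANAGER", "")
    if not CORE_ID_RE.match(core_id):
        findings.append("sec.core CORE_ID is missing or malformed")
    elif server_core_id and core_id != server_core_id:
        findings.append("CoreId mismatch: node %s, server %s" % (core_id, server_core_id))
    if not cert_server:
        findings.append("certificate server is not set (sec.cm.client)")
    elif manager and cert_server.lower() != manager.lower():
        findings.append("certificate server %s differs from manager %s (typo?)" % (cert_server, manager))
    if cfg.get("sec.cm.certificates", {}).get("CERT_INSTALLED", "").upper() != "TRUE":
        findings.append("CERT_INSTALLED is not TRUE: no certificate installed on the node")
    # Assumption: SERVER_PORT=0 means the default HTTPS port 383 is used.
    port = cfg.get("bbc.http", {}).get("SERVER_PORT", "0")
    if port not in ("0", "383"):
        findings.append("bbc.http SERVER_PORT=%s is not the default 383" % port)
    return findings
```

On a real node the two samples would be replaced by the output of /opt/OV/bin/ovconfget and /opt/OV/bin/ovcert -check, and server_core_id by the value from opcnode -list_id.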
[Nov 11, 2010] How to remove and recreate all certificates in HPOM

October 8, 2010 | HP OpenView

This procedure is very long and involves manual steps on all agents and redeployment of policies to all agents. It should only be used in last resort when no other option is available. For instance, this procedure may be considered if the private key of the certificate authority has been lost or compromised.

This procedure consists of several subprocedures:
Remove all certificates on the management server
Recreate the trusted certificate on the management server
Recreate the server and node certificate on the management server
Backup the certificates and private keys on the management server
Prepare the management server for certificate and policy deployment
Redeploy policies to the management server
Redeploy policies to the agent on the management server
Recreate the certificates and redeploy policies on all the agents
These subprocedures are designed to be run in sequence. It is not safe to jump directly to a subprocedure until you have completed all previous subprocedures. Once you have started with the first subprocedure, you must complete all subprocedures to recover a fully operational OVO setup.

Remove all certificates on the management server
All steps in this subprocess should be taken on the management server.

If the OVO management server runs on a cluster as a package or resource group, first put the package or resource group into maintenance mode so that it does not switch to another node.

Stop all OVO management server, agent and L-core processes:

mgmtsv# ovstop opc ovoacomm
mgmtsv# ovc -kill
mgmtsv# ps -ef | grep ov
mgmtsv# ps -ef | grep opc
mgmtsv# ps -ef | grep coda

Ensure that all OVO and L-core processes have stopped. It is quite common that some processes will not stop or that "ovc" will report an error. This is because some processes communicate locally through HTTPS, and you are currently resolving a problem with certificates that may adversely affect HTTPS communication. You will have to kill these processes manually. Use "kill -9" if necessary.

Now remove all certificates on the management server:

OV Certificates Cookbook Version 1.0
Chapter 4 How to remove and recreate all certificates

NOTE: after taking the following steps the OVO setup will not be fully operational until you proceed with all steps up to and including Recreate the certificates and redeploy policies on all the agents, which implies manual steps on all agents and redeployment of policies to all agents.

mgmtsv# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
| dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 |
+---------------------------------------------------------+
+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
| dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+

mgmtsv# ovcert -remove dcd0c94c-cb7d-7506-079a-9cc1b0282993
* Do you really want to remove the certificate with alias
'dcd0c94c-cb7d-7506-079a-9cc1b0282993' (yes(y)/no(n))? y
INFO: Certificate has been successfully removed.
mgmtsv# ovcert -remove CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993
* Do you really want to remove the certificate with alias
'CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993' (yes(y)/no(n))? y
INFO: Certificate has been successfully removed.
mgmtsv# ovcert -remove dcd0c94c-cb7d-7506-079a-9cc1b0282993 -ovrg server
* Do you really want to remove the certificate with alias
'dcd0c94c-cb7d-7506-079a-9cc1b0282993' (yes(y)/no(n))? y
INFO: Certificate has been successfully removed.
mgmtsv# ovcert -remove CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 -ovrg server
* Do you really want to remove the certificate with alias
'CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993' (yes(y)/no(n))? y
INFO: Certificate has been successfully removed.


You should now see the following:

mgmtsv# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
+---------------------------------------------------------+
+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
+---------------------------------------------------------+


You must now proceed with step Recreate the trusted certificate on the management server.

4.2 Recreate the trusted certificate on the management server

All steps in this subprocess should be taken on the management server.

Since all generated certificates must be signed by the certificate authority, as a first step we must recreate the trusted certificate, also referred to as the root certificate or the CA certificate.

To recreate the trusted certificate on the server:
mgmtsv# ovcm -newcacert
INFO: Generating a new CA key pair...
INFO: Installing...
INFO: Installation was successful.
You should now see the following:
mgmtsv# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
+---------------------------------------------------------+
+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+
Now you can export the trusted certificate from the server side and import it on the node side:
mgmtsv# ovcert -exporttrusted -file /tmp/trustedcertif -ovrg server
INFO: Trusted certificates have been successfully exported to file '/tmp/trustedcertif'.
mgmtsv# ovcert -importtrusted -file /tmp/trustedcertif
INFO: Import operation was successful.
You should now see the following:
mgmtsv# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 |
+---------------------------------------------------------+
+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+
You must now proceed with step Recreate the server and node certificate on the management server.

Recreate the server and node certificate on the management server

All steps in this subprocess should be taken on the management server, but they depend on whether the OVO management server runs standalone or as a package or resource group on a cluster.


IF the OVO management server runs on a cluster as a package or resource group


Issue and import a new server certificate:
mgmtsv# ovcm -issue -file /tmp/certif -name $(hostname package/virtual node) -pass mypwd -coreid $(ovcoreid -ovrg server)
INFO: Issued certificate was written to file '/tmp/certif'.
mgmtsv# ovcert -importcert -file /tmp/certif -pass mypwd -ovrg server
INFO: Import operation was successful.
mgmtsv# rm /tmp/certif
Issue and import a new node certificate:
mgmtsv# ovcm -issue -file /tmp/certif -name $(hostname active cluster node) -pass mypwd -coreid $(ovcoreid)
INFO: Issued certificate was written to file '/tmp/certif'.
mgmtsv# ovcert -importcert -file /tmp/certif -pass mypwd
INFO: Import operation was successful.
mgmtsv# rm /tmp/certif
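The removal step and every "You should now see" check in this procedure are driven by the keystore table that ovcert -list prints. The following is an added example (not part of the cookbook) that parses that table for the default keystore and any OVRG keystore, derives the ovcert -remove commands the removal step needs (with -ovrg where required), and reports which keystores are still missing a certificate or a trusted CA certificate; the sample listing is constructed from the one at the start of the procedure.

```python
# Added example (not part of the OV Certificates Cookbook): parse the keystore
# table printed by `ovcert -list`, derive the removal commands and check the
# intermediate "You should now see" states instead of eyeballing them.
import re
from typing import Dict, List, Tuple

# Constructed sample in the same layout as the listing at the start of the
# procedure (default keystore plus the OVRG "server" keystore).
SAMPLE_LISTING = """\
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
| dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 |
+---------------------------------------------------------+
+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
| dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+
"""

OVRG_RE = re.compile(r"Keystore Content(?: \(OVRG: (\S+)\))?$")
Entry = Tuple[str, bool]            # (alias, marked "(*)" as the active one)
Keystore = Dict[str, List[Entry]]   # {"certificates": [...], "trusted": [...]}


def parse_ovcert_list(text: str) -> Dict[str, Keystore]:
    """Return {keystore: {"certificates": [...], "trusted": [...]}}; the
    default keystore is called "default", OVRG keystores use the OVRG name."""
    stores: Dict[str, Keystore] = {}
    store: Keystore = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue                 # "+----+" border lines
        cell = line.strip("|").strip()
        m = OVRG_RE.match(cell)
        if m:
            store = {"certificates": [], "trusted": []}
            stores[m.group(1) or "default"] = store
        elif cell == "Certificates:":
            section = "certificates"
        elif cell == "Trusted Certificates:":
            section = "trusted"
        elif cell and section:
            store[section].append((cell.split()[0], "(*)" in cell))
    return stores


def removal_commands(stores: Dict[str, Keystore]) -> List[str]:
    """The ovcert -remove commands that empty every keystore (with -ovrg
    for OVRG keystores), in the order the cookbook runs them."""
    cmds = []
    for name, store in stores.items():
        suffix = "" if name == "default" else " -ovrg " + name
        for section in ("certificates", "trusted"):
            for alias, _ in store[section]:
                cmds.append("ovcert -remove %s%s" % (alias, suffix))
    return cmds


def incomplete_keystores(stores: Dict[str, Keystore]) -> List[str]:
    """Keystores still missing a certificate or a trusted CA certificate."""
    findings = []
    for name, store in stores.items():
        if not store["certificates"]:
            findings.append(name + ": no node/server certificate")
        if not store["trusted"]:
            findings.append(name + ": no trusted (CA) certificate")
    return findings
```

Running incomplete_keystores on the listing taken after each subprocedure shows how far the recovery has progressed; it is empty again only once both keystores hold a certificate and the new CA certificate.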

Recommended Links

OV Certificates Cookbook 1.0


