Use the obcm tool to export and import identity certificates. These steps are required if you do not accept the default Oracle Secure Backup security behavior, which is for the Certification Authority to issue signed certificates to new hosts over the network.

The observiced daemon on the administrative server acts as the Certification Authority. The CA has two responsibilities with respect to certificates: it accepts certificate signing requests from hosts within the administrative domain as part of the mkhost process, and sends signed certificates back to the requesting host.

In manual certificate provisioning mode, you run obcm export --certificate on the administrative server to export a signed certificate for the newly configured host. You must manually transfer this signed certificate to the newly configured host.

After manually transferring the certificate to the new host, run obcm import on the newly configured host to import the signed certificate into the host's wallet. In this case, obcm directly accesses the wallet of the host. After it has made changes to the local wallet, obcm notifies the local observiced so that the local observiced can re-create the obfuscated wallet.


You must have write permissions in the wallet directory, which by default is /usr/etc/ob/wallet on Linux and UNIX and C:\Program Files\Oracle\Backup\db\wallet on Windows. Note that obcm always accesses the wallet in this location. You cannot override the default location.


/etc/obcm [ export --certificate --file certificate_file --host hostname ]
[ import --file signed_certificate_file ]


export --certificate --file certificate_file --host hostname

Exports a signed identity certificate for the specified host to the specified text file.

import --file signed_request_file

Imports a signed identity certificate from the specified text file.


Example 5-6 exports a certificate for host new_client to the file new_client_cert.f. The utility is run on the administrative server.

Example 5-6 Exporting a Signed Certificate

obcm export --certificate --file /tmp/new_client_cert.f --host new_client 

Example 5-7 imports a signed identity certificate from the file client_cert.f. The utility is run on the host being added to the administrative domain.

Example 5-7 Importing a Signed Certificate

obcm import --file /tmp/new_client_cert.f