certificates

Command to initiate the Certificates mode and to use its subcommands.

Synopsis

list [-a|--alias alias[,alias2,...,aliasn]] [-d|--detail]
add -h|--hostname EChostname -u|--username username [-p|--pass password] [-f|--force] [-n|--port portnumber]
remove -a|--alias alias[,alias2,...,aliasn]

Description

Certificates mode allows you to view and manage the list of trusted certificates for known remote EC servers. The CLI doesn't check for certificates in local connections.

Certificates are stored in a truststore file in the user directory. When connecting to an EC remotely, the CLI verifies whether the certificate chain of the EC server is part of the trusted list. If the certificate chain is not in the trusted list, the CLI prompts you to accept the new certificate and add it to the list. If the certificate chain is not accepted, the connection fails.

Additionally, you can set your user environment to silently accept all certificates by setting the accept_all_certificates variable to true; see the Oracle Enterprise Manager Ops Center Command Line Interface guide for more information on changing the value of the variable. You can also set a single connection to silently accept all certificates by using the -a or --accept_all_certificates option with the connect command. This is especially useful for non-interactive sessions, where it is not possible to accept the certificate interactively.

To enable your scripts to connect to a remote server, you can choose from the following options:

If you reinstall your EC and CLI often, modify your scripts to add the -a or --accept_all_certificates option to the connect command so that they connect without prompting.

If you reinstall your EC often but not the CLI, you might prefer to change the new CLI preference accept_all_certificates to automatically accept certificates at all times for all servers to which it connects. You can also add the following line at the beginning of each script to add the certificate, although this command connects to the EC and then disconnects: certificates.add -h hostname -u username [-n port] -p password -f.

If you do not reinstall your EC often, you can connect to the EC interactively to accept the certificate at the user level, which adds it to the user's truststore. In this case, you need to connect to the EC interactively after each reinstall to accept its new certificates.

SubCommands

list [-a|--alias alias[,alias2, ... , aliasN]] [-d|--detail]

Displays the alias, issuer, subject, and serial number. Use the -a|--alias option to display specific aliases. Use the -d|--detail option to include attributes for each alias.

add -h|--hostname hostname -u|--username username [-p|--pass password] [-f|--force] [-n|--port port_number]

Adds a certificate to the trusted list. Use the -p|--pass option to execute the command without entering the user password interactively. Use the -f|--force option to execute the command without receiving any confirmation message, which is useful for scripts where no interaction is possible. Use the -n|--port option to specify a port number to use.

remove -a|--alias alias

Deletes a certificate from the trusted list.

Options

-a|--alias

Specifies that the subcommand acts on a specific alias.

-d|--detail

Includes the certificate's attributes in the display.

-f|--force

Option to add a certificate to the trusted list without receiving any confirmation message, useful for scripts where no interaction is possible.

-h|--hostname

Option to specify the host name of the remote Enterprise Controller server.

-n|--port

Option to add a port number to use.

-p|--pass

Option to add a password to use.

-u|--username

Option to add the user name to use.

Operands

alias

The alias of the certificate.

password

Password of the user name to establish the connection to the remote Enterprise Controller server.

port_number

Port number to establish the connection to the remote Enterprise Controller server.

username

User name to establish the connection to the remote Enterprise Controller server.

Examples

Example 1   List the current accepted certificates

xvmSh/certificates > list
       Alias        |            Issuer            |           Subject            | Serial Number |
---------------------------------------------------------------------------------------------------
root@sm-36:11172|    CN=sm-36_oem-ec_ca    |    CN=sm-36_oem-ec_ca    |   385822055
root@sm-36:11172|    CN=sm-36_oem-ec_ca    |  CN=sm-36_oem-ec_agent   |   1497938285

Example 2   To add a certificate for a server interactively

xvmSh/certificates > add -h sm-37 -u root
Enter password for authentication > ********
Untrusted certificate encountered. Create an exception to accept it at each connection? [Display/Yes/No] y
Certificate chain added for root@sm-37:11172

Example 3   Delete an accepted certificate

xvmSh/certificates > remove -a root@sm-37:11172
xvmSh/certificates>
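
One way to review the trusted list after scripts have used -f or accept_all_certificates, as an added example that is not part of the Ops Center documentation: the Python below parses text in the table format printed by list in Example 1 and compares it with a pinned set. LIST_OUTPUT (including the invented sm-99 row), PINNED, and the function names are constructed for illustration, and capturing the list output to text is assumed to be done separately.

```python
# Audit text printed by the "list" subcommand against pinned certificates.
# LIST_OUTPUT is constructed sample input modelled on Example 1;
# the sm-99 row is invented to show an entry nobody reviewed.
LIST_OUTPUT = """\
       Alias        |            Issuer            |           Subject            | Serial Number |
---------------------------------------------------------------------------------------------------
root@sm-36:11172|    CN=sm-36_oem-ec_ca    |    CN=sm-36_oem-ec_ca    |   385822055
root@sm-36:11172|    CN=sm-36_oem-ec_ca    |  CN=sm-36_oem-ec_agent   |   1497938285
root@sm-99:11172|    CN=sm-99_oem-ec_ca    |    CN=sm-99_oem-ec_ca    |   123456789
"""

# Hypothetical pin set: (alias, subject, serial) triples recorded when the
# certificates were accepted interactively.
PINNED = {
    ("root@sm-36:11172", "CN=sm-36_oem-ec_ca", "385822055"),
    ("root@sm-36:11172", "CN=sm-36_oem-ec_agent", "1497938285"),
}


def parse_list_output(text):
    """Return one dict per certificate row; an alias repeats for each chain entry."""
    rows = []
    for line in text.splitlines():
        # The header ends with "|" but data rows do not, so drop a trailing pipe.
        fields = [f.strip() for f in line.strip().rstrip("|").split("|")]
        # Skip blank lines, the dashed separator (no pipes) and the header row.
        if len(fields) != 4 or fields[0] == "Alias":
            continue
        rows.append(dict(zip(("alias", "issuer", "subject", "serial"), fields)))
    return rows


def audit(rows, pinned):
    """Return (unexpected, missing): entries not pinned, and pins not listed."""
    seen = {(r["alias"], r["subject"], r["serial"]) for r in rows}
    return sorted(seen - pinned), sorted(pinned - seen)


if __name__ == "__main__":
    unexpected, missing = audit(parse_list_output(LIST_OUTPUT), PINNED)
    for alias, subject, serial in unexpected:
        print(f"UNEXPECTED {alias} {subject} serial={serial}")
    for alias, subject, serial in missing:
        print(f"MISSING    {alias} {subject} serial={serial}")
```

An unexpected alias found this way can be deleted with remove -a, as in Example 3.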