Bulk Certificate Exchange

Before beginning this procedure, you must have created self-signed certificates (see Creating a Self-signed Certificate).

This procedure imports certificates from multiple MPE and MRA clusters and enables a secure connection. Use this procedure in place of the procedures Exporting a Local Certificate to a Policy Management Server and Importing a Peer Certificate to save time when exchanging certificates in a large Policy Management network.

You cannot use this procedure for connections between a Network Configuration Management Platform (NW-CMP) system and a System Configuration Management Platform (S-CMP) system.

From the primary site active CMP or S-CMP server:

  1. Log in as admusr.
  2. Enter sudo su -.
  3. To exchange SSH keys between the CMP system and MPE and MRA servers, enter /opt/camiant/bin/qpSSHKeyProv.pl --prov --relax.

    The argument --relax causes SSH keys to be provisioned from MPE and MRA systems to the CMP system.

  4. Enter /opt/camiant/bin/qpRunInTopo.py --cmd="sslKeyUtil --exportToCmp --target=active_cmp_addr" --pool-size=1 --prod=mpe,mra --ha-role=Active [--show].

    The optional argument --show displays execution details.

    The utility sslKeyUtil executes on the active server of each MPE and MRA cluster. It exports the certificate from the local keystore to a local file; copies the file to the specified CMP server; and imports the file into the certificate keystore on the CMP server.

  5. Synchronize the certificates across the other servers in the CMP cluster. For more information, see Synchronizing Cluster Files.

Example

This example shows a successful execution of qpRunInTopo.py. The certificate file mpe-a.cer is imported from the MPE server mpe01 to the active CMP server at IP address nn.nn.nn.nn.

# /opt/camiant/bin/qpRunInTopo.py --cmd="sslKeyUtil --exportToCmp --target=nn.nn.nn.nn" --pool-size=1 --prod=mpe,mra --ha-role=Active --show
Command will be run on following servers:
["mpe01"]
Continue? [yes|no]: yes
[   {   'errput': 'FIPS integrity verification test failed.\r\nCertificate stored in file </tmp/mpe01_mpe-a.cer>\n',
        'id': 'admusr@mpe01: sslKeyUtil --exportToCmp --target=nn.nn.nn.nn',
        'output': 'Export to cmp\n\Going to export key mpe-a\n\Importing to cacerts.jks in target nn.nn.nn.nn\nSSHRun returns 0\n',
        'ret_code': 0}]
=======================================
Suceeded.
# 
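When the bulk run covers many clusters, the per-server result block shown above is the record to audit: one entry per server, each with its own ret_code and remote stderr. The script below is an added example, not a Policy Management utility; it parses that block from a saved transcript and gives each announced server a verdict. The transcript is constructed, and the assumption is that qpRunInTopo.py prints the results as a Python literal (list of dicts), as in the example above.

```python
import ast
import re

# Constructed transcript modelled on the qpRunInTopo.py output shown above; the mpe01
# record mirrors the page's record, the other entries are invented to exercise each verdict.
SAMPLE_OUTPUT = """Command will be run on following servers:
["mpe01", "mpe02", "mra01", "mra02"]
Continue? [yes|no]: yes
[   {   'errput': 'FIPS integrity verification test failed.\\r\\nCertificate stored in file </tmp/mpe01_mpe-a.cer>\\n',
        'id': 'admusr@mpe01: sslKeyUtil --exportToCmp --target=nn.nn.nn.nn',
        'output': 'Export to cmp\\nGoing to export key mpe-a\\nImporting to cacerts.jks in target nn.nn.nn.nn\\nSSHRun returns 0\\n',
        'ret_code': 0},
    {   'errput': 'Certificate stored in file </tmp/mpe02_mpe-b.cer>\\n',
        'id': 'admusr@mpe02: sslKeyUtil --exportToCmp --target=nn.nn.nn.nn',
        'output': 'Export to cmp\\nGoing to export key mpe-b\\nImporting to cacerts.jks in target nn.nn.nn.nn\\nSSHRun returns 0\\n',
        'ret_code': 0},
    {   'errput': 'ssh: connect to host nn.nn.nn.nn port 22: Connection refused\\n',
        'id': 'admusr@mra01: sslKeyUtil --exportToCmp --target=nn.nn.nn.nn',
        'output': 'Export to cmp\\nGoing to export key mra-a\\n',
        'ret_code': 255}]
"""

def parse_run(text):
    """Return (announced servers, result records) from a saved qpRunInTopo.py transcript.
    Assumes the result block is a Python literal; ast.literal_eval reads it without executing code."""
    header = re.search(r'^Command will be run on following servers:\n(\[.*?\])$', text, re.M)
    announced = ast.literal_eval(header.group(1)) if header else []
    start = re.search(r'^\[\s*\{', text, re.M)  # first line that opens the list of dicts
    end = text.rfind('}]')
    if not start or end < 0:
        raise ValueError('no result list found in transcript')
    return announced, ast.literal_eval(text[start.start():end + 2])

def audit(text):
    """Map server -> 'failed' (non-zero ret_code), 'review' (ret_code 0 but remote stderr
    mentions a failure or error), 'missing' (announced but no record) or 'ok'."""
    announced, records = parse_run(text)
    verdicts = {}
    for rec in records:
        host = re.search(r'@([^:\s]+):', rec['id'])  # 'admusr@mpe01: ...' -> 'mpe01'
        server = host.group(1) if host else rec['id']
        if rec['ret_code'] != 0:
            verdicts[server] = 'failed'
        elif re.search(r'fail|error', rec['errput'], re.I):
            verdicts[server] = 'review'
        else:
            verdicts[server] = 'ok'
    for server in announced:
        verdicts.setdefault(server, 'missing')
    return verdicts
```

Servers marked failed or missing need the export repeated before step 5; a review verdict means the exchange returned 0 but the remote stderr should be read before trusting the imported certificate.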

Once certificates are exchanged, to enable an HTTPS connection, log on to the active CMP server, select the Policy Management cluster, and select the Secure Connections check box, located on the Policy Server tab. See the appropriate CMP User's Guide for more information.