Importing a Peer Certificate

This procedure imports a certificate to a Policy Management server and enables a secure connection. It applies to certificates generated by other servers, including certificates signed by a third party or similar.

After you have exported the local certificate, to import the peer certificate (that is, the certificate you exported) to the certificate keystore of a Policy Management server:

  1. Log in to the platcfg utility using one of two methods: from the system console as root, or through an SSH remote session as admusr.
    • To access the platcfg utility from the system console:
      1. Log in as root.
      2. Enter su - platcfg.
    • To access the platcfg utility through an SSH remote session:
      1. Log in as admusr.
      2. Enter sudo su - platcfg.

    Note: The dash (-) is required in the su - platcfg or the sudo su - platcfg command to ensure proper permissions.

  2. Select Policy Configuration from the Main Menu screen and press Enter.
  3. Select SSL Key Configuration from the Policy Configuration Menu screen and press Enter.
  4. Select Configure cacerts from the Configure SSL keys Menu screen and press Enter.
  5. Select Import trusted key from the Operate keystore Menu screen and press Enter.
  6. Enter the Keystore Password, select OK, and press Enter.
  7. Enter the import location and Alias for the certificate, as set previously for the CN name, select OK, and press Enter.

    Import Certificate
    You are then presented with the certificate data for verification. Ensure that the CN name, Owner, and Issuer names in the input file match those in the previously exported file.

  8. After you have verified that the certificate data is correct, select OK and press Enter.

    When the certificate is imported, a successful import message displays.

  9. Press Enter.
  10. Select Cluster File Sync from the Policy Configuration Menu screen and press Enter.

    The imported peer certificate is synchronized to the other servers of the cluster.

  11. Select Restart Application from the Policy Configuration Menu screen and press Enter.

    The Policy Management application (the qp_procmgr process) on the active server restarts.
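
The comparison in step 7, written out as an added example (not part of the original procedure or of any product tooling). It assumes the certificate data for the exported file and for the file being imported is available as `keytool -printcert`-style text; the sample data and the function names are constructed for illustration. It goes beyond the names listed in step 7 by also comparing the serial number and SHA-256 fingerprint, because two different certificates can carry identical Owner and Issuer names.

```python
import re

# Constructed sample data in `keytool -printcert` layout (assumed format, not real certificates).
EXPORTED = """\
Owner: CN=mpe-site1.example.test, OU=Policy, O=Example, C=US
Issuer: CN=mpe-site1.example.test, OU=Policy, O=Example, C=US
Serial number: 5f3a9c21
Certificate fingerprints:
\t SHA256: 3A:7F:01:BC:9D:44:E2:10:5B:66:C8:0E:91:2D:F7:A3:3A:7F:01:BC:9D:44:E2:10:5B:66:C8:0E:91:2D:F7:A3
"""
# Same Owner and Issuer, different certificate: the case a name-only check misses.
LOOKALIKE = EXPORTED.replace("5f3a9c21", "77d0e412").replace("3A:7F:01", "C4:19:E6")

# Labels in the printcert text mapped to the field names used below.
WANTED = {"owner": "owner", "issuer": "issuer",
          "serial number": "serial", "sha256": "sha256"}

def parse_printcert(text):
    """Extract Owner, Issuer, serial, SHA-256 fingerprint and the Owner CN."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        name = WANTED.get(key.strip().lower())
        if sep and name and name not in info:
            info[name] = value.strip()
    if "sha256" in info:
        # Normalise "3a:7f:..." and "3A7F..." to one comparable form.
        info["sha256"] = info["sha256"].replace(":", "").replace(" ", "").upper()
    for dn in ("owner", "issuer"):
        if dn in info:
            # Tolerate spacing differences around the commas of a DN.
            info[dn] = re.sub(r"\s*,\s*", ",", info[dn])
    m = re.search(r"(?:^|,)CN=([^,]+)", info.get("owner", ""), re.I)
    info["cn"] = m.group(1) if m else None
    return info

def compare_certs(exported_text, import_text):
    """Return (field, exported, importing) for each field that differs or is absent."""
    a, b = parse_printcert(exported_text), parse_printcert(import_text)
    problems = []
    for field in ("cn", "owner", "issuer", "serial", "sha256"):
        if a.get(field) is None or a.get(field) != b.get(field):
            problems.append((field, a.get(field), b.get(field)))
    return problems

if __name__ == "__main__":
    for label, candidate in (("identical copy", EXPORTED), ("look-alike", LOOKALIKE)):
        diffs = compare_certs(EXPORTED, candidate)
        print(label, "->", "match" if not diffs else f"differs in {[d[0] for d in diffs]}")
```

A field that is absent from either input is reported as a difference, so a truncated listing does not pass as a match.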

Tip: You can verify that SSH keys have been fully exchanged between servers by logging in to the active CMP server as admusr and entering the following commands:
sudo su -
/opt/camiant/bin/qpSSHKeyProv.pl --check --verbose

Once certificates are exchanged, to enable an HTTPS connection to the Policy Management cluster, log on to the active CMP server, select the cluster, select the Secure Connection check box from the Policy Server tab, and click Save. You are prompted, "The configuration was applied successfully," and Secure Connection displays Yes. See the appropriate CMP User's Guide for more information.

Tip: If instead you are prompted that the Policy server is unavailable, there may be a problem with the certificates.