About Establishing a Secure Connection Between a CMP System and a Policy Management Server

To establish a secure connection between a CMP system and a Policy Management server, both the CMP system and the Policy Management server must exchange certificates.
Exchanging Certificates
The figure shows how the SSL certificates are shared between the clusters. The exchange proceeds as follows:
  1. The CMP system creates a local certificate and exports the certificate to the Policy Management server.
  2. The Policy Management server imports the peer certificate (local certificate created by the CMP system) into its trust store.
  3. The Policy Management server creates a local certificate and exports the certificate to the CMP system.
  4. The CMP system imports the peer certificate (local certificate created by the Policy Management server) into its trust store.
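The four steps above, as an added Go example that is not Oracle's code: each cluster creates a self-signed local certificate (steps 1 and 3) and the peer imports it into its own trust store (steps 2 and 4); a certificate is only accepted by a side that has imported it. The cluster names and the single-certificate trust stores are assumptions of the example, not the product's own stores.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewLocalCert is steps 1 and 3: a cluster creates its own self-signed local certificate.
func NewLocalCert(cluster string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cluster}, // assumed cluster name
		NotBefore:    time.Now().Add(-time.Hour),     // tolerate small clock skew between clusters
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// Trusts reports whether a trust store (the peer certificates one side has imported) accepts a presented certificate.
func Trusts(store *x509.CertPool, presented *x509.Certificate) bool {
	_, err := presented.Verify(x509.VerifyOptions{Roots: store})
	return err == nil
}
// Exchange is steps 2 and 4: each side imports the other's exported certificate into its own trust store.
func Exchange(cmpCert, pmCert *x509.Certificate) (cmpStore, pmStore *x509.CertPool) {
	cmpStore, pmStore = x509.NewCertPool(), x509.NewCertPool()
	pmStore.AddCert(cmpCert) // step 2: Policy Management server imports the CMP certificate
	cmpStore.AddCert(pmCert) // step 4: CMP system imports the Policy Management certificate
	return cmpStore, pmStore
}

func main() {
	cmpCert, _ := NewLocalCert("cmp-cluster")
	pmCert, _ := NewLocalCert("policy-cluster")
	cmpStore, pmStore := Exchange(cmpCert, pmCert)
	fmt.Println("CMP trusts PM:", Trusts(cmpStore, pmCert), "PM trusts CMP:", Trusts(pmStore, cmpCert))
}
```

Because trust is pinned to the exact exported certificate rather than to a CA, creating a new local certificate on either side silently breaks the connection until the peer imports the new one, which is why the exchange must be repeated after any certificate change and why every server in a cluster must hold the same certificate.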
Note: Procedures used in this chapter may require the reboot of one or more servers. For high availability (HA) to operate correctly in a clustered system, the active server of the cluster must not be rebooted unless the cluster is in the online state, so check the cluster status using the CMP interface before rebooting any server. If a cluster is labeled Degraded but the server detail does not show any failed or disconnected equipment, the server is performing a database synchronization operation; until that synchronization has completed, the standby server cannot take over as the active server.

When a new certificate is configured, the synchronization causes the HA on the standby server to restart.

SSL certificates are created on a per-cluster basis. To ensure that every server in the cluster has the same certificate installed, force a system synchronization after configuring the certificate.

To exchange certificates in a large Policy Management network with many servers, see Bulk Certificate Exchange.