October 8, 2010

How to remove and recreate all certificates in OMU

This procedure is very long and involves manual steps on all agents and redeployment of
policies to all agents. It should only be used as a last resort, when no other option is
available. For instance, this procedure may be considered if the private key of the
certificate authority has been lost or compromised.
This procedure consists of several subprocedures:
1. Remove all certificates on the management server
2. Recreate the trusted certificate on the management server
3. Recreate the server and node certificate on the management server
4. Backup the certificates and private keys on the management server
5. Prepare the management server for certificate and policy deployment
6. Redeploy policies to the management server
7. Redeploy policies to the agent on the management server
8. Recreate the certificates and redeploy policies on all the agents
These subprocedures are designed to be run in sequence. It is not safe to jump directly to
a subprocedure until you have completed all previous subprocedures. Once you have
started with the first subprocedure, you must complete all subprocedures to recover a
fully operational OVO setup.

Remove all certificates on the management server
All steps in this subprocedure should be taken on the management server.
If the OVO management server runs on a cluster as a package or resource group, first put
the package or resource group into maintenance mode to prevent it from failing over to
another node while its processes are stopped.
Stop all OVO management server, agent and L-core processes:
mgmtsv# ovstop opc ovoacomm
mgmtsv# ovc -kill
mgmtsv# ps -ef | grep ov
mgmtsv# ps -ef | grep opc
mgmtsv# ps -ef | grep coda
Ensure that all OVO and L-core processes have stopped. It is quite common that some
processes will not stop or that "ovc" will report an error. This is due to the fact that some
processes communicate locally through HTTPS, and you are currently resolving a
problem with certificates that may adversely affect HTTPS communication. You will
have to kill these processes manually. Use "kill -9" if necessary.
Now remove all certificates on the management server:

OV Certificates Cookbook Version 1.0
Chapter 4 How to remove and recreate all certificates


NOTE: after taking the following steps the OVO setup will not be fully operational
until you proceed with all steps up to and including Recreate the certificates and
redeploy policies on all the agents, which implies manual steps on all agents and
redeployment of policies to all agents.

mgmtsv# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
| dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 |
+---------------------------------------------------------+
+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
| dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+

mgmtsv# ovcert -remove dcd0c94c-cb7d-7506-079a-9cc1b0282993
* Do you really want to remove the certificate with alias
'dcd0c94c-cb7d-7506-079a-9cc1b0282993' (yes(y)/no(n))? y
INFO: Certificate has been successfully removed.
mgmtsv# ovcert -remove CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993
* Do you really want to remove the certificate with alias
'CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993' (yes(y)/no(n))? y
INFO: Certificate has been successfully removed.
mgmtsv# ovcert -remove dcd0c94c-cb7d-7506-079a-9cc1b0282993 -ovrg server
* Do you really want to remove the certificate with alias
'dcd0c94c-cb7d-7506-079a-9cc1b0282993' (yes(y)/no(n))? y
INFO: Certificate has been successfully removed.
mgmtsv# ovcert -remove CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 -ovrg server
* Do you really want to remove the certificate with alias
'CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993' (yes(y)/no(n))? y
INFO: Certificate has been successfully removed.


You should now see the following:

mgmtsv# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
+---------------------------------------------------------+
+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
+---------------------------------------------------------+


You must now proceed with the step Recreate the trusted certificate on the management server.

Recreate the trusted certificate on the management server

All steps in this subprocedure should be taken on the management server.
Since all generated certificates must be signed by the certificate authority, the first step
is to recreate the trusted certificate, also referred to as the root certificate or the CA
certificate.
To recreate the trusted certificate on the server:
mgmtsv# ovcm -newcacert
INFO: Generating a new CA key pair...
INFO: Installing...
INFO: Installation was successful.
You should now see the following:
mgmtsv# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
+---------------------------------------------------------+
+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+
Now you can export the trusted certificate from the server side and import it on the node
side:
mgmtsv# ovcert -exporttrusted -file /tmp/trustedcertif -ovrg server
INFO: Trusted certificates have been successfully exported to file '/tmp/trustedcertif'.
mgmtsv# ovcert -importtrusted -file /tmp/trustedcertif
INFO: Import operation was successful.
You should now see the following:
mgmtsv# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 |
+---------------------------------------------------------+
+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+---------------------------------------------------------+
You must now proceed with the step Recreate the server and node certificate on the management server.
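As an added check between the subprocedures (example code written for this page, not part of the cookbook or of the ovcert tool): a small POSIX shell parser for the "ovcert -list" layout shown above, with one check for the state expected after Remove all certificates (both keystores empty) and one for the state expected after the import of the trusted certificate (the same single CA alias on the node side and on the server side). The sample listings are constructed from the page, with the table borders shortened; the function names and the node/server labels are this example's own.

```shell
#!/bin/sh
# Added example, not part of the cookbook: sanity checks on the output of
# "ovcert -list" between subprocedures. The parser keys on the section labels
# seen in the listings ("Keystore Content", "(OVRG: server)", "Certificates:",
# "Trusted Certificates:") and ignores table borders and column padding, so it
# works on live output as well as on the constructed samples below.
# On a management server you would run, for example:
#     ovcert -list | check_all_removed
#     ovcert -list | check_same_ca

# Constructed sample: the listing expected after "Remove all certificates"
# (borders shortened).
SAMPLE_EMPTY='+-----+
| Keystore Content |
+-----+
| Certificates: |
+-----+
| Trusted Certificates: |
+-----+
+-----+
| Keystore Content (OVRG: server) |
+-----+
| Certificates: |
+-----+
| Trusted Certificates: |
+-----+'

# Constructed sample: the listing expected after "ovcert -importtrusted"
# (CA alias taken from the page; "(*)" marks the certificate in use).
SAMPLE_AFTER_IMPORT='+-----+
| Keystore Content |
+-----+
| Certificates: |
+-----+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 |
+-----+
+-----+
| Keystore Content (OVRG: server) |
+-----+
| Certificates: |
+-----+
| Trusted Certificates: |
| CA_dcd0c94c-cb7d-7506-079a-9cc1b0282993 (*) |
+-----+'

# list_aliases KEYSTORE SECTION   (ovcert -list output on stdin)
#   KEYSTORE: node | server        SECTION: certs | trusted
# Prints the aliases found in that part of the listing, one per line.
list_aliases() {
    awk -v want_ks="$1" -v want_sec="$2" '
        index($0, "Keystore Content (OVRG: server)") { ks = "server"; sec = ""; next }
        index($0, "Keystore Content")                { ks = "node";   sec = ""; next }
        index($0, "Trusted Certificates:")           { sec = "trusted"; next }
        index($0, "Certificates:")                   { sec = "certs";   next }
        /^[+]/ || NF < 2                             { next }      # borders, blanks
        ks == want_ks && sec == want_sec             { print $2 }  # "| alias (*) |"
    '
}

# count_aliases KEYSTORE SECTION   (listing on stdin): number of aliases found
count_aliases() {
    list_aliases "$1" "$2" | wc -l | tr -d ' '
}

# After "Remove all certificates": no alias may remain in either keystore.
check_all_removed() {
    listing=$(cat)
    for ks in node server; do
        for sec in certs trusted; do
            n=$(printf '%s\n' "$listing" | count_aliases "$ks" "$sec")
            [ "$n" -eq 0 ] || { echo "$ks/$sec still holds $n alias(es)" >&2; return 1; }
        done
    done
}

# After "ovcert -importtrusted": the node side and the server side must each
# trust exactly one CA certificate, and it must be the same one; a differing
# alias means a stale trusted certificate survived the removal step.
check_same_ca() {
    listing=$(cat)
    node_ca=$(printf '%s\n' "$listing" | list_aliases node trusted)
    server_ca=$(printf '%s\n' "$listing" | list_aliases server trusted)
    [ "$(printf '%s\n' "$listing" | count_aliases node trusted)" -eq 1 ] ||
        { echo "node side: expected exactly one trusted certificate" >&2; return 1; }
    case "$node_ca" in
        CA_*) ;;
        *) echo "node side trusted alias '$node_ca' is not a CA alias" >&2; return 1 ;;
    esac
    [ "$node_ca" = "$server_ca" ] ||
        { echo "CA mismatch: node='$node_ca' server='$server_ca'" >&2; return 1; }
}
```

Both checks exit non-zero with a message on standard error when the keystore is not in the expected state, so they can guard the next subprocedure in a wrapper script.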

Recreate the server and node certificate on the management server

All steps in this subprocedure should be taken on the management server, but they depend
on whether the OVO management server runs standalone or as a package or resource
group on a cluster.


If the OVO management server runs on a cluster as a package or resource group:


Issue and import a new server certificate:
mgmtsv# ovcm -issue -file /tmp/certif -name <virtual hostname of the package> -pass mypwd -coreid $(ovcoreid -ovrg server)
INFO: Issued certificate was written to file '/tmp/certif'.
mgmtsv# ovcert -importcert -file /tmp/certif -pass mypwd -ovrg server
INFO: Import operation was successful.
mgmtsv# rm /tmp/certif
Issue and import a new node certificate:
mgmtsv# ovcm -issue -file /tmp/certif -name <hostname of the active cluster node> -pass mypwd -coreid $(ovcoreid)
INFO: Issued certificate was written to file '/tmp/certif'.
mgmtsv# ovcert -importcert -file /tmp/certif -pass mypwd
INFO: Import operation was successful.
mgmtsv# rm /tmp/certif
