HPE Community
Server Management - Systems Insight Manager
1752272 Members
4606 Online
108786 Solutions
New Discussion юеВ

Recreate SMH Certificate for SIM

 
T. Rectenwald
Occasional Advisor

тАО11-14-2008 05:59 AM

тАО11-14-2008 05:59 AM

Recreate SMH Certificate for SIM

Is there a way to recreate the certificate used by SMH (/etc/opt/hp/sslshare/cert.pem)? I have 100's of servers with the incorrect certificate copied over from a common Ignite image.

I need these to be correct so that I can import them into SIM (Options|Security|Certificates|Trusted Certificate), thus establishing a correct SSL certificate trust between SIM and SMH.

As of now, the only way I know how to do it would be to uninstall SMH, ensure that the certificate is deleted and then reinstall. That is a very time consuming process though, and I have several hundred systems to correct.

Thanks for any help or advice.
Tom
0 Kudos
Reply
6 REPLIES 6
marsh_1
Honored Contributor

тАО11-14-2008 07:39 AM

тАО11-14-2008 07:39 AM

Re: Recreate SMH Certificate for SIM

TOM,

if the target systems are hp-ux then the configure or repair agents option can be used to deploy a certificate.


good luck

0 Kudos
Reply
T. Rectenwald
Occasional Advisor

тАО11-14-2008 10:51 AM

тАО11-14-2008 10:51 AM

Re: Recreate SMH Certificate for SIM

Thanks for the help. The trouble is, when you run configure/repair the job actually deploys the SIM server certificate to SMH. In addition, it installs a certificate for WBEM in /etc/opt/hp/sslshare/cimserver_trust.

It doesn't change, or modify the client's SMH certificate though (/etc/opt/hp/sslshare/cert.pem (and file.pem (private)).

I'm fairly certain that cannot be done in SIM. It doesn't appear that it can be done within the SMH GUI either. Perhaps it needs to have an openssl command run.

I guess this is more of a SMH question than SIM one; didn't know which forum to post to.

My thoughts are that I may be able to remove the certificates and have them recreated by running an swconfig with the reconfigure option set. I've also noticed that, after SMH is upgraded, new certificates seem to be generated in /var/opt/smh/sslshare. Those appear valid (as the upgrade was done outside of the initial Ignite image).

I'm going to poke at it some more and will post my findings. Thanks again for the help.

Regards,
Tom
0 Kudos
Reply
Derek_56
Valued Contributor

тАО11-14-2008 11:20 AM

тАО11-14-2008 11:20 AM

Re: Recreate SMH Certificate for SIM

Tom,

Yes, if you're talking about regenerating client SMH instances' certificates, then I believe you'll need to reinstall the SMH on each system. According to the HP SMH User Guide, that is autogenerated at installation. I cannot find any documented method of regenerating this once it's installed. Sorry.
0 Kudos
Reply
Gladiator
Valued Contributor

тАО11-14-2008 05:47 PM

тАО11-14-2008 05:47 PM

Re: Recreate SMH Certificate for SIM

Hi,

There is one more unorthodox away to recreate the SMH certificate.

Just stop SMH service.
Goto /etc/opt/hp/sslshare/ and delete cert.pem.
Now restart SMH service.

It will automatically create a new SMH certificate i.e cert.pem file.

This should work fine though.

Regards
Sinto
0 Kudos
Reply
T. Rectenwald
Occasional Advisor

тАО11-17-2008 09:52 AM

тАО11-17-2008 09:52 AM

Re: Recreate SMH Certificate for SIM

I didn't have much luck with certification regeneration when stopping/starting SMH. I did manage to find that whenever SMH is upgraded, it appears to generate new certificates and stores them in /var/opt/hpsmh/sslshare. If I just copy these into place over the ones in /etc/opt/hp/sslshare that works okay (haven't tested fully yet, but they import right).

So, it looks like I can get away with doing the above, as SMH has been upgraded on all systems since the initial Ignite installs.

A reinstall works also; while non-intrusive (no reboot) it does take some time.

Anyway, thanks all for the help. If I can figure out anymore, I'll let you know. May take a look at the configure script and see what the openssl command is that it uses; not much of an expert with that.

Regards,
Tom
0 Kudos
Reply
Kasper Haitsma
Trusted Contributor

тАО04-08-2010 06:40 AM

тАО04-08-2010 06:40 AM

Re: Recreate SMH Certificate for SIM

Hi Tim,

I ran into the same issue.
I discovered there is tool to do this:

/opt/wbem/sbin/gen_wbem_certs

you need to stop cimserver (cimserver -s), you'll be warned if cimserver is still running.
gen_wbem_certs
start cimserver (cimserver)

works like a charm

regards,
Kasper Haitsma
It depends
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.