Create OA certificates manually for the GWs of an OBM setup

  • KM03812424
  • 31-May-2021
  • 07-Jun-2021

Summary

Create the agent/node cert for a GW server using the same core IDs and the ovcert command. Repeat the steps for each GW server as needed.

Question

Create the agent/node cert for a GW server using the same core IDs and the ovcert command. Repeat the steps for each GW server as needed.

Answer

1. Remove certificates if necessary:
<OV Install Dir>/bin/ovcert -list
<OV Install Dir>/bin/ovcert -remove <cert alias> -f

For the certificates in the OV shared resource group (also known as OVRG_SERVER):
<OV Install Dir>/bin/ovcert -remove <cert alias> -f -ovrg server

2. On the DPS where the certificate manager is running (the ovcs OA process; check with ovc -status), execute:
<OV Install Dir>/bin/ovcm -issue -file C:\agent.cer -name FQDN_of_server -pass 1234 -coreid OV_core_ID
<OV Install Dir>/bin/ovcm -issue -file C:\ovrg.cer -name FQDN_of_cert_server_DPS -pass 1234 -coreid OVRG_core_ID

OV_core_ID = get this value by running ovcoreid on the server for which you need to generate certs
OVRG_core_ID = get this value by running ovcoreid -ovrg server on any of the OBM servers, as all of them should have the same value
FQDN_of_server = FQDN of the GW server for which you will generate the certs
FQDN_of_cert_server_DPS = FQDN of the DPS server that is the cert manager

3. Copy the newly generated certificate files from that same DPS to the GW server

4. Once the files are on the GW, import the certs:
<OV Install Dir>/bin/ovcert -importcert -file C:\agent.cer
It will import the agent/node cert along with its trusted cert. When prompted, enter the password that was set with -pass in step 2.

# /opt/OV/bin/ovcert -importcert -file /tmp/agent.cer
       * Enter password:
INFO:    Import operation was successful.
# /opt/OV/bin/ovcert -list
+---------------------------------------------------------+
| Keystore Content                                        |
+---------------------------------------------------------+
| Certificates:                                           |
|     89058b50-6b22-75c0-0b42-c045ec025316 (*)            |
+---------------------------------------------------------+
| Trusted Certificates:                                   |
|     CA_5a4fce82-6984-75c0-155e-bd8bf26f9ca0_2048        |
+---------------------------------------------------------+
+---------------------------------------------------------+
| Keystore Content (OVRG: server)                         |
+---------------------------------------------------------+
| Certificates:                                           |
+---------------------------------------------------------+
| Trusted Certificates:                                   |
+---------------------------------------------------------+

<OV Install Dir>/bin/ovcert -importtrusted -file C:\trusted.cert -ovrg server

The following command imports the OVRG cert along with its trusted cert:

# /opt/OV/bin/ovcert -importcert -file /tmp/ovrg.cer -ovrg server
INFO:    Import operation was successful.
# /opt/OV/bin/ovcert -list
+---------------------------------------------------------+
| Keystore Content                                        |
+---------------------------------------------------------+
| Certificates:                                           |
|     89058b50-6b22-75c0-0b42-c045ec025316 (*)            |
+---------------------------------------------------------+
| Trusted Certificates:                                   |
|     CA_5a4fce82-6984-75c0-155e-bd8bf26f9ca0_2048        |
+---------------------------------------------------------+

+---------------------------------------------------------+
| Keystore Content (OVRG: server)                         |
+---------------------------------------------------------+
| Certificates:                                           |
|     5a4fce82-6984-75c0-155e-bd8bf26f9ca0 (*)            |
+---------------------------------------------------------+
| Trusted Certificates:                                   |
|     CA_5a4fce82-6984-75c0-155e-bd8bf26f9ca0_2048        |
+---------------------------------------------------------+
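
A check for the end state of step 4, added here as an example and not part of the original article or the product: it parses ovcert -list output and confirms that each keystore holds the certificate for the expected core ID plus a trusted CA certificate, and it flags leftover aliases that step 1 should have removed. The keystore label "node", the function names and the abridged sample listing are assumptions made for illustration.

```python
import re, sys

# Constructed sample: the final `ovcert -list` listing from step 4, border rows abridged.
SAMPLE = """\
+---------------------------------------------------------+
| Keystore Content                                        |
| Certificates:                                           |
|     89058b50-6b22-75c0-0b42-c045ec025316 (*)            |
| Trusted Certificates:                                   |
|     CA_5a4fce82-6984-75c0-155e-bd8bf26f9ca0_2048        |
| Keystore Content (OVRG: server)                         |
| Certificates:                                           |
|     5a4fce82-6984-75c0-155e-bd8bf26f9ca0 (*)            |
| Trusted Certificates:                                   |
|     CA_5a4fce82-6984-75c0-155e-bd8bf26f9ca0_2048        |
"""

def parse_ovcert_list(text):
    """Map keystore name ("node" is our label for the default one) to its aliases."""
    stores, store, section = {}, None, None
    for line in text.splitlines():
        m = re.match(r"\|\s*(.*?)\s*\|$", line.strip())
        cell = m.group(1) if m else ""  # border rows and blank lines yield ""
        if cell.startswith("Keystore Content"):
            rg = re.search(r"\(OVRG:\s*(\S+)\)", cell)
            store, section = (rg.group(1) if rg else "node"), None
            stores[store] = {"certs": [], "trusted": []}
        elif cell in ("Certificates:", "Trusted Certificates:"):
            section = "certs" if cell == "Certificates:" else "trusted"
        elif cell and store and section:
            stores[store][section].append(cell.split()[0])  # drop the "(*)" marker
    return stores

def check_keystores(stores, node_coreid, ovrg_coreid):
    """Return a list of problems; an empty list means both imports are in place."""
    problems = []
    for name, coreid in (("node", node_coreid), ("server", ovrg_coreid)):
        ks = stores.get(name, {"certs": [], "trusted": []})
        if coreid not in ks["certs"]:
            problems.append(f"{name}: certificate for core ID {coreid} missing")
        problems += [f"{name}: stale certificate {a} (see step 1)"
                     for a in ks["certs"] if a != coreid]
        if not ks["trusted"]:
            problems.append(f"{name}: no trusted CA certificate imported")
    return problems

if __name__ == "__main__":  # ovcert -list | python3 this_script.py OV_core_ID OVRG_core_ID
    print(check_keystores(parse_ovcert_list(sys.stdin.read()), *sys.argv[1:3]) or "OK")
```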