How to backup CA certificates in HP BSM/OMi when you have more than one Data Processing server

For someone who has not had to deal with HP Operations Manager agent and server certificates before, working with them can be overwhelming at first. As promised in the “How to test pattern matching expressions in HP BSM Connector policies” article, I am starting a series of articles for HP BSM people who are new to the HP Operations Manager component of the application, and this is one of them.

When you install HP BSM in a multi-server deployment, the Data Processing Server (DPS) becomes the Certificate Authority (CA) for the deployment. The CA issues the certificates for all the other components of the deployment: the BSM Gateways and the various data collectors (SiteScope(s), Diagnostics Commander, etc.). It is very important to back up your CA certificate, because if the server is lost for any reason and a new CA certificate is created, all communication between the OMi components will break and the sometimes long and painful process of requesting certificates from the new CA will have to be repeated for every component. Keep in mind that the export contains the CA private key (that is why ovcm asks for a password): anyone who obtains it can issue certificates that every component in the deployment will trust, so store the backup off the server and protect it like any other root-of-trust secret.

The problem

If you have a single-DPS environment, ovcm -exportcacert will do the job properly.
The problem arises when you have a primary and a backup DPS set up and the trusted certificate exchange procedure between them has already been completed. If you try to export the CA certificate at that stage, the export fails because of the CA certificate that was imported from the second DPS. Let’s call it an ‘alien’ certificate for future reference.

ovcm -exportcacert -file c:\temp1\server_ca -pass mypwd
ERROR:   (sec.core-27) No private key for alias
         'CA_0c04c0f2-9b82-7572-06d2-acf72549d6d3_2048' is installed.

So the next time you deploy a high-availability BSM environment with a primary and a backup DPS, perform the CA certificate backup procedure (separately on each DPS) before you exchange the trusted certificates.
If it is too late for that, no worries. Here is how you can back up the CA certificates in HP BSM/OMi after the trusted certificate exchange has already been completed. One caveat: between step 3 and step 6 below the local server no longer trusts certificates issued by the other DPS, so do this in a maintenance window and run the whole sequence in one go.


Step 1 – list the installed certificates

ovcert -list
+---------------------------------------------------------+
| Keystore Content                                        |
+---------------------------------------------------------+
| Certificates:                                           |
|     5f599352-9689-7572-0b5e-887ad1cbc688 (*)            |
+---------------------------------------------------------+
| Trusted Certificates:                                   |
|     CA_0c04c0f2-9b82-7572-06d2-acf72549d6d3_2048        |
|     CA_a641bb72-9de7-7572-1a5a-946e84079aa6_2048        |
+---------------------------------------------------------+
 
+---------------------------------------------------------+
| Keystore Content (OVRG: server)                         |
+---------------------------------------------------------+
| Certificates:                                           |
|     a641bb72-9de7-7572-1a5a-946e84079aa6 (*)            |
+---------------------------------------------------------+
| Trusted Certificates:                                   |
|     CA_0c04c0f2-9b82-7572-06d2-acf72549d6d3_2048        |
|     CA_a641bb72-9de7-7572-1a5a-946e84079aa6_2048 (*)    |
+---------------------------------------------------------+

Note that in the OVRG server Trusted Certificates section there are two trusted certificates. The one marked with (*) is the local CA certificate, the one we want to back up. The other is the alien CA certificate from the second DPS, and we need to remove it temporarily for ovcm -exportcacert to complete successfully.

Step 2 – export trusted certificates from the ovrg server

ovcert -exporttrusted -file c:\temp\certs\server_trusted -ovrg server
INFO:    Trusted certificates have been successfully exported to file 'c:\temp\certs\server_trusted'.

This command backs up the trusted certificates of the server OVRG, so that they can be restored in step 6 after the export.

Step 3 – delete the alien trusted certificate from the OVRG server group

ovcert -remove -f -ovrg server CA_0c04c0f2-9b82-7572-06d2-acf72549d6d3_2048
INFO:    Certificate has been successfully removed.

Remember the “alien” CA certificate from step 1, the one without the (*)? As promised, we are getting rid of it. Double-check the alias before running the command: the -f option removes the certificate without asking for confirmation.

Step 4 – list the installed certificates

ovcert -list
+---------------------------------------------------------+
| Keystore Content                                        |
+---------------------------------------------------------+
| Certificates:                                           |
|     5f599352-9689-7572-0b5e-887ad1cbc688 (*)            |
+---------------------------------------------------------+
| Trusted Certificates:                                   |
|     CA_0c04c0f2-9b82-7572-06d2-acf72549d6d3_2048        |
|     CA_a641bb72-9de7-7572-1a5a-946e84079aa6_2048        |
+---------------------------------------------------------+
 
+---------------------------------------------------------+
| Keystore Content (OVRG: server)                         |
+---------------------------------------------------------+
| Certificates:                                           |
|     a641bb72-9de7-7572-1a5a-946e84079aa6 (*)            |
+---------------------------------------------------------+
| Trusted Certificates:                                   |
|     CA_a641bb72-9de7-7572-1a5a-946e84079aa6_2048 (*)    |
+---------------------------------------------------------+

Here we are just verifying that no “alien” CA certificates are left in the OVRG server section.


Step 5 – export the CA certificate

Now we can run ovcm -exportcacert without any problems.

ovcm -exportcacert -file c:\temp\certs\server_ca -pass mypwd
INFO:    CA certificate was successfully exported to file 'c:\temp\certs\server_ca'.

By the way, don’t use mypwd as your password when you back up CA certificates in HP BSM/OMi (or in any other application); think of something more complicated ;-). Also remember that a password passed with -pass ends up in your command history and is visible in the process list while ovcm runs, so clear the history afterwards, and move the exported server_ca file somewhere safe and off the server, since it contains the CA private key.

Step 6 – import previously exported trusted certificates

Now let’s import back the trusted certificates from the export that was performed in step 2.

ovcert -importtrusted -ovrg server -file c:\temp\certs\server_trusted
WARNING: Certificate with alias 'CA_a641bb72-9de7-7572-1a5a-946e84079aa6_2048'
         is already installed.
INFO:    Import operation was successful.

You can disregard the WARNING: it appears because the export from step 2 included the local CA certificate, which is still installed, so the import tries to add it again.

Step 7 – list the installed certificates

ovcert -list
+---------------------------------------------------------+
| Keystore Content                                        |
+---------------------------------------------------------+
| Certificates:                                           |
|     5f599352-9689-7572-0b5e-887ad1cbc688 (*)            |
+---------------------------------------------------------+
| Trusted Certificates:                                   |
|     CA_0c04c0f2-9b82-7572-06d2-acf72549d6d3_2048        |
|     CA_a641bb72-9de7-7572-1a5a-946e84079aa6_2048        |
+---------------------------------------------------------+
 
+---------------------------------------------------------+
| Keystore Content (OVRG: server)                         |
+---------------------------------------------------------+
| Certificates:                                           |
|     a641bb72-9de7-7572-1a5a-946e84079aa6 (*)            |
+---------------------------------------------------------+
| Trusted Certificates:                                   |
|     CA_0c04c0f2-9b82-7572-06d2-acf72549d6d3_2048        |
|     CA_a641bb72-9de7-7572-1a5a-946e84079aa6_2048 (*)    |
+---------------------------------------------------------+

Verify that you have both of the CA certificates back in the OVRG server section.


Step 8 – celebrate!

Wait, wait, wait. Before going out to celebrate your achievement, repeat the described procedure on the second DPS, and make sure the exported files from both DPSes are stored securely outside the deployment.
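Steps 1 to 7 above are easy to get wrong by hand (the aliases are long, and forgetting step 6 leaves the two DPSes not trusting each other), so here is the same procedure as a PowerShell script. This is an added example, not part of the original article or of the HP product: it runs the same ovcert/ovcm commands shown above, parses the ovcert -list output to find the alien alias(es) itself instead of relying on you copying them, removes every alien it finds (not just one, in case more than two DPSes exchanged certificates), and always re-imports the trusted certificates even if the export fails. The backup directory, the parameter names and the assumption that the tools return a non-zero exit code on failure are mine; run it from an elevated prompt on one DPS, then again on the other.

```powershell
# Added example (not from the original article): automate the CA backup
# procedure on one DPS. Assumes ovcert/ovcm are on PATH, an elevated prompt,
# and that the tools exit non-zero on failure. $BackupDir is an assumption.
param(
    [string]$BackupDir = 'C:\temp\certs',
    [Parameter(Mandatory = $true)][SecureString]$CaPassword   # prompted securely
)

$ErrorActionPreference = 'Stop'

# Parse "ovcert -list" output and return the trusted-certificate aliases of the
# server OVRG, split into the local CA (marked with "(*)") and the aliens.
function Get-ServerTrustedAliases {
    param([string[]]$ListOutput)
    $inServer  = $false
    $inTrusted = $false
    $ownCa  = @()
    $aliens = @()
    foreach ($line in $ListOutput) {
        if ($line -match 'Keystore Content \(OVRG: server\)') { $inServer = $true; $inTrusted = $false; continue }
        if (-not $inServer) { continue }
        if ($line -match 'Trusted Certificates:') { $inTrusted = $true; continue }
        if ($line -match '^\s*\|\s*Certificates:') { $inTrusted = $false; continue }
        if ($inTrusted -and $line -match '^\s*\|\s*(CA_[0-9a-f\-]+_\d+)\s*(\(\*\))?') {
            if ($matches[2]) { $ownCa += $matches[1] } else { $aliens += $matches[1] }
        }
    }
    [pscustomobject]@{ Local = $ownCa; Aliens = $aliens }
}

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
$trustedFile = Join-Path $BackupDir 'server_trusted'
$caFile      = Join-Path $BackupDir 'server_ca'

# Step 1: find the alien CA certificate(s) in the server OVRG.
$before = Get-ServerTrustedAliases -ListOutput (& ovcert -list)
if ($before.Local.Count -ne 1) { throw 'expected exactly one local CA (marked with (*)) in the server OVRG' }

if ($before.Aliens.Count -gt 0) {
    # Step 2: back up the trusted certificates BEFORE removing anything.
    & ovcert -exporttrusted -file $trustedFile -ovrg server
    if ($LASTEXITCODE -ne 0) { throw 'exporttrusted failed; aborting before any removal' }

    # Step 3: temporarily remove every alien CA certificate.
    foreach ($alias in $before.Aliens) {
        & ovcert -remove -f -ovrg server $alias
        if ($LASTEXITCODE -ne 0) { throw "failed to remove $alias" }
    }
}

try {
    # Step 5: export the CA certificate and private key. ovcm only accepts the
    # password on the command line, so it is briefly visible in the process list.
    $plain = [System.Net.NetworkCredential]::new('', $CaPassword).Password
    & ovcm -exportcacert -file $caFile -pass $plain
    if ($LASTEXITCODE -ne 0) { throw 'exportcacert failed' }
}
finally {
    # Step 6: always restore the trusted certificates, even if the export failed,
    # so the two DPSes are never left distrusting each other.
    if ($before.Aliens.Count -gt 0) {
        & ovcert -importtrusted -ovrg server -file $trustedFile
    }
}

# Step 7: verify that every alias we started with is back in the server OVRG.
$after   = Get-ServerTrustedAliases -ListOutput (& ovcert -list)
$missing = ($before.Local + $before.Aliens) | Where-Object { ($after.Local + $after.Aliens) -notcontains $_ }
if ($missing) { throw "trusted certificates not restored: $($missing -join ', ')" }
Write-Host "CA certificate backed up to $caFile; server OVRG trusted store restored."
```

The try/finally is the important design choice: the window in which the alien certificate is missing is exactly the time ovcm takes to run, and the re-import happens whether or not the export succeeded. After the script finishes, copy server_ca (and server_trusted) off the DPS and clear the PowerShell history, for the same reason given under step 5.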
