How to recreate WBEM/SMH Certificates?
Abstract
Recreating certificates is actually a WBEM process, even though this is usually confused as a SMH process. This is because both applicattions cooperate very close with each other to complete a common task.
Short host names issue
While cold-installing HP WBEM Services, the SSL certificates are generated with short host names. These certificates cannot be used by the WBEM Service clients. The following warning message is logged in the swagent.log file:
Note: Cannot find the fully-qualified domain name (FQDN) for this system...
As the message details, SSL certificates for WBEM Services are created with the short hostname. Correct this either by editing the /etc/hosts file or by making the appropriate DNS registration. If not corrected, the created certificates may not be acceptable to the WBEMService clients that expect a FQDN in the common name field of the SSL certificate.
What To Do?
After the hostname(FQDN) is configured, run /opt/wbem/sbin/gen_wbem_certs to create SSL certificates for WBEMServices. The existing certificates /etc/opt/hp/sslshare/cert.pem and /etc/opt/hp/sslshare/file.pem will be moved to /etc/opt/hp/sslshare/cert.pem.bak and /etc/opt/hp/sslshare/file.pem.bak respectively.
This solution can be used in several other scenarios.
Default Certificate locations
In a previous sections, We specified /etc/opt/hp/sslshare (cert.pem and file.pem) as the location for these certificates, but you should be careful with the location depending on the OS version and SMH version.
- The original file certific ate for MS Windows: \hp\sslshare\cert.pem
- HP-UX: /opt/hpsmh/sslshare/cert.pem and /opt/hp/sslshare/cert.pem (/etc/opt/hp/sslshare/cert.pem in HP SMH 2.1.3 and later on Linux x86 and x86_64)
Reference
