HP Instant Capacity release notes for Version 10.x (March 2011)
1. Install iCAP version 9.x (or later) on the Group Manager, any planned standby Group
Manager, and each OS instance (host) of each group member. The installations may be done
in any order.
2. Set up a CIM Server configuration property (described below) on the Group Manager, any
planned standby Group Manager, and each OS instance of each group member.
3. Re-add each group member to the group it already belongs to.
Communication between GiCAP member hosts and the GiCAP manager requires the CIM Server
configuration property sslClientVarificationMode to be set to “optional” on all GiCAP member OS
instances, the GiCAP manager, and any planned standby GiCAP manager. This configuration
attribute is not dynamic and must be set using the -p option. You must restart the cimserver to set
the value. For details, see cimconfig(1M).
Use the following commands to set sslClientVerificationMode to “optional” and restart the cimserver:
# cimconfig -s sslClientVerificationMode=optional -p
# cimserver -s; cimserver
Use the following command to check the value of sslClientVerificationMode after a CIM Server
restart:
# cimconfig -g sslClientVerificationMode -c -p
Current value: optional
Planned value: optional
Once the Group Manager and all OS instances of a group member are upgraded to iCAP version
9.x (or later), and the CIM Server attribute is set to “optional” for all systems, you must re-add each
group member to the group it already belongs to. For example, if group One already contains the
member member1 with hosts member1b and member1c, re-add member1 to group One by entering
the following command:
icapmanage –a –g One –m member1:member1b,member1c
This is the same command originally used to make member1 a member of GiCAP group One. This
command to re-add the member to its group does not require that the member first be removed
from its group. It does require the entry of the root passwords for the member hosts. The
icapmanage command uses these passwords to set up communication between the GiCAP member
hosts and the Group Manager with the new communication protocol. The passwords are not saved,
and further communication between the Group Manager and the member hosts will not require a
password.
GiCAP and SSL Certificates
Creation and Exchange
The Secure Socket Layer (SSL) protocol is used to facilitate secure communication between the
GiCAP active group manager and the optional standby group manager, and between the group
manager(s) and each host on a GiCAP member complex. SSL protocol requires two-way
authentication, facilitated by the exchange of digital certificates between the communication
partners. The certificates are created by the GiCAP software, typically at installation time using
the /etc/opt/iCAP/GiCAP_keygen script.
Certificates are exchanged between pairs of host systems as a result of the following operations:
• When a member is added to a group (icapmanage -a -g -m) certificates are exchanged
between the active group manager and each host specified for the new member. If a standby
manager is defined and accessible, certificates are exchanged between the standby group
manager and each host specified for the new member.
• When a host is added to a group member (icapmanage -u -m) certificates are exchanged
between the active group manager and each new host. If a standby manager is defined and
accessible, certificates are exchanged between the standby group manager and each new
host.
GiCAP Requirements 31