HP Instant Capacity Release Notes for Version 9.x
exchange SSL certificates it will remove any existing certificates with the same “Issuer” and
“Subject” attributes as the certificates the GiCAP software wishes to install. WBEM does not
allow the installation of certificates with the same Issuer and Subject as previously installed
certificates. The GiCAP software uses private certificates with an Issuer and Subject that should
not conflict with other certificates.
Note that the addition of the -n option to the icapmanage -Q command means certificates will
not be exchanged and no password prompting will occur. This option is provided for situations
where certificates have already been exchanged and the icapmanage command must be
embedded in a control script.
Use the cimtrust -l command to list all WBEM certificates on a host system.
Status Considerations
You can use the icapmanage -s -v command on a group manager system to evaluate if the
SSL certificates have been properly exchanged for the group. The -v (verbose) option checks
each member host to make sure that two-way communication has been established between the
manager and the host. If there is a problem, a note at the end of the display will indicate which
hosts might have a problem with group communication. It is recommended that you do this
check periodically on both the active manager and on any standby manager that you have defined,
particularly if you want to be prepared for any failover from the active group manager to any
standby manager. Only the icapmanage -s command with the -v option does this complete
communication check though all icapmanage -s operations report on communication problems
uncovered as icapmanage -s fetches the information it needs from the various group members.
The icapstatus command on a member host does not check that two-way communication has
been established but it will report on problems trying to contact the active group manager. (It
does not try to contact a standby manager if one is defined.)
Lost Certificates
SSL certificates allow the secure exchange of information between two hosts without the use of
passwords. Each host maintains the SSL key information necessary to connect to the other host.
If you inadvertently remove these SSL keys (for example by reigniting a member system or by
accidentally deleting certificate files) you have broken the ability to communicate with the other
host. Fixing this problem may involve multiple steps.
Consider the case where someone accidently deletes the certificate files in the /etc/opt/iCAP
directory on a GiCAP member (GiCAPcert.pem and GiCAPpkey.pem). An icapstatus on
such a system will show errors similar to the following:
Member xyz in GiCAP group One
-------------------------------------------------
Active Group Manager: gm1.oa.hp.com
Standby Group Manager: gm2.ba.hp.com
ERROR: Unexpected error
PGS00415: SSL EXCEPTION: PGS09207: CANNOT GET SERVER CERTIFICATE.
While /etc/opt/iCAP/GiCAP_keygen will create new copies of these files (as will a
re-installation of iCAP), this is insufficient to restore communication between the member host
and its GiCAP group manager. Instead of the message above, icapstatus will report something
similar to:
Member xyz in GiCAP group One
-------------------------------------------------
Active Group Manager: gm1.oa.ff.com
Standby Group Manager: gm2.ba.ff.com
ERROR: Unexpected error
HTTP Error (401 Unauthorized).
To complete the repair you must either re-add the member to the group using a command on
the active group manager similar to:
GiCAP Requirements 37