HP Instant Capacity Version 10.x Release Notes (5900-1580, March 2011)

Consider the case where someone accidentally deletes the certificate files in the /etc/opt/iCAP
directory on a GiCAP member (GiCAPcert.pem and GiCAPpkey.pem). An icapstatus on
such a system will show errors similar to the following:
Member xyz in GiCAP group One
-------------------------------------------------
Active Group Manager: gm1.oa.hp.com
Standby Group Manager: gm2.ba.hp.com
ERROR: Unexpected error
PGS00415: SSL EXCEPTION: PGS09207: CANNOT GET SERVER CERTIFICATE.
While /etc/opt/iCAP/GiCAP_keygen will create new copies of these files (as will a
re-installation of iCAP), this is insufficient to restore communication between the member host and
its GiCAP group manager. Instead of the message above, icapstatus will report something similar
to:
Member xyz in GiCAP group One
-------------------------------------------------
Active Group Manager: gm1.oa.ff.com
Standby Group Manager: gm2.ba.ff.com
ERROR: Unexpected error
HTTP Error (401 Unauthorized).
To complete the repair you must either re-add the member to the group using a command on the
active group manager similar to:
icapmanage -a -m xyz:x,y,z -g One
Or use:
icapmanage -Q
The icapmanage -Q command will not reestablish communication between the member host and
any standby manager. If a standby manager is being used, you must specify the standby manager
again with a command such as:
icapmanage -a -S gm2.ba.ff.com
The icapmanage -Q command is particularly useful if you should accidentally delete certificates
on a group manager or reignite it. (In the reignite case, even if you restore the GiCAP database
from a backup file, you will need to reexchange certificates.) First create new SSL keys on the
group manager using /etc/opt/iCAP/GiCAP_keygen. Then you can either re-add every
member to every group (multiple commands), or use the single icapmanage -Q command on
the active manager. Note that you can issue the icapmanage -Q command on an active manager
even if a standby manager has not been defined. If there is a standby manager defined, you must
subsequently reestablish the standby manager with the icapmanage -a -S operation invoked
on the active group manager.
If you should delete certificates on a standby manager, the only steps necessary are to run
/etc/opt/iCAP/GiCAP_keygen on the standby manager (or do an installation of iCAP on that system),
and then reestablish the standby manager by invoking the icapmanage -a -S command on
the active group manager.
Manual Regeneration of Certificates and Time Skew
SSL keys contain a timestamp indicating when they were created. SSL keys cannot be installed if
the time on the system on which they are installed is earlier than the key's timestamp. This can be
a problem if there is a time skew between the system on which the keys are created and the systems
on which the keys are installed. Since the GiCAP software creates its SSL keys at installation time,
there is usually enough time between key creation and key installation to avoid a time skew issue.
However, if you manually create new SSL keys for GiCAP and the clocks on the GiCAP
hosts are not synchronized, you may encounter this problem when doing an operation that exchanges
SSL keys. If so, you can simply wait until enough time has passed to avoid the time skew problem
and then retry the operation. HP recommends that clocks be coordinated between host systems in
a GiCAP group.
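
The time skew condition described above can be checked before retrying an operation that exchanges keys. The script below is an added example, not part of HP's release notes or of the iCAP product. It assumes the timestamp in question is the X.509 notBefore field of GiCAPcert.pem and that openssl is installed on the host; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Assumption: the key "timestamp" is the X.509 notBefore field
# of /etc/opt/iCAP/GiCAPcert.pem, as printed by `openssl x509 -startdate`.

# to_epoch "Mon DD HH:MM:SS YYYY" -> seconds since 1970-01-01 00:00:00 UTC.
# Done in awk so it does not depend on a date(1) that can parse date strings.
to_epoch() {
    echo "$1" | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        split($3, t, ":"); d = $2; y = $4
        if (m <= 2) { y--; m += 12 }   # count Jan/Feb as months 13/14 of the prior year
        days = 365*y + int(y/4) - int(y/100) + int(y/400)
        days += int((153*(m-3) + 2)/5) + d - 719469
        printf "%d\n", days*86400 + t[1]*3600 + t[2]*60 + t[3]
    }'
}

# wait_seconds "notBefore=Mon DD HH:MM:SS YYYY GMT" NOW_EPOCH
# Prints 0 if the certificate is already valid at NOW_EPOCH, otherwise how many
# seconds remain until the local clock reaches notBefore.
wait_seconds() {
    start=$(to_epoch "${1#notBefore=}")
    if [ "$2" -ge "$start" ]; then echo 0; else echo $((start - $2)); fi
}

# check_cert FILE: run the same comparison for a PEM certificate on this host.
# Returns 0 if usable now, 1 if the local clock is still behind, 2 on read error.
check_cert() {
    nb=$(openssl x509 -noout -startdate -in "$1") || return 2
    now=$(to_epoch "$(LC_ALL=C date -u '+%b %d %H:%M:%S %Y')")
    secs=$(wait_seconds "$nb" "$now")
    [ "$secs" -eq 0 ] && { echo "$1: valid now"; return 0; }
    echo "$1: local clock is ${secs}s behind notBefore; wait or fix time sync"
    return 1
}

# Constructed sample: certificate issued at 12:00:00 UTC by a manager whose clock
# runs 10 minutes ahead of this member, which still reads 11:50:00 UTC.
sample='notBefore=Mar  1 12:00:00 2011 GMT'
echo "wait $(wait_seconds "$sample" "$(to_epoch 'Mar  1 11:50:00 2011')") seconds"
```

Running check_cert on each host that is about to receive the new certificate shows which member's clock is behind and by how much.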