HP-UX WBEM Services Release Notes, September 2010
Managing Certificates
During the install process, if the /etc/opt/hp/sslshare/cert.pem and
/etc/opt/hp/sslshare/file.pem files are found on the system, the following message is
generated in the install log:
NOTE: /etc/opt/hp/sslshare/cert.pem - SSL Certificate file already
exists. New certificates are not created.
The existing files, /etc/opt/hp/sslshare/cert.pem and /etc/opt/hp/sslshare/file.pem,
may have been created by an earlier installation of HP WBEM Services A.02.05 or an
installation of other management applications on the system. These files will not be overwritten.
HP-UX example:
Here are two examples of updating certificates when an earlier version of HP WBEM Services
was already installed:
• Scenario 1: Using the default installed certificates from WBEM Services Version A.01.05:
It is recommended that after installing HP WBEM Services Version A.02.07, you do the
following:
1. Delete the existing /var/opt/wbem/server_2048.pem and/or
/var/opt/wbem/server.pem files and use the certificates in the
/etc/opt/hp/sslshare directory.
OR
2. Overwrite the new certificate in /etc/opt/hp/sslshare/cert.pem and the
private key in /etc/opt/hp/sslshare/file.pem with the existing certificate
and key in either the /var/opt/wbem/server_2048.pem or the
/var/opt/wbem/server.pem file. Before overwriting /etc/opt/hp/sslshare/cert.pem
and /etc/opt/hp/sslshare/file.pem, make sure other products are not using
the certificates in these files.
If the server certificate was copied to any other systems, then the certificate in the new
/etc/opt/hp/sslshare/cert.pem should be copied over to the trust store on
those other systems, replacing the earlier certificate.
NOTE: Use the ssltrustmgr command to add or remove certificates in a trust store.
For more information about the ssltrustmgr command, see the ssltrustmgr man
page.
• Scenario 2: Using custom certificates:
If using either self-signed or root-signed 512-bit or 1024-bit encryption certificates, it is
strongly recommended that you create new certificates with 2048-bit encryption.
If using CA certificates that are using 2048-bit encryption, it is recommended that you keep
them. If the CA certificates are not using 2048-bit encryption, it is recommended that you
get new CA certificates with 2048-bit encryption.
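One way to check which certificates in a PEM file fall below the 2048-bit recommendation,
as an added example that is not part of the original release notes. It assumes RSA
certificates and an openssl binary on the PATH; the names cert_bits, audit_pem and
MIN_BITS are hypothetical.

```shell
#!/bin/sh
# Added example (not from the release notes): list the public-key size of every
# certificate in a PEM file and flag those below MIN_BITS.
# Assumes RSA certificates and an openssl binary on PATH.
MIN_BITS=${MIN_BITS:-2048}    # threshold recommended in the release notes

# cert_bits FILE: print the key size, in bits, of the one certificate in FILE.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[ -]Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -1
}

# audit_pem FILE: print "<index> <bits> OK|WEAK <subject>" per certificate.
# Returns 0 if all are >= MIN_BITS, 1 if any is weaker, 2 if none was found.
audit_pem() {
    tmp="${TMPDIR:-/tmp}/certaudit.$$"
    mkdir -m 700 "$tmp" || return 2    # fails if the path already exists
    # Split the bundle so each CERTIFICATE block gets its own file; private
    # keys and other PEM blocks sharing the file are skipped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem"; on = 1 }
        on                            { print > out }
        /-----END CERTIFICATE-----/   { on = 0; close(out) }
    ' "$1"
    rc=2; i=1
    while [ -f "$tmp/$i.pem" ]; do
        if [ "$rc" -eq 2 ]; then rc=0; fi
        bits=$(cert_bits "$tmp/$i.pem")
        subj=$(openssl x509 -in "$tmp/$i.pem" -noout -subject 2>/dev/null)
        if [ "${bits:-0}" -ge "$MIN_BITS" ]; then
            echo "$i $bits OK $subj"
        else
            echo "$i ${bits:-unknown} WEAK $subj"
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Audit the file named on the command line, e.g. a copy of cert.pem.
if [ $# -gt 0 ]; then
    audit_pem "$1"
fi
```

The same check works on a client trust store file, because it reports every certificate
in the file rather than only the first one.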
Importing Server Certificates to the Trust Store
CIM client applications should maintain a trust store in a <trust_store-name>.pem file. For
each CIM server that the client wants to connect to, the client application must import the
certificate stored in /etc/opt/hp/sslshare/cert.pem on that server into a trust store file
on the client machine.
With C++ CIM client libraries, the trust store should be in PEM format.
To import a server certificate, copy the public certificate from the server to the client: