Replacing expired LDAP and CIMOM certificates

Expired CIMOM or LDAP certificates must be replaced.

Context

CIMOM and LDAP certificates can expire. When this happens, they must be replaced. If you get the error "Invalid key in truststore", you must update your LDAP certificate.

To determine when your certificates expire, you can examine the truststore as a simple Java™ keystore. To use the tools provided on the metadata server, enter the following command:
/opt/IBMJava2-131/jre/bin/keytool -list -v -alias cimomserver -keystore /usr/tank/admin/truststore -storepass <truststore passwd from tank.properties>
The following example output shows a truststore whose cimomserver certificate expires on May 25, 2005:
Alias name: cimomserver 
Creation date: Tue May 25 16:27:43 PDT 2004 
Entry type: keyEntry 
Certificate chain length: 1 
Certificate[1]: 
Owner: CN=SANFS, OU=Software Development, O=IBM Corporation, C=US 
Issuer: CN=SANFS, OU=Software Development, O=IBM Corporation, C=US 
Serial number: 40b3d66f 
Valid from: Tue May 25 16:27:43 PDT 2004 until: Wed May 25 16:27:43 PDT 2005 
Certificate fingerprints: 
  MD5: D0:04:24:BB:44:4F:BC:9C:05:EB:35:EA:61:1E:B3:AA 
  SHA1: 3C:A8:71:C7:09:F0:49:6F:04:2C:97:8D:57:D7:F3:8C:CD:E1:67:2A
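
The expiry check can be scripted rather than read by eye. The following is an added example, not part of the original IBM documentation: it parses the "Valid from ... until:" line of keytool -list -v output and reports the days remaining per alias. The function names and the sample input (constructed from the output above) are assumptions, as is keytool printing English month names.

```shell
#!/bin/sh
# Added example (not IBM code): days until each certificate in
# `keytool -list -v` output expires. Time of day and time zone are
# ignored, so results are accurate to about one day.

# cert_days_left REF_DATE   (REF_DATE is YYYY-MM-DD; keytool output on stdin)
# Prints "<alias> <days>"; a negative number means already expired.
cert_days_left() {
  awk -v ref="$1" '
    function days(y, m, d,   era, yoe, doy) {  # days since 1970-01-01
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
      for (i = 1; i <= n; i++) mon[name[i]] = i
      split(ref, r, "-"); today = days(r[1] + 0, r[2] + 0, r[3] + 0)
    }
    /^Alias name:/ { alias = $3 }
    /until:/ {
      sub(/.*until: */, "")      # leaves e.g. "Wed May 25 16:27:43 PDT 2005"
      n = split($0, f, " ")
      print alias, days(f[n] + 0, mon[f[2]], f[3] + 0) - today
    }'
}

# check_truststore REF_DATE WARN_DAYS: exit status 1 if any certificate
# has fewer than WARN_DAYS left.
check_truststore() {
  cert_days_left "$1" | awk -v warn="$2" '
    $2 < warn { print "REPLACE SOON: " $1 " (" $2 " days left)"; bad = 1 }
    END { exit bad + 0 }'
}

# Constructed sample input, taken from the example output on this page.
sample_keytool_output() {
  cat <<'EOF'
Alias name: cimomserver
Creation date: Tue May 25 16:27:43 PDT 2004
Entry type: keyEntry
Valid from: Tue May 25 16:27:43 PDT 2004 until: Wed May 25 16:27:43 PDT 2005
EOF
}

sample_keytool_output | cert_days_left 2005-04-25   # prints: cimomserver 30
```

On a metadata server, pipe the keytool command shown above into check_truststore "$(date +%Y-%m-%d)" 30 to be warned 30 days before expiry.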

Steps

  1. Obtain the current certificate. You can get the LDAP certificate from the LDAP administrator. CIMOM certificates are created by the mktruststore command (see step 4).
  2. On each engine, run stopConsole, then stopCimom.
  3. On the master engine, change to /usr/tank/admin.
  4. Run bin/mktruststore. As a parameter, use the path and file name of the LDAP certificate, if it exists.
  5. Use scp to copy the truststore into /usr/tank/admin on each of the other engines.
    Important: Do not run the mktruststore command on each engine. You must copy the truststore to each engine.
  6. On each engine, run /usr/tank/admin/bin/startCimom. Then run /usr/tank/admin/bin/startConsole.
  7. If needed, you can now extract the CIMOM certificate for your third-party CIM application.

(C) Copyright IBM Corporation 2003, 2004. All Rights Reserved.
IBM TotalStorage SAN File System v2.2