DX Unified Infrastructure Management

  • 1.  How to renew the certificate of Tunnel server Hub

    Posted Apr 21, 2018 05:23 PM

    My Tunnel server certificate is expiring within a few days.


    I would like to check the steps to renew the certificate of the Tunnel server without causing connection issues for the multiple tunnel client connections to this tunnel server.



  • 2.  Re: How to renew the certificate of Tunnel server Hub
    Best Answer

    Broadcom Employee
    Posted Apr 22, 2018 10:08 PM

    Hi


    Part of the certificate creation process is to provide the number of days before the cert expires.
    So, to renew, a cert will need to be re-created for the tunnel. This process is described with screenshots in the following techtip:
    https://support.ca.com/us/knowledge-base-articles.TEC1636935.html


    After applying the new cert, you can remove the old cert and watch your queues to confirm that they continue to function properly.


    Also refer to
    http://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec000002642.html



  • 3.  Re: How to renew the certificate of Tunnel server Hub

    Posted Apr 25, 2018 03:09 AM

    Hi Frank,


    When I followed https://comm.support.ca.com/kb/how-to-setup-nimsoft-monitor-tunnels KB000034262, which is your second link, tec000002642:

    On the first step of the renewal, I - Setup CA (Certificate Authority), when I performed this step all existing certs were auto-deleted and two new certs were created.

    Didn't expect the old certs to be deleted after the restart.

    I did not fully check the status of the connected tunnel clients on the tunnel server I want to renew, as there is another tunnel set up on the connected failover hub.


    Thanks for the information, it worked well in creating a new tunnel cert and I managed to follow through.

    Now the only thing left to solve is multiple hubs and robots showing (NO LICENSE) in the IM.




  • 4.  Re: How to renew the certificate of Tunnel server Hub

    Posted Apr 25, 2018 09:48 AM

    If you have many to do, you can create the second certificate on the tunnel server and activate it. The tunnel server will happily run with the two certs active.


    The next part assumes that you have some consistency in your tunnel clients: in this case, there's only one tunnel configured (identified in the <1> section), and you're creating the new tunnel in section <2>.


    Create a hub.cfx file with:

    <tunnel> overwrite
    <clients> overwrite
    <1> overwrite
    active = no
    </1>
    <2> overwrite
    active = yes
    host = YourTunnelServerIP
    port = YourTunnelServerPort
    heartbeat = 1801
    cert = certs/client2.pem
    password = YourHashedCertPassword
    check_cn = no
    description = YourTunnelServerDescription
    hub = YourTunnelServerHubName
    robot = YourTunnelServerRobotName
    </2>
    </clients>
    </tunnel>


    Put the cfx file into a hub update package.


    Add a tab to the package before the hub.cfx tab and:


    Add the new client cert file to the package with a path of "hub/certs".


    Create a file called "serial.dat" and put a "3" in it (next cert number) and add to the package with a path of "hub/certs".


    When you drop this package on a new client, it'll copy out the new cert, update the record keeping so you can add new certs later if necessary, add the new cert to your hub cfg file and restart your hub.


    -Garin
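Garin's steps above, generalised to any number of existing client entries, as an added example that is not from this thread or from the product: a small Python script that parses a hub.cfg-style file, marks every existing tunnel client entry inactive, and emits the hub.cfx overlay plus the serial.dat value for the next cert. The block layout and keys come from the post; the sample config, the hash value, and the assumption that the new cert is named client<N>.pem where N is the new section number are constructed.

```python
import re

SAMPLE_HUB_CFG = """<tunnel>
<clients>
<1>
active = yes
host = 192.0.2.10
port = 48003
cert = certs/client1.pem
password = OLDHASH
hub = tunnelhub
robot = tunnelrobot
</1>
</clients>
</tunnel>
"""  # constructed sample hub.cfg excerpt; every value here is a placeholder
OPEN = re.compile(r"^\s*<([^/>\s]+)>\s*(\w+)?\s*$")  # "<name>" or "<name> overwrite"
CLOSE = re.compile(r"^\s*</[^>]+>\s*$")

def parse_cfg(text):
    """Parse the nested <name> ... </name> block format into nested dicts."""
    root, stack = {}, []
    cur = root
    for line in text.splitlines():
        if m := OPEN.match(line):
            stack.append(cur)
            cur[m.group(1)] = child = {}
            cur = child
        elif CLOSE.match(line):
            cur = stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return root

def build_rotation_cfx(cfg_text, new_cert_hash):
    """Return (hub.cfx text, serial.dat content): every existing client entry is set
    inactive and a new entry for the next cert copies the active entry's target hub."""
    clients = parse_cfg(cfg_text)["tunnel"]["clients"]
    nums = sorted(int(k) for k in clients if k.isdigit())
    src = next(clients[str(n)] for n in nums if clients[str(n)].get("active") == "yes")
    new = nums[-1] + 1
    out = ["<tunnel> overwrite", "<clients> overwrite"]
    for n in nums:  # old entries stay, inactive, so the old cert is still on disk
        out += [f"<{n}> overwrite", "active = no", f"</{n}>"]
    out += [f"<{new}> overwrite", "active = yes"]
    for key in ("host", "port", "heartbeat", "check_cn", "description", "hub", "robot"):
        if key in src:
            out.append(f"{key} = {src[key]}")
    out += [f"cert = certs/client{new}.pem", f"password = {new_cert_hash}",
            f"</{new}>", "</clients>", "</tunnel>"]
    return "\n".join(out) + "\n", str(new + 1)  # serial.dat holds the next cert number
```

Write the first return value to hub.cfx and the second to serial.dat, then package both with the new client cert as described above.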



  • 5.  Re: How to renew the certificate of Tunnel server Hub

    Posted Apr 26, 2018 03:35 AM

    Hi Garin,


    Thanks, will try to configure it as a custom package for recovery or new deployment.


    Regards

    Guan Hua