11.3 Re-Creating Certificates

You need to re-create certificates in the following scenarios:

IMPORTANT: ZENworks 10 Configuration Management SP3 currently does not support changing the external certificate to an internal certificate on Primary Servers.

11.3.1 Changing the Internal Certificate to an External Certificate on a Primary Server

On a Windows or Linux Primary Server, if you want to change the existing internal certificate to an external certificate or replace an expired server certificate with a new external certificate, perform the following tasks to create a new external certificate:

  1. Before changing the internal certificate to an external certificate, take a reliable backup of the following on all the Primary Servers in the Management Zone:

    • Content-Repo Directory: The content-repo directory is located by default in the ZENworks_installation_directory\work directory on Windows and in the /var/opt/novell/zenworks/ directory on Linux.

      Ensure that the images directory located within the content-repo directory has been successfully backed up.

    • Certificate Authority: For detailed information on how to take a backup of the Certificate Authority, see Section 10.3, Backing Up the Certificate Authority.

    • Embedded Database: For detailed information on how to take a backup of the embedded database, see Section 33.3, Backing Up the Embedded Sybase SQL Anywhere Database.

  2. Create a Certificate Signing Request (CSR) by providing the hostname of the Primary Server as the subject.

    For more information on how to create a CSR, see Creating an External Certificate in the ZENworks 10 Configuration Management Installation Guide.

  3. Replace the existing certificate with the newly created external certificate on all the devices in the Management Zone in the order listed below:

Replacing the Existing Certificate with the New External Certificate on the Primary Servers

Perform the following tasks on all the Primary Servers in the Management zone whose certificate you want to change:

  1. Reconfigure the certificates on the Primary Server whose IP address and DNS name you changed in Step 2 by entering the following command at the server’s command prompt:

    novell-zenworks-configure -c SSL -Z

    Follow the prompts.

  2. (Conditional) If the Primary Server has only ZENworks 10 Configuration Management SP3 (10.3.0) installed, perform the steps mentioned in TID 7005781, which is available in the Novell Support Knowledgebase.

  3. Restart all the ZENworks services by running the following command:

    novell-zenworks-configure -c Start

    By default, all the services are selected. You must select Restart as the Action.

  4. Clear the ZENworks cache.

    On Windows: Run the following commands:

    zac cc

    del ZENworks_installation_directory\Novell\ZENworks\cache\zmd\ /s

    On Linux: Run the following commands:

    zac cc

    rm -rf /var/opt/novell/zenworks/zmd/cache

  5. Restart the ZENworks Adaptive Agent Service.

    NOTE: After you perform steps 4 and 5, the agent is locally unregistered from the zone because it loses trust with the Primary Server, which has a new certificate.

  6. Register the ZENworks Adaptive Agent to the Primary Server on which the agent is installed by entering the following command at the server’s console prompt:

    zac reg https://IP_address_of_the_Primary_Server_on_which_the_agent_is_installed:port_number

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 10 Configuration Management Command Line Utilities Reference.

    This replaces the server certificate in the local cache.

  7. (Conditional) If the Primary Server has only ZENworks 10 Configuration Management SP3 (10.3.0) installed, edit the initial-web-service file to change the first line to:

    https://localhost:port_number;https://127.0.0.1:port_number

    where port_number is the port on which the server is running.

    The initial-web-service file is located in the ZENworks_installation_directory\Novell\ZENworks\conf directory on Windows and in the /etc/opt/novell/zenworks/ directory on Linux.

  8. Re-create all the default and custom deployment packages.

    Default Deployment Packages: At the server’s command prompt, enter the following command:

    novell-zenworks-configure -c CreateExtractorPacks -Z

    Custom Deployment Packages: At the server’s command prompt, enter the following command:

    novell-zenworks-configure -c RebuildCustomPacks -Z

Replacing the Existing Certificate with the New External Certificate on the Satellites

Perform the following tasks at the command prompt of each Satellite registered to the Primary Server whose certificate you changed:

  1. Run the following command to force the device to be unregistered locally:

    zac unr -f

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 10 Configuration Management Command Line Utilities Reference.

  2. Clear the ZENworks cache.

    On Windows: Run the following commands:

    zac cc

    del "c:\program files\novell\zenworks\cache\zmd" /s

    On Linux: Run the following commands:

    zac cc

    rm -rf /var/opt/novell/zenworks/zmd/cache

  3. Restart the ZENworks Adaptive Agent Service.

  4. Restart the Proxy DHCP services on all the Satellites.

  5. Run the following command to register the device in the Management Zone:

    zac reg https://ZENworks_Server_DNS_name:port_number

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 10 Configuration Management Command Line Utilities Reference.

    This replaces the server certificate in the local cache.

  6. (Conditional) If a Satellite in the Management zone has the Authentication role configured, perform the following tasks:

    1. Remove the Authentication role from the device.

      For more information on how to remove the Authentication role from the device, see Section 7.4, Removing the Roles from a Satellite.

    2. Configure the Satellite with the new external certificates by entering the following command at the Satellite's prompt:

      zac import-authentication-cert (iac) [-pk <private-key.der>] [-c <signed-server-certificate.der>] [-ca <signing-authority-public-certificate.der>] [-ks <keystore.jks>] [-ksp <keystore-pass-phrase>] [-a <signed-cert-alias>] [-ks <signed-cert-passphrase>] [-u username] [-p password]

      For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 10 Configuration Management Command Line Utilities Reference.

    3. Add the Authentication role to the device.

      For more information on how to add the Authentication role to a device, see Section 7.2.1, Authentication Role.

    4. (Conditional) If the Satellite has only the Authentication role configured, and if the device had been included in the Closest Server rule, reconfigure the Closest Server rule to include the Satellite.

      1. In the default Closest Server rule, ensure that the device has been correctly placed in the Authentication Servers list. If necessary, change the placement of the device in the list.

      2. (Optional) Manually add the device to any other non-default Closest Server rule.

      For more information on working with Closest Server rules, see Section 9.0, Closest Server Rules.

Replacing the Existing Certificate with the New External Certificate on the Managed Devices

Perform the following steps at the command prompt of each managed device registered to the Primary Server whose certificate you changed:

  1. Locally unregister all the managed devices by entering the following command at the managed device’s prompt:

    zac unr -f

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 10 Configuration Management Command Line Utilities Reference.

  2. Clear the cache and delete the contents of the ZENworks_installation_directory\Novell\ZENworks\cache\zmd directory by entering the following commands at each managed device’s prompt:

    zac cc

    del ZENworks_installation_directory\Novell\ZENworks\cache\zmd\ /s

  3. Restart the ZENworks Adaptive Agent Service.

  4. Run the following command to register the device in the Management Zone:

    zac reg https://ZENworks_Server_DNS_name:port_number

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 10 Configuration Management Command Line Utilities Reference.

    This replaces the server certificate in the local cache.
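The `zac reg` steps above (and the identical steps repeated for this procedure in Section 11.3.3) make each device trust whatever certificate the Primary Server presents at registration time. The following pre-flight check is an added example, not code from the ZENworks documentation or product: it compares the SHA-256 fingerprint of the certificate actually served on the Primary Server's HTTPS port with the fingerprint of the external certificate you issued, so that re-registration is only started once the server is confirmed to serve the new certificate. The host name, port and certificate file path are assumptions for illustration, and the sample certificate bytes are constructed.

```python
"""Added example, not code from the ZENworks documentation or product.

Before running `zac reg` on Satellites and managed devices, confirm that the
Primary Server presents the new external certificate: the agent trusts the
certificate it sees at registration, so comparing the served certificate's
SHA-256 fingerprint with the fingerprint of the certificate you issued catches
a server that was not reconfigured (or the wrong server) before the whole
zone re-registers. Host name, port and file path below are assumptions.
"""
import base64
import hashlib
import re
import ssl
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def der_from_pem(pem_text: str) -> bytes:
    """DER bytes of the first certificate block in a PEM string."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-character lines)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def fingerprint_der(der: bytes) -> str:
    """Lower-case hex SHA-256 over the DER encoding: the same value
    `openssl x509 -fingerprint -sha256` prints, minus the colons."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(pem_text: str) -> str:
    return fingerprint_der(der_from_pem(pem_text))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' (openssl style) or bare hex, in either case."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(cleaned) != 64:
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return cleaned


def served_cert_matches(served_pem: str, expected_fp: str) -> bool:
    """True when the served certificate hashes to the expected fingerprint."""
    return fingerprint_pem(served_pem) == normalize_fingerprint(expected_fp)


def fetch_server_cert_pem(host: str, port: int) -> str:
    """Certificate presented on host:port, as PEM. No chain validation here:
    we are establishing the new trust anchor, so it is checked by fingerprint."""
    return ssl.get_server_certificate((host, port))


# Constructed stand-in: arbitrary bytes, not a real X.509 certificate, but
# enough to exercise the PEM/DER handling and the comparison offline.
SAMPLE_DER = b"constructed stand-in bytes, not a real certificate"
SAMPLE_NEW_CERT_PEM = make_pem(SAMPLE_DER)


if __name__ == "__main__":
    # Usage (assumed values): preflight.py zenserver.example.test 443 new-cert.pem
    host, port, issued_cert_path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open(issued_cert_path, encoding="ascii") as f:
        expected = fingerprint_pem(f.read())
    served = fetch_server_cert_pem(host, port)
    if served_cert_matches(served, expected):
        print(f"{host}:{port} presents the issued certificate ({expected}); "
              "safe to run zac reg")
    else:
        print(f"MISMATCH: {host}:{port} presents {fingerprint_pem(served)}, "
              f"expected {expected}")
        sys.exit(1)
```

Run it against each Primary Server after `novell-zenworks-configure -c SSL -Z` and the service restart, and only proceed to the Satellite and managed-device steps when every server reports a match; a mismatch on one server means devices registering to it would pin the old (or wrong) certificate and have to be re-registered again later.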

11.3.2 Changing the IP Address of the Primary Server after Installing ZENworks 10 Configuration Management

If you want to change the IP address of the Primary Server after installing ZENworks 10 Configuration Management SP3, and if the CN of the certificate does not have the IP address configured, use the following steps to change the IP address of the Primary Server:

NOTE: This scenario has been tested only on the Windows Primary Server and the embedded Sybase database. In this setup, the DNS and DHCP servers are configured on the same device.

  1. Before changing the IP address of the Primary Server, take a reliable backup of the following on all the Primary Servers in the Management Zone:

    • Content-Repo Directory: The content-repo directory is located by default in the ZENworks_installation_directory\work directory on Windows and in the /var/opt/novell/zenworks/ directory on Linux.

      Ensure that the images directory located within the content-repo directory has been successfully backed up.

    • Certificate Authority: For detailed information on how to take a backup of the Certificate Authority, see Section 10.3, Backing Up the Certificate Authority.

    • Embedded Database: For detailed information on how to take a backup of the embedded database, see Section 33.3, Backing Up the Embedded Sybase SQL Anywhere Database.

  2. Change the IP address of the Primary Server.

    IMPORTANT: Do not change the DNS name of the server.

  3. Ensure that the new IP address of the server is correctly mapped to its existing DNS name on the DNS server.

  4. Restart all the ZENworks services by running the following command at the server’s command prompt:

    novell-zenworks-configure -c Start

    By default, all the services are selected. You must select Restart as the Action.

  5. Re-create all the default and custom deployment packages.

    Default Deployment Packages: At the server’s command prompt, enter the following command:

    novell-zenworks-configure -c CreateExtractorPacks -Z

    Custom Deployment Packages: At the server’s command prompt, enter the following command:

    novell-zenworks-configure -c RebuildCustomPacks -Z

  6. If the database is located on the Primary Server whose IP address you changed in Step 2, you must change the database server address on all the other Primary Servers. On each of those Primary Servers, change the value of the database server address in the ZENworks_Installation_Directory\Novell\ZENworks\conf\datamodel\zdm.xml file to point to the new IP address of the first Primary Server.

  7. Restart the ZENworks Adaptive Agent.

  8. Restart the Proxy DHCP services on all the Satellites.
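Step 3 of this procedure depends on the DNS server returning the new address, and nothing else, for the unchanged DNS name, because Satellites and managed devices keep contacting the Primary Server by that name. The following check is an added example, not code from the ZENworks documentation or product: it resolves the name, reports a stale answer that still carries the old address, and compares the PTR record of the new address with the name. The forward and reverse resolvers are injectable so the logic can be exercised offline; the server name and addresses used here are constructed (RFC 5737 documentation range).

```python
"""Added example, not code from the ZENworks documentation or product.

After the Primary Server's IP address changes, the zone is only healthy when
the server's DNS name resolves to the new address and nothing else. This
check reports a name that does not resolve, a stale answer that still carries
the old address, and a PTR record for the new address that disagrees with the
name. Names and addresses are constructed for illustration.
"""
import socket
from typing import Callable, Dict, List, Optional

ForwardResolver = Callable[[str], List[str]]
ReverseResolver = Callable[[str], Optional[str]]


def forward_lookup(name: str) -> List[str]:
    """IPv4 addresses for `name` as seen by this host's configured DNS."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET,
                                   type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR name for `ip`, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _same_name(a: str, b: str) -> bool:
    """Compare DNS names case-insensitively, ignoring a trailing dot."""
    return a.lower().rstrip(".") == b.lower().rstrip(".")


def check_primary_server_dns(
    name: str,
    new_ip: str,
    old_ip: Optional[str] = None,
    forward: ForwardResolver = forward_lookup,
    reverse: ReverseResolver = reverse_lookup,
) -> Dict[str, object]:
    """Report whether `name` now maps cleanly to `new_ip`."""
    addrs = forward(name)
    ptr = reverse(new_ip)
    findings: List[str] = []
    if not addrs:
        findings.append("name does not resolve")
    elif new_ip not in addrs:
        findings.append(f"name resolves to {addrs}, not to {new_ip}")
    if old_ip is not None and old_ip in addrs:
        findings.append(f"old address {old_ip} is still returned "
                        "(stale record or cached answer)")
    if ptr is not None and not _same_name(ptr, name):
        findings.append(f"PTR for {new_ip} is {ptr}, not {name}")
    return {"name": name, "resolved": addrs, "ptr": ptr,
            "findings": findings, "ok": not findings}


if __name__ == "__main__":
    # Assumed values for illustration; substitute the real server name and addresses.
    report = check_primary_server_dns("zenserver.example.test", "192.0.2.20",
                                      old_ip="192.0.2.10")
    print(report)
```

Run it from a managed device or Satellite rather than from the Primary Server itself, since the point is what the agents' resolver returns; a stale answer is the usual reason agents keep failing after the IP change even though the DNS record was updated.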

11.3.3 Changing the DNS Name or the IP Address and DNS Name of the Primary Server after Installing ZENworks 10 Configuration Management

If you want to change only the DNS name or if you want to change both the IP address and DNS name of the Primary Server after installing ZENworks 10 Configuration Management SP3, and if the certificate’s CN has fully qualified DNS configured, use the following steps to change only the DNS name or to change both the IP address and DNS name of the Primary Server:

NOTE: This scenario has been tested only on the Windows Primary Server and the embedded Sybase database. In this setup, the DNS and DHCP servers are configured on the same device.

  1. Before changing the DNS name or the IP address of the Primary Server, take a reliable backup of the following on all the Primary Servers in the Management Zone:

    • Content-Repo Directory: The content-repo directory is located by default in the ZENworks_installation_directory\work directory on Windows and in the /var/opt/novell/zenworks/ directory on Linux.

      Ensure that the images directory located within the content-repo directory has been successfully backed up.

    • Certificate Authority: For detailed information on how to take a backup of the Certificate Authority, see Section 10.3, Backing Up the Certificate Authority.

    • Embedded Database: For detailed information on how to take a backup of the embedded database, see Section 33.3, Backing Up the Embedded Sybase SQL Anywhere Database.

  2. Do one of the following:

    • Change the IP address and the DNS name of the Primary Server.

    • Change the DNS name only of the Primary Server.

  3. Reboot the Primary Server.

  4. Ensure that the DNS entry of the Primary Server has been updated with the new DNS name.

  5. Create a Certificate Signing Request (CSR) by providing the hostname of the Primary Server as the subject.

    For more information on how to create a CSR, see Creating an External Certificate in the ZENworks 10 Configuration Management Installation Guide.

  6. (Conditional) If the Primary Server whose DNS name you changed hosts the database, and if the database server IP address or DNS name has been changed, do the following on all Primary Servers:

    1. Ensure that the database server IP address or DNS name has been configured correctly in the zdm.xml file, which is located in the ZENworks_Installation_Directory\Novell\ZENworks\conf\datamodel\ directory on Windows, and in the /etc/opt/novell/zenworks/datamodel/ directory on Linux.

    2. Restart the following services:

      • Novell ZENworks Server

      • Novell ZENworks Loader

      • Novell ZENworks Agent Service

  7. Replace the existing certificate with the newly created external certificate on all the devices in the Management Zone in the order listed below:

Replacing the Existing Certificate with the New External Certificate on the Primary Servers

Perform the following tasks on all the Primary Servers in the Management zone whose certificate you want to change:

  1. Reconfigure the certificates on the Primary Server whose IP address and DNS name you changed in Step 2 by entering the following command at the server’s command prompt:

    novell-zenworks-configure -c SSL -Z

    Follow the prompts.

  2. (Conditional) If the Primary Server has only ZENworks 10 Configuration Management SP3 (10.3.0) installed, perform the steps mentioned in TID 7005781, which is available in the Novell Support Knowledgebase.

  3. Restart all the ZENworks services by running the following command:

    novell-zenworks-configure -c Start

    By default, all the services are selected. You must select Restart as the Action.

  4. Clear the ZENworks cache.

    On Windows: Run the following commands:

    zac cc

    del ZENworks_installation_directory\Novell\ZENworks\cache\zmd\ /s

    On Linux: Run the following commands:

    zac cc

    rm -rf /var/opt/novell/zenworks/zmd/cache

  5. Restart the ZENworks Adaptive Agent Service.

    NOTE: After you perform steps 4 and 5, the agent is locally unregistered from the zone because it loses trust with the Primary Server, which has a new certificate.

  6. Register the ZENworks Adaptive Agent installed on the Primary Server to the correct Primary Server by entering the following command at the device’s command prompt:

    zac reg https://IP_address_of_the_correct_Primary_Server:port_number

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 10 Configuration Management Command Line Utilities Reference.

    This replaces the server certificate in the local cache.

  7. (Conditional) If the Primary Server has only ZENworks 10 Configuration Management SP3 (10.3.0) installed, edit the initial-web-service file to change the first line to:

    https://localhost:port_number;https://127.0.0.1:port_number

    where port_number is the port on which the server is running.

    The initial-web-service file is located in the ZENworks_installation_directory\Novell\ZENworks\conf directory on Windows and in the /etc/opt/novell/zenworks/ directory on Linux.

  8. Re-create all the default and custom deployment packages.

    Default Deployment Packages: At the server’s command prompt, enter the following command:

    novell-zenworks-configure -c CreateExtractorPacks -Z

    Custom Deployment Packages: At the server’s command prompt, enter the following command:

    novell-zenworks-configure -c RebuildCustomPacks -Z

Replacing the Existing Certificate with the New External Certificate on the Satellites

Perform the following tasks at the command prompt of each Satellite registered to the Primary Server whose certificate you changed:

  1. Run the following command to force the device to be unregistered locally:

    zac unr -f

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 10 Configuration Management Command Line Utilities Reference.

  2. Clear the ZENworks cache.

    On Windows: Run the following commands:

    zac cc

    del "c:\program files\novell\zenworks\cache\zmd" /s

    On Linux: Run the following commands:

    zac cc

    rm -rf /var/opt/novell/zenworks/zmd/cache

  3. Restart the ZENworks Adaptive Agent Service.

  4. Restart the Proxy DHCP services on all the Satellites.

  5. Run the following command to register the device in the Management Zone:

    zac reg https://ZENworks_Server_DNS_name:port_number

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 10 Configuration Management Command Line Utilities Reference.

    This replaces the server certificate in the local cache.

  6. (Conditional) If a Satellite in the Management zone has the Authentication role configured, perform the following tasks:

    1. Remove the Authentication role from the device.

      For more information on how to remove the Authentication role from the device, see Section 7.4, Removing the Roles from a Satellite.

    2. Configure the Satellite with the new external certificates by entering the following command at the Satellite's prompt:

      zac import-authentication-cert (iac) [-pk <private-key.der>] [-c <signed-server-certificate.der>] [-ca <signing-authority-public-certificate.der>] [-ks <keystore.jks>] [-ksp <keystore-pass-phrase>] [-a <signed-cert-alias>] [-ks <signed-cert-passphrase>] [-u username] [-p password]

      For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 10 Configuration Management Command Line Utilities Reference.

    3. Add the Authentication role to the device.

      For more information on how to add the Authentication role to a device, see Section 7.2.1, Authentication Role.

    4. (Conditional) If the Satellite has only the Authentication role configured, and if the device had been included in the Closest Server rule, reconfigure the Closest Server rule to include the Satellite.

      1. In the default Closest Server rule, ensure that the device has been correctly placed in the Authentication Servers list. If required, change the placement of the device in the list.

      2. (Optional) Manually add the device to any other non-default Closest Server rule.

      For more information on working with Closest Server rules, see Section 9.0, Closest Server Rules.

Replacing the Existing Certificate with the New External Certificate on the Managed Devices

Perform the following steps at the command prompt of each managed device registered to the Primary Server whose certificate you changed:

  1. Locally unregister all the managed devices by entering the following command at the managed device’s prompt:

    zac unr -f

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 10 Configuration Management Command Line Utilities Reference.

  2. Clear the cache and delete the contents of the ZENworks_installation_directory\Novell\ZENworks\cache\zmd directory by entering the following commands at each managed device’s prompt:

    zac cc

    del ZENworks_installation_directory\Novell\ZENworks\cache\zmd\ /s

  3. Restart the ZENworks Adaptive Agent Service.

  4. Run the following command to register the device in the Management Zone:

    zac reg https://ZENworks_Server_DNS_name:port_number

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 10 Configuration Management Command Line Utilities Reference.

    This replaces the server certificate in the local cache.