1.5 Migrating the Internal Certificate Authority Role between Primary Servers across different OS Platforms

To migrate the internal Certificate Authority (CA) role from a source Windows Primary Server to a destination Linux Primary Server, or vice versa, perform the following steps:

  1. Run the following database query to identify the Primary Server in the zone that has the internal CA role configured:

    select zsr.id,z.name,zsr.Roles as CA_Role,z.path from zZenServerRoles zsr, zZenObject z where zsr.id=z.zuid and zsr.id in (select zuid from zZenServer where Type='Primary') and zsr.Roles='CertAuth'
    
  2. Back up the configuration data of the source and destination Primary Servers by using the command zman zsb <path_of_backup_file> and note their pass phrases.

  3. Copy the CA role files (zenca.keystore and caConfig.xml) from the security folder under the installation path of the source Primary Server.

    • On Windows: %zenworks_home%\conf\security

    • On Linux: /etc/opt/novell/zenworks/security

  4. Place the files copied in Step 3 into the security folder under the installation path of the destination Primary Server.

  5. Open the caConfig.xml file in the security folder on the destination Primary Server and update the <Keystore> tag value so that it contains the correct local path of the zenca.keystore file.

    By default, the zenca.keystore file is located in the following path:

    • On Windows: %zenworks_home%\conf\security

    • On Linux: /etc/opt/novell/zenworks/security

  6. Run the zman card command on the source Primary Server to disable the internal CA role. This removes the CertAuth (Certificate Authority) role entry for the source Primary Server from the database.

    (Optional) You can move the CA files caConfig.xml and zenca.keystore to a different path.

  7. Run the zman care command on the destination Primary Server to enable the CA role. This adds the CertAuth (Certificate Authority) role entry for the destination Primary Server to the database.

  8. If the destination Primary Server is Linux, you must also run the permission.sh script to set the correct ownership and permissions for configuration files that are present under the security folder.

    Ensure that the files are owned by the zenworks user and the zmanusers group. Otherwise, run the command chown zenworks:zmanusers zenca.keystore caConfig.xml in the security folder to set the correct ownership.

  9. Restart the services on the source and destination Primary Servers by using the command novell-zenworks-configure -c Start.

  10. Perform Step 1 to verify that the internal CA role has moved to the correct Primary Server.

IMPORTANT: The steps above do not change the CA certificate. Therefore, new or existing managed devices in the zone use the same CA certificate minted by the source Primary Server for any communication with Primary Servers and Satellite Servers.
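
A check for Steps 5 and 8 on a Linux destination, to run before the services are restarted. This is an added example, not part of the ZENworks documentation or tooling. It reads the <Keystore> value from caConfig.xml, rejects a Windows-style path carried over from the source server, and confirms that both CA files have the expected owner and group. It assumes the <Keystore> element holds the path as plain text on one line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity check of the copied CA files on a Linux destination.
# Assumption: caConfig.xml stores the keystore path as the text of a
# single-line <Keystore> element. Function names are hypothetical.

# Print the trimmed text of the first <Keystore> element in a caConfig.xml.
keystore_path() {
    sed -n 's|.*<Keystore>[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*</Keystore>.*|\1|p' "$1" |
        head -n 1
}

# check_ca_files SECURITY_DIR [OWNER:GROUP]
# Returns 0 when the files are consistent; otherwise prints the problem
# and returns a distinct non-zero code for each failure.
check_ca_files() {
    dir=$1
    want=${2:-zenworks:zmanusers}   # ownership named in Step 8
    cfg="$dir/caConfig.xml"

    [ -f "$cfg" ] || { printf 'missing %s\n' "$cfg"; return 2; }

    ks=$(keystore_path "$cfg")
    [ -n "$ks" ] || { printf 'no <Keystore> value in %s\n' "$cfg"; return 3; }

    # A backslash, drive letter or %VAR% means the Windows path from the
    # source server was not corrected in Step 5.
    case $ks in
        *\\*|[A-Za-z]:*|*%*)
            printf 'Windows-style path in <Keystore>: %s\n' "$ks"; return 4 ;;
    esac

    [ -f "$ks" ] || { printf 'keystore not found at %s\n' "$ks"; return 5; }

    # Both files must belong to the expected user and group (GNU stat).
    for f in "$cfg" "$ks"; do
        got=$(stat -c '%U:%G' "$f")
        [ "$got" = "$want" ] ||
            { printf '%s owned by %s, expected %s\n' "$f" "$got" "$want"; return 6; }
    done

    printf 'OK: %s\n' "$ks"
}

# Usage on the destination server:
#   check_ca_files /etc/opt/novell/zenworks/security
```

A non-zero return identifies which step to revisit: 4 or 5 for the path in Step 5, 6 for the ownership in Step 8.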