If the internal server certificate of your Windows or Linux Primary Server has expired or if the server certificate key pair has been compromised, you can choose to replace the certificate with a new internal server certificate.
Before replacing an internal server certificate with a new internal server certificate, take a reliable backup of the following on all Primary Servers in the Management Zone:
Content-Repo Directory: The content-repo directory is located by default in the ZENworks_installation_directory\work directory on Windows and in the /var/opt/novell/zenworks/ on Linux.
Ensure that the images directory located within the content-repo directory has been successfully backed up.
Certificate Authority: For detailed information on how to back up the certificate authority, see Section 1.3, Backing Up the Certificate Authority.
Embedded Database: For detailed information on how to back up the embedded database, see in ZENworks 11 SP3 Database Management Reference.
ZENworks Server: For detailed information on how to back up the ZENworks Server, see Section 1.1, Backing Up a ZENworks Server.
Enforce the new certificates on the zone by running the following command on the Primary Server with CA role:
novell-zenworks-configure -c SSL -Z
Follow the prompts.
If only the Server Certificate is expired, then select option 1 for reminting just the server certificate.
If both the Server Certificate and Certificate Authority are expired, then select option 2 for reminting both Certificate Authority and Primary Server certificates.
Restart all the ZENworks services on all the Primary Servers in the zone by running the following command at the console prompt of each Primary Server in the zone:
novell-zenworks-configure -c Start
By default, all the services are selected. You must selectas the .
Run the following commands in the same sequence:
novell-zenworks-configure -Z -c MergeTruststore
novell-zenworks-configure -c EnableJMX
novell-zenworks-configure -c ZenProbe
Refresh all the devices, including the Primary Servers, in the zone.
If only one Primary Server certificate was changed, and if the CA certificate was not changed, and there is more than one Primary Server in the zone, refreshing the Server, Satellites, and managed devices will allow the agent to trust the new server certificate. Refreshes automatically on the next scheduled refresh.
If the CA certificate was changed or if there is only one Primary Server in the zone then the Primary Servers, Satellites, and managed devices need to run zac retr to reestablish the trust.
If any device is not reachable during the refresh, you must first establish a connection with the device, then run the following command at the console prompt of each device to reestablish the trust between the device and the zone:
zac retr -u zone_administrator_username -p zone_administrator_password
Configure the Authentication Satellites with the new certificates by entering the following command at the Satellite's prompt:
On Windows: zac authentication server reconfigure (asr) -t all
On Linux: zac remint-satellite-cert (rsc)
Re-create all the default and custom deployment packages for all the Primary Servers:
Default Deployment Packages: At the console prompt of each Primary Server in the zone, enter the novell-zenworks-configure -c CreateExtractorPacks -Z command:
Custom Deployment Packages: At the console prompt of each Primary Server in the zone, enter the novell-zenworks- configure -c RebuildCustomPacks -Z command
(Conditional) If your zone includes Intel AMT devices, unprovision and provision the devices.
(Conditional) If multizone is configured with the server whose certificate has got replaced as the Publisher, then update the new certificate of this server for all its Subscribers. Perform the following to update the new certificate:
Log in to ZENworks Control Center (ZCC) of subscribers.
Update the certificate.
NOTE:Because ZENworks and ZENworks Reporting does not use the same certificate, the ZENworks Reporting does not require any configuration changes if the ZENworks certificate is changed. However, if you want to replace the certificate of ZENworks Reporting with the new certificate, you must run ZENworks Reporting Configuration Tool.