Search <book_title>...

InfoScale™ Operations Manager 9.0 Installation and Configuration Guide

Last Published: 2025-04-14

Product(s): InfoScale & Storage Foundation (9.0)

Platform: AIX,HP-UX,Linux,Solaris,VMware ESX,Windows

Importing third-party certificates for xprtld

Arctera InfoScale Operations Manager (VIOM)lets you import third-party certificates for the xprtld service on Management Servers that run on Linux. It also lets you import third-party certificates for the agents on AIX, Linux, and Solaris, provided that the agent version is 7.3.1 or later. VIOM supports the use of a third-party certificate without a passphrase for xprtld that runs on port 5634. However, it only supports 2048-bit certificates.

To generate a third-party certificate for xprtld

Use the openssl command as follows to generate a private key and a certificate signing request (CSR):
openssl req -newkey rsa:2048 -nodes -keyout sfmAgentPrivateKeyFileName -out sfmAgentCSRFileName
For example:
openssl req -newkey rsa:2048 -nodes -keyout sfm_agent.private.key -out sfm_agent.csr
The openssl command prompts you to provide some information that is to be added to the CSR. Specify the exact values that are provided in the following example:
```
Country Name (2 letter code) [XX]: . 
State or Province Name (full name) []: . 
Locality Name (eg, city) [Default City]: . 
Organization Name (eg, company) [Default Company Ltd]: vx 
Organizational Unit Name (eg, section) []: sfm_domain@nameOfCMS 
Common Name (eg, your name or your server's hostname) []: sfm_agent 
Email Address []: 
```
Note:
The nameOfCMS value should match exactly with the value of the cs_config_name attribute that is present in the /etc/default/sfm_resolv.conf file on the Central Management Server (CMS).
Specify the exact values that are provided in the following example for this additional information that is also to be sent with the CSR:
```
A challenge password []: .
 An optional company name []:
```
Send the CSR file - for example, sfm_agent.csr - to your certificate signing authority and ask them to provide the corresponding certificate. The certificate should be provided in the pem format, along with the intermediate CA certificate and the root CA certificate, and it should support SSL clients. Arctera recommends that you assign a validity of 10 years to the certificate, or the maximum duration possible.
Optionally, run the following command to verify the purpose of the certificate, including the support for SSL clients:
openssl x509 -purpose -noout -in sfmAgentCertFileName
For example:
openssl x509 -purpose -noout -in sfm_agent.cert.pem
Certificate purposes:
SSL client : Yes SSL client CA :No
SSL server : Yes SSL server CA :No
Netscape SSL server : Yes Netscape SSL server CA : No

Ensure that you have the following files ready before you import the certification on a Management Server:

File	Sample file name
Private key file for `sfm_agent`	`sfm_agent.private.key`
Certificate file for `sfm_agent`	`sfm_agent.cert.pem`
Certificate file for intermediate CA	`intermediate.cert.pem`
Certificate file for root CA	`ca.cert.pem`

To import a third-party certificate on a Management Server and on the agents

Copy all the files that are mentioned in the last step of the previous procedure on the Management Server at the appropriate location, for example: /viom/certs/.
Run the following command to import the certificates:
/opt/VRTSsfmh/bin/perl /opt/VRTSsfmh/util/import_sfm_agent_certificate.pl --import_sfm_agent_cert --sfm_agent_certificate=/viom/certs/sfmAgentCertificateFileName --sfm_agent_privatekey=/viom/certs/sfmAgentPrivateKeyFileName --subCA_certificate=/viom/certs/intermediateCertificateFileName --rootCA_certificate=/viom/certs/caCertificateFileName
For example:
/opt/VRTSsfmh/bin/perl /opt/VRTSsfmh/util/import_sfm_agent_certificate.pl --import_sfm_agent_cert --sfm_agent_certificate=/viom/certs/sfm_agent.cert.pem --sfm_agent_privatekey=/viom/certs/sfm_agent.private.key --subCA_certificate=/viom/certs/intermediate.cert.pem --rootCA_certificate=/viom/certs/ca.cert.pem
The certificates are imported on the agents automatically.
Follow the instructions and provide the appropriate input at the prompts that the command displays.
You may encounter certain situations that you can address as follows:
- The certificate import process restarts all the VIOM services on the Management Server and the xprtld service on all the managed hosts. After the certificate is successfully imported, if a managed host does not yet use the new certificate, check whether that host is registered on multiple Management Servers. If so, unconfigure the managed host from the Management Servers other than the one on which this new certificate was installed, and then restart the xprtld service on the host.
- The certificate cannot be imported on the managed hosts that are on VIOM 7.3 or an earlier version. Upgrade such hosts to VIOM 8.0 or a later supported version (refer to the Arctera InfoScale Operations Manager Hardware and Software Compatibility Lists document), and then run the command to import the certificate again.
- The certificate cannot be imported on managed hosts that are unreachable from the Management Server. After the import process is complete, address the connectivity issue for the managed hosts that were unreachable. Then, add the managed hosts to the Management Server again; the new certificate gets automatically installed on the managed hosts.