criticalunexpectederror

ZENworks2020SSLManagementReferenceOctober20192LegalNoticeForinformationaboutlegalnotices,trademarks,disclaimers,warranties,exportandotheruserestrictions,U.
S.
Governmentrights,patentpolicy,andFIPScompliance,seehttps://www.
novell.
com/company/legal/.
Copyright2008-2019MicroFocusSoftwareInc.
Allrightsreserved.
TheonlywarrantiesforproductsandservicesofMicroFocusanditsaffiliatesandlicensors("MicroFocus")aresetforthintheexpresswarrantystatementsaccompanyingsuchproductsandservices.
Nothinghereinshouldbeconstruedasconstitutinganadditionalwarranty.
MicroFocusshallnotbeliablefortechnicaloreditorialerrorsoromissionscontainedherein.
Theinformationcontainedhereinissubjecttochangewithoutnotice.
Contents3ContentsAboutThisGuide51SSLManagement71.
1AccessingtheCertificateDetails.
71.
2ConfiguringtheCertificateAuthority.
71.
2.
1InternalCertificateAuthority81.
2.
2ExternalCertificateAuthority81.
2.
3ViewingtheCertificateDetails91.
2.
4ChangingtheCertificateAuthority91.
2.
5CancelingaChangeCA.
141.
2.
6MovingtheCARole141.
2.
7TakingaBackupoftheCertificateAuthority141.
2.
8RestoringtheCertificateAuthority151.
2.
9RemintingtheCertificateAuthority151.
2.
10CancelingaCARemint171.
2.
11AddingexternalCertificateAuthoritytoTrustStore171.
2.
12AdditionalInformationonRemintCAandChangeCAprocessforMobileDevices181.
3ManagingtheServerCertificates.
181.
3.
1CertificateStatus.
191.
3.
2RemintingServerCertificates191.
3.
3CancelingaServerRemint25ATroubleshooting274AboutThisGuide5AboutThisGuideThisZENworksSSLManagementReferenceincludesinformationtohelpyouviewandconfigurethecertificateauthority,andthecertificatesforZENworks.
Theinformationinthisguideisorganizedasfollows:Chapter1,"SSLManagement,"onpage7AppendixA,"Troubleshooting,"onpage27AudienceThisdocumentisintendedforadministratorsorindividualswhoareconcernedwithtasksrelatedtoconfiguringandmanagingthecertificateauthorityandcertificatesforZENworks.
Tounderstandandperformtheproceduresdescribedinthisdocument,youshouldhaveaworkingknowledgeofZENworks,whichincludesexperienceininstallation,systemupdateandconfigurationofauthenticationSatelliteServerprocedures.
FeedbackWewanttohearyourcommentsandsuggestionsaboutthismanualandtheotherdocumentationincludedwiththisproduct.
PleaseusetheUserCommentsfeatureatthebottomofeachpageoftheonlinedocumentation.
AdditionalDocumentationZENworksissupportedbyotherdocumentation(inbothPDFandHTMLformats)thatyoucanusetolearnaboutandimplementtheproduct.
Foradditionaldocumentation,seetheZENworks2017documentationwebsite(http://www.
novell.
com/documentation/beta/zenworks2017).
6AboutThisGuide1SSLManagement71SSLManagementThischapterprovidesinformationonhowtoview,configureandmanagethecertificateauthorityandthecertificatesusedbyZENworksPrimaryServersandAuthenticationSatelliteServers.
BasedonhowthecertificateauthorityisinitiallyinstalledandconfiguredforZENworks,theCertificatespagewilldisplaytheactiveCA.
Itwillalsodisplaydetailsofthecertificatesissuedforservers(orotherdevices)withinthezone,whotheywereissuedby,andwhentheyexpire.
UsingtheCertificatespage,youcanalsochangethecertificateauthority.
Thischapterincludesthefollowingsections:Section1.
1,"AccessingtheCertificateDetails,"onpage7Section1.
2,"ConfiguringtheCertificateAuthority,"onpage7Section1.
3,"ManagingtheServerCertificates,"onpage181.
1AccessingtheCertificateDetailsToaccessthecertificatedetails:1LogintoZENworksControlCenter.
2ClickConfiguration>Certificates.
Thefollowingdetailsaredisplayed:ZoneCertificateAuthority:Thispaneprovidesinformationaboutthecertificateauthority,thecertificateserverdetails(iftheCAisinternal),andtheexpirationdateoftheCA.
ItalsoenablesyoutoperformoperationssuchasChangeCA,MoveCARole,RemintCA,BackupCAandRestoreCA.
Formoreinformation,seeSection1.
2,"ConfiguringtheCertificateAuthority,"onpage7.
ZENworksServerSSLCertificates:ThispaneprovidesinformationabouttheZENworksServercertificates.
Usingthispaneyoucanviewdetailsoftheservercertificatesandalsoremintthecertificates.
Formoreinformation,seeSection1.
3.
2,"RemintingServerCertificates,"onpage19.
1.
2ConfiguringtheCertificateAuthorityWhenyouinstallZENworksConfigurationManagementforthefirsttime,youarepromptedtoeithercreateaninternalCertificateAuthority(CA)orprovidetheappropriatecertificateinformationforanexternalCA.
BasedonhowthecertificateauthorityisinitiallyinstalledandconfiguredforZENworks,theCertificatespagewilldisplaytheactivecertificateauthority(CA).
TheactiveCAcanbeeitherinternalorexternal.
InternalCertificateAuthority:CertificatesareissuedbyaZENworksserverthatisassignedtheroleofcertificateauthority.
ExternalCertificateAuthority:Certificatesareissuedbyanexternalserver.
TheexternalservercertificatecanbeissuedbyasubordinateCAorarootCA.
ZENworkssupportstheuseofwildcardcertificates.
8SSLManagementThissectionprovidesinformationaboutthecurrentCertificateAuthorityanditalsoprovidesinformationaboutthevariousoperationsthatcanbeperformedontheCA:Section1.
2.
1,"InternalCertificateAuthority,"onpage8Section1.
2.
2,"ExternalCertificateAuthority,"onpage8Section1.
2.
3,"ViewingtheCertificateDetails,"onpage9Section1.
2.
4,"ChangingtheCertificateAuthority,"onpage9Section1.
2.
5,"CancelingaChangeCA,"onpage14Section1.
2.
6,"MovingtheCARole,"onpage14Section1.
2.
7,"TakingaBackupoftheCertificateAuthority,"onpage14Section1.
2.
8,"RestoringtheCertificateAuthority,"onpage15Section1.
2.
9,"RemintingtheCertificateAuthority,"onpage15Section1.
2.
10,"CancelingaCARemint,"onpage17Section1.
2.
11,"AddingexternalCertificateAuthoritytoTrustStore,"onpage17Section1.
2.
12,"AdditionalInformationonRemintCAandChangeCAprocessforMobileDevices,"onpage181.
2.
1InternalCertificateAuthorityInternalcertificatesareissuedbyaZENworksserverthathastheCArole.
ZENworksenablesyoutoperformthefollowingoperationsforanInternalCA:MoveCARole:WhenusinganinternalCA,theCAroleisgiventothefirstserverthatyouhaveinstalledinthezone.
ThisislistedastheCertificateServer.
UsingtheMoveCertificateAuthorityfeature,youcanmovetheCArolefromonePrimaryServertoanotherPrimaryServer.
Formoreinformation,seeSection1.
2.
6,"MovingtheCARole,"onpage14.
ChangeCA:TochangefromaninternalCAtoanotherinternalorexternalCA,orfromanexternalCAtoanotherexternalorinternalCA.
Formoreinformation,seeSection1.
2.
4,"ChangingtheCertificateAuthority,"onpage9.
BackupCA:Tobackupthecertificateauthority.
Formoreinformation,seeSection1.
2.
7,"TakingaBackupoftheCertificateAuthority,"onpage14.
RestoreCA:Torestorethebackedupcertificateauthority.
Formoreinformation,seeSection1.
2.
8,"RestoringtheCertificateAuthority,"onpage15.
RemintCA:Toreminttheinternalcertificateauthority.
Formoreinformation,seeSection1.
2.
9,"RemintingtheCertificateAuthority,"onpage15.
1.
2.
2ExternalCertificateAuthorityExternalcertificatesareissuedbyanexternalcertificateauthority(CA),forexample,Verisign.
UsingZENworksControlCenter,youcanchangethecurrentexternalCAtoanotherexternalorinternalCA.
Formoreinformation,seeChangingtheCertificateAuthority.
NOTE:Itisrecommendedthatyouremintthecertificatebeforeitexpires.
SSLManagement91.
2.
3ViewingtheCertificateDetailsToviewthecertificatedetails,intheZoneCertificateAuthoritypaneoftheCertificatespage,clicktheViewCertificatebutton,thefollowinginformationisdisplayed:Subject:TheCAservertowhomthecertificateisissued.
Issuedby:TheCAthatissuedthecertificate.
Validfrom:Thedateandtimefromwhichthecertificateisvalid.
Expires:Thedateandtimeatwhichthecertificatewillexpire.
Keylength:Thekeylengththatwasusedtocreatethecertificate.
MD5Fingerprint:TheMD5digestofthecertificatedata.
SHA1Fingerprint:TheSHA1digestofthecertificatedata.
CertificateStatus:Indicateswhetherthecertificateisvalidorhasexpired.
1.
2.
4ChangingtheCertificateAuthorityThisfeatureenablesyoutochangethecurrentcertificateauthority(CA)toanotherinternalorexternalCA.
"ChangingtheCAtoInternal"onpage9"ChangingtheCAtoExternal"onpage11ChangingtheCAtoInternalUsingthisfeature,youcaneitherchangetheexistingexternalCAtoaninternalCAoryoucanchangetheexistinginternalCAtoanotherinternalCA.
WhenyouchangetheCA,thePrimaryServerandAuthenticationSatelliteServercertificateswillgetremintedautomatically.
YouneedtoensurethattheIPortheDNSoftheSatelliteServersarenotchangedaftertheCAremintandbeforetheactivationoftheCA.
TochangetheCAtoInternal:1IntheZoneCertificateAuthoritypane,clicktheChangeCAbutton.
2IntheChangeCertificateAuthoritydialogbox,confirmthatyouwanttochangetheCAbyselectingYes,Iwanttochangethecertificateauthority.
Theremainingfieldsarethenactivated.
3Fromthedrop-downlist,selectChangetointernalcertificateauthority.
4Specifythefollowinginformation:Certificateserver:BrowseandselectthePrimaryServer,whichmustbethenewCA.
Subject:SpecifyasubjectnamefortheCA.
Bydefault,thezonenameisdisplayed.
KeyLength:Specifythekeylength.
Validfor(years):Specifythenumberofyearsforwhichthecertificateshouldbevalid.
Specifyavaluebetween1to10.
5SelectIncludeanyadditionalDNSnamesforeachserver,ifyouwantadditionalDNSnamesconfiguredfortheserverstobepartoftheSubjectAlternativeNameoftheirrespectivecertificates.
10SSLManagementNOTE:TheadditionalDNSnamesforaservercanbeconfiguredbyselectingtheSettingstabofthedevice.
6ClickNext.
7SpecifytheCertificateactivationdateandtime.
Asapartofcertificateactivation,thenewcertificateswillbeeffectiveandfromthenonwards,theoldcertificateswillnotbeusedforcommunicationbetweendevices.
Selectanappropriatecertificateactivationdate.
Threedatesshouldbeconsidered,theremintinitiationdate,theactivationdate,andthecertificateexpirydate.
Thereshouldbeenoughtimebetweentheremintinitiationdateandtheactivationdatetoallowallthedevicesinthezonetoapplythecertificateremintsystemupdate.
Thereshouldalsobeenoughtimebetweentheactivationdateandtheexpirydatetofacilitatetroubleshootingofunexpectedissues,ifany.
Formoreinformationoncertificateactivationformobiledevices,seeAdditionalInformationonRemintCAandChangeCAprocessforMobileDevicesIMPORTANT:Changingcertificatesinthezoneisacriticalprocess,andshouldbeallowedplentyoftimetoensureeverythingworksright.
Iflesstimeisallowedfortheprocesstocomplete,thereisapossibilitythatcommunicationbetweentheZENworksagentsandserverscouldbelost.
Insuchasscenario,youwillneedtorunthestandaloneCertificateUpdaterTool.
ThistoolwillbeavailablefordownloadonallthePrimaryServersaftertheupdateiscreatedandassigned,anditwillbeavailableinthefollowinglocation:http://:/zenworks-setup.
ThestandaloneCertificateUpdatertoolwillnotbeavailablewhenthecertificateupdateisbaselinedanddeleted.
Hence,youshoulddownloadthetoolinadvancesothatitisavailablewhenneeded.
IftheCAhasalreadyexpired,theactivationtimewillbelabeledasImmediateandyouneedtoruntheCertificateUpdatedToolonallthedevices.
OnthenewCAserver,theCertificateUpdatedToolwillbelaunchedautomatically.
8ClickFinish.
AmessageisdisplayedintheZoneCertificateAuthoritypaneindicatingthattheChangeCAoperationhasbeeninitiated.
AspartoftheChangeCAprocess,ZENworkswillcreateasystemupdateandthecontentofthesystemupdatewillbereplicatedtoallthePrimaryServersandContentSatelliteServersinthezone,basedontheconfiguredcontentreplicationschedule.
TheCRTwillbecreatedonthenewCAserver.
OnotherPrimaryServers,itwillbecreatedonlyaftertheSUisassigned,toensurethatthecontentisreplicated.
Youcanclickthecurrentreplicationstatuslinktoviewthelistofserversalongandtheirrespectivecontentreplicationstatuses.
Afterthereplicationiscomplete,thesystemupdatewillbeautomaticallyassignedtoalldevicesinthezone.
Atanytimebeforetheautoassignmenthappens,youcanassignthesystemupdatemanuallybyclickingtheAssignNowlinkeventhoughthecontentisnotreplicatedtoallcontentservers.
Thesystemupdatewillgetassignedtoalldevicesinthezone.
Forsuccessfulcompletion,werecommendthatyouensurethecontentisavailableonthecontentserversbeforeassigningthesystemupdate.
Ifthesystemupdatefailsbecausethecontentisnotavailable,youneedtoredeploythesystemupdateonthefaileddevices.
SSLManagement11IMPORTANT:AssoonastheSUisassigned,theCRTwillrunonthenewCAserver,automatically.
YouneedtoremintthecertificateonthatserverfirstandthenallotherPrimaryServersshouldberemintedandafterthattheotherdevices,inanyorder.
ThesystemupdatestatusforthePrimaryServersandAuthenticationSatelliteServerscanbeviewedintheZENworksServerSSLCertificatepanel.
ThefuturecertificatefortheseserverscanbeviewedfromtheOptionscolumn.
ThesystemupdatestatusfortheotherdevicescanbetrackedfromtheSystemUpdatespage.
ChangingtheCAtoExternalUsingthisfeature,youcanchangetheexistinginternalCAtoanexternalCA,renewthesameexternalCA,oryoucanchangetheexistingexternalCAtoanewexternalCA.
NOTE:WiththeexceptionofgeneratingCSRforthePrimaryServerasmentionedinStep6,theproceduredetailedinthissectionisthesameforwildcardandnon-wildcardcertificates.
TochangetheexistingCAtoExternal:1IntheZoneCertificateAuthoritypane,clicktheChangeCAbutton.
2IntheChangeCertificateAuthoritydialogbox,confirmthatyouwanttochangetheCAbyselectingYes,Iwanttochangethecertificateauthority.
Theremainingfieldsarethenactivated.
3Fromthedrop-downlist,selectChangetoexternalcertificateauthority.
4ClickBrowsetoselectanduploadthetrustedrootcertificateprovidedbytheexternalCA.
NOTEIfitisanintermediateCA,youneedtoprovidethecompletechain.
ZENworkswillusetherootCAinthechainasthefutureCA.
Thechainshouldbeginwiththeservercertificate,theintermediateorsubordinatecertificateauthorityandthenrootca.
Thesupportedcertificateformatsare.
der,.
cer,.
crt,.
p7b,.
pem,.
certIMPORTANT:ToavoidorresolvethisissuewhenchangingtoanintermediateCA,seeSecuritypoliciesandsecuritysettingsfailafterchangingzonetointermediateCAintheZENworks2017Update4TroubleshootingPolicyDeploymentreference.
5ClickNext.
TheGenerateCSRscreenisdisplayed.
6SelecthowyouwanttogeneratetheCSRforeachserver:IwillgenerateaCSRforeachservermanually:IfyouwanttogeneratetheCSRforeachservermanually,clickNextandgotoStep7.
NOTE:IfyouwanttouseexternalwildcardcertificatesforanyofthePrimaryServers,thenyouneedtousethisoptionandgeneratetheCSRusinganyexternaltoolsuchasOpenSSL.
ZENworksdoesnotsupportthegenerationofCSRforwildcardcertificates.
Formoreinformation,seeGeneratingaCertificateSigningRequest(CSR).
12SSLManagementLetZENworksgenerateaCSRautomaticallyforeachserver:IfyouwantZENworkstogeneratetheCSRforallserversautomatically,specifythefollowinginformationandclickNext:Organization:OrganizationnameOrganizationUnit:Organizationalunitname,suchasadepartmentordivisionCity/Locality:CitynameorlocationState/Province:StateorprovincenameCountry/region:CountryorregionKeyLength:SpecifythekeylengthIncludeanyadditionalDNSnamesforeachserver:SelectthisoptionifyouwanttheadditionalDNSnamesconfiguredfortheserverstobepartoftheSubjectAlternativeNameoftheirrespectivecertificates.
NOTE:TheadditionalDNSnamesforadevicecanbeconfiguredbyselectingtheSettingstabofthePrimaryServer.
7SpecifytheCertificateactivationdateandtime.
Selectanappropriatecertificateactivationdate.
Threedatesshouldbeconsidered,theremintinitiationdate,theactivationdate,andthecertificateexpirydate.
Thereshouldbeenoughtimebetweentheremintinitiationdateandtheactivationdatetoallowallthedevicesinthezonetoapplythecertificateremintsystemupdate.
Thereshouldalsobeenoughtimebetweentheactivationdateandtheexpirydatetofacilitatetroubleshootingofunexpectedissues,ifany.
Formoreinformationoncertificateactivationformobiledevices,seeAdditionalInformationonRemintCAandChangeCAprocessforMobileDevicesIMPORTANT:Ifthecertificateactivationtimepassesbeforethesystemupdateisappliedonthedevices,thesedeviceswillnotbeabletocommunicatewiththePrimaryServersonwhichthenewcertificatehasalreadybeenactivated.
YouwillthenneedtoruntheCertificateUpdaterToolonthesedevices.
TheCertificateUpdatertoolwillnotbeavailablewhenthecertificateremintupdateisbaselinedanddeleted.
Hence,youshoulddownloadthetoolinadvance,beforetheupdateisbaselined,sothatitisavailablewhenneeded.
IftheCAhasalreadyexpired,theactivationtimewillbelabeledasImmediate,andyouwillneedtoruntheCertificateUpdaterToolonallthedevices,excepttheserveronwhichtheremintwasinitiated.
Onthisserver,theCertificateUpdaterToolwillbelaunchedautomatically.
IMPORTANT:AssoonastheSUisassigned,theCRTwillrunonthenewCAserverautomatically.
YouneedtoremintthecertificateonthatserverfirstandthenallotherPrimaryServersshouldberemintedandafterthattheotherdevicesinanyorder.
8ClickFinish.
AmessageisdisplayedintheZoneCertificateAuthoritypaneindicatingthattheChangeCAoperationhasbeeninitiated.
AspartoftheChangeCAprocess,ZENworkswillcreateasystemupdatewhosecontentwillbereplicatedtoallthePrimaryServersandContentSatelliteServersinthezone,basedontheconfiguredcontentreplicationschedule.
TheCertificateUpdaterTool(CRT)willbecreatedontheserveronwhichtheremintoperationwasinitiated.
OnotherPrimaryServers,itwillbecreatedonlyaftertheSUisassigned,toensurethatthecontentisreplicated.
SSLManagement13Youcanclickthecurrentreplicationstatuslinktoviewthelistofserversalongandtheirrespectivecontentreplicationstatuses.
Afterthereplicationiscomplete,thesystemupdatewillbeautomaticallyassignedtoalldevicesinthezone.
Atanytimebeforetheautoassignmenthappens,youcanassignthesystemupdatemanuallybyclickingtheAssignNowlink.
Thisisusefulifsomeofthecontentserverscannotreplicatecontentduetovariousreasons.
Thesystemupdatewillgetassignedtoalldevicesinthezone,ignoringthesystemupdatestages,ifany,inthezone.
Forsuccessfulcompletion,werecommendthatyouensurethecontentisavailableonthecontentserversbeforeassigningthesystemupdate.
NOTE:Ifthesystemupdatefailsbecausethecontentisnotavailable,youneedtoredeploythesystemupdateonthefaileddevices.
ThesystemupdatestatusforthePrimaryServersandAuthenticationSatelliteServerscanbeviewedintheZENworksServerSSLCertificatespanel.
TheOptionscolumnwillenableyoutodownloadtheCSRs,ifany,andalsoviewthefuturecertificates.
ThesystemupdatestatusfortheotherdevicescanbetrackedfromtheSystemUpdatespage.
9IfyouselectedtheIwillgenerateaCSRforeachservermanuallyoptioninStep6,youneedtogeneratethecertificatesforthePrimaryServersandAuthenticationSatelliteServersmanually.
Thecertificate(thecompletecertificatechain)andtheprivatekeymustthenbeplacedintheremintrepositoryfolderofeachoftheseservers:OnWindows:%zenworks_home%\remint-repoOnLinux:/opt/novell/zenworks/remint-repoThefilenamehastobeserverandtheextensioncanhavethe.
der,.
cer,.
crt,.
p7b,.
pem,.
certextensions.
Thecertificatecanbederorpemencoded.
Theprivatekeyfilenameshouldbekey.
der.
IfyouselectedtheLetZENworksgenerateaCSRautomaticallyforeachserveroption,youhavetodownloadtheCSRforeachserver,getthemsignedbytheCA,andimportthefuturecertificatesusingtheImportCertificateaction.
Theactivatorwillchecktheservercertificateinthedatabaseandifitisimportedintothedatabase,itwillserializetheservercertificateasserver.
cerandplaceitintheremintrepository:OnWindows:%zenworks_home%\remint-repoOnLinux:/opt/novell/zenworks/remint-repoTheCAcertificatewillbeserializedinthesamedirectorywhileapplyingthesystemupdateasca.
cert.
NOTE:TheGenerateCSRactioncanbeusedinthefollowingscenarios:YouselectedtheIwillgenerateaCSRforeachservermanuallyoptioninStep6,butyouwanttouseZENworkstogenerateCSRsforoneormoredevices.
Inthiscase,youwillneedtoimportthecertificateforthedeviceusingtheImportCertificateaction.
YouselectedtheLetZENworksgenerateaCSRautomaticallyforeachserveroptioninStep6,butyouwanttooverridetheCSRforoneormoredevices.
YoucanthenusethenewlygeneratedCSRtorequestthefuturecertificatefromtheCA.
TogenerateCSRs,selectoneormoreservers,thenclickGenerateCSRfromtheActionsmenu.
Formoreinformation,seeGeneratingtheCSR.
14SSLManagementIMPORTANT:Ifyouhave10.
3.
4devicesinthezone,ensurethatallthemanageddevicesarerefreshedafterallthePrimaryServers'futurecertificatesareavailableinthedatabase.
Forallotherdevices,theyneedtoberefreshedifthesubjecthasbeenchangedforanyofthePrimaryServercertificates.
Ifthedevicesarenotrefreshed,communicationbetweenthemanageddevicesandthePrimaryServerswillbreak.
1.
2.
5CancelingaChangeCAWhenyouinitiateaChangeCA,intheZoneCertificateAuthoritypane,amessageisdisplayedindicatingthattheChangeCAoperationhasbeeninitiated.
ThismessageincludesaCancelbutton.
TocanceltheChangeCAoperation:1ClicktheCancelbutton.
Adialogisdisplayedaskingyoutoconfirmthatyouwanttocanceltheoperation.
2Afteryouconfirm,amessageisdisplayedindicatingtheprogressofthecanceloperation.
Ifthecancelissuccessful,allthebuttonsintheZoneCertificateAuthoritypaneareenabled.
Ifthecanceloperationfails,afailuremessageisdisplayed.
YoucanclearthemessageandtrytheCanceloperationagain.
TheChangeCAoperationiscanceledsuccessfully.
TheCancelbuttonwillbedisabledtenminutesbeforetheactivationtime.
1.
2.
6MovingtheCARoleWhenhardwarehastobeupgraded,orwhenitsapproachingend-of-life,orforvariousotherreasons,youmayneedtoselectanewcertificateauthorityforthezone.
Tomovethecertificateauthority,youmustselectanewPrimaryServerthatwillserveasthecertificateauthority,henceforth,forthezone.
Tomovethecertificate:1ClickConfiguration>Certificates.
2ClicktheMoveCARolebutton.
3IntheMoveCertificateAuthoritydialog,clickthebrowseicontoselectthePrimaryServer,whichmustbethenewCA.
4SelecttherequiredserverfromthelistofPrimaryServers.
5ClickOK.
TheCertificateserverfieldintheZoneCertificateAuthoritypanelwillreflecttheselectedserverasthenewCA.
1.
2.
7TakingaBackupoftheCertificateAuthorityUsingtheBackupCAfeatureyoucanbackuptheinternalcertificateauthorityforZENworks.
TobackuptheinternalCAcertificate:1IntheZoneCertificateAuthoritypane.
clickBackupCA.
2SpecifyaPassphrase.
SSLManagement15Thispassphraseisrequiredwhenyouwanttoperformarestore.
Thepassphraseshouldcontainatleast10characters.
3Re-typethepassphraseintheConfirmfield.
4ClickOK.
Azipfilewillbedownloadedtothebrowser'sdefaultdownloaddirectoryortheuserwillbepromptedtosavethezipfileinaparticulardirectory.
1.
2.
8RestoringtheCertificateAuthorityUsingtheRestoreCAfeatureyoucanrestoretheinternalcertificateauthorityforZENworksontothesameserverfromwhereyouhavecreatedabackuporontoanotherserver.
TorestoretheinternalCAcertificate:1IntheZoneCertificateAuthoritypane,clickRestoreCA.
2ClickBrowsetonavigatetothebackupfile,thenselectit.
3ClickthebrowseicontoselectthePrimaryServertowhichyouwanttorestorethebackedupCA.
AftertheCAisrestored,theserverwillbeassignedtheCArole.
IftheCAwasrestoredontheserverthatwasusedtobackupthefile,thentheCArolewillbeassignedtothesameserver.
However,ifyouselectedanewservertorestoretheCA,therolewillbemovedtothenewserver.
4SpecifythePassphrasethatwasusedwhilecreatingthebackup.
5ClickOK.
TheCertificateserverfieldintheZoneCertificateAuthoritypanelwillnowreflectthechosenserverasthenewCA.
1.
2.
9RemintingtheCertificateAuthorityIfthecertificateauthoritycertificateexpires,deviceswillbeunabletoestablishanSSLconnectiontotheserver.
Itisimportantthatbeforethisoccurs,youreneworreminttheinternalCAcertificateanddistributethiscertificatetoyourmanageddevices.
BeforeinitiatingtheCAremint,youneedtoensurethatthePrimaryServersandtheSatelliteServersareatthesameZENworksversion.
WhenyoureminttheCA,thePrimaryServerandAuthenticationSatelliteServercertificateswillgetremintedautomatically.
YouneedtoensurethattheIPortheDNSoftheSatelliteServersarenotchangedaftertheCAremintandbeforetheactivationoftheCA.
NOTE:InthecaseofaninternalCA,oneofthePrimaryServersinthezonewillhavetheCArole.
ThecertificatesforallPrimaryServerswillbeissuedbytheCAServer.
ToreminttheinternalCAcertificate:1IntheZoneCertificateAuthoritypane,clickRemintCA.
2ConfirmthatyouwanttoreminttheCAbyselectingYes,Iwanttoremintthecertificateauthority.
Theremainingfieldsareactivated.
16SSLManagement3Specifythefollowinginformation:Commonname:SpecifyacommonnamefortheCA.
Bydefault,thezonenameisdisplayed.
Keylength:Specifythekeylength.
Validfor(years):Specifythenumberofyearsforwhichthecertificateshouldbevalid.
Specifyavaluebetween1to10.
4SelectIncludeanyadditionalDNSnamesforeachserver,ifyouwanttheadditionalDNSnamesconfiguredfortheserverstobepartoftheSubjectAlternativeNameoftheirrespectivecertificates.
NOTE:TheadditionalDNSnamesforadevicecanbeconfiguredbyselectingtheSettingstabofthedevice.
5SpecifytheCertificateactivationdateandtime.
YoucanselectanydatethatispriortotheexpirationofthecurrentCA.
Ensurethatyouincludeadequatetimefortheassociatedsystemupdatetobeappliedonallthedevices.
IMPORTANT:Ifthecertificateactivationtimepassesbeforethesystemupdateisappliedonallthedevices,thepending-updatedevices,willnotbeabletocommunicatewithPrimaryServersonwhichthenewcertificatehasalreadybeenactivated.
YouwillthenneedtorunthestandaloneCertificateUpdaterTooltoupdatetheCAonthesedevices.
ThestandaloneCertificateUpdatertoolwillnotbeavailablewhenthecertificateremintupdateisbaselinedanddeleted.
Hence,youshoulddownloadthetoolinadvance,beforetheupdateisbaselined,sothatitisavailablewhenneeded.
IftheCAhasalreadyexpired,theactivationtimewillbelabeledasImmediate,andyouwillneedtoruntheCertificateUpdaterToolonallthedevicesapartfromthenewCAserver.
OnthenewCAserver,theCertificateUpdaterToolwillbelaunchedautomatically.
ForadditionalinformationontheRemintCAprocessformobiledevices,seeAdditionalInformationonRemintCAandChangeCAprocessforMobileDevices.
6ClickOK.
AmessageisdisplayedintheZoneCertificateAuthoritypane,indicatingthattheRemintCAoperationhasbeeninitiated.
AspartoftheRemintCAprocess,ZENworkswillcreateasystemupdate,thecontentofwhichwillbereplicatedtoallthePrimaryServersandContentSatelliteServersinthezone,basedontheconfiguredcontentreplicationschedule.
Youcanclickthecurrentreplicationstatuslinktoviewthelistofserversalongwiththeirrespectivecontentreplicationstatuses.
Afterthereplicationiscomplete,thesystemupdatewillbeautomaticallyassignedtoalldevicesinthezone.
TheCRTwillbecreatedonthenewCAserver.
OnotherPrimaryServers,itwillbecreatedonlyaftertheSUisassigned,toensurethatthecontentisreplicated.
Atanytimebeforetheautoassignmenthappens,youcanassignthesystemupdatemanuallybyclickingtheAssignNowlink.
Thesystemupdatewillgetassignedtoalldevicesinthezone.
Forsuccessfulcompletion,werecommendthatyouensurethatthecontentisavailableonthecontentserversbeforeassigningthesystemupdate.
NOTE:Ifthesystemupdatefailsbecausethecontentisnotavailable,youneedtoredeploythesystemupdateonthefaileddevices.
SSLManagement17ThesystemupdatestatusforthePrimaryServersandAuthenticationSatelliteServerscanbeviewedintheZENworksServerSSLCertificatepanel.
ThefuturecertificatefortheseserverscanbeviewedfromtheOptionscolumn.
ThesystemupdatestatusfortheotherdevicescanbetrackedfromtheSystemUpdatespage.
IMPORTANT:Ifthedevicesare10.
3.
4makesureallthemanageddevicesarerefreshedafterallthePrimaryServers'futurecertificatesareavailableinthedatabase.
Forallotherdevices,theyneedtoberefreshedifthesubjecthasbeenchangedforanyofthePrimaryServercertificates.
Ifthedevicesarenotrefreshed,communicationbetweenthemanageddevicesandthePrimaryServerswillbreak.
1.
2.
10CancelingaCARemintWhenyouInitiateaCAremint,intheZoneCertificateAuthoritypane,amessageisdisplayedindicatingthattheCAremintoperationhasbeeninitiated.
ThismessageincludesaCancelbutton.
TocanceltheCAremint:1ClicktheCancelbutton.
Adialogisdisplayedaskingyoutoconfirmthatyouwanttocanceltheoperation.
2Afteryouconfirm,amessageisdisplayedindicatingtheprogressofthecanceloperation.
Ifthecancelissuccessful,allthebuttonsintheZoneCertificateAuthoritypaneareenabled.
Ifthecanceloperationfails,afailuremessageisdisplayed.
YoucanclearthemessageandtrytheCanceloperationagain.
TheCAremintoperationiscanceledsuccessfully.
TheCancelbuttonwillbedisabledtenminutesbeforetheactivationtime.
ThoughyoucannotcanceltheCARemint,youcancancelthesystem-updateforthedeviceusingtheIgnoreDeviceoptionfromSystemUpdatepage.
1.
2.
11AddingexternalCertificateAuthoritytoTrustStoreTheAddExternalCAToTrustStoreconfigureactionaddsanexternalCAcertificatetotheZENworkstruststore.
Theconfigureactionacceptsthefollowingparameters:filepath:PathtothenewexternalCAfile.
Thisisamandatoryfield.
alias:Aliasisauniqueidentifierthatshouldbeusedforthecertificatefile.
Thisisanoptionalfield.
Theconfigureactioncanbeexecutedinanyofthefollowingway:novell-zenworks-configure-cAddExternalCAToTrustStoreThiscommandaddsanexternalCAcertificatetotheZENworkstruststore.
Ifacertificatewithsamealiasalreadyexists,thenthiscommanddoesnotoverridestheexistingcertificateinthetruststore.
novell-zenworks-configure-cAddExternalCAToTrustStore-ZThiscommandaddsanexternalCAcertificatetotheZENworkstruststore.
Ifacertificatewithsamealiasalreadyexists,thenthiscommandoverridestheexistingcertificateinthetruststore.
NOTE:Afterremintingthecertificate,ensurethatyouexecutetheAddExternalCAToTrustStorecommandagain.
18SSLManagement1.
2.
12AdditionalInformationonRemintCAandChangeCAprocessforMobileDevicesDuringaRemintCAorChangeCAoperation,thenewCAcertificateisissuedtomobiledevicesthatsyncwiththeZENworksMDMServerattheUpdateAssignedstageandbeforetheCAcertificateactivationdate.
AfterobtainingtheCAcertificate,thesedevicesmovetothePendingCertificateActivationstage.
Atthisstage,afterthenewservercertificateisactivatedontheserver,thenewMDMidentitycertificateisissuedtomobiledevicesthatsyncwiththeZENworksMDMServer.
ThedeviceswillstartcommunicatingwiththeMDMServerusingthisnewcertificate.
EnrolledmobiledevicescansyncwiththeZENworksMDMServerinanyoneofthefollowingways:Automatically:basedonthespecifiedmobiledevicerefreshschedule.
Manually:byinitiatingaRefreshDevicequicktaskfromZCCorbyclickingtheRefreshiconeitherontheZENworksAgentappforanAndroiddeviceortheEnd-userportalforaniOSdevice.
NOTE:WhilespecifyingtheCAactivationdate,ensurethatyouprovideadequatetimeforallthedevicesinthezonetosyncwiththeZENworksMDMServer.
However,ifcertainmobiledevicesareofflineanddoesnotsyncwiththeZENworksserverduringthesystemupdate(asapartoftheRemintCAorChangeCAoperation)process,thenbasedonthestageatwhichthesedevicesareoffline,youneedtoperformtherelevantaction:IfthedeviceisofflinewhenthestatusofthedeviceisUpdateAssignedforcertificateupdateandtheCAactivationdatehaspassed:Thedeviceshavetobere-enrolledsothattheycancontinuetocommunicatewiththeMDMServerusingthenewcertificate.
IfthedeviceisofflinewhenthestatusofthedeviceisPendingCertificateActivationandtheCAactivationdatehaspassed:Noactionneedstobeperformed.
AssoonasthedevicessyncwiththeZENworksMDMServer,thenewMDMidentitycertificateisissuedtothedevices.
ThedeviceswillcommunicatewiththeMDMServerusingthisnewcertificate.
1.
3ManagingtheServerCertificatesTheZENworksServerSSLCertificatespaneinZCCenablesyoutoviewinformationabouttheSSLcertificatesthatareissuedtotheZENworksPrimaryServersandAuthenticationSatelliteServersinthezone.
Usingthispanel,youcanviewandremintcertificatesforoneormoredevices.
Theinformationthatisdisplayedincludesthefollowing:IssuedTo:Theservertowhichthecertificateisissued.
Clicktheservertoviewitsdetails.
Subject:TheFullyQualifiedDomainName(FQDN)oftheservertowhichthecertificateisissued.
IssuedBy:TheCAthatissuedthecertificate.
ValidFrom-Thedateandtime,intheuser'stimezone,fromwhichthecertificateisvalid.
ExpiresOn:Thedateandtime,intheuser'stimezone,onwhichthecertificateexpires.
MD5Fingerprint:TheMD5digestofthecertificatedata.
SHA1Fingerprint:TheSHA1digestofthecertificatedata.
SSLManagement19CertificateStatus:Showsthestatusofthecurrentcertificateasactiveorexpired.
Ifaremintisinprogress,thecertificate-creationstatusisdisplayed.
Formoreinformation,seeCertificateStatus.
Options:ProvidesoptionstoviewthefuturecertificateanddownloadtheCSRbasedontheremintoperationthatisinprogress.
UpdateStatus:Ifaremintoperationisinprogress,thestatusoftheassociatedsystemupdateisdisplayed.
Version:TheversionofZENworksinstalledontheservers.
ForinformationontheChangeCAorRemintCAprocess,seeConfiguringtheCertificateAuthority.
Thissectionprovidesthefollowinginformation:Section1.
3.
1,"CertificateStatus,"onpage19Section1.
3.
2,"RemintingServerCertificates,"onpage19Section1.
3.
3,"CancelingaServerRemint,"onpage251.
3.
1CertificateStatusWhenaservercertificateremintisinprogress,thecertificatestatuscanbeanyofthefollowing:ForInternalCertificates:Newcertificatecreated-Thefuturecertificateisavailable.
Creatingcertificatefailed-Anerroroccurredwhilecreatingthefuturecertificate.
ForExternalCertificates:CSRgenerated-TheCertificateSigningRequest(CSR)isgeneratedforthefuturecertificate.
ThisstatusindicatesthatCSRisgeneratedforthecorrespondingserverandtheadministratorhastodownloadtheCSRusingthedownloadbuttonandthengetitsignedbytheexternalcertificateauthority.
AfterreceivingthenewservercertificatethatcorrespondswiththeCSRtheadministratorshouldimportthecertificateusingZENworksControlCenter.
CSRgenerationFailed-AnerroroccurredwhilegeneratingtheCSR.
Insuchascenario,theadministratorcanmanuallyselecttheserverforwhichtheCSRgenerationhasfailedandgeneratetheCSRagain,aftercorrectingthereasonsforfailure,ifanyorredeploythesystemupdateforthedevice.
Newcertificateuploaded-Thefuturecertificatehasbeenimportedintothedatabase.
1.
3.
2RemintingServerCertificatesIfyourservercertificateexpires,deviceswillbeunabletoestablishanSSLconnectiontotheserver.
Itisimportantthatbeforethisoccurs,youreneworremintthecertificateanddistributethiscertificatetoyourmanageddevices.
TheproceduredetailedinthissectionisthesameforazonewithoneormorePrimaryServers.
"RemintServerCertificatesWhentheCAIsInternal"onpage20"RemintServerCertificatesWhentheCAIsExternal"onpage2120SSLManagementIfaservercertificatehasalreadyexpired,thenadialogboxwiththefollowingerrormessageisdisplayed:"Thefollowingcertificatesareabouttoexpireorhaveexpired.
Youshouldupdatethecertificatesassoonaspossibletoavoidalossofcommunicationbetweendevicesandservices.
servercertificatehasexpired".
Formoreinformationonremintinganexpiredservercertificate,seeAservercertificatehasexpiredintheTroubleshootingsection.
RemintServerCertificatesWhentheCAIsInternalToreneworreminttheinternalservercertificates,selectoneormoreservers,thenclickRemintCertificate.
NOTE:Basedontheoperation(s)initiatedfromtheCertificatespage,theRemintCertificateoptionmightnotbeenableduntiltheseoperationsarecomplete.
Forexample,whenaRemintCAorChangeCAisinprogress,thisoptionwillnotbeavailable.
1ConfirmthatyouwanttoremintthecertificatebyselectingYes,Iwanttoremintthecertificateforthisserver.
Theremainingfieldsarethenactivated.
2SpecifytheCommonnameforthecertificate.
Bydefault,theFullyQualifiedDomainName(FQDN)oftheserverisdisplayed.
Ifyouhaveselectedmultipleservers,oriftheselectedserverhasassociatedsatellites,thisfieldwillnotbedisplayed.
3SpecifytheKeylength.
4SelectIncludeanyadditionalDNSnamesforeachserver,ifyouwanttheadditionalDNSnamesconfiguredfortheserverstobepartoftheSubjectAlternativeNameoftheirrespectivecertificates.
NOTE:Ifyouselectedasingleserver,theadditionalDNSnamesconfiguredforthisserveraredisplayed.
However,iftherearenoadditionalDNSnamesconfiguredfortheserver,youcannotselectthisoption.
TheadditionalDNSnamesforthedevicecanbeconfiguredbyselectingtheSettingstabofthedevice.
5SpecifytheCertificateactivationdateandtime.
YoucanselectanydatethatispriortotheexpirationofthecurrentCA.
Ensurethatyouincludeadequatetimefortheassociatedsystemupdatetobeappliedonallthedevices.
6Specifyanameforthesystemupdatethatwillbecreatedtoremintthecertificate.
7ClickOK.
AmessageisdisplayedintheZENworksSSLCertificatespane,indicatingthattheRemintCertificateoperationhasbeeninitiated.
AspartoftheRemintCertificateprocess,ZENworkswillcreateasystemupdate,thecontentofwhichwillbereplicatedtoallthePrimaryServersandContentSatelliteServersinthezone,basedontheconfiguredcontentreplicationschedule.
Youcanclickthecurrentreplicationstatuslinktoviewthelistofserversalongwiththeirrespectivecontentreplicationstatuses.
Afterthereplicationiscomplete,thesystemupdatewillbeautomaticallyassignedtotheselecteddevices.
SSLManagement21Atanytimebeforetheautoassignmenthappens,youcanassignthesystemupdatemanuallybyclickingtheAssignNowlink.
Thesystemupdatewillgetassignedtotheselecteddevices.
Forsuccessfulcompletion,werecommendthatyouensurethatthecontentisavailableonthecontentserversbeforeassigningthesystemupdate.
AfterclickingtheAssignNowlink,awarningmessageisdisplayed,withaselectedserverslink,whenyouclickonthislink,itwilldisplayapopupmessagewithalistoftheserversforwhichthereminthasbeeninitiated.
NOTE:Ifthesystemupdatefailsbecausethecontentisnotavailable,youneedtoredeploythesystemupdateonthefaileddevices.
ThesystemupdatestatusforthetargetedserverscanbeviewedintheZENworksServerSSLCertificatepanel.
ThefuturecertificatefortheseserverscanbeviewedfromtheOptionscolumn.
NOTE:ItisnotmandatoryformobiledevicestosyncwiththeserverbeforetheMDMServercertificateisactivated.
RemintServerCertificatesWhentheCAIsExternalToremintservercertificateswhentheCAisexternal,youneedtofirstdeploytheRemintsystemupdatetothedevice,thenallowZENworkstogeneratetheCSR,ormanuallygeneratetheCSR.
IfyouchoosetomanuallygeneratetheCSR,youwillneedtogeneratetheCSRandthenimportthecertificatetothedevice.
Whenyoureminttheservercertificate,youneedtogettheservercertificateissuedbythecurrentzoneCA(rootCA)oranysubordinateCAofthecurrentzoneCA.
IfthecertificateisissuedbyasubordinateCA,youneedtoprovidethecompletecertificatechain.
Thissectionincludesthefollowinginformation:"RemintingtheServerCertificate"onpage21"GeneratingtheCSR"onpage23"ImportingtheCertificate"onpage24RemintingtheServerCertificate1Toreneworreminttheexternalservercertificates,selectoneormoreservers,thenclickRemintCertificate.
2SelecthowyouwanttogeneratetheCSRforeachserver:IwillgenerateaCSRforeachservermanually:IfyouwanttogeneratetheCSRforeachservermanually,clickNextandgotoStep3.
LetZENworksgenerateaCSRautomaticallyforeachserver:IfyouwantZENworkstogeneratetheCSRforalltheserversautomatically,specifythefollowinginformation,thenclickNext:Commonname:TheFullyQualifiedDomainName(FQDN)oftheserver.
Ifyouhaveselectedmultipleservers,thisfieldwillnotbedisplayed.
Organization:OrganizationnameOrganizationunit:Organizationalunitname,suchasadepartmentordivision.
22SSLManagementCity/Locality-CitynameorlocationState/Province:StateorprovincenameCountry/region:Countryorregion.
Forexample,US.
KeyLength:SpecifythekeylengthIncludeanyadditionalDNSnamesforeachserver:SelectthisoptionifyouwanttheadditionalDNSnamesconfiguredfortheserverstobepartoftheSubjectAlternativeNameoftheirrespectivecertificates.
NOTE:TheadditionalDNSnamesforadevicecanbeconfiguredbyselectingtheSettingstabofthedevice.
3SpecifytheCertificateactivationdateandtime.
Youcanselectanydatethatispriortotheexpirationoftheserverthathastheearliestexpirationdateamongtheselectedservers.
Ensurethatyouincludeadequatetimefortheassociatedsystemupdatetobeappliedonallofthedevices.
4Specifyanameforthesystemupdatethatwillbecreatedtoremintthecertificate.
5ClickFinish.
AmessageisdisplayedintheZENworksSSLCertificatespane,indicatingthattheRemintCertificateoperationhasbeeninitiated.
AspartoftheRemintCertificateprocess,ZENworkswillcreateasystemupdatewhichwillbereplicatedtoallthePrimaryServersandContentSatelliteServersinthezone,basedontheconfiguredcontentreplicationschedule.
Youcanclickthecurrentreplicationstatuslinktoviewthelistofserversalongwiththeirrespectivecontentreplicationstatuses.
Afterthereplicationiscomplete,thesystemupdatewillbeautomaticallyassignedtotheselecteddevices.
TheCRTwillbecreatedontheserveronwhichtheremintoperationwasinitiated.
OnotherPrimaryServers,itwillbecreatedonlyaftertheSUisassigned,toensurethatthecontentisreplicated.
Atanytimebeforetheautoassignmenthappens,youcanassignthesystemupdatemanuallybyclickingtheAssignNowlink.
Thesystemupdatewillgetassignedtotheselecteddevices.
Forsuccessfulcompletion,werecommendthatyouensurethatthecontentisavailableonthecontentserversbeforeassigningthesystemupdate.
AfterclickingtheAssignNowlink,awarningmessageisdisplayed,withaselectedserverslink,whenyouclickonthislink,itwilldisplayapopupmessagewithalistoftheserversforwhichthereminthasbeeninitiated.
NOTE:Ifthesystemupdatefailsbecausethecontentisnotavailable,youneedtoredeploythesystemupdateonthefaileddevices.
ThesystemupdatestatusforthetargetedserverscanbeviewedintheZENworksServerSSLCertificatepanel.
TheOptionscolumnwillenableyoutodownloadtheCSRs,ifany,andalsoviewthefuturecertificates.
NOTE:ItisnotmandatoryformobiledevicestosyncwiththeserverbeforetheMDMServercertificateisactivated.
6IfyouselectedtheIwillgenerateaCSRforeachservermanuallyoptioninStep2,youneedtogeneratethecertificatesforthePrimaryServersandAuthenticationSatelliteServersmanually.
Thecertificate(completecertificatechain)andprivatekeymustthenbeplacedintheremintrepositoryfolderoneachoftheseservers.
OnWindows:%zenworks_home%\remint-repoSSLManagement23OnLinux:/opt/novell/zenworks/remint-repoThefilenamehastobeserverandtheextensioncanhavethe.
der,.
cer,.
crt,.
p7b,.
pem,.
certextensions.
Thecertificatecanbederorpemencoded.
Theprivatekeyfilenameshouldbekey.
der.
IfyouselectedtheLetZENworksgenerateaCSRautomaticallyforeachserveroption,youhavetodownloadtheCSRsforeachoftheservers,getthemsignedbytheCA,andthenimportthefuturecertificatesusingtheImportCertificateaction.
NOTE:TheGenerateCSRactioncanbeusedinthefollowingscenarios:YouselectedtheIwillgenerateaCSRforeachservermanuallyoptioninStep2,butyouwanttouseZENworkstogenerateCSRsforoneormoredevices.
Inthiscase,youwillneedtoimportthecertificateforthedeviceusingtheImportCertificateaction.
YouselectedtheLetZENworksgenerateaCSRautomaticallyforeachserveroptioninStep2,butyouwanttooverridetheCSRforoneormoredevices.
YoucanusethenewlygeneratedCSRtorequestthefuturecertificatefromtheCA.
TogenerateCSRs,selectoneormoreservers,thenclickGenerateCSRfromtheActionsmenu.
Formoreinformation,seeGeneratingtheCSR.
Basedontheoperation(s)initiatedfromtheCertificatespage,theRemintCertificateoptionmightnotbeenableduntiltheseoperationsarecomplete.
Afterareminthasbeeninitiated,thefollowingActionsareenabled:GenerateCSR:IfyouhaveselectedtheIwillgenerateaCSRforeachservermanuallyoption,youcanusethisactiontogeneratetheCSR.
However,ifyouhaveselectedtheLetZENworksgenerateaCSRautomaticallyforeachserveroption,youcanusethisactiontooverridetheCSRthatwasgeneratedbyZENworks.
TogeneratetheCSR,selectoneormoreservers,thenclickGenerateCSRfromtheActionsmenu.
Formoreinformation,seeGeneratingtheCSR.
ImportCertificate:ThisoptionisavailableafteraCSRhasbeengeneratedfortheselectedserver.
AftertheCSRissubmittedtotheCAandtheCAissuesanewcertificate,youcanimportthecertificatetoZENworksusingthisaction.
Toimportthecertificate,selecttherelevantserver,thenclickImportCertificatefromtheActionsmenu.
Formoreinformation,seeImportingtheCertificate.
DownloadCSRstoZipFile:ThisoptionisavailableifmultipleserversareselectedandCSRsareavailableforeachoftheseservers.
TodownloadtheCSRs,selecttherequiredservers,thenclickDownloadCSRstoZipFilefromtheActionsmenu.
GeneratingtheCSRThisfeatureenablesyoutogenerateCertificateSigningRequests(CSRs)foroneormoredevices.
WhenmovingtoanexternalCA,aCSRmustbegeneratedforeachPrimaryServerorSatelliteServerintheZone.
YoucangenerateaCSRautomaticallyforallserversinthezone,oryoucangenerateitmanuallyforeachserver,oneatatime.
24SSLManagementTheGenerateCSRactioncanbeusedinthefollowingscenarios:YouhaveselectedtheIwillgenerateaCSRforeachservermanuallyoption,butyouwanttouseZENworkstogenerateCSRsforoneormoredevices.
Inthiscase,youwillneedtoimportthecertificateforthedeviceusingtheImportCertificateaction.
YouhaveselectedtheLetZENworksgenerateaCSRautomaticallyforeachserveroptioninStep1,butyouwanttooverridetheCSRforoneormoredevices.
YoucanusethenewlygeneratedCSRtorequestforthefuturecertificatefromtheCA.
TogenerateaCSR:1LogintoZENworksControlCenter.
2NavigatetoConfiguration>Certificates.
3FromtheZENworksServerSSLCertificatespane,selectoneormoreservers.
4ClickActions>GenerateCSR.
5Specifythefollowinginformation:CommonName(CN):TheFullyQualifiedDomainNameoftheZENworksPrimaryServer.
Forexample,mail.
novell.
com.
Ifyouhaveselectedmultipleservers,thisfieldwillnotbedisplayed.
NOTE:Thisfieldisnotdisplayedwhenmultipleserversareselected.
Organization(O):Organizationname.
OrganizationalUnit(OU):Organizationalunitname,suchasadepartmentordivision.
CityorLocality(L):Citynameorlocation.
StateorProvince(ST):Stateorprovincename.
CountryorRegion:Two-lettercountrycodeorregion.
Forexample,US.
Keylength:Specifytherequiredkeylength.
6ClickOK.
TheCSRisgeneratedandthestatusoftheserverischangedtoreflectthattheCSRisnowavailabletodownload.
ImportingtheCertificateThisfeatureenablesyoutoimportthecertificatesintoZENworks,afteryougettheCSRsignedbythecertificateauthority(CA).
Toimportthecertificate:1ClickBrowse,thenselectthecertificate.
2ClickOK.
Theselectedcertificateisimportedtothedatabase.
Thesupportedcertificateformatsare.
pem,.
der,and.
p7b.
SSLManagement25IMPORTANT:Ifthedevicesare10.
3.
4makesureallthemanageddevicesarerefreshedafterallthePrimaryServers'futurecertificatesareavailableinthedatabase.
Forallotherdevices,theyneedtoberefreshedifthesubjecthasbeenchangedforanyofthePrimaryServercertificates.
Ifthedevicesarenotrefreshed,communicationbetweenthemanageddevicesandthePrimaryServerswillbreak.
1.
3.
3CancelingaServerRemintWhenyouinitiateaservercertificateremint,intheZENworksSSLCertificatespane,amessageisdisplayedindicatingthattheRemintCertificateoperationhasbeeninitiated.
ThismessageincludesaCancelbutton.
Tocancelaserverremint:1ClicktheCancelbutton.
Adialogisdisplayedaskingyoutoconfirmthatyouwanttocanceltheoperation.
2Afteryouconfirm,amessageisdisplayedindicatingtheprogressofthecanceloperation.
Ifthecancelissuccessful,allthebuttonsintheZoneCertificateAuthoritypaneareenabled.
Ifthecanceloperationfails,afailuremessageisdisplayed.
YoucanclearthemessageandtrytheCanceloperationagain.
TheRemintServerCertificateoperationiscanceledsuccessfully.
TheCancelbuttonwillbedisabledtenminutesbeforetheactivationtime.
ThoughyoucannotcanceltheServerRemint,youcancancelthesystem-updateforthedeviceusingtheIgnoreDeviceoptionfromSystemUpdatepage.
26SSLManagementATroubleshooting27ATroubleshootingThefollowingsectionsprovidesolutionstotheproblemsyoumightencounterwhileusingtheSSLManagementfeature.
"CertificateupdatefailsonZENworks11SP2andearlierversionsoftheagent"onpage27"AWindowsagentisnotabletolaunchtheCertificateActivatorexecutable"onpage29"WhentheCertificateUpdaterToolisdownloaded,theupdatepackagesaretreatedasmalicioussoftware"onpage29"Manageddevicethatwasre-imagedduringremintisnotcommunicatingwiththePrimaryServer"onpage30"Theactivatorforafailedcertificateactivationwillonlybetriggeredafteranagentrefresh"onpage30"TheCertificateUpdaterToolfailsonadevicewhenthePrimaryServertowhichitisregistered,hasacertificatechain"onpage30"TheCertificateUpdaterToolisnotcreatedonPrimaryServers"onpage30"AfteraServerRemintthemanageddeviceisnotabletocommunicatewiththeserver"onpage31"CertificateUpdaterToolfailsontheCAServer"onpage31"TheAgentVersionisnotgettingdisplayedintheZENworksServerSSLCertificatespanel"onpage31"Afteraremint,securitypolicyversionsareincremented"onpage32"Aservercertificatehasexpired"onpage32CertificateupdatefailsonZENworks11SP2andearlierversionsoftheagentExplanation:WhenyoudeploycertificateremintupdatestoZENworks11SP2andearlierversionoftheagent,theSystemUpdatestatusisdisplayedasErrorontheagentsandinZENworksControlCenter,evenaftertheupdateisappliedsuccessfully.
Symptom:Anexceptionsimilartotheexampledisplayedbelowisloggedinthesystemupdatelogsontheagent:28TroubleshootingUnexpectederroroccurredduringsystemupdateType:System.
ArgumentExceptionMessage:Requestedvalue'(INFO)(10/01/201801:37:59.
781)(1168)(ZENUpdater)()(SYSTEM)(SystemUpdate)(FINISHED)(FINISHED)ZENworks)'wasnotfound.
StackTrace:atSystem.
Enum.
Parse(TypeenumType,Stringvalue,BooleanignoreCase)atNovell.
Zenworks.
SystemUpdate.
UpdateStatusReader.
parseStatusMessage(StringstatusString,UpdateStatus&status,StatusMessage&message,String&messageDetails)atNovell.
Zenworks.
SystemUpdate.
UpdateStatusReader.
readLastStatus(FileInfoupdateStatusFile,StringupdateID,UpdateStatus&status,StatusMessage&message,String&details)atNovell.
Zenworks.
SystemUpdate.
SystemUpdateModule.
ApplyUpdate(AssignedSystemUpdatesResponseAssignedSystemUpdateupdate)NOTE:Dependingonthedatabase,youcanuseanyofthefollowingquerytolistagentsonwhichthesystemupdatehasfailedandthenverifythesystemupdatelogsonthesedevicesfortheexceptionmentionedabove:OnSybaseselectd.
hostname,d.
zuid,d.
agentversion,s.
updatestatusfromzsystemupdatedeviceinfos,zdevicedwheres.
updatestatus='ERROR'ands.
updateuid=0xands.
deviceuid=d.
zuidWhereisthesystemupdateGUID.
Example:selectd.
hostname,d.
zuid,d.
agentversion,s.
updatestatusfromzsystemupdatedeviceinfos,zdevicedwheres.
updatestatus='ERROR'ands.
updateuid=0x5017040000fc50000000002018111501ands.
deviceuid=d.
zuidOnPostgreSQLselectd.
hostname,d.
zuid,d.
agentversion,s.
updatestatusfromzsystemupdatedeviceinfos,zdevicedwheres.
updatestatus='ERROR'ands.
updateuid='\x'ands.
deviceuid=d.
zuidWhereisthesystemupdateGUID.
Example:selectd.
hostname,d.
zuid,d.
agentversion,s.
updatestatusfromzsystemupdatedeviceinfos,zdevicedwheres.
updatestatus='ERROR'ands.
updateuid='\x5017040000fc50000000002018111501'ands.
deviceuid=d.
zuidOnMicrosoftSQLselectd.
hostname,d.
zuid,d.
agentversion,s.
updatestatusfromzsystemupdatedeviceinfos,zdevicedwheres.
updatestatus='ERROR'ands.
updateuid=0xands.
deviceuid=d.
zuidWhereisthesystemupdateGUID.
Troubleshooting29Example:selectd.
hostname,d.
zuid,d.
agentversion,s.
updatestatusfromzsystemupdatedeviceinfos,zdevicedwheres.
updatestatus='ERROR'ands.
updateuid=0x5017040000FC50000000002018111501ands.
deviceuid=d.
zuidOnOracleselectd.
hostname,d.
zuid,d.
agentversion,s.
updatestatusfromzsystemupdatedeviceinfos,zdevicedwheres.
updatestatus='ERROR'ands.
updateuid=''ands.
deviceuid=d.
zuidWhereisthesystemupdateGUID.
Example:selectd.
hostname,d.
zuid,d.
agentversion,s.
updatestatusfromzsystemupdatedeviceinfos,zdevicedwheres.
updatestatus='ERROR'ands.
updateuid='5017040000FC50000000002018111501'ands.
deviceuid=d.
zuidAction:Ignoretheupdateonagents,onwhichtheupdatehasfailed,andwaitforthenewcertificatetogetactivatedontheagents(activationdate).
Afterthecertificateisactivated,verifytheagent-servercommunication.
Iftheagentandserverareabletocommunicatewitheachother,thenignorethedisplayedCertificateUpdatestatus.
AWindowsagentisnotabletolaunchtheCertificateActivatorexecutableSource:ZENworks;SSLManagement.
Explanation:Whenyouinitiatearemint,asystemupdateisassignedtoalldevices,andthefuturesecurityfilesarecreated.
Atthetimeofactivation,theagentlaunchestheCertificateActivator.
exetoactivatethecertificate.
ThisexecutablefileisnotlaunchingduetoanissuewithWindows.
Action:Youneedtoapplyahotfix(http://support.
microsoft.
com/en-us/kb/2701373),andrestartthedevice.
DuringthenextagentrefreshtheCertificateActivatorexecutablewillgetlaunched.
WhentheCertificateUpdaterToolisdownloaded,theupdatepackagesaretreatedasmalicioussoftwareSource:ZENworks;SSLManagement.
Explanation:WhenyoudownloadtheCertificateUpdaterTool,theupdatepackagesaretreatedasmalicioussoftwarebytheanti-virussoftware.
Consequently,theupdateabruptlystops.
Action:DothefollowingonthemanageddevicewhereyouwanttoinstalltheCertificateUpdaterTool:1ManuallyaddSystem_drive:\windows\novell\zenworkstotheexclusionlistoftheanti-virussoftwareinstalledonthemanageddevice.
2DownloadtheCertificateUpdaterTool.
30TroubleshootingManageddevicethatwasre-imagedduringremintisnotcommunicatingwiththePrimaryServerSource:ZENworks;SSLManagement.
Explanation:Afteraremintsystemupdateiscompletedonadevice,beforetheactivationdate,ifthedeviceisre-imagedandregistered,itwillnotbeabletocommunicatewiththePrimaryServer,postactivation.
ThisisbecausethenewservercertificateisalreadyactivatedonthePrimaryServerandthedevicedoesnothavethenewcertificatebecausethesystemupdateisnotsenttothedeviceagain.
Action:Youneedtounregisterandre-registerthedeviceandthenusetheCertificateUpdaterTooltorunthesystemupdateagainonthependingdevices.
NOTE:Iftheupdateisbaselinedbeforeitisappliedonallthedevices,youcanstillusetheCertificateUpdaterTooltorunthesystemupdateonthependingdevices,providedthetoolisdownloadedbeforebaseliningtheupdate.
TheactivatorforafailedcertificateactivationwillonlybetriggeredafteranagentrefreshSource:ZENworks;SSLManagement.
Explanation:Whencertificateactivationfailsduetoanyerror,youhavetowaittillthenextagentrefreshtohappenfortheactivatortogettriggered.
Action:Youcantriggertheactivatorbeforethenextrefreshbyrunningthezacrefreshcommand.
Formoreinformation,seetheStatusCommandsintheZENworksCommandLineUtilitiesReference.
TheCertificateUpdaterToolfailsonadevicewhenthePrimaryServertowhichitisregistered,hasacertificatechainSource:ZENworks;SSLManagement.
Explanation:IfthedeviceisregisteredwithaserverwhosecertificateissignedbyanintermedidateCAandyoutrytodownloadtheCertificateUpdaterToolfromaserverwhichhasacertificatewithlessernumberofchainsthantheregisteredserver,youwillreceivethefollowingerror:CAcertificatesubjectfromtheCACertificatechaindoesnotmatchservercertificateissuer.
Action:YouneedtodownloadtheCertificateUpdaterToolfromtheregisteredPrimaryServerorfromaPrimaryServerthathasthemostnumberofchains.
TheCertificateUpdaterToolisnotcreatedonPrimaryServersSource:ZENworks;SSLManagement.
Explanation:TheCertificateUpdaterToolmightnotbecreatedonallPrimaryServersifthecontentisnotreplicatedonthoseservers.
Troubleshooting31Action:Basedonthescenario,theCRTcanbedownloadedfromthefollowinglocations:DuringaCARemint,theCRTwillbeavailableonthecurrentCAserver.
DuringaChangeCAtoInternal,theCRTwillbeavailableonthenewCAserver.
DuringaChangeCAtoexternal,theCRTwillbeavailableontheserveronwhichtheremintisinitiated.
DuringaServerRemint,ifthecurrentCAisinternal,theCRTwillbeavailableonthecurrentCAserver.
IfthecurrentCAisexternal,itwillbeavailableontheserveronwhichtheremintisinitiated.
AfteraServerRemintthemanageddeviceisnotabletocommunicatewiththeserverSource:ZENworks;SSLManagement.
Explanation:IfweremintaPrimaryservercertificate,theinitialwebservicefileonthemanageddevicesthatareregisteredtothisPrimaryServerwillnotbeupdatedwiththenewcertificate.
Ifthedeviceisnotcommunicatingwiththeserver,theagentwillnotbeabletofallbacktotheinitialwebservicefilebecausethecertificateisnotupdated.
Action:Runthefollowingcommandstoun-registerandregisterthedevice:ToUnregisterthedevice:zacunrToregisterthedevice:zacreghttps://:CertificateUpdaterToolfailsontheCAServerSource:ZENworks;SSLManagement.
Explanation:IftheCAcertificatehasexpiredandyouperformtheRemintoperation,theCRTthatislaunchedontheCAservermightfail.
Ifyouthendouble-clicktheCRT,itwillfailagain.
Action:Performthefollowingsteps:OnWindows:LaunchZENworks_home\install\downloads\system-update\certificate-update\ZENworks_Certificate_Update_Windows.
exewith-pZENworks_home\conf\securit\ca.
certOnLinux:Launch/opt/novell/zenworks/install/downloads/system-update/certificate-update/ZENworks_Certificate_Update_Linux.
binwith-p/etc/opt/novell/zenworks/security/ca.
certTheAgentVersionisnotgettingdisplayedintheZENworksServerSSLCertificatespanelSource:ZENworks;SSLManagement.
32TroubleshootingExplanation:TheVersioncolumnintheZENworksServerSSLCertificatespanelmightbeemptyassoonastheserverisinstalled.
Action:None.
Oncetheagentisregisteredsuccessfully,theVersioncolumnwillgetpopulated.
Afteraremint,securitypolicyversionsareincrementedSource:ZENworks;SSLManagement.
Explanation:Securitypolicies(EndpointSecurityManagementandFullDiskEncryption)areencrypted.
Afteraremint,allpublishedpoliciesareresignedandincremented.
Sandboxpoliciesarenotincremented.
Action:Noactionrequired.
Theincrementedpoliciesareautomaticallyappliedtodevicesduringthenextdevicerefresh.
AservercertificatehasexpiredExplanation:AservercertificatehasexpiredduetowhichthedevicesareunabletoestablishanSSLconnectionwiththeserver.
CertificateremintofanexpiredservercertificatecannotbeperformedinZCC.
Action:Youneedtomanuallyreplacetheexpiredservercertificatewithanewservercertificatebyperformingthefollowingsteps:ReplacinganinternalservercertificatewithanewinternalservercertificateIftheinternalservercertificateofyourWindowsorLinuxPrimaryServerhasexpiredyoucanchoosetoreplacethecertificatewithanewinternalservercertificate.
1Beforereplacinganinternalservercertificatewithanewinternalservercertificate,takeareliablebackupofthefollowingonallPrimaryServersintheManagementZone:Content-RepoDirectory:Thecontent-repodirectoryislocatedbydefaultintheZENworks_installation_directory\workdirectoryonWindowsandinthe/var/opt/novell/zenworks/onLinux.
Ensurethattheimagesdirectorylocatedwithinthecontent-repodirectoryhasbeensuccessfullybackedup.
CertificateAuthority:Fordetailedinformationonhowtobackupthecertificateauthority,seeBackingUptheCertificateAuthority.
EmbeddedDatabase:Fordetailedinformationonhowtobackuptheembeddeddatabase,seeBackingUpaZENworksServer.
2EnforcethenewcertificatesonthezonebyrunningthefollowingcommandonanyPrimaryServerwhosecertificatehasexpired:novell-zenworks-configure-cSSL-ZTroubleshooting33Followtheprompts.
DonotreminttheCertificateauthority,justtheservercertificate.
NOTE:IfboththeServerCertificateandCertificateAuthority(CA)haveexpired,thenusetheRemintCAoptionintheZCCUItoreminttheCA,whichwillreminttheexpiredservercertificateaswell.
3RestartalltheZENworksservicesonallthePrimaryServersinthezonebyrunningthefollowingcommandattheconsolepromptofeachPrimaryServerinthezone:novell-zenworks-configure-cStartBydefault,alltheservicesareselected.
YoumustselectRestartastheAction.
4Refreshallthedevices,includingthePrimaryServers,inthezone.
IfonlyonePrimaryServercertificatewaschanged,andiftheCAcertificatewasnotchanged,andthereismorethanonePrimaryServerinthezone,refreshingtheServer,Satellites,andmanageddeviceswillallowtheagenttotrustthenewservercertificate.
Refreshesautomaticallyonthenextscheduledrefresh.
IfthereisonlyonePrimaryServerinthezonethenthePrimaryServers,Satellites,andmanageddevicesneedtorunzacretrtoreestablishthetrust.
Ifanydeviceisnotreachableduringtherefresh,youmustfirstestablishaconnectionwiththedevice,thenrunthefollowingcommandattheconsolepromptofeachdevicetoreestablishthetrustbetweenthedeviceandthezone:zacretr-uzone_administrator_username-pzone_administrator_password5ConfiguretheAuthenticationSatelliteswiththenewcertificatesbyenteringthefollowingcommandattheSatellite'sprompt:OnWindows:zacauthenticationserverreconfigure(asr)-tallOnLinux:zacremint-satellite-cert(rsc)6Re-createallthedefaultandcustomdeploymentpackagesforallthePrimaryServers:DefaultDeploymentPackages:AttheconsolepromptofeachPrimaryServerinthezone,enterthenovell-zenworks-configure-cCreateExtractorPacks-Zcommand:CustomDeploymentPackages:AttheconsolepromptofeachPrimaryServerinthezone,enterthenovell-zenworks-configure-cRebuildCustomPacks-Zcommand34TroubleshootingReplacinganexternalservercertificatewithanewexternalservercertificateIftheexternalservercertificateofyourWindowsorLinuxPrimaryServerhasexpiredyoucanchoosetoreplacethecertificatewithanewexternalservercertificateissuedbyyourcurrentzoneCA.
1Beforereplacinganexternalservercertificatewithanewexternalservercertificate,takeareliablebackupofthefollowingonallPrimaryServersintheManagementZone:Content-RepoDirectory:Thecontent-repodirectoryislocatedbydefaultintheZENworks_installation_directory\workdirectoryonWindowsandinthe/var/opt/novell/zenworks/onLinux.
Ensurethattheimagesdirectorylocatedwithinthecontent-repodirectoryhasbeensuccessfullybackedup.
EmbeddedDatabase:Fordetailedinformationonhowtobackuptheembeddeddatabase,seeBackingUptheEmbeddedSybaseSQLAnywhereDatabase.
2Createacertificatesigningrequest(CSR)byprovidingthehostname(FQDN)ofthePrimaryServerasthesubject.
UsingthisCSR,getthenewservercertificateissuedbytheexternalCA.
FormoreinformationonhowtocreateaCSR,see"CreatinganExternalCertificate"intheZENworksServerInstallationGuide.
3Deletetherecordoftheserverwhosecertificateisbeingrenewed,fromthezCertificatetableinthedatabasebyusingthequery"deletefromzCertificatewhereSubjectUID=4AttheconsolepromptofaPrimaryServer,runthefollowingcommandwiththeforce(-f,--force)option.
zmansacert-fPath_of_the_Primary_Server_in_ZENworks_Control_CenterPath_of_Primary_Server_CertificateFormoreinformationaboutzman,viewthezmanmanpage(manzman)onthedeviceorsee"zman(1)"intheZENworksCommandLineUtilitiesReference.
ThisaddsthecertificateofthePrimaryServerthatyouspecifiedinthecommandtotheZENworksdatabaseandcertificatestore.
NOTE:Youmustrunthecommandforeachserverwhosecertificateyouwanttoreplace.
5Refreshallthedevices,includingthePrimaryServers,inthezone.
ThePrimaryServercertificatesthatwereimportedinStep4aresenttothedevicesasconfigurationdata.
6EnforcethenewcertificatesonthezonebyrunningthefollowingcommandonanyPrimaryServerwhosecertificatehasexpired:novell-zenworks-configure-cSSL-ZTroubleshooting35Followtheprompts.
7RestartalltheZENworksservicesonthecurrentPrimaryServerinthezonebyrunningthefollowingcommandattheconsolepromptofthePrimaryServer:novell-zenworks-configure-cStartBydefault,alltheservicesareselected.
YoumustselectRestartastheAction.
8Refreshallthedevices,includingthePrimaryServers,inthezone.
Ifanydeviceisnotreachableduringtherefresh,youmustfirstestablishaconnectionwiththedevice,thenrunthefollowingcommandattheconsolepromptofeachdevicetoreestablishthetrustbetweenthedeviceandthezone:zacretr-uzone_administrator_username-pzone_administrator_password9ConfiguretheSatelliteswiththenewexternalcertificatesbyenteringthefollowingcommandattheSatellite'sprompt:zaciac-pkprivate-key.
der-csigned-server_certificate.
der-casigning-authority-public-certificate.
der-kskeystore.
jks-kspkeystore-pass-phrase-asigned-cert-alias-kssigned-cert-passphrase-uusername-ppassword-rc10Re-createallthedefaultandcustomdeploymentpackagesforallthePrimaryServers:DefaultDeploymentPackages:AttheconsolepromptofeachPrimaryServerinthezone,enterthefollowingcommand:novell-zenworks-configure-cCreateExtractorPacks-ZCustomDeploymentPackages:AttheconsolepromptofeachPrimaryServerinthezone,enterthefollowingcommand:novell-zenworks-configure-cRebuildCustomPacks-Z36Troubleshooting