Valued Contributor
TEX2020
Posts: 377
Registered: ‎02-02-2011
Message 1 of 9 (524 Views)

HP Certificate Management : What should be granting certificates?

One of the things that we need to get sorted out (for OMi/Monitoring Automation) is the direction on where the certificates should be granted. Today it seems very messy, with dozens of certificates on every server, which makes it challenging to manage.

We have multiple applications that seem to think they are the certificate authority:

- BSM: multiple gateways (3), multiple data processors (2)
- OM: today each OM management server grants certificates for each agent
- SHR: this seems to want to grant certificates too, to talk to the Remote collectors

All of these have OM agents too (and their dozens of certificates).

Is there a way to have a single certificate manager for all products by HP to do all the certifications?

Is there a white paper or a recommendation or best practice on how this should be set up in a large environment?

Thanks,

Tex2020
HP Expert
GTrejos7
Posts: 200
Registered: ‎07-14-2011
Message 2 of 9 (519 Views)

Re: HP Certificate Management : What should be granting certificates?

Hello Tex2020,

In regards to this question I can tell you that BSM needs to be its own certificate server, the same thing with OMU.

SHR depends on what device it is reporting to; you can configure the certificate server accordingly.

Best regards,

HP Support
If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.
If you liked it I would appreciate KUDOs.
Valued Contributor
TEX2020
Posts: 377
Registered: ‎02-02-2011
Message 3 of 9 (481 Views)

Re: HP Certificate Management : What should be granting certificates?

GTrejos7,

So, if I have 24 HPOM management servers, can I just make one of them the certificate server for all of my HPOM servers?

Also, can this be done for BSM and SHR?

Thanks

Tex2020
HP Expert
GTrejos7
Posts: 200
Registered: ‎07-14-2011
Message 4 of 9 (471 Views)

Re: HP Certificate Management : What should be granting certificates?

Hello Tex,

For OMU you can have one certificate server for all of the other management servers (23 in your case). In the case of BSM, I am no expert on that, but I asked people from the BSM team and they mentioned that as a matter of fact it needs to be done that way: one centralized certificate server for all DPS (Data Processing Servers). In the case of SHR I am no expert on that either, but if it reports to an OMU management server then the certificate request will be answered by the certificate server you have configured in your environment; the same thing applies in case it reports to a BSM application.

I hope this helps.

Best regards.

HP Support
HP Expert
tobias_m
Posts: 269
Registered: ‎05-06-2010
Message 5 of 9 (467 Views)

Re: HP Certificate Management : What should be granting certificates?

Hello,

One clarification - the node certificate is requested from and granted by only one server. The other certificates are the "Trusted Certificates", so that the agent also trusts other management servers. But it is likely the case that one agent got the certificate from one server, while another agent got the certificate from another server.

Once you have set up the trusts between all the servers (exchanging the Trusted Certificates), an agent with a new certificate (which automatically also gets all the trusted certificates) can talk to all the servers and vice versa.

But like GTrejos7 wrote, you can always use the same server to request and grant the certificate.

For OMU, if you want to minimize the number of "Trusted Certificates", you can look for the "Shared Certificate Authority Scenario" section in the OMU Admin Ref Guide.

I don't think you can use the certificate server for OM for BSM. As far as I know, you will still need an extra CA certificate (Trusted Certificate) for BSM.

I'm not familiar with SHR and don't know if it can be configured to use a shared CA.

Best regards,

Tobias


Honored Contributor
Piku
Posts: 4,136
Registered: ‎06-17-2010
Message 6 of 9 (460 Views)

Re: HP Certificate Management : What should be granting certificates?

Hi,

Certification server is code for each particular application and designed in that way.
You cannot have a single application (certification server) for all the tools/products.

Also you are supposed to grant the certificate to each mgmt server which node is bound. However there is a possibility that you can grant the certificate only once for each type of tool but have to complete it for different tools.


hth,
____________________________________
Assign Kudo, if found post useful and mark it accepted if solves the issue.
Valued Contributor
TEX2020
Posts: 377
Registered: ‎02-02-2011
Message 7 of 9 (452 Views)

Re: HP Certificate Management : What should be granting certificates?

Hello All,

Is there any OMU Documentation and BSM Documentation for Certificate Management?

Any information greatly appreciated.

Thanks

Tex2020
HP Expert
tobias_m
Posts: 269
Registered: ‎05-06-2010
Message 8 of 9 (436 Views)

Re: HP Certificate Management : What should be granting certificates?

Hello,

>> Certification server is code for each particular application and designed in that way.

That depends. OMU, OMW and BSM use shared components (L-Core) and thus a certificate that was created by one certificate server is accepted by the other application if a trust exists (that is, the trusted certificates were exchanged). In fact, an agent node can only have exactly one node certificate (but it may have one or more Trusted Certificates to verify trust relationships).

Best regards,

Tobias
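
An added illustration of the trust model described in messages 5 and 8 (not part of the thread and not HP code): each agent holds exactly one node certificate plus a set of Trusted Certificates, and an agent/server pair works only when each side trusts the CA behind the other's certificate. All server, node and CA names are constructed; the assumption that an agent certified before a trust exchange keeps its older trust store is a modelling choice, not a statement from the thread.

```python
# Constructed model of node certificates and Trusted Certificates.
# Names (om1, om2, node-early, ...) are hypothetical, not output of any HP tool.
from dataclasses import dataclass, field

@dataclass
class Server:
    name: str
    ca: str                                      # CA this server issues from
    trusted: set = field(default_factory=set)    # CA ids in its trust store

@dataclass
class Agent:
    name: str
    issuer: str                                  # CA behind the single node certificate
    trusted: set = field(default_factory=set)    # Trusted Certificates on the node

def grant(agent_name, server):
    """Granting server issues the node cert and hands over a copy of its trust store."""
    return Agent(agent_name, server.ca, set(server.trusted))

def exchange_trust(servers):
    """Every server imports every other server's CA certificate."""
    all_cas = {s.ca for s in servers}
    for s in servers:
        s.trusted |= all_cas

def trust_gaps(agents, servers):
    """Return sorted (agent, server, reason) tuples for every pairing that fails."""
    gaps = []
    for a in agents:
        for s in servers:
            if s.ca not in a.trusted:
                gaps.append((a.name, s.name, f"agent lacks trusted cert {s.ca}"))
            elif a.issuer not in s.trusted:
                gaps.append((a.name, s.name, f"server lacks trusted cert {a.issuer}"))
    return gaps and sorted(gaps)

def build_demo():
    """Two management servers, one agent certified before and one after the exchange."""
    om1 = Server("om1", "CA_om1", {"CA_om1"})
    om2 = Server("om2", "CA_om2", {"CA_om2"})
    early = grant("node-early", om1)     # assumption: keeps the pre-exchange trust store
    exchange_trust([om1, om2])
    late = grant("node-late", om2)       # receives both trusted certificates
    return [early, late], [om1, om2]

if __name__ == "__main__":
    for gap in trust_gaps(*build_demo()):
        print(gap)
```

Running the same check against a real inventory of which CA issued each node certificate and which trusted certificates each keystore holds shows where an exchange was missed before agents start failing to connect.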

HP Expert
tobias_m
Posts: 269
Registered: ‎05-06-2010
Message 9 of 9 (435 Views)

Re: HP Certificate Management : What should be granting certificates?

Hello Tex2020,

There is a lot of documentation about certificate management for OMU:
- Check out the "Security Concepts" chapter in the HP Operations Manager HTTPS Agent Concepts and Configuration Guide:
http://support.openview.hp.com/selfsolve/document/KM1023353/binary/OMU9.10_HTTPS_AgentConceptsConfig...

- As already mentioned, there is some information about the "Shared Certificate Authority Scenario" in the Operations Manager Administrator's Reference Guide. Please check out the "Security in Flexible Management Environments" section.
http://support.openview.hp.com/selfsolve/document/KM1023350/binary/OMU9.10_AdminRef.pdf

- There is a somewhat dated white paper about certificate management with multiple HP Software Products.
While the versions are somewhat dated, and there is no BSM in it, the general concepts should still be applicable:
Operations Manager White Paper Certificate Management with Multiple HP Software Products:
http://support.openview.hp.com/selfsolve/document/KM813097/binary/OMU9_CertMgmt_Multi_HPProducts.pdf

Best regards,

Tobias
