How can I replace my Server Certificate, which is about to expire?
Modifying SSL parameters incorrectly can break all communication between BMC Client Management agents (the only remaining options are then to reinstall the BCM agents, or to push the certificate files and parameters to them with another tool).
For this reason we strongly recommend testing the following procedure on your test platform before applying it in Production.
Note that a current certificate can only be replaced while it is still valid: once it has expired, communication with the BMC Client Management agents is no longer possible, and neither is this procedure.
Also note that you cannot replace an existing certificate with a new certificate that has the very same name.
ex: you cannot replace "mycert" by "mycert", but you can replace it by "mycert2".
- The first step is to verify that your current security configuration corresponds to one of the following screenshots:
The difference in the "Trusted Authorities" parameter depends on the certificates previously deployed. To use a Server Certificate you can either trust it directly or trust its whole Certificate Authority chain.
For example, with the chain RootAuth -> InterAuth1 -> InterAuth2 -> ServerCertificate, you can trust "ServerCertificate" only, or the full chain "RootAuth,InterAuth1,InterAuth2".
- Then verify that the BCM Certificate package and rules are available in your BMC Client Management Console; we are going to modify them in order to deploy your Server Certificate files and set BCM to use them.
They should be present if the first line of the Security Checklist is red in the BMC Client Management Console Home Dashboard:
If the BCM Certificate package and rules are not available, you can create them with this procedure.
- Now that the BCM Certificate package and rules are available, here are the modifications you have to make to them:
Find the "bcmcertificate" package under Console > Packages > Package Factory > Your Master > Custom Packages. Copy and paste it, then rename the resulting "bcmcertificate(1)" package to "mycertificate":
For the next package modification you need to create a directory on your hard disk in which you put your Server Certificate files and, depending on the case below, your Authority Certificate files.
For the Server Certificate there are two possibilities. Keep in mind which one you choose, because several of the following actions depend on it:
A) Either you deploy and trust only your Server Certificate:
On your hard disk create a "certs" directory containing two subdirectories, "trusted" and "user".
Place your Server Certificate .crt file in both \certs\trusted and \certs\user.
Also put your Server Certificate .key file in \certs\user. Note that the .key file is only encrypted by each BCM agent once received, so restrict access to the directory in which you stage it.
B) Or you deploy both your Server Certificate and the Certificate Authority chain it was issued from, and trust the chain:
On your hard disk create a "certs" directory containing two subdirectories, "user" and "trusted".
In \certs\user place your Server Certificate .crt file and, as in case A, its .key file (rule "Step 2" below activates this certificate as the User Certificate, so the key is needed here too).
In \certs\trusted place your Authority .crt file.
Note that if your Authority is not a Root Authority, you have to put the .crt files of all Authorities from the Root down to the Authority you want to use in BCM.
For example, with the chain RootAuth -> InterAuth1 -> InterAuth2 -> ServerCertificate, you have to put RootAuth.crt, InterAuth1.crt and InterAuth2.crt in \certs\trusted.
Please also note that each .crt file has to be named after its Authority: a file named notgoodname.crt for the Authority myauthority is ignored.
Then, under Console > Packages > Package Factory > Your Master > Custom Packages > mycertificate > Contents > Files, remove the current "certs" folder and add the "certs" directory you created on your hard disk:
Then publish your "mycertificate" package to the BCM Master:
You now have to replace the "bcmcertificate" package with the "mycertificate" package in rule "Step 1 - Trust BCM Certificate".
To do so, go to Console > Operational Rules > BCM Certificate > Step 1 - Trust BCM Certificate > Packages, remove the "bcmcertificate" package and add the "mycertificate" package:
Then, under Console > Operational Rules > BCM Certificate > Step 1 - Trust BCM Certificate > Steps, move the "Install Package" step from line 3 up to line 2:
Still in rule "Step 1 - Trust BCM Certificate", deactivate step 1 so that your certificate is deployed on the Master system too.
Edit step 3 of rule "Step 1 - Trust BCM Certificate" to set the "Trusted Authorities" parameter:
Case A: append your new certificate name to the current value (comma-separated, as in the chain example above), so that devices keep trusting the old certificate while the new one is rolled out. Let's say your certificate name is NewServerCertificate and the old value is OldValue:
Case B: append your full Certificate Authority chain to the current value. For example, with the chain NewRootAuth -> NewInterAuth1 -> NewInterAuth2 -> NewServerCertificate, you must set:
Then modify rule "Step 2 - Activate BCM Certificate" to set the "User Certificate" parameter to your new Server Certificate name:
Modify rule "Step 3 - Trust BCM Certificate" to set "Trusted Authorities" to your new authority information only, without the old value:
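The directory layout for cases A and B and the "Trusted Authorities" values for rules "Step 1" and "Step 3" can be prepared and checked with a small script before anything is touched in the Console. The following is an added example written for this article; it is not part of BMC Client Management or of the BCM Certificate package, and it goes slightly beyond the text by adding openssl checks for three of the caveats above: the current certificate must still be valid for the whole rollout, the chain in case B must be complete from the Root down, and an Authority file must be named after its Authority. Its assumptions are marked in the code: certificate files are PEM, the name BCM uses for a certificate or Authority is the base name of its .crt file (checked against the subject CN where openssl is available), the "Trusted Authorities" value is the comma-separated list used in the chain example, and names such as OldCert, OldValue and NewRootAuth.crt are placeholders.

```shell
#!/bin/sh
# Added example, not part of the BMC article or product. Stages the "certs" directory
# for the "mycertificate" package and derives the "Trusted Authorities" values.
# Assumptions not stated on the page: certificates are PEM files; the name of a
# certificate or Authority is the base name of its .crt file (checked against the
# subject CN when openssl is available); the "Trusted Authorities" value is the
# comma-separated list shown in the page's chain example. The openssl checks are
# skipped with a warning, not failed, when the binary is missing.

# Same-name rule: a replacement may not reuse the name of the certificate in use.
bcm_check_new_name() {
    if [ "$1" = "$2" ]; then
        echo "ERROR: '$2' is the current certificate name; use another (e.g. ${1}2)" >&2
        return 1
    fi
}

# The current certificate must outlive the rollout: fail if it expires within DAYS days.
bcm_check_not_expiring() {
    days="${2:-30}"
    command -v openssl >/dev/null 2>&1 || { echo "WARNING: expiry of $1 not checked" >&2; return 0; }
    # -checkend N exits 0 if the certificate is still valid N seconds from now, 1 otherwise
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null
}

# An Authority .crt must be named after the Authority or the agent ignores it
# (assumed here to mean the subject CN).
bcm_check_auth_name() {
    command -v openssl >/dev/null 2>&1 || { echo "WARNING: name of $1 not checked" >&2; return 0; }
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ] || { echo "ERROR: cannot read the subject CN of $1" >&2; return 1; }
    if [ "$cn" != "$(basename "$1" .crt)" ]; then
        echo "ERROR: $1 must be named '$cn.crt' to match its Authority" >&2
        return 1
    fi
}

# Case B needs every Authority from the Root down to the issuer of the Server
# Certificate; verification fails if any link is missing.
# bcm_verify_chain SERVER.crt ROOT.crt [INTERMEDIATE.crt ...]
bcm_verify_chain() {
    leaf="$1"; shift
    command -v openssl >/dev/null 2>&1 || { echo "WARNING: chain of $leaf not verified" >&2; return 0; }
    bundle=$(mktemp) && cat "$@" > "$bundle"
    if openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$bundle"
    return $rc
}

# bcm_stage_certs A|B OUTDIR OLD_NAME OLD_TRUSTED SERVER.crt SERVER.key [AUTHORITY.crt ...]
#   A: trust the Server Certificate itself: .crt in trusted/ and user/, .key in user/
#   B: trust its Authority chain: .crt and .key in user/, Root and intermediates in trusted/
# OLD_NAME is the User Certificate currently active, OLD_TRUSTED the current "Trusted
# Authorities" value. Prints that value for rule "Step 1" (old names kept, so devices in
# mid-rollout still talk to each other) and for rule "Step 3" (new names only).
bcm_stage_certs() {
    [ $# -ge 6 ] && [ -n "$2" ] || { echo "usage: bcm_stage_certs A|B OUTDIR OLD_NAME OLD_TRUSTED SERVER.crt SERVER.key [AUTH.crt ...]" >&2; return 1; }
    mode="$1"; outdir="$2"; old_name="$3"; old_trusted="$4"; server_crt="$5"; server_key="$6"; shift 6
    server_name=$(basename "$server_crt" .crt)
    bcm_check_new_name "$old_name" "$server_name" || return 1
    for f in "$server_crt" "$server_key" "$@"; do
        [ -f "$f" ] || { echo "ERROR: missing file $f" >&2; return 1; }
    done
    case "$mode" in
        A) [ $# -eq 0 ] || { echo "ERROR: case A takes no Authority files" >&2; return 1; }
           new_value="$server_name" ;;
        B) [ $# -gt 0 ] || { echo "ERROR: case B needs the Root and intermediate .crt files" >&2; return 1; }
           new_value=""
           for a in "$@"; do new_value="${new_value:+$new_value,}$(basename "$a" .crt)"; done ;;
        *) echo "ERROR: mode must be A or B" >&2; return 1 ;;
    esac
    rm -rf "$outdir/certs"
    mkdir -p "$outdir/certs/trusted" "$outdir/certs/user"
    cp "$server_crt" "$server_key" "$outdir/certs/user/"
    # the agent only encrypts the .key after receiving it, so protect the staging copy
    chmod 600 "$outdir/certs/user/$(basename "$server_key")"
    if [ "$mode" = A ]; then
        cp "$server_crt" "$outdir/certs/trusted/"
    else
        cp "$@" "$outdir/certs/trusted/"
    fi
    echo "Step 1 Trusted Authorities: $old_trusted,$new_value"
    echo "Step 3 Trusted Authorities: $new_value"
}

# Order of use for case B (placeholder file names; run the checks before staging):
#   bcm_check_not_expiring OldCert.crt 30
#   bcm_verify_chain NewServerCertificate.crt NewRootAuth.crt NewInterAuth1.crt NewInterAuth2.crt
#   for a in NewRootAuth.crt NewInterAuth1.crt NewInterAuth2.crt; do bcm_check_auth_name "$a" || exit 1; done
#   bcm_stage_certs B ./staging OldCert OldValue NewServerCertificate.crt NewServerCertificate.key \
#       NewRootAuth.crt NewInterAuth1.crt NewInterAuth2.crt
```

The checks skip with a warning rather than fail when openssl is not installed, so a clean run without openssl only proves the directory layout, not the certificates. The "Step 1" value keeps the old names on purpose: while some devices have executed "Step 1" and others have not, both groups must still trust what the other presents, which is exactly the situation the rollout notes at the end of this article warn about.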
- You can then assign rule "Step 1 - Deploy BCM Certificate" (the Step 1 rule modified above) to all your devices.
Once rule "Step 1 - Deploy BCM Certificate" has executed successfully on all devices, you can assign rule "Step 2 - Activate BCM Certificate" to all devices.
In the same way, rule "Step 2 - Activate BCM Certificate" must have executed successfully on all devices before you assign rule "Step 3 - Trust BCM Certificate" to all devices.
Note that if rule Step 3 is executed on some devices while rules Step 1 or Step 2 have not yet executed on others, communication between these two groups of devices is broken: the first group trusts only the new certificate, while the second group still presents the old one.
This is why we strongly recommend testing this procedure on a few devices before rolling it out to all devices.