Regenerating or restoring the Lenovo XClarity Administrator internally-signed server certificate

You can generate a new certificate authority or server certificate to replace current internally-signed certificates or to reinstate a Lenovo XClarity Administrator-generated certificate if XClarity Administrator currently uses a customized externally-signed server certificate. The new internally-signed server certificate is then used by the authentication, HTTPS, and CIM servers on the XClarity Administrator. It is also automatically provisioned to all managed devices.

Before you begin

If the XClarity Administrator internal CA certificate is installed in the trust store of the managed devices, there will be no connectivity disruption when the server certificate is regenerated.

If a new CA certificate is generated, the new CA certificate is automatically deployed to the trust store in each CMM and baseboard management controller in all managed chassis, rack servers, and tower servers to maintain trusted authentication-server connections. If an error occurs while deploying the CA root certificate, download it from the Certificate Authority page and import it manually into the trust store of any managed devices to which it was not successfully provisioned before generating a new server certificate.

If you plan to regenerate the CA certificate, reserve time to regenerate the CA, resolve any provisioning errors, and regenerate the server certificate within a short period of time.

After generating a new CA root certificate, communication errors might occur or you might not be able to log in to a device until after the server certificate is regenerated and signed.

Important: For XClarity Administrator v1.1.1 and earlier, you must import the CA root certificate into the trust store of each CMM and management controller. See the documentation for the CMM and management controller for more information about importing the CA root certificate.

Procedure

Complete the following steps to restore an internally-signed server certificate on XClarity Administrator.

Note: The server certificate that is currently in use on XClarity Administrator, whether internally-signed or externally-signed, remains in use until a new server certificate is regenerated and signed.

  1. Optional: Generate a new CA root certificate.
    1. From the XClarity Administrator menu bar, click Administration > Security to display the Security page.
    2. Click Certificate Authority under the Certificate Management section.
    3. Click Regenerate Certificate Authority Root Certificate.

    If the CA key and certificate are successfully regenerated, a dialog is displayed showing the status of the jobs that provision that certificate as an LDAP trusted certificate to all CMMs and management controllers (for Converged, NeXtScale, and System x servers). Both this dialog and the job monitoring page show the success or failure of each of those provisioning jobs.

    If any of the provisioning jobs fail, complete the following steps to download the CA root certificate, then manually import the root certificate as a trusted LDAP certificate in any device for which the job failed.

  2. Optional: Download the CA root certificate to the host system and import it into your web browser.
    1. From the XClarity Administrator menu bar, click Administration > Security to display the Security page.
    2. Click Certificate Authority under the Certificate Management section.
    3. Click Download Certificate Authority Root Certificate. The current CA root certificate is displayed in the Certificate Authority Root Certificate dialog.
    4. Click Save to File to save the CA root certificate to the host system.
    5. Follow the instructions for your web browser and the web browser of other users who will access XClarity Administrator to import the certificate as a trusted root authority.
  3. Regenerate a new server certificate and sign the certificate with the new CA root certificate.
    1. From the Security page, click Server Certificate under the Certificate Management section.
    2. Click the Regenerate Server Certificate tab.
    3. Fill in the fields in the Regenerate Server Certificate page:
      • Country
      • State or Province
      • City or Locality
      • Organization
      • Organization Unit
      • Common Name
      • Not valid before date
      • Not valid before time
      • Not valid after date
      • Not valid after time
    4. Click Regenerate Certificate.

    For XClarity Administrator v1.1.0 and earlier, the web server restarts and automatically terminates all browser sessions after regenerating a certificate. For XClarity Administrator v1.1.1 and later, XClarity Administrator begins using the new certificate without terminating existing sessions. New sessions are established using the new certificate. To see the new certificate in use, restart your web browser.

  4. If regenerating self-signed certificates on the managed CMMs and management controllers (for Converged, NeXtScale, ThinkSystem, and System x servers), after regenerating the certificate on each device, import the new device certificate into the XClarity Administrator trust store (see Resolving an untrusted server certificate). Alternatively, you can manually download the certificate from the device and import it into XClarity Administrator on the Trusted Certificates page.
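
The following added example (not part of the Lenovo documentation) reproduces offline, with constructed certificates, the window described above between regenerating the CA root (step 1) and regenerating the server certificate (step 3): a server certificate signed by the previous root does not verify against the new root, and a freshly issued one does. The subjects, file names, key size and lifetimes are assumptions chosen for the demonstration.

```bash
#!/usr/bin/env bash
# Constructed stand-in certificates only; nothing here talks to XClarity Administrator.
SUBJ_CA="/O=Example/CN=Example Internal CA"   # assumed subject, same for both roots
SUBJ_SRV="/O=Example/CN=lxca.example.test"    # assumed server Common Name

# make_ca <stem> <dir>: create a self-signed CA root key and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$SUBJ_CA" \
    -keyout "$2/$1.key" -out "$2/$1.pem" >/dev/null 2>&1
}

# issue_server <ca-stem> <out-stem> <dir>: issue a server certificate signed by that CA.
issue_server() {
  openssl req -newkey rsa:2048 -nodes -subj "$SUBJ_SRV" \
    -keyout "$3/$2.key" -out "$3/$2.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$3/$2.csr" -CA "$3/$1.pem" -CAkey "$3/$1.key" \
    -CAcreateserial -days 365 -out "$3/$2.pem" >/dev/null 2>&1
}

# chains_to_root <root.pem> <server.pem>: exit 0 only if the signature chain verifies.
chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# validity_window <cert.pem>: print the notBefore= / notAfter= lines.
validity_window() {
  openssl x509 -in "$1" -noout -startdate -enddate
}

demo() {
  d=$(mktemp -d)
  make_ca old-root "$d" && issue_server old-root server-old "$d"
  make_ca new-root "$d"                      # step 1: CA root regenerated
  # Window between step 1 and step 3: the server certificate still carries the old signature.
  if chains_to_root "$d/new-root.pem" "$d/server-old.pem"; then
    echo "old server cert: trusted by new root"
  else
    echo "old server cert: NOT trusted by new root"
  fi
  issue_server new-root server-new "$d"      # step 3: server certificate regenerated
  if chains_to_root "$d/new-root.pem" "$d/server-new.pem"; then
    echo "new server cert: trusted by new root"
  fi
  validity_window "$d/server-new.pem"
  rm -rf "$d"
}
demo
```

For a live check, `chains_to_root` takes the file saved in step 2 and a PEM copy of the certificate the server presents; `validity_window` shows whether the "Not valid before" and "Not valid after" values entered in step 3 took effect.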