You can generate a new certificate authority or server
certificate to replace current self-signed certificates or to reinstate
a Lenovo XClarity Administrator-generated certificate if XClarity Administrator currently uses a customized externally-signed server certificate.
The new self-signed server certificate is then used by the authentication,
HTTPS, and CIM servers on the XClarity Administrator. It is also automatically provisioned to all managed devices.
Before you begin
When you regenerate or upload the XClarity Administrator certificate, XClarity Administrator is restarted.
If a new CA certificate
is generated, the new CA certificate is automatically deployed to
the trust store in each CMM and baseboard management controller in
all managed chassis, rack servers, and tower servers to maintain trusted
authentication-server connections. If an error occurs while deploying
the CA root certificate, download it from the Certificate Authority
page and import it manually into the trust store of any managed devices
to which it was not successfully provisioned before generating a new
server certificate.
If you plan to regenerate the CA certificate,
reserve time to regenerate the CA, resolve any provisioning errors,
and regenerate the server certificate within a short period of time.
After generating a new CA root certificate, communication errors
might occur, or you might not be able to log in to a device until
after the server certificate is regenerated and signed.
Important: For XClarity Administrator v1.1.1 and earlier, you must import the CA root certificate
into the trust store of each CMM and management controller. See the
documentation for the CMM and management controller for more information
about importing the CA root certificate.
Procedure
Complete the following steps to restore a self-signed server certificate
on XClarity Administrator.
Note: The server certificate that is currently in
use on XClarity Administrator, whether self-signed or externally-signed, remains in
use until a new server certificate is regenerated and signed.
- Optional: Generate a new CA root certificate.
  - From the XClarity Administrator menu bar, click to display the Security page.
  - Click Certificate Authority under the Certificate Management section.
  - Click Regenerate Certificate Authority Root Certificate.

  If the CA key and certificate are successfully regenerated, then a dialog is displayed showing the status of jobs to provision that certificate as an LDAP trusted certificate to all CMMs and management controllers (for Converged, NeXtScale, and System x servers). This dialog, as well as the job monitoring page, shows the success or failure of each of those provisioning jobs.

  If any of the provisioning jobs fail, complete the following steps to download the CA root certificate, then manually import the root certificate as a trusted LDAP certificate in any device for which the job failed.
- Optional: Download the CA root certificate to the host system and import it into your web browser.
  - From the XClarity Administrator menu bar, click to display the Security page.
  - Click Certificate Authority under the Certificate Management section.
  - Click Download Certificate Authority Root Certificate. The current CA root certificate is displayed in the Certificate Authority Root Certificate dialog.
  - Click Save to File to save the CA root certificate to the host system.
  - Follow the instructions for your web browser and the web browser of other users who will access XClarity Administrator to import the certificate as a trusted root authority.
- Regenerate a new server certificate and sign the certificate with the new CA root certificate.
  - From the Security page, click Server Certificate under the Certificate Management section.
  - Click the Regenerate Server Certificate tab.
  - Fill in the fields in the Regenerate Server Certificate page:
    - Country or Region
    - State or Province
    - City or Locality
    - Organization
    - Organization Unit
    - Common Name
    - Not valid before date
    - Not valid before time
    - Not valid after date
    - Not valid after time
  - Click Regenerate Certificate.
- If regenerating self-signed certificates on the managed CMMs and management controllers (for Converged, NeXtScale, ThinkSystem, and System x servers), after regenerating the certificate on each device, import the new device certificate into the XClarity Administrator trust store (see Resolving an untrusted server certificate). Alternatively, you can manually download the certificate from the device and import it into XClarity Administrator on the Trusted Certificates page.
For XClarity Administrator v1.1.0 and earlier, the web server restarts and automatically
terminates all browser sessions after regenerating a certificate.
For XClarity Administrator v1.1.1 and later, XClarity Administrator begins using the new certificate without terminating existing
sessions. New sessions are established using the new certificate.
To see the new certificate in use, restart your web browser.
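The following is an added example, not Lenovo tooling or part of the original procedure: it builds two throwaway CA roots and two server certificates with openssl and shows that a server certificate signed by the old CA fails verification against the new root until the server certificate is regenerated. All file names, subject names and the `lxca.example.test` common name are constructed for the demo.

```shell
#!/bin/sh
# Added example; every file name and subject name below is constructed.

# Return 0 if server certificate $2 verifies against CA root $1.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Fetch the certificate a live server presents (unused by the offline demo).
fetch_server_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Build a throwaway CA root: make_ca <dir> <name>
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Issue a server certificate: make_server <dir> <ca-name> <name>
make_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=lxca.example.test" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.pem" 2>/dev/null
}

# Print the trust state (against the NEW root) of the server certificate
# issued before and after the CA root was regenerated.
demo() {
    d=$(mktemp -d) || return 2
    make_ca "$d" old-ca && make_ca "$d" new-ca || return 2
    make_server "$d" old-ca server-before || return 2
    make_server "$d" new-ca server-after || return 2
    before=untrusted; after=untrusted
    signed_by "$d/new-ca.pem" "$d/server-before.pem" && before=trusted
    signed_by "$d/new-ca.pem" "$d/server-after.pem" && after=trusted
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo   # prints: before=untrusted after=trusted
```

Against a real deployment, pass the CA root saved with Save to File and the output of `fetch_server_cert` to `signed_by`.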