search cancel

How do I re-import the Certificates Files needed for the ITCM Agent?

book

Article ID: 21512

calendar_today

Updated On:

Products

CA Client Automation - IT Client Manager CA Client Automation

Issue/Introduction

It may become necessary to re-import the default Client Automation certificates due to missing or corrupt certificates on agents or other Client Automation components. 

The list of Certificate Files that get installed on an agent are found in the cfcert.ini file on the Client Automation Installation Media.

This file is located in the ...\WindowsProductFiles_x86\Manager\Program Files\CA\DSM\bin directory of DVD #1.

The associated commands to import these certificates are also listed in this file in the "Files" section of cfcert.ini.

For example, the Files section is posted below.

[Files]
itrm_dsm_r11_root.der=cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3
basic_id.p12=cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon
ccsm.p12=cacertutil import -i:ccsm.p12 -t:csm -ip:enc:IWhun2x3ys7y1FM8Byk2LMs56Rr8KmXQ
itrm_dsm_r11_cmdir_eng.p12=cacertutil import -i:itrm_dsm_r11_cmdir_eng.p12 -ip:enc:gYuzGzNcIYzWjHA6w542pW68E8FobJhv -t:dsm_cmdir_eng
itrm_dsm_r11_sd_catalog.p12=cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat
itrm_dsm_r11_agent_mover.p12=cacertutil import -i:itrm_dsm_r11_agent_mover.p12 -ip:enc:sytOQtZteLopAt1CX0jIJUJcpqBWrb7G7VegY7F7udogc1c5kLIylw -t:dsmagtmv
registration.p12=cacertutil import -i:registration.p12 -ip:enc:z5jLhmvfkaAF4DLMDp3TWuC7nG8yh3dfvmN668thfrU -t:dsm_csvr_reg
babld.p12=cacertutil import -i:babld.p12 -ip:enc:TrdWglmuNCdeOAfj2j3vMwywVbGnlIvX -t:babld_server
dsmpwchgent.p12=cacertutil import -i:dsmpwchgent.p12 -ip:enc:QWF8vknD5aZsU1j5RLzgt1NQgF5DcXj4v1vS4ewDzOA -t:ent_access
dsmpwchgdom.p12=cacertutil import -i:dsmpwchgdom.p12 -ip:enc:sqb9qO2SGjbYqzIvwM7HEbx0M6UJk8Dc82EvUoDeJmE -t:dom_access
dsmpwchgrep.p12=cacertutil import -i:dsmpwchgrep.p12 -ip:enc:x901eho57IZ19zg6g97rQetHjA1461na7nhBmJl7mcc -t:rep_access
babldstsrv.p12=cacertutil import -i:babldstsrv.p12 -ip:enc:decsZwCNcvGIN6MlopBq2QpsynMKYh9yqlxHiAlkfXg -t:babld_staging_server
babldwebsrv.p12=cacertutil import -i:babldwebsrv.p12 -ip:enc:wJGYDv5lmFCMwQMlE0tu8X5ggNO2As9dnzZuXt14pX4 -t:babld_web_service

Environment

Client Automation - All Versions

Resolution

The command to import each certificate is a subset of the lines listed under [Files] in cfcert.ini.

For example, consider this line from above:

basic_id.p12=cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon

The import command used would be:

cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon

To run this successfully, these commands must be run from the %sdroot%\..\bin directory(DSM\bin).

Make sure CAF is stopped before running the imports.

To see if the certificates are now valid you can run the following command:

cacertutil list -v

If successful for the above example, an item like the following will be in the output:

dsmcommon = CN=Generic Host Identity,O=Computer Associates,C=US

Notice that 'dsmcommon' is the string after the '-t:' in the command to generate the certificate.


Agent Certificate Install Procedure:

For the agent components you can skip the "ccsm.p12", "babldstsrv.p12 abd", and the "babldwebsrv.p12".

For other CA Client Automation components such as Scalability Servers and Domain Managers, you can verify which Certificate files need to be imported by seeing which *.p12 files are in your DSM\bin directory.

In most cases the agent should only need to run the commands below from the DSM\bin directory...

  1. cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3 -trust
     
  2. cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon -identity
     
  3. cacertutil import -i:itrm_dsm_r11_cmdir_eng.p12 -ip:enc:gYuzGzNcIYzWjHA6w542pW68E8FobJhv -t:dsm_cmdir_eng -identity
     
  4. cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat -identity
     
  5. cacertutil import -i:registration.p12 -ip:enc:z5jLhmvfkaAF4DLMDp3TWuC7nG8yh3dfvmN668thfrU -t:dsm_csvr_reg -identity
     
  6. cacertutil import -i:dsmpwchgent.p12 -ip:enc:QWF8vknD5aZsU1j5RLzgt1NQgF5DcXj4v1vS4ewDzOA -t:ent_access -identity
     
  7. cacertutil import -i:dsmpwchgdom.p12 -ip:enc:sqb9qO2SGjbYqzIvwM7HEbx0M6UJk8Dc82EvUoDeJmE -t:dom_access -identity
     
  8. cacertutil import -i:dsmpwchgrep.p12 -ip:enc:x901eho57IZ19zg6g97rQetHjA1461na7nhBmJl7mcc -t:rep_access -identity

 

Example for ITCM Agent 12.9, 14.0

cd C:\Program Files (x86)\CA\DSM\Bin 

cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3 -trust 
cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon -identity 
cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat -identity 
cacertutil import -i:itrm_dsm_mngrsgn.cer -it:x509v3 -t:ManagerSigner 


Example for ITCM Agent 14.0 SP1 and SP2

cd C:\Program Files (x86)\CA\DSM\Bin 

cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3 -trust 
cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon -identity 
cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat -identity 
cacertutil import -i:itrm_dsm_mngrsgn.cer -it:x509v3 -t:ManagerSigner 
cacertutil import -i:itrm_dsm_r11_root_sha2.der -it:x509v3 -trust 
cacertutil import -i:basic_id_sha2.p12 -ip:enc:thw9f6WIkidn6KpcthVjEcVTqK6o8jc3 -h -t:dsmcommon -identity 
cacertutil import -i:itrm_dsm_r11_sd_catalog_sha2.p12 -ip:enc:8rpIyxMgMngSUcJEgkgFxeoNuncyiGpiWNciu1rUs6H6a9QQMTfWjA -t:dsmsdcat -identity 
cacertutil import -i:itrm_dsm_mngrsgn_sha2.cer -it:x509v3 -t:ManagerSigner

 

Example for ITCM Manager 14.5

- Stop process which may access certificates :
caf stop
cam change disabled
camclose
csampmux stop
cfsystray stop
hmagent stop
 
- Rename the following files in .old :
C:\Program Files (x86)\CA\SC\CBB\certstor.dat -> C:\Program Files (x86)\CA\SC\CBB\certstor.dat.old
C:\Program Files (x86)\CA\SC\CBB\cbbkstor.dat -> C:\Program Files (x86)\CA\SC\CBB\cbbkstor.dat.old
 
- Execute these commands :
cd /D C:\Program Files (x86)\CA\DSM\Bin 
cacertutil remove -allTag:itcm-anonymous
cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon -identity
cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3 -trust
cacertutil import -i:basic_id_sha2.p12 -ip:enc:thw9f6WIkidn6KpcthVjEcVTqK6o8jc3 -h -t:dsmcommon -identity
cacertutil import -i:itrm_dsm_r11_root_sha2.der -it:x509v3 -trust
cacertutil import -i:itrm_dsm_mngrsgn.cer -it:x509v3 -t:ManagerSigner
cacertutil import -i:itrm_dsm_mngrsgn_sha2.cer -it:x509v3 -t:ManagerSigner
cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat  -identity
cacertutil import -i:itrm_dsm_r11_sd_catalog_sha2.p12 -ip:enc:8rpIyxMgMngSUcJEgkgFxeoNuncyiGpiWNciu1rUs6H6a9QQMTfWjA -t:dsmsdcat  -identity
cacertutil import -i:itrm_dsm_r11_cmdir_eng.p12 -ip:enc:gYuzGzNcIYzWjHA6w542pW68E8FobJhv -t:dsm_cmdir_eng  -identity
cacertutil import -i:itrm_dsm_r11_cmdir_eng_sha2.p12 -ip:enc:7QCkAXXtGC3aRE4eWUXgS7CkRlJeNE99 -t:dsm_cmdir_eng  -identity
cacertutil import -i:dsmpwchgent.p12 -ip:enc:QWF8vknD5aZsU1j5RLzgt1NQgF5DcXj4v1vS4ewDzOA -t:ent_access -identity
cacertutil import -i:dsmpwchgdom.p12 -ip:enc:sqb9qO2SGjbYqzIvwM7HEbx0M6UJk8Dc82EvUoDeJmE -t:dom_access -identity
cacertutil import -i:dsmpwchgrep.p12 -ip:enc:x901eho57IZ19zg6g97rQetHjA1461na7nhBmJl7mcc -t:rep_access -identity
cacertutil import -i:dsmpwchgent_sha2.p12 -ip:enc:DgorY2SrGD8ik4u10sOCuAMQ0kLK1AxvGGvS4bw0F3Q -t:ent_access -identity
cacertutil import -i:dsmpwchgdom_sha2.p12 -ip:enc:QAlXPSBYaGLgz4lnaj5UxBXA2chbu94y99xC6AlTezE -t:dom_access -identity
cacertutil import -i:dsmpwchgrep_sha2.p12 -ip:enc:tRadm7qqy4e9uoZN8rfFFnDbGGfhax7GudpdbV2QKlM -t:rep_access -identity
cacertutil import -i:registration.p12 -ip:enc:z5jLhmvfkaAF4DLMDp3TWuC7nG8yh3dfvmN668thfrU -t:dsm_csvr_reg  -identity
cacertutil import -i:registration_sha2.p12 -ip:enc:eNbEbCXHqCQgevjC568oEwItLEuEAjGVxW5SYxgvrnA -t:dsm_csvr_reg  -identity
cacertutil import -i:itrm_dsm_r11_agent_mover.p12 -ip:enc:sytOQtZteLopAt1CX0jIJUJcpqBWrb7G7VegY7F7udogc1c5kLIylw -t:dsmagtmv  -identity
cacertutil import -i:itrm_dsm_r11_agent_mover_sha2.p12 -ip:enc:11P5DUHFLEPpTnfMjTM66i7BeJ6qpEM75gix9SZ4S8TnNoKbZibuTA -t:dsmagtmv  -identity
 
- Start the process :
 
csampmux start
cam change auto
caf start

Additional Information

For more details on importing certificates please review the CA Implementation guide


https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/clarity-client-automation/14-0.htmlhttps://docops.ca.com/ca-client-automation/14-0/en