How do I re-import the Certificates Files needed for the ITCM Agent?
Article ID: 21512
Updated On:
Products
Issue/Introduction
It may become necessary to re-import the default Client Automation certificates due to missing or corrupt certificates on agents or other Client Automation components.
The list of Certificate Files that get installed on an agent are found in the cfcert.ini file on the Client Automation Installation Media.
This file is located in the ...\WindowsProductFiles_x86\Manager\Program Files\CA\DSM\bin directory of DVD #1.
The associated commands to import these certificates are also listed in this file in the "Files" section of cfcert.ini.
For example, the Files section is posted below.
[Files]
itrm_dsm_r11_root.der=cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3
basic_id.p12=cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon
ccsm.p12=cacertutil import -i:ccsm.p12 -t:csm -ip:enc:IWhun2x3ys7y1FM8Byk2LMs56Rr8KmXQ
itrm_dsm_r11_cmdir_eng.p12=cacertutil import -i:itrm_dsm_r11_cmdir_eng.p12 -ip:enc:gYuzGzNcIYzWjHA6w542pW68E8FobJhv -t:dsm_cmdir_eng
itrm_dsm_r11_sd_catalog.p12=cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat
itrm_dsm_r11_agent_mover.p12=cacertutil import -i:itrm_dsm_r11_agent_mover.p12 -ip:enc:sytOQtZteLopAt1CX0jIJUJcpqBWrb7G7VegY7F7udogc1c5kLIylw -t:dsmagtmv
registration.p12=cacertutil import -i:registration.p12 -ip:enc:z5jLhmvfkaAF4DLMDp3TWuC7nG8yh3dfvmN668thfrU -t:dsm_csvr_reg
babld.p12=cacertutil import -i:babld.p12 -ip:enc:TrdWglmuNCdeOAfj2j3vMwywVbGnlIvX -t:babld_server
dsmpwchgent.p12=cacertutil import -i:dsmpwchgent.p12 -ip:enc:QWF8vknD5aZsU1j5RLzgt1NQgF5DcXj4v1vS4ewDzOA -t:ent_access
dsmpwchgdom.p12=cacertutil import -i:dsmpwchgdom.p12 -ip:enc:sqb9qO2SGjbYqzIvwM7HEbx0M6UJk8Dc82EvUoDeJmE -t:dom_access
dsmpwchgrep.p12=cacertutil import -i:dsmpwchgrep.p12 -ip:enc:x901eho57IZ19zg6g97rQetHjA1461na7nhBmJl7mcc -t:rep_access
babldstsrv.p12=cacertutil import -i:babldstsrv.p12 -ip:enc:decsZwCNcvGIN6MlopBq2QpsynMKYh9yqlxHiAlkfXg -t:babld_staging_server
babldwebsrv.p12=cacertutil import -i:babldwebsrv.p12 -ip:enc:wJGYDv5lmFCMwQMlE0tu8X5ggNO2As9dnzZuXt14pX4 -t:babld_web_service
Environment
Client Automation - All Versions
Resolution
The command to import each certificate is a subset of the lines listed under [Files] in cfcert.ini.
For example, consider this line from above:
basic_id.p12=cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon
The import command used would be:
cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon
To run this successfully, these commands must be run from the %sdroot%\..\bin directory(DSM\bin).
Make sure CAF is stopped before running the imports.
To see if the certificates are now valid you can run the following command:
cacertutil list -v
If successful for the above example, an item like the following will be in the output:
dsmcommon = CN=Generic Host Identity,O=Computer Associates,C=US
Notice that 'dsmcommon' is the string after the '-t:' in the command to generate the certificate.
Agent Certificate Install Procedure:
For the agent components you can skip the "ccsm.p12", "babldstsrv.p12 abd", and the "babldwebsrv.p12".
For other CA Client Automation components such as Scalability Servers and Domain Managers, you can verify which Certificate files need to be imported by seeing which *.p12 files are in your DSM\bin directory.
In most cases the agent should only need to run the commands below from the DSM\bin directory...
- cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3 -trust
- cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon -identity
- cacertutil import -i:itrm_dsm_r11_cmdir_eng.p12 -ip:enc:gYuzGzNcIYzWjHA6w542pW68E8FobJhv -t:dsm_cmdir_eng -identity
- cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat -identity
- cacertutil import -i:registration.p12 -ip:enc:z5jLhmvfkaAF4DLMDp3TWuC7nG8yh3dfvmN668thfrU -t:dsm_csvr_reg -identity
- cacertutil import -i:dsmpwchgent.p12 -ip:enc:QWF8vknD5aZsU1j5RLzgt1NQgF5DcXj4v1vS4ewDzOA -t:ent_access -identity
- cacertutil import -i:dsmpwchgdom.p12 -ip:enc:sqb9qO2SGjbYqzIvwM7HEbx0M6UJk8Dc82EvUoDeJmE -t:dom_access -identity
- cacertutil import -i:dsmpwchgrep.p12 -ip:enc:x901eho57IZ19zg6g97rQetHjA1461na7nhBmJl7mcc -t:rep_access -identity
Example for ITCM Agent 12.9, 14.0
cd C:\Program Files (x86)\CA\DSM\Bin
cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3 -trust
cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon -identity
cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat -identity
cacertutil import -i:itrm_dsm_mngrsgn.cer -it:x509v3 -t:ManagerSigner
Example for ITCM Agent 14.0 SP1 and SP2
cd C:\Program Files (x86)\CA\DSM\Bin
cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3 -trust
cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon -identity
cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat -identity
cacertutil import -i:itrm_dsm_mngrsgn.cer -it:x509v3 -t:ManagerSigner
cacertutil import -i:itrm_dsm_r11_root_sha2.der -it:x509v3 -trust
cacertutil import -i:basic_id_sha2.p12 -ip:enc:thw9f6WIkidn6KpcthVjEcVTqK6o8jc3 -h -t:dsmcommon -identity
cacertutil import -i:itrm_dsm_r11_sd_catalog_sha2.p12 -ip:enc:8rpIyxMgMngSUcJEgkgFxeoNuncyiGpiWNciu1rUs6H6a9QQMTfWjA -t:dsmsdcat -identity
cacertutil import -i:itrm_dsm_mngrsgn_sha2.cer -it:x509v3 -t:ManagerSigner
Example for ITCM Manager 14.5
cam change disabled
camclose
csampmux stop
cfsystray stop
hmagent stop
C:\Program Files (x86)\CA\SC\CBB\cbbkstor.dat -> C:\Program Files (x86)\CA\SC\CBB\cbbkstor.dat.old
cacertutil remove -allTag:itcm-anonymous
cacertutil import -i:basic_id.p12 -ip:enc:
cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3 -trust
cacertutil import -i:basic_id_sha2.p12 -ip:enc:
cacertutil import -i:itrm_dsm_r11_root_sha2.der -it:x509v3 -trust
cacertutil import -i:itrm_dsm_mngrsgn.cer -it:x509v3 -t:ManagerSigner
cacertutil import -i:itrm_dsm_mngrsgn_sha2.cer -it:x509v3 -t:ManagerSigner
cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:
cacertutil import -i:itrm_dsm_r11_sd_catalog_
cacertutil import -i:itrm_dsm_r11_cmdir_eng.p12 -ip:enc:
cacertutil import -i:itrm_dsm_r11_cmdir_eng_
cacertutil import -i:dsmpwchgent.p12 -ip:enc:
cacertutil import -i:dsmpwchgdom.p12 -ip:enc:
cacertutil import -i:dsmpwchgrep.p12 -ip:enc:
cacertutil import -i:dsmpwchgent_sha2.p12 -ip:enc:
cacertutil import -i:dsmpwchgdom_sha2.p12 -ip:enc:
cacertutil import -i:dsmpwchgrep_sha2.p12 -ip:enc:
cacertutil import -i:registration.p12 -ip:enc:
cacertutil import -i:registration_sha2.p12 -ip:enc:
cacertutil import -i:itrm_dsm_r11_agent_mover.
cacertutil import -i:itrm_dsm_r11_agent_mover_
cam change auto
caf start
Additional Information
For more details on importing certificates please review the CA Implementation guide
Feedback
