SCM and CG Unix Agent co-existence

  • 7023134
  • 27-Jun-2018
  • 03-Jul-2018

Environment

Change Guardian 5.0
Secure Configuration Manager for Unix 7.5.1

Situation

SCM component registration fails after the upgrade to 7.6 UA, and the manual registration workaround has to be applied a second time.

Resolution

Step 1: Install SCM 7.x on machine 1 [Windows].

Step 2: Install CG Server 5.x on machine 2 [SUSE Linux].

Step 3: Install Security Agent for Unix 7.5.1 or later with the CG and SCM components using the CG AM, and configure the SCM core IP field [SUSE Linux].

 

Step 4: Open the SCM console and verify that the installed SCM Security Agent for Unix appears as ‘Unregistered’ under Unix assets. Follow the steps below to register it.

Step 5: Install Cygwin on a Windows machine to obtain OpenSSL, or install OpenSSL on its own.

 

Step 6: Copy javosca-bundle.pem from the folder /…/netiq/cg/javos/security/profiles/profile_javos/ on the CG server machine to the machine on which OpenSSL was installed in Step 5.

Step 7: Open the command prompt and change to the directory into which javosca-bundle.pem was copied. Create a certificate in DER format from it using OpenSSL and the following command:

openssl x509 -outform der -in javosca-bundle.pem -out certificate.der

Step 8: Import the certificate (certificate.der) created above into the SCM keystore using the steps below. Note that the import command prompts for a password, which is available from the support team.

Copy the generated certificate.der file into your SCM installation directory.

1. In a non-FIPS environment:

a) Paste the certificate to:

\...\ NetIQ\Secure Configuration Manager\Core Services\jre\bin

b) Open the command prompt, change to “\...\ NetIQ\Secure Configuration Manager\Core Services\jre\bin” and run the following command to import the certificate into your SCM keystore:

keytool -import -alias javosca -keystore vssla.keystore -file certificate.der

2. In a FIPS environment:

a) Paste the certificate to:

\...\ NetIQ\Secure Configuration Manager\Core Services\bin

b) Open the command prompt, change to “\...\ NetIQ\Secure Configuration Manager\Core Services\bin” and run the following command to import the certificate into your keystore (the NSS database under C:\SCMNSS\etc):

certutil.exe -A -d C:\SCMNSS\etc -i "C:\certificate.der" -n "certificate" -t "CT,CT,CT"
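One caveat for Step 7: openssl x509 reads only the first certificate in its input, and javosca-bundle.pem is a bundle that may hold more than one CA certificate. The helper below is an added example (not part of this article or of the NetIQ tooling) that splits the bundle, converts every block to DER using only Python's standard library, and prints each SHA-256 fingerprint so the entries imported in Step 8 can be checked against the fingerprints shown by keytool -list -v. The embedded sample bundle is constructed from two minimal ASN.1 SEQUENCE blobs and contains no real certificates.

```python
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def split_pem_bundle(bundle_text: str) -> list:
    """Return every PEM certificate block, in file order. openssl x509 converts
    only the first block, so a multi-certificate bundle must be split first."""
    blocks, current = [], None
    for raw in bundle_text.splitlines():
        line = raw.strip()
        if line == PEM_HEADER:
            current = [line]
        elif line == PEM_FOOTER and current is not None:
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks

def pem_to_der_checked(pem_block: str) -> bytes:
    """Base64-decode one PEM block to DER and reject non-certificate data."""
    der = ssl.PEM_cert_to_DER_cert(pem_block)
    if not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded data is not a DER-encoded certificate")
    return der

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form keytool -list -v prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def convert_bundle(bundle_text: str) -> list:
    """Return (der_bytes, fingerprint) for each certificate in the bundle."""
    ders = map(pem_to_der_checked, split_pem_bundle(bundle_text))
    return [(der, sha256_fingerprint(der)) for der in ders]

# Constructed sample only: two minimal ASN.1 SEQUENCE blobs wrapped as a PEM
# bundle so the script runs offline; they are not real certificates.
SAMPLE_BUNDLE = "".join(
    ssl.DER_cert_to_PEM_cert(bytes([0x30, 0x05, 0x02, 0x01, n, 0x05, 0x00]))
    for n in (1, 2))

if __name__ == "__main__":
    for index, (der, fingerprint) in enumerate(convert_bundle(SAMPLE_BUNDLE), 1):
        with open(f"certificate-{index}.der", "wb") as out:
            out.write(der)
        print(f"certificate-{index}.der  SHA256: {fingerprint}")
```

To use it on the real file, replace SAMPLE_BUNDLE with the contents of javosca-bundle.pem and import each certificate-N.der in turn under its own alias.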


Step 9: Restart the SCM Core service.

Step 10: Re-register the installed Security Agents for Unix by reconfiguring or upgrading them through the CG AM,

or

manually run the wcRegister script in /usr/netiq/bin on the Security Agent for Unix machine. The registration should succeed this time.


Cause

Registration of the SCM agent with the SCM core fails after the upgrade from 7.5.1 to 7.6, even though the manual SCM registration workaround was applied before the upgrade, at agent level 7.5.1 with the server at 5.0.
Whenever an upgrade is performed, the certificates are regenerated; SCM registration then fails and the agent has to be re-registered.