To enhance system security, import the CA certificates of devices before adding the devices or system components to eReplication. If the CA certificates of devices are not imported, communication between eReplication and the devices, and communication within the system, still works; however, eReplication then cannot verify the identity presented by a device, so the system is exposed to spoofing risks. Imported CA certificates take effect only after eReplication is restarted. You are advised to restart eReplication in off-peak hours.
Prerequisites
- A cross-platform remote access tool, such as PuTTY, has been obtained.
- If the eReplication management server runs Linux, the password of user root or DRManager has been obtained.
- The CA certificates of the devices to be added have been obtained, and the certificates are in X.509v3 format.
Context
- The eReplication Server provides the key store bcm.keystore, into which the CA certificates are imported. In Linux, the key store is always saved in /opt/BCManager/Runtime/LegoRuntime/certs.
- The eReplication Server has preset CA certificates of the Agent. Therefore, you do not need to import the CA certificates of the Agent (bcmagentca).
- Note the following when importing CA certificates to the eReplication Server:
- If a device's CA chain has multiple levels (for example a root CA and an intermediate CA), import every CA certificate of the chain, each under its own alias.
- If multiple devices use the same CA certificate, import that CA certificate only once.
- If the system reports a certificate alarm, restart the eReplication Server after the CA certificates are imported.
- Stop the eReplication Server only when no protection tasks or recovery plans are being executed in eReplication.
If no CA certificate is imported or a device certificate has expired, eReplication generates a certificate alarm by default. If you do not want eReplication to generate certificate alarms, you can disable certificate alarming; note that this only silences the alarm and does not remove the spoofing risk described above. For details about how to disable certificate alarming, see Disabling Certificate Alarming.
Procedure
- Linux
- Use PuTTY to log in to the eReplication Server.
In software package-based installation mode: Log in as user root.
- Run the TMOUT=0 command to prevent PuTTY from exiting due to session timeout.
After you run this command, the session no longer times out when idle, which is a security risk. For security purposes, run exit to log out of the system after completing your operations.
- Run cd /opt/BCManager/Runtime/bin to enter the script save path.
In Linux, the installation path of the eReplication Server is /opt/BCManager. The path is fixed.
- Run the sh shutdownSystem.sh command and enter y to stop the eReplication Server.
- Run cd /opt/BCManager/Runtime/bin to enter the script save path.
- Run ./jre6.0.18/bin/keytool -import -alias <Certificate alias> -keystore ./LegoRuntime/certs/bcm.keystore -file <Certificate file> to import the CA certificate.
<Certificate alias> must be unique for each certificate. keytool compares aliases case-insensitively, so two aliases that differ only in case count as the same alias.
<Certificate file> is the full path to the file, for example /opt/BCManager/Runtime/LegoRuntime/certs/cacert/cacert.pem. The file must contain a single certificate: if a file bundles a whole chain, keytool imports only the first certificate in it, so give each level of the chain its own file.
- Type the password of the BCManager CA certificate key store and press Enter. keytool displays the certificate's owner, issuer, validity period and fingerprints; check that they match the certificate you intended to import before trusting it.
The following command output is displayed:
Trust this certificate? [no]:
- Type yes.
The CA certificate has been added to the key store if the following command output is displayed:
Certificate was added to keystore
- Run ./jre6.0.18/bin/keytool -list -v -keystore ./LegoRuntime/certs/bcm.keystore to view information about the imported CA certificate.
- Type the password of the BCManager CA certificate key store and press Enter. Confirm that the imported CA certificate is listed under its alias with the entry type trustedCertEntry.
- Repeat 6 to 10 (the keytool -import step through the keytool -list check) for each remaining CA certificate of the devices.
- Run cd /opt/BCManager/Runtime/bin to enter the script save path.
- Run the sh startSystem.sh command to start the eReplication Server.
----End
Follow-up Procedure
If the CA certificate of a device is updated, delete the original CA certificate and then import the new one. Before performing 6 (in Linux), perform the following operations:
- Linux
- Run ./jre6.0.18/bin/keytool -delete -alias <Certificate alias> -keystore ./LegoRuntime/certs/bcm.keystore to delete the original CA certificate. <Certificate alias> is the alias under which the original CA certificate was imported; if you are not sure, look it up with keytool -list -v first.
- Type the password of the BCManager CA certificate key store and press Enter. Make sure the alias you are deleting belongs to the CA certificate being replaced and not to another device's CA.
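The import procedure above and the follow-up replacement procedure, carried out for a whole directory of device CA files, as an added example script. This is not eReplication's own tooling and not part of the original page: the key store path, JRE path and shutdownSystem.sh/startSystem.sh scripts are the document's; the directory argument, the REPLACE variable, the alias naming scheme and the assumption that shutdownSystem.sh accepts its y confirmation on standard input are this example's. It stops the server, imports every certificate under a unique alias (splitting a PEM bundle so each level of a chain gets its own entry, since keytool -import stores only the first certificate of a file), skips any certificate whose fingerprint is already in the key store so a CA shared by several devices is imported once, optionally deletes a stale alias first, lists the key store for verification and starts the server again.

```shell
#!/bin/sh
# Added example, not eReplication's own tooling: import every device CA file
# in a directory into bcm.keystore, one unique alias per certificate, splitting
# multi-certificate PEM bundles so each level of a chain is imported, skipping
# certificates already in the key store and, with REPLACE=yes, deleting a stale
# alias first as in the follow-up procedure. Paths and script names are the
# document's; the directory argument and REPLACE are assumptions.
set -eu

RUNTIME_BIN=/opt/BCManager/Runtime/bin
KEYTOOL="$RUNTIME_BIN/jre6.0.18/bin/keytool"
KEYSTORE="$RUNTIME_BIN/LegoRuntime/certs/bcm.keystore"
REPLACE="${REPLACE:-no}"

# Alias from a file name: basename without extension, lowercased, every
# character outside [a-z0-9_-] replaced by '_'. keytool aliases are
# case-insensitive, so lowercasing stops Array.pem and array.pem colliding.
alias_for_file() {
    _b=$(basename "$1"); _b=${_b%.*}
    printf '%s\n' "$_b" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9_-]/_/g'
}

# Write each certificate of a PEM file to its own numbered file under $2 and
# print the paths in order. keytool -import stores only the first certificate
# of a trusted-certificate file, so a bundled chain must be split to import
# all of its levels. Prints nothing for DER input.
split_pem() {
    awk -v out="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", out, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); print f; f = "" }
    ' "$1"
}

# SHA1 fingerprint as keytool -printcert shows it; empty if not an X.509 cert.
fingerprint_of() {
    "$KEYTOOL" -printcert -file "$1" 2>/dev/null | sed -n 's/.*SHA1: *//p' | head -n 1
}

alias_exists() {
    "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

keystore_has_fingerprint() {
    "$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" | grep -q "SHA1: *$1"
}

# Import one certificate under one alias. -noprompt answers "Trust this
# certificate? [no]:" with yes, so -printcert output is shown first for the
# operator to check the subject and fingerprint.
import_ca() {
    _file=$1; _alias=$2
    _fp=$(fingerprint_of "$_file")
    [ -n "$_fp" ] || { echo "ERROR $_file: not an X.509 certificate" >&2; return 1; }
    if [ "$REPLACE" = yes ] && alias_exists "$_alias"; then
        "$KEYTOOL" -delete -alias "$_alias" -keystore "$KEYSTORE" -storepass "$STOREPASS"
    fi
    if keystore_has_fingerprint "$_fp"; then
        echo "skip  $_file: certificate $_fp is already in the key store"; return 0
    fi
    if alias_exists "$_alias"; then
        echo "ERROR $_file: alias '$_alias' belongs to a different certificate" >&2; return 1
    fi
    "$KEYTOOL" -printcert -file "$_file"
    "$KEYTOOL" -import -noprompt -alias "$_alias" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$_file"
    echo "added $_file as '$_alias' ($_fp)"
}

main() {
    _dir=$1
    printf 'bcm.keystore password: '; stty -echo; read -r STOREPASS; stty echo; echo
    # Stop the server before touching the key store (shutdownSystem.sh asks for y).
    ( cd "$RUNTIME_BIN" && printf 'y\n' | sh shutdownSystem.sh )
    _tmp=$(mktemp -d)
    for _bundle in "$_dir"/*.pem "$_dir"/*.crt "$_dir"/*.cer; do
        [ -f "$_bundle" ] || continue                  # unmatched glob pattern
        _base=$(alias_for_file "$_bundle")
        mkdir -p "$_tmp/$_base"
        set -- $(split_pem "$_bundle" "$_tmp/$_base")
        if [ $# -eq 0 ]; then import_ca "$_bundle" "$_base"          # DER file
        elif [ $# -eq 1 ]; then import_ca "$1" "$_base"              # one PEM certificate
        else _n=0; for _p; do _n=$((_n + 1)); import_ca "$_p" "${_base}_$_n"; done
        fi
    done
    rm -rf "$_tmp"
    "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$STOREPASS"   # verify, as in the procedure
    ( cd "$RUNTIME_BIN" && sh startSystem.sh )
}

if [ $# -ge 1 ]; then main "$1"; else echo "usage: $0 <directory of device CA files>" >&2; fi
```

Run it as root on the eReplication Server with the directory holding the device CA files, for example sh import_device_cas.sh /opt/BCManager/Runtime/LegoRuntime/certs/cacert, and with REPLACE=yes in the environment when a device's CA has been renewed. Two caveats: the key store password is passed with -storepass, so it is visible in the process list for the duration of each keytool call (the manual procedure avoids this by letting keytool prompt per command, at the cost of typing the password for every file); and because of set -e the script aborts on the first failed import while the server is still stopped, so after fixing the offending file run sh startSystem.sh yourself.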
Copyright © Huawei Technologies Co., Ltd.