Searching the Help
To search for information in the Help, type a word or phrase in the Search box. When you enter a group of words, OR is inferred. You can use Boolean operators to refine your search.
Results returned are case insensitive. However, results ranking takes case into account and assigns higher scores to case matches. Therefore, a search for "cats" followed by a search for "Cats" would return the same number of Help topics, but the order in which the topics are listed would be different.
Words and Phrases
| Search for | Example | Results |
|---|---|---|
| A single word | cat
|
Topics that contain the word "cat". You will also find its grammatical variations, such as "cats". |
|
A phrase. You can specify that the search results contain a specific phrase. |
"cat food" (quotation marks) |
Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase. |
Using Boolean Operators
| Search for | Operator | Example |
|---|---|---|
|
Two or more words in the same topic |
|
|
| Either word in a topic |
|
|
| Topics that do not contain a specific word or phrase |
|
|
| Topics that contain one string and do not contain another | ^ (caret) |
cat ^ mouse
|
| A combination of search types | ( ) parentheses |
|
Using the SA Core Recertification tool
To run the Core recertification tool, enter the following:
/opt/opsware/oi_util/OpswareCertTool/recert_utils/corerecert [--phase <phase number>] [--config <complete path to the config file>] [--doit]] [-h, --help] [-v, --version] [-s, --status] [-d, --debug] [--summary] [--cancel_all_agent_recert_jobs] [--cancel_agent_recert_jobs_for_facility <facility name>] [--cancel_all_jobs] [--reason <reason for job cancellation>] [--force_resume <facility_name>]
The following topics are discussed in this section:
Arguments to the Core Recertification tool
The following table describes the valid arguments for the Core Recertification tool:
|
Argument |
Description |
|---|---|
|
|
Displays help. |
|
|
Starts a specified Core Recertification phase. The valid phase numbers are 1, 4, 6, 7, 8, 9, 12, and 13. |
|
|
The fully qualified path to the Core Recertification configuration file. The default configuration file is |
|
|
Reruns or forces a rerun of a given Core Recertification phase. This is useful when certain newly added components have missed the recertification process. It is also used to skip specified phases, such as new Agent CA push or old Agent CA removal. |
|
|
Prints out the version number of the |
|
|
Displays the current status of the recertification process. |
|
|
Sets Core Recertification to debug mode, debug logs are available in |
|
|
Prints out the current status summary, shorter version of |
|
|
Cancels all currently scheduled Agent recertification jobs. |
|
|
Cancels the Agent recertification jobs scheduled for a given facility. |
|
|
Cancels all Core and Agent Recertification jobs. |
|
|
Specifies an optional reason for the job cancellation. |
|
|
Specifies that a new job be automatically scheduled for any facilities with failed agent recertification jobs. Facilities with no failed jobs will be skipped. Alternatively, if you do not specify this parameter, you can resume the job for each facility individually. |
The /tmp/recerttool.log is not cumulative, it is rewritten with each recerttool execution. The log contains only the following information: information on starting the background processes for the current phase, parameters that the current phase uses (if applicable), and information on failure to kick off background jobs.
The core recertification background jobs rely on SA's OGSH infrastructure. See /tmp/core_recert.log (SA 9.1, 10.00 and 10.10) under OGFS of the core used to start the recertification or in /var/log/opsware/waybot/recert.log (SA 10.20 and later) for more information.
The agent recertification background jobs are run by the waybot, hence more details can be found in the twist and waybot logs on each core of the mesh.
The Software and Model Repository signature regeneration (Phase 11) will log additional information on the recert's base slice in UpdateSignatures.log and ResignJobTokens.log under /opt/opsware/oi_util/OpswareCertTool/recert_utils/ .
Adding new Core Components during Core Recertification is not recommended. Although adding new Core Components, such as the Slice Component bundle, a Satellite, etc. during Core Recertification is possible under certain circumstances, HPE does not recommend doing so unless absolutely necessary. You must first contact HPE Professional Services before adding new Core components while a Core Recertification is in progress.
Replacing SA certificates with third-party certificates (not issued by an SA CA) is not supported. During Core Recertification, third-party certificates could be overwritten if they have the same filename as an SA certificate. If you have replaced any SA certificates with certificates issued by a third-party CA, you should contact HPE Server Automation Support before performing Core Recertification.
Security considerations
Consider the following security issues:
Crypto database file
The SA Core Recertification Tool requires access to the SA crypto database file during recertification.
The SA crypto database consists of the file:
/var/opt/opsware/crypto/cadb/realm/opsware-crypto.db.e
This file is protected by the crypto material password (decrypt_passwd), which was specified during the mesh’s First Core installation. During subsequent Core installations, this file is also copied to the new Secondary Core hosts. You must protect this password as compromising the crypto database files means compromising your entire Multimaster Mesh.
The crypto database file is required only during SA installation or upgrade, but it is regenerated during Core Recertification. Therefore, HPE strongly recommends that you create procedures that protect the crypto database file. Therefore, before Core Recertification, you must back up this file to a secure location.
During Core Recertification, SA regenerates the crypto database only on the host on which you invoke the Core Recertification Tool. Core Recertification does not copy the newly generated crypto database file to any other hosts in the mesh during recertification. You should also back up this file to a secure location as soon as Core Recertification is complete.
Equally important is to strictly control root access to the Core hosts. Crypto materials (certificates and their corresponding private keys) on the Core hosts are not encrypted. They are protected by the root user account. In other words, these files are protected by the read-only access for the root user. Therefore, having root access to the Core hosts means a user has access to both the crypto material password and the crypto database files, and Core Recertification should only be performed by SA System Administrators, or someone who has legitimate root access to the Core hosts.
We welcome your comments!
To open the configured email client on this computer, open an email window.
Otherwise, copy the information below to a web mail client, and send this email to hpe_sa_docs@hpe.com.
Help Topic ID:
Product:
Topic Title:
Feedback: