Certificates are used to establish secure, trusted connections to the CMM and from the CMM to other servers.
For an application initiating a connection to trust the server that it is connecting to, it must have in its trust store a copy of either the server certificate or the certificate of the Certificate Authority (CA) that signed the server certificate. The CMM has a CA that signs certificates for the LDAP, HTTPS, and CIM servers of all systems management processors in the Flex System Enterprise Chassis. You can create trust between your web browser and the HTTPS servers on the management processors in the chassis by importing the CA certificate into your web browser. Additionally, when you work with an external LDAP server, you can use the CMM web interface or CLI to configure either non-mutual (server only) or mutual certificate authentication.
The CA certificate in each Flex System Enterprise Chassis is unique. You download CA certificates through the primary CMM in each chassis using the CMM web interface or CLI.
The following illustration shows the "Certificate download format" window.
After you download each CA certificate, you should import it into your web browser, so that the web browser will trust websites that have a certificate signed by the CA. If there are multiple users who will access the management processors in the Flex System Enterprise Chassis, you can share the CA certificates with the other users. You can share certificates via email or through any other file sharing mechanism. Each user that receives a CA certificate must also import it into their web browser. If your organization has a process for pushing trusted authority certificates to users, you can also use that process.
To import a CA certificate into your web browser, complete the following steps:
If you change a CA certificate, you must download the new certificate and import it into your web browser, into the Certificate Trust Store of your Flex System Manager management software, into any Systems Director servers that might be in your network, and into any external LDAP servers that might be configured for mutual authentication (see Importing an LDAP certificate with mutual authentication for information and instructions). This applies to all activities that can change a CA certificate, such as manual changes or resetting the CMM to defaults.
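The trust relationship described above can be reproduced offline with OpenSSL. This is an added example, not part of the product documentation: a server certificate verifies only against the CA that signed it, so the CA of another chassis, or a stale copy imported before the CA changed, is rejected. It assumes the `openssl` command is installed and that server certificates are reissued under the new CA; all names and certificates are constructed.

```shell
#!/bin/sh
# Added example: every key and certificate is constructed in a temp directory.
# "chassis-a", "chassis-b" and "node.example" are hypothetical names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the CA certificates carry basicConstraints CA:TRUE.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = replaced-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: self-signed CA standing in for the CA of one chassis.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
        -subj "/CN=$1 CA" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA HOST: server certificate for HOST signed by CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 30 -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# status CAFILE HOST: "trusted" only if HOST's certificate verifies against
# the CA certificate in CAFILE (the copy a client trust store would hold).
status() {
    if openssl verify -CAfile "$1" "$WORK/$2.pem" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
}

make_ca chassis-a; make_ca chassis-b
issue chassis-a node.example
cp "$WORK/chassis-a.pem" "$WORK/imported.pem"   # CA copy imported by the client
echo "CA of the same chassis:  $(status "$WORK/imported.pem" node.example)"
echo "CA of another chassis:   $(status "$WORK/chassis-b.pem" node.example)"

make_ca chassis-a; issue chassis-a node.example # CA changed, certificates reissued
echo "stale imported CA:       $(status "$WORK/imported.pem" node.example)"
echo "newly downloaded CA:     $(status "$WORK/chassis-a.pem" node.example)"
```

The regenerated CA keeps the same subject name as the old one, which shows that the trust decision rests on the CA key and not on the name shown in the certificate.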
If your web browser advises you that a connection is untrusted or a security certificate is invalid, or reports any other issue relating to a certificate exception, follow the process given above to download and import the CA certificate, making sure to clear all old certificates from the Flex System Enterprise Chassis on all tabs in the certificate pages. You can also try clearing the browser cache and following other instructions that might be suggested by the documentation for your web browser. Because some certificate issues impact only certain web browsers, you might be able to correct the condition by switching to a different web browser.
See Flex System Manager for additional information about troubleshooting certificate issues with your browser.