Adding 2048 bit length certificates for identity and trust between the Veritas InfoScale Operations Manager Central Management Server and its Management Hosts

Article ID: 100038467
Description

Earlier versions of Veritas Operations Manager (VOM) use only 1024 bit certificates to identify and establish trust between the CMS (Central Management Server) and MH (Management Host) entities for communication. Several security agencies have flagged 1024 bit key lengths as a risk. The ability to upgrade the certificates to 2048 bit keys is now available with the newest release.

Note: The ability to use 2048 bit length keys is available beginning with Veritas InfoScale Operations Manager 7.0. Please be aware that once the AT migration script process is started there is no roll-back. Once started, all hosts must be upgraded to the 7.0 release and to 2048 bit keys.

To assist with upgrading to 2048 bit keys without creating a new CMS and re-adding hosts, there is a command line interface (CLI) script which completes the AT migration job. Using this script, the application generates the 2048 bit certificates on the CMS and then imports them on all 7.0 MHs that are up and reporting correctly to the CMS. This AT migration script needs to be executed only once, on the Central Management Server. It pushes the 2048 bit keys to all Managed Hosts that are actively reporting to the CMS and are running the 7.0 version of the Managed Host package.

The script warns administrators of the number of hosts that are currently unreachable, or that are running a version unsupported for the upgrade.

Note: Before making any changes, ensure that the hosts can be upgraded to Veritas InfoScale Operations Manager 7.0. There are serious consequences to upgrading the environment if these hosts cannot be upgraded to match the CMS: they will cease to report to the CMS.

If no issues are discovered, the script will continue (Figure 1).

Figure 1 - Running the migration script


If the AT migration script fails for a few hosts, check the logs under /var/opt/VRTSsfmh/at_migration.log on the Central Management Server and /var/opt/VRTSsfmh/at_migration.log on the Managed Host.
Then rerun the AT migration script manually from the Managed Host node. This is available for version 7 hosts only.


If an MH was down during the AT migration process, the script needs to be run on that specific MH to import the credentials, if the administrator chooses to continue.

Figure 2 - AT Migration failure

Note: Proceeding with the execution of the script when the environment contains Managed Hosts running a version earlier than 7 will result in a need to upgrade those hosts.


To check which hosts are still not migrated, the script accepts a "--list" argument that shows the hosts on which the new credentials have not yet been imported.

Figure 3 - Using the "--list" argument


Servers that are currently not reporting to a Management Server, or that are running older versions of the Managed Host, need to be manually upgraded to 7.0 or later, and the AT migration script needs to be run manually on those servers. To an existing Management Server that has been upgraded to 7.0 and migrated to 2048 bit certificates, the user can add only those MHs which have OpenSSL version 0.9.8zc or higher installed.
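The OpenSSL floor above is easy to get wrong by eye, because 0.9.8 releases use a letter suffix (0.9.8z is older than 0.9.8za, which is older than 0.9.8zc). The following is an added example, not part of this article or of the Veritas tooling, that parses the text printed by `openssl version` on each candidate Managed Host and reports which hosts meet the 0.9.8zc minimum before you try to add them to a migrated CMS. The host names and version strings are constructed sample data; how you collect the `openssl version` output from each host is left to your own inventory tooling.

```python
import re

# Minimum OpenSSL version the article requires on a Managed Host that is
# added to a CMS already migrated to 2048 bit certificates.
MIN_OPENSSL = "0.9.8zc"

# Matches "0.9.8zc", "1.0.1e-fips", "3.0.2", or the same embedded in
# "OpenSSL 0.9.8zc 15 Oct 2014"; the date after the version is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return a tuple that orders OpenSSL versions correctly.

    The letter suffix of pre-1.1 releases sorts by length first and then
    alphabetically ("" < "a" < ... < "z" < "za" < "zb" < "zc"), so it is
    encoded as (len(suffix), suffix) rather than compared as a bare string.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch), (len(suffix), suffix))


def meets_minimum(version_text, minimum=MIN_OPENSSL):
    """True if the version printed by `openssl version` is >= the minimum."""
    return parse_openssl_version(version_text) >= parse_openssl_version(minimum)


def hosts_eligible(host_versions, minimum=MIN_OPENSSL):
    """Split {host: `openssl version` output} into (eligible, blocked) lists.

    Hosts whose output cannot be parsed are treated as blocked, since an
    unknown OpenSSL level should not be added to a migrated CMS on trust.
    """
    eligible, blocked = [], []
    for host, text in sorted(host_versions.items()):
        try:
            ok = meets_minimum(text, minimum)
        except ValueError:
            ok = False
        (eligible if ok else blocked).append(host)
    return eligible, blocked


# Constructed sample: what `openssl version` might print on four hosts.
# (hypothetical host names; not from the article)
SAMPLE_HOST_VERSIONS = {
    "mh01.example.com": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
    "mh02.example.com": "OpenSSL 0.9.8zc 15 Oct 2014",
    "mh03.example.com": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "mh04.example.com": "OpenSSL 0.9.8za 5 Jun 2014",
    "mh05.example.com": "openssl: command not found",
}

if __name__ == "__main__":
    good, bad = hosts_eligible(SAMPLE_HOST_VERSIONS)
    print("can be added to migrated CMS:", ", ".join(good))
    print("upgrade OpenSSL first:        ", ", ".join(bad))
```

Run it as a script to see the split for the sample data; in practice replace `SAMPLE_HOST_VERSIONS` with the real output gathered from each host. Note that `mh04` fails even though it is a 0.9.8z-series build, which is exactly the case a naive string comparison would get wrong.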

Please contact Veritas Technical Support, your account representative, or your Business Critical Account Manager with any questions while planning your upgrade.
