HP Instant Capacity Release Notes for Version 9.x

member OS instances, the GiCAP manager, and any planned standby GiCAP manager. This
configuration attribute is not dynamic and must be set using the -p option. You must restart the
cimserver to set the value. For details, see cimconfig(1M).
Use the following commands to set sslClientVerificationMode to “optional” and restart
the cimserver:
# cimconfig -s sslClientVerificationMode=optional -p
# cimserver -s; cimserver
Use the following command to check the value of sslClientVerificationMode after a CIM
Server restart:
# cimconfig -g sslClientVerificationMode -c -p
Current value: optional
Planned value: optional
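The check above can be scripted so that a host where the value was set with -p but the cimserver was not yet restarted is told apart from one that is ready for the re-add step. This is an added example, not part of the HP release notes: check_ssl_mode is a hypothetical helper name, the sample output is constructed, and "disabled" as the previous value is an assumption.

```shell
#!/bin/sh
# Added example (not from the HP release notes). check_ssl_mode is a
# hypothetical helper that reads, on stdin, the output of:
#   cimconfig -g sslClientVerificationMode -c -p
# and prints one state. Exit status is 0 only when the host is ready.
check_ssl_mode() {
    current="" planned=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "Current value:"*) current=${line#"Current value:"} ;;
            "Planned value:"*) planned=${line#"Planned value:"} ;;
        esac
    done
    # Strip blanks and any stray carriage return around the values.
    current=$(printf '%s' "$current" | tr -d '[:space:]')
    planned=$(printf '%s' "$planned" | tr -d '[:space:]')

    if [ "$current" = optional ] && [ "$planned" = optional ]; then
        echo ready; return 0              # set with -p and cimserver restarted
    elif [ "$planned" = optional ]; then
        echo restart-pending; return 1    # -p done, cimserver not yet restarted
    elif [ "$current" = optional ]; then
        echo planned-differs; return 2    # value changes at the next restart
    else
        echo not-set; return 3
    fi
}

# Constructed sample: value planned with -p, cimserver not restarted yet.
# "disabled" as the previous value is an assumption.
sample='Current value: disabled
Planned value: optional'
printf '%s\n' "$sample" | check_ssl_mode || true
```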
Once the Group Manager and all OS instances of a group member are upgraded to iCAP version
9.x, and the CIM Server attribute is set to “optional” for all systems, you must re-add each group
member to the group it already belongs to. For example, if group One already contains the
member member1 with hosts member1b and member1c, re-add member1 to group One by
entering the following command:
icapmanage -a -g One -m member1:member1b,member1c
This is the same command originally used to make member1 a member of GiCAP group One.
This command to re-add the member to its group does not require that the member first be
removed from its group. It does require the entry of the root passwords for the member hosts.
The icapmanage command uses these passwords to set up communication between the GiCAP
member hosts and the Group Manager with the new communication protocol. The passwords
are not saved, and further communication between the Group Manager and the member hosts
will not require a password.
GiCAP and SSL Certificates
Creation and Exchange
The Secure Sockets Layer (SSL) protocol is used to facilitate secure communication between the
GiCAP active group manager and the optional standby group manager, and between the group
manager(s) and each host on a GiCAP member complex. As used here, the SSL protocol requires
two-way authentication, facilitated by the exchange of digital certificates between the
communication partners. The certificates are created by the GiCAP software, typically at
installation time using the /etc/opt/iCAP/GiCAP_keygen script.
Certificates are exchanged between pairs of host systems as a result of the following operations:
• When a member is added to a group (icapmanage -a -g -m), certificates are exchanged
  between the active group manager and each host specified for the new member. If a standby
  manager is defined and accessible, certificates are exchanged between the standby group
  manager and each host specified for the new member.
• When a host is added to a group member (icapmanage -u -m), certificates are exchanged
  between the active group manager and each new host. If a standby manager is defined and
  accessible, certificates are exchanged between the standby group manager and each new
  host.
• When a standby manager is added (icapmanage -a -S), certificates are exchanged between
  the active group manager and the standby manager, and between the standby manager and
  every host of every member of every managed group.
• When a standby manager takes over a group (icapmanage -Q), certificates are exchanged
  between the new active manager and any member hosts that have not already exchanged
  certificates with this manager.
Whenever the GiCAP software needs to exchange SSL certificates between hosts, it will prompt
for the root password so that it can exchange the certificates. If the GiCAP software needs to