Running apcertmgmt to update certificates
By default, IBM provides the certificates required for platform manager, but you can also choose to provide your custom certificates instead. If your custom certificates expire, you can use the apcertmgmt command to apply new certificates for platform manager.
Two types of certificates are involved:
- Cluster certificates, which are used for internal platform management communication. No externally accessible endpoint uses them.
- REST certificates, which are used for the externally accessible REST API (for example, ap commands use this API).
About this task
To upgrade the certificates, application downtime is required.
The system must be in state Active, that is, with the platform manager running and system application stopped. Depending on the state your system is in, you can run apstop -a to stop the system application, or apstart -p to start the platform manager only.
[apuser@node0101 ~]$ ap node
+-----------------+---------+-----------+-----------+
| Node | State | Monitored | Is Master |
+-----------------+---------+-----------+-----------+
| hadomain1.node1 | ENABLED | YES | YES |
| hadomain1.node2 | ENABLED | YES | NO |
| hadomain1.node3 | ENABLED | YES | NO |
| hadomain1.node4 | ENABLED | YES | NO |
| hadomain1.node5 | ENABLED | YES | NO |
| hadomain1.node6 | ENABLED | YES | NO |
| hadomain1.node7 | ENABLED | YES | NO |
+-----------------+---------+-----------+-----------+
The apcertmgmt command allows you to manage the certificates. Cluster certificates can be both generated and propagated to the other nodes using this tool. The REST certificate can only be propagated (it has to be generated manually). Following are the steps needed to update both types of certificates:
Procedure
What to do next
apstart -p). Note that the application is not started automatically. Start the system application with the following command: apstart -a