Applies to:
All versions of Certificate Manager.
Summary:
From time to time you may need to change the IP address of the Certificate Manager servers. This document attempts to outline what you may need to be aware of, prior to changing the IP address.
TIP: Not all of the below suggestions will apply to your environment. We expect you to pick and choose what suggestions do apply, and only use those.
- If the Host was provided as a DNS name and only the DNS record was updated, then no changes are needed to Director.
- If the DNS name has changed for the DB server, then you need to run VCC and modify the Host field. More detailed steps on how to run this tool are later in this article.
- If your database is on a different server from Certificate Manager, you may need to notify the Database Administrator (DBA) of the new IP address that will be making requests to it. Some database administrators, for example, may have firewalls and/or database rules in place that only allow connections from a certain IP address, or subnet. Once this is done, you need to run vcc.exe to re-point the Certificate Manager server to the new Database server. More detailed steps on how to run this tool are later in this article.
- If you have multiple Certificate Manager servers, and only one of them is acting as a log server, you need to repoint the others to this new IP address by running the command line tool, vcc.exe. To do this, follow these steps:
  - Run your Windows command prompt with elevated privileges.
  - Navigate down to the 'c:\Program Files\venafi\platforms' folder.
  - Run vcc.exe and select the "Modify database configuration" option on the first screen.
  - This will take you through the Venafi Configuration wizard again, similar to when you first installed TPP, but it will only ask for information on the Database Configuration page, which will allow you to set a new value in the "Host" field. You can also set different values for any or all of the fields as needed for the proper connection to your database server.
  - Once you have changed the address, press the Verify button to ensure it's correct, then press the Next button. The next screen will ask for Administrator credentials. Enter those and press Next. A summary screen will be displayed showing what will be changed. If all looks as expected, press Finish, and the changes will be made. Press the Close button when it appears and the change is done.
- Standing up a new Director Server and retiring the old one:
  - Go through the normal install process for adding the new server, ensuring that you have the correct DPAPI key.
  - Configure the Service Modules appropriately. (Probably matching the old server)
  - See the above steps to address the log server and agent settings.
  - Decommission the old server.
    - In the platform tree remove the server object.
- If there is an HSM involved you will also need to ensure the Director box is able to talk to the same security world as the other systems.
- If you have installed any of the server agents, you'll need to re-configure them before any of the above changes, assuming they will be pointing to this new server/IP address.