I have been trying to implement switchover on a previously stand alone system and every time i go through setup assistant, my original  Interaction Administrator will not start.
I have set the service to manual start, reboot the server, and run the gensslcertsu.exe -s command successfully. 
I then manually run NotifierU.exe, DSServerU.exe  and  Adminserveru-w64.exe  and I assume I am missing a few more exe I would need to run to get it operational.

Does anyone have a list of the exe I need to run or have a possible 'next steps'?  If i try to open IC, it allows me to log in, but then hangs with an authentication error.  I am hoping there is one or 2 manual steps to get me into IA so i can trust the other server or determine more what is wrong.

Any and all help is appreciated.
#AskMeAnything(AMA)
#Implementation
#SystemAdministration
#Unsure/Other

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC
------------------------------

I'm assuming you are running IA on a client machine?

If so, you will need to delete the certificates on the client so that IA re-generates them when you start it. It is caused by you replacing the certs when setting up Switchover.

I forget the path offhand, but will post it when I've had a chance to look it up (or someone else may post first!)

To be clear: I am referring to deleting the certs on the Client, NOT the servers!!!!

Hello Paul,
we do not have any client machines, just a CIC server and a Media server - we only use Attendant to interact with web services.  It seems like this should be so simple.

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC
------------------------------

Original Message:
Sent: 06-17-2021 11:53
From: Paul Simpson
Subject: manually starting system - resolving switchover implementation

I'm assuming you are running IA on a client machine?

If so, you will need to delete the certificates on the client so that IA re-generates them when you start it. It is caused by you replacing the certs when setting up Switchover.

I forget the path offhand, but will post it when I've had a chance to look it up (or someone else may post first!)

To be clear: I am referring to deleting the certs on the Client, NOT the servers!!!!

------------------------------
Paul Simpson
Senior Technical Instructor

Original Message:
Sent: 06-17-2021 10:00
From: Christopher Becker
Subject: manually starting system - resolving switchover implementation

I have been trying to implement switchover on a previously stand alone system and every time i go through setup assistant, my original  Interaction Administrator will not start.
I have set the service to manual start, reboot the server, and run the gensslcertsu.exe -s command successfully.
I then manually run NotifierU.exe, DSServerU.exe  and  Adminserveru-w64.exe  and I assume I am missing a few more exe I would need to run to get it operational.

Does anyone have a list of the exe I need to run or have a possible 'next steps'?  If i try to open IC, it allows me to log in, but then hangs with an authentication error.  I am hoping there is one or 2 manual steps to get me into IA so i can trust the other server or determine more what is wrong.

Any and all help is appreciated.
#AskMeAnything(AMA)
#Implementation
#SystemAdministration
#Unsure/Other

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC
------------------------------

Hi Chris,

I have done this a few times and never experienced what you are. Can we verify what process you are following? At a high level here is what I have done in the past

on original CIC server launch Setup Assist --> options- switchover  and then a reboot is needed i believe. Once CIC server is up and running and working

on new CIC server, installed CIC application, but in setup assistant use switchover setup.  <-- this will ask for certs from your primary CIC server and walk you through importing them. 

thank you,
 Scott


------------------------------
Scott Williams
Missouri Higher Education Loan Authority
------------------------------

Original Message:
Sent: 06-17-2021 13:53
From: Christopher Becker
Subject: manually starting system - resolving switchover implementation

Hello Paul,
we do not have any client machines, just a CIC server and a Media server - we only use Attendant to interact with web services.  It seems like this should be so simple.

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC

Original Message:
Sent: 06-17-2021 11:53
From: Paul Simpson
Subject: manually starting system - resolving switchover implementation

I'm assuming you are running IA on a client machine?

If so, you will need to delete the certificates on the client so that IA re-generates them when you start it. It is caused by you replacing the certs when setting up Switchover.

I forget the path offhand, but will post it when I've had a chance to look it up (or someone else may post first!)

To be clear: I am referring to deleting the certs on the Client, NOT the servers!!!!

------------------------------
Paul Simpson
Senior Technical Instructor

Original Message:
Sent: 06-17-2021 10:00
From: Christopher Becker
Subject: manually starting system - resolving switchover implementation

I have been trying to implement switchover on a previously stand alone system and every time i go through setup assistant, my original  Interaction Administrator will not start.
I have set the service to manual start, reboot the server, and run the gensslcertsu.exe -s command successfully.
I then manually run NotifierU.exe, DSServerU.exe  and  Adminserveru-w64.exe  and I assume I am missing a few more exe I would need to run to get it operational.

Does anyone have a list of the exe I need to run or have a possible 'next steps'?  If i try to open IC, it allows me to log in, but then hangs with an authentication error.  I am hoping there is one or 2 manual steps to get me into IA so i can trust the other server or determine more what is wrong.

Any and all help is appreciated.
#AskMeAnything(AMA)
#Implementation
#SystemAdministration
#Unsure/Other

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC
------------------------------

Hello Scott,

I have made several attempts.  Please note we are on CIC 2018R2 patch 35:
1st attempt, I installed Server B vanilla/patch  - run setup assistant as 'second server', importing certs from working Server A.  Run setup assistant on Server A to add Switchover. after restart, IA will not come up on server A (server B as vanilla has no issues rebooting.)  The servers did not see each other. I did not generate new certs on Server A. 

I restore server A, try to add switchover and generate certs, still, IA does not start on second attempt.  I try several uses of GensslcertsU and it has not seemed to help.

iteration 2 - build server B as standalone, generate it's own certs. apply switchover to server A (did not generate new certs as every attempt has failed) , reboot, apply switchover to server B, reboot, run gensslcertsu.exe -r serverB -f  (server b is just server name, not fully qualified).   Server B IA starts no problem - i trust certs (but only has server b certs)
Server A, IA does not start. I run gensslcertsu.exe -s. and exe list as above.  IA can start, but has authentication issues. All certs show as trusted. Most the expected logs are missing like tsserver.  

in reading the gensslcertsu.exe /? text, I see that many of the instructions say that it will not work if certs are missing. I know our PCI team has removed every cert not required (didnt break) by the system.  I am thinking this is the reason none of this has worked. 
We wanted to add switchover to simulate our production environment to plan our upgrade to CIC 2020 R3, but I am starting to think I should just upgrade QA first, then try to add the second server after (using a fresh install of CIC 2020 on the second server.)

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC
------------------------------

Original Message:
Sent: 06-17-2021 14:59
From: Scott Williams
Subject: manually starting system - resolving switchover implementation

Hi Chris,

I have done this a few times and never experienced what you are. Can we verify what process you are following? At a high level here is what I have done in the past

on original CIC server launch Setup Assist --> options- switchover  and then a reboot is needed i believe. Once CIC server is up and running and working

on new CIC server, installed CIC application, but in setup assistant use switchover setup.  <-- this will ask for certs from your primary CIC server and walk you through importing them.

thank you,
 Scott


------------------------------
Scott Williams
Missouri Higher Education Loan Authority

Original Message:
Sent: 06-17-2021 13:53
From: Christopher Becker
Subject: manually starting system - resolving switchover implementation

Hello Paul,
we do not have any client machines, just a CIC server and a Media server - we only use Attendant to interact with web services.  It seems like this should be so simple.

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC

Original Message:
Sent: 06-17-2021 11:53
From: Paul Simpson
Subject: manually starting system - resolving switchover implementation

I'm assuming you are running IA on a client machine?

If so, you will need to delete the certificates on the client so that IA re-generates them when you start it. It is caused by you replacing the certs when setting up Switchover.

I forget the path offhand, but will post it when I've had a chance to look it up (or someone else may post first!)

To be clear: I am referring to deleting the certs on the Client, NOT the servers!!!!

------------------------------
Paul Simpson
Senior Technical Instructor

Original Message:
Sent: 06-17-2021 10:00
From: Christopher Becker
Subject: manually starting system - resolving switchover implementation

I have been trying to implement switchover on a previously stand alone system and every time i go through setup assistant, my original  Interaction Administrator will not start.
I have set the service to manual start, reboot the server, and run the gensslcertsu.exe -s command successfully.
I then manually run NotifierU.exe, DSServerU.exe  and  Adminserveru-w64.exe  and I assume I am missing a few more exe I would need to run to get it operational.

Does anyone have a list of the exe I need to run or have a possible 'next steps'?  If i try to open IC, it allows me to log in, but then hangs with an authentication error.  I am hoping there is one or 2 manual steps to get me into IA so i can trust the other server or determine more what is wrong.

Any and all help is appreciated.
#AskMeAnything(AMA)
#Implementation
#SystemAdministration
#Unsure/Other

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC
------------------------------

Christoper,

Ok, so my first question is "have you tried running IA on a client PC?" From the context of your comments, it looks like you are only running it on the server itself? This isn't actually what is intended and I have seen instances where running it on the backup server actually connects to the backup, not the Primary. Try running on a client PC (which is the intent) and see if it help.

Secondly, I'm sorry I had to smile at "removed every cert not required (didnt break) by the system", I hate to point out the obvious, but it looks like it did break! This illustrates one of the issues we warn against in class. Allowing non-IC folks to mess around with IC machines (particularly servers) - whether that be manually or by the use of GPOs. What is their reason for removing these certs? These are used for internal communications between components and for TLS. All have a purpose and none of them should have anything to do with PCI - it looks to me like a case of a "blanket" imposing of a policy. If it REALLY is necessary, then I suggest you contact our Support team to get advice on how to proceed.

Keep us posted.

Hello Paul,

When i say IA - i mean Interaction Administrator, and I assume when you are saying IA, you mean interaction Attendant. Is this correct?  In our set up, we do not have any Clients - we use all custom handlers to interact with Web services and take Payments via the Interactive Attendant. Since we take Payment info via the Interactive Attendant, we are held to PCI standards and have several mandatory scans a year. These scans flag the Genesys self Signed certs as 'untrusted'.  I want to move to creating our own certs using our PKI and the GensslcertsU to remedy this, but that is a future project. In a way, I am a non-IC folk too, just learning the most I can as I can.

I have contacted the support team in early May, but i usually get my best answers from the community.  I have been waiting on a response for some time now.

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC
------------------------------

Original Message:
Sent: 06-20-2021 14:52
From: Paul Simpson
Subject: manually starting system - resolving switchover implementation

Christoper,

Ok, so my first question is "have you tried running IA on a client PC?" From the context of your comments, it looks like you are only running it on the server itself? This isn't actually what is intended and I have seen instances where running it on the backup server actually connects to the backup, not the Primary. Try running on a client PC (which is the intent) and see if it help.

Secondly, I'm sorry I had to smile at "removed every cert not required (didnt break) by the system", I hate to point out the obvious, but it looks like it did break! This illustrates one of the issues we warn against in class. Allowing non-IC folks to mess around with IC machines (particularly servers) - whether that be manually or by the use of GPOs. What is their reason for removing these certs? These are used for internal communications between components and for TLS. All have a purpose and none of them should have anything to do with PCI - it looks to me like a case of a "blanket" imposing of a policy. If it REALLY is necessary, then I suggest you contact our Support team to get advice on how to proceed.

Keep us posted.

------------------------------
Paul Simpson
Senior Technical Instructor

Original Message:
Sent: 06-17-2021 16:57
From: Christopher Becker
Subject: manually starting system - resolving switchover implementation

Hello Scott,

I have made several attempts.  Please note we are on CIC 2018R2 patch 35:
1st attempt, I installed Server B vanilla/patch  - run setup assistant as 'second server', importing certs from working Server A.  Run setup assistant on Server A to add Switchover. after restart, IA will not come up on server A (server B as vanilla has no issues rebooting.)  The servers did not see each other. I did not generate new certs on Server A.

I restore server A, try to add switchover and generate certs, still, IA does not start on second attempt.  I try several uses of GensslcertsU and it has not seemed to help.

iteration 2 - build server B as standalone, generate it's own certs. apply switchover to server A (did not generate new certs as every attempt has failed) , reboot, apply switchover to server B, reboot, run gensslcertsu.exe -r serverB -f  (server b is just server name, not fully qualified).   Server B IA starts no problem - i trust certs (but only has server b certs)
Server A, IA does not start. I run gensslcertsu.exe -s. and exe list as above.  IA can start, but has authentication issues. All certs show as trusted. Most the expected logs are missing like tsserver.

in reading the gensslcertsu.exe /? text, I see that many of the instructions say that it will not work if certs are missing. I know our PCI team has removed every cert not required (didnt break) by the system.  I am thinking this is the reason none of this has worked.
We wanted to add switchover to simulate our production environment to plan our upgrade to CIC 2020 R3, but I am starting to think I should just upgrade QA first, then try to add the second server after (using a fresh install of CIC 2020 on the second server.)

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC

Original Message:
Sent: 06-17-2021 14:59
From: Scott Williams
Subject: manually starting system - resolving switchover implementation

Hi Chris,

I have done this a few times and never experienced what you are. Can we verify what process you are following? At a high level here is what I have done in the past

on original CIC server launch Setup Assist --> options- switchover  and then a reboot is needed i believe. Once CIC server is up and running and working

on new CIC server, installed CIC application, but in setup assistant use switchover setup.  <-- this will ask for certs from your primary CIC server and walk you through importing them.

thank you,
 Scott


------------------------------
Scott Williams
Missouri Higher Education Loan Authority

Original Message:
Sent: 06-17-2021 13:53
From: Christopher Becker
Subject: manually starting system - resolving switchover implementation

Hello Paul,
we do not have any client machines, just a CIC server and a Media server - we only use Attendant to interact with web services.  It seems like this should be so simple.

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC

Original Message:
Sent: 06-17-2021 11:53
From: Paul Simpson
Subject: manually starting system - resolving switchover implementation

I'm assuming you are running IA on a client machine?

If so, you will need to delete the certificates on the client so that IA re-generates them when you start it. It is caused by you replacing the certs when setting up Switchover.

I forget the path offhand, but will post it when I've had a chance to look it up (or someone else may post first!)

To be clear: I am referring to deleting the certs on the Client, NOT the servers!!!!

------------------------------
Paul Simpson
Senior Technical Instructor

Original Message:
Sent: 06-17-2021 10:00
From: Christopher Becker
Subject: manually starting system - resolving switchover implementation

I have been trying to implement switchover on a previously stand alone system and every time i go through setup assistant, my original  Interaction Administrator will not start.
I have set the service to manual start, reboot the server, and run the gensslcertsu.exe -s command successfully.
I then manually run NotifierU.exe, DSServerU.exe  and  Adminserveru-w64.exe  and I assume I am missing a few more exe I would need to run to get it operational.

Does anyone have a list of the exe I need to run or have a possible 'next steps'?  If i try to open IC, it allows me to log in, but then hangs with an authentication error.  I am hoping there is one or 2 manual steps to get me into IA so i can trust the other server or determine more what is wrong.

Any and all help is appreciated.
#AskMeAnything(AMA)
#Implementation
#SystemAdministration
#Unsure/Other

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC
------------------------------

I actually mean Interaction Administrator, but it applies to Attendant as well. (In fact all of the client applications.)

I believe you can set the system up to use an externally signed certificate, for the CA, but all of the certificates that are there are, IMHO necessary.

HTH

Regarding the external certificates issue, please see this recent community thread.

Hi Chris,

I have looked through my notes and this is the process i followed:

Built CIC Server 2 as standalone
Server 1 ran setup assistant to install switchover, generated new certs rebooted server
 Once Server 1 is up run setup assistant on server 2, imported certs that was generated on Server 1 and rebooted
On server 1 launched switchover control application and verify primary and secondary show connected.


------------------------------
Scott Williams
Missouri Higher Education Loan Authority
------------------------------

Original Message:
Sent: 06-17-2021 16:57
From: Christopher Becker
Subject: manually starting system - resolving switchover implementation

Hello Scott,

I have made several attempts.  Please note we are on CIC 2018R2 patch 35:
1st attempt, I installed Server B vanilla/patch  - run setup assistant as 'second server', importing certs from working Server A.  Run setup assistant on Server A to add Switchover. after restart, IA will not come up on server A (server B as vanilla has no issues rebooting.)  The servers did not see each other. I did not generate new certs on Server A.

I restore server A, try to add switchover and generate certs, still, IA does not start on second attempt.  I try several uses of GensslcertsU and it has not seemed to help.

iteration 2 - build server B as standalone, generate it's own certs. apply switchover to server A (did not generate new certs as every attempt has failed) , reboot, apply switchover to server B, reboot, run gensslcertsu.exe -r serverB -f  (server b is just server name, not fully qualified).   Server B IA starts no problem - i trust certs (but only has server b certs)
Server A, IA does not start. I run gensslcertsu.exe -s. and exe list as above.  IA can start, but has authentication issues. All certs show as trusted. Most the expected logs are missing like tsserver.

in reading the gensslcertsu.exe /? text, I see that many of the instructions say that it will not work if certs are missing. I know our PCI team has removed every cert not required (didnt break) by the system.  I am thinking this is the reason none of this has worked.
We wanted to add switchover to simulate our production environment to plan our upgrade to CIC 2020 R3, but I am starting to think I should just upgrade QA first, then try to add the second server after (using a fresh install of CIC 2020 on the second server.)

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC

Original Message:
Sent: 06-17-2021 14:59
From: Scott Williams
Subject: manually starting system - resolving switchover implementation

Hi Chris,

I have done this a few times and never experienced what you are. Can we verify what process you are following? At a high level here is what I have done in the past

on original CIC server launch Setup Assist --> options- switchover  and then a reboot is needed i believe. Once CIC server is up and running and working

on new CIC server, installed CIC application, but in setup assistant use switchover setup.  <-- this will ask for certs from your primary CIC server and walk you through importing them.

thank you,
 Scott


------------------------------
Scott Williams
Missouri Higher Education Loan Authority

Original Message:
Sent: 06-17-2021 13:53
From: Christopher Becker
Subject: manually starting system - resolving switchover implementation

Hello Paul,
we do not have any client machines, just a CIC server and a Media server - we only use Attendant to interact with web services.  It seems like this should be so simple.

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC

Original Message:
Sent: 06-17-2021 11:53
From: Paul Simpson
Subject: manually starting system - resolving switchover implementation

I'm assuming you are running IA on a client machine?

If so, you will need to delete the certificates on the client so that IA re-generates them when you start it. It is caused by you replacing the certs when setting up Switchover.

I forget the path offhand, but will post it when I've had a chance to look it up (or someone else may post first!)

To be clear: I am referring to deleting the certs on the Client, NOT the servers!!!!

------------------------------
Paul Simpson
Senior Technical Instructor

Original Message:
Sent: 06-17-2021 10:00
From: Christopher Becker
Subject: manually starting system - resolving switchover implementation

I have been trying to implement switchover on a previously stand alone system and every time i go through setup assistant, my original  Interaction Administrator will not start.
I have set the service to manual start, reboot the server, and run the gensslcertsu.exe -s command successfully.
I then manually run NotifierU.exe, DSServerU.exe  and  Adminserveru-w64.exe  and I assume I am missing a few more exe I would need to run to get it operational.

Does anyone have a list of the exe I need to run or have a possible 'next steps'?  If i try to open IC, it allows me to log in, but then hangs with an authentication error.  I am hoping there is one or 2 manual steps to get me into IA so i can trust the other server or determine more what is wrong.

Any and all help is appreciated.
#AskMeAnything(AMA)
#Implementation
#SystemAdministration
#Unsure/Other

------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC
------------------------------