Recovery Scripts

This topic describes the following procedures:


Use this script on the EP server in the following cases:

  • None of the root partition client appliances have a valid root partition certificate.
  • You need to update the list of EP alternative names stored in its certificate.

sudo /opt/ekm/bin/
[-n,--names <arg>] // CSV list of the local appliance's alternative names
[-s,--self <arg>] // local appliance identifier (hostname or ip)
[-o <port>] // EP Bootstrap-Port
[-w,--password <arg>] // the client PFX password

The -n option allows updating the comma-separated list of the alternative EP names (Subject Alternative Names) in the EP's certificate (/etc/ekm/ssl/cert.crt) as follows:

  • Valid IP addresses are stored and tagged with the "IP Address =" tag.
  • Valid hostname strings are stored and tagged with the "DNS Name=" tag.
  • Everything else on the list is ignored.


sudo /opt/ekm/bin/ \
--name ekmloadbalancer.demo.local,

To run the in sudo-less installation, see Running CORE Scripts in Sudo-less Installation


To reset the root SOClosedSecurity officer - UKC partition administrator role. password, run the following script:

sudo /opt/ekm/bin/
[-n,--name <arg>] // the SO name (default: so)
-w,--password <arg> // the new root so password
[-s,--self <arg>] // EP Certified-IP
[-o <port>] // EP Bootstrap-Port.


Forcefully adjust the specified partition's quorum size to the number of non-blocked SOs in the specified partition.

sudo /opt/ekm/bin/
[-n,--name <arg>] name of the partition
[-s,--self <arg>] // EP Certified-IP
[-o <port>] // EP Bootstrap-Port.