Active IQ Unified Manager Discussions
I just installed OCUM 6.1 and I am trying to add some clusters. I added the first one without a problem, but when I tried to install the second one it complained that the self-signed certificate had expired. Sure enough, I logged on to the cluster and the certificate was expired. I used the following command to create a new certificate:
security certificate create -vserver add-n1-nas2 -common-name add-n1-nas2.cert -expire-days 365 -type server
Unfortunately I still received the error that the certificate was expired. I figured it was still using the older certificate, so I deleted the old one. Apparently that was a mistake, because now OCUM is simply stating "Cannot establish communication to the host <IP> over SSL". I tried disabling and enabling the "portal" and "ontapi" web services (hoping that would restart the web server), all to no avail.
Anyone have any ideas what is going on? And/or what to look at to figure this out?
Thanks,
Keith
Hi Keith Cantrell,
Welcome to communities.
The Clustered Data ONTAP SSL certificate regeneration procedure is KB'ed here.
https://kb.netapp.com/support/index?page=content&id=S:1014389&actp=LIST&showDraft=true
Please follow exact steps mentioned here.
Do let us know if the above KB isn't helping
-Srinivas
Yes, thank you! Following the idea of the KB resolved the issue. I said "Following the idea" because I assume those instructions were written for 8.1 because they are slightly different for 8.2. Regardless, it pointed out that I had to enable the "ssl service" after I removed the certificate.
Thanks!
I am glad that you are able to add the cluster to OCUM 6.1 now.
I will ask the KB team to update the KB article for 8.2 as well.
Thank you for the feedback.
-Srinivas.
Hi Venka,
I am having a different issue with certificate creation. I am supposed to create a certificate for our storage nodes, but when I use the create certificate commands, I get this error:
command failed: cannot store certificate.
I do not know what is the cause of the error but these storage nodes are not vservers, and in the KB you sent, certificate creation specifies a vserver:
security certificate create -vserver christoh-svm1 -common-name christoh-svm1.cert -size 2048 -type server -country US -expire-days 3650 -hash-function SHA256
Do you have an idea how I can fix this issue?
Thank you!
Regards,
AJ
What version of ONTAP?
I've been able to execute your syntax on my lab cluster with no issues.
Your common-name does not require the .cert extension. It works, but it isn't required here and really doesn't fit the below from the man page:
-common-name <FQDN or Custom Common Name> - FQDN or Custom Common Name This specifies the desired certificate name as a fully qualified domain name (FQDN) or custom common name or the name of a person.
Hi, our ONTAP version is 8.3.1 and by the way, I have managed to fix this problem already.
Node certificate is not required in ONTAP 8.3.1, cluster certificate is enough according to this KB: https://kb.netapp.com/support/index?page=content&id=2024831&actp=LIST_RECENT&viewlocale=en_US&searchid=1454560353066
Thanks.
Guys, do we have a link that works for that KB? I can't see it and have a similar issue.
I quickly created this powershell script to reissue expired or expiring certificates after one of my customers had several clusters with expired certs. Just script out the connections to the clusters and have it call this function once connected and it will push out all the expiration dates.
#REQUIRES -Version 4.0 -Modules DATAONTAP
function update-netappCertificates {
<#
.SYNOPSIS
Checks the certificates on a cluster and replaces them if they have expired or expire within N years.
.DESCRIPTION
Checks the certificates on a cluster and replaces them if they have expired or expire within N years.
.EXAMPLE
update-netappCertificates -Years 2
.PARAMETER Years
Number of years of remaining validity below which a certificate is replaced.
.LINK
Connect-NcController
.LINK
Get-NcSecurityCertificate
.LINK
New-NcSecurityCertificate
.LINK
Remove-NcSecurityCertificate
#>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True, ValueFromPipeline=$False)]
        [int]$Years
    )
    BEGIN {
        $ErrorActionPreference = 'stop'
        $today = Get-Date
        $date  = $today.AddYears($Years)
        $days  = 3644   # validity of the replacement certificate in days (just under 10 years)
        Write-Verbose "Today is $today"
        Write-Verbose "Looking for certificates before $date"
    }
    PROCESS {
        $certificates = Get-NcSecurityCertificate
        foreach ($certificate in $certificates) {
            if ($certificate.ExpirationDateDT -le $date) {
                try {
                    # Create the replacement first, then remove the old certificate by serial number
                    New-NcSecurityCertificate -Vserver $certificate.Vserver -CommonName $certificate.CommonName -Type $certificate.Type -Size $certificate.Size -Country $certificate.Country -ExpireDays $days -HashFunction $certificate.HashFunction -Confirm:$false
                    Remove-NcSecurityCertificate -Vserver $certificate.Vserver -CommonName $certificate.CommonName -SerialNumber $certificate.SerialNumber -Type $certificate.Type -CertificateAuthority $certificate.CertificateAuthority -Confirm:$false
                }
                catch {
                    # $ErrorActionPreference is 'stop', so Write-Error needs -ErrorAction Continue
                    # or the first failure would abort the whole run; skip to the next certificate instead
                    Write-Error "Failed to replace $($certificate.CommonName) on $($certificate.Vserver)" -ErrorAction Continue
                    Write-Error $_ -ErrorAction Continue
                    continue
                }
                $newcert = Get-NcSecurityCertificate -Vserver $certificate.Vserver -CommonName $certificate.CommonName -Type $certificate.Type -Size $certificate.Size
                if ($newcert) {
                    # Bind the SSL service to the new certificate; after the old one is removed the
                    # vserver otherwise has no usable SSL configuration (the "cannot establish communication" state)
                    Set-NcSecuritySsl -Vserver $certificate.Vserver -CertificateAuthority $newcert.CertificateAuthority -CertificateSerialNumber $newcert.SerialNumber -EnableClientAuthentication $false -EnableServerAuthentication $true -Confirm:$false | Out-Null
                    Write-Host "$($certificate.CommonName) on $($certificate.Vserver) serial number $($certificate.SerialNumber) has been replaced by $($newcert.SerialNumber) which will expire $($newcert.ExpirationDateDT)"
                    Write-Verbose "Certificate $($certificate.CommonName) from vserver $($certificate.Vserver) with expiration of $($certificate.ExpirationDateDT) and serial $($certificate.SerialNumber) has been updated to $($newcert.ExpirationDateDT) and Serial Number of $($newcert.SerialNumber)"
                }
            }
        }
    }
    END { }
}
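A read-only companion to the script above, added here as an example and not part of the thread: it reports certificates that are expired or close to expiring, and separately flags SVMs whose SSL configuration points at a certificate that no longer exists or has server authentication disabled, which is the state Keith ended up in after deleting the expired certificate. It assumes an existing Connect-NcController session and that Get-NcSecuritySsl returns Vserver, CertificateSerialNumber and ServerAuthenticationEnabled properties (an assumption based on the Set-NcSecuritySsl parameters used above).

```powershell
#REQUIRES -Version 4.0 -Modules DATAONTAP
# Added example, not the thread author's code. Audits certificate health without changing anything.
# Assumes: an active Connect-NcController session; Get-NcSecuritySsl objects expose
# Vserver, CertificateSerialNumber and ServerAuthenticationEnabled (assumed property names).
function Test-NetAppCertificateHealth {
    [CmdletBinding()]
    param(
        # Report server certificates expiring within this many days
        [Parameter(Mandatory = $true)][int]$Days
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($Days)
    $certs  = Get-NcSecurityCertificate
    $sslCfg = Get-NcSecuritySsl

    # 1. Expiry check on server certificates only (CA-type entries are not reissued the same way)
    foreach ($c in ($certs | Where-Object { $_.Type -eq 'server' })) {
        $finding = if ($c.ExpirationDateDT -lt $now)     { 'EXPIRED' }
                   elseif ($c.ExpirationDateDT -le $cutoff) { 'EXPIRING' }
                   else                                     { $null }
        if ($finding) {
            [pscustomobject]@{
                Vserver    = $c.Vserver
                CommonName = $c.CommonName
                Serial     = $c.SerialNumber
                Expires    = $c.ExpirationDateDT
                Finding    = $finding
            }
        }
    }

    # 2. Binding check: the SSL config must reference a certificate that still exists and have
    #    server authentication enabled; otherwise clients see a generic SSL connection failure
    #    rather than a certificate-expired error.
    foreach ($s in $sslCfg) {
        $bound = $certs | Where-Object {
            $_.Vserver -eq $s.Vserver -and $_.SerialNumber -eq $s.CertificateSerialNumber
        }
        $finding = if (-not $bound) { 'SSL_BOUND_TO_MISSING_CERT' }
                   elseif (-not $s.ServerAuthenticationEnabled) { 'SERVER_AUTH_DISABLED' }
                   else { $null }
        if ($finding) {
            [pscustomobject]@{
                Vserver    = $s.Vserver
                CommonName = $bound.CommonName
                Serial     = $s.CertificateSerialNumber
                Expires    = $bound.ExpirationDateDT
                Finding    = $finding
            }
        }
    }
}
```

Run it per connected cluster (for example `Test-NetAppCertificateHealth -Days 90 | Format-Table`) before adding the cluster to OCUM, so an expired certificate or a broken SSL binding is caught on the storage side rather than as an OCUM error.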