Active IQ Unified Manager Discussions

Ocum and dataontap c-cmode ca-signed certificates: "Unreachable cluster"

rtorresani
3,795 Views

Hi all,

 our netapp running dataontap 8.3 are to expiring ssl certificates.

 

I followed those instructions:

 

- "Installing a server certificate to authenticate the cluster or SVM as an SSL server" (system admin guide x cluster admins 8.3)

- KB ID: 1014389 "How to renew an SSL certificate in clustered Data ONTAP"

 

using a CA signed certificate (our internal CA).

 

System manager works fine and is using the correct certificate, but in Ocum albeit it asks me "should I trust the CA" (I answered yes of course) I started getting "Unreachable cluster".

I tried to rediscover the cluster, but the error remains.

Finally I removed the CA-signed certificate and generate a self-signed certificate, and with this one it works fine.

 

Are there any particular procedure to follow to use CA signed certs?

 

Roberto

4 REPLIES 4

argiri
3,639 Views

Can you please clarify whether the ocum is 5.x or 6.x?

 

Thanks

Giridhar

rtorresani
3,631 Views

The version involved are dataontap 8.3p2 and ocum 6.3

 

Roberto

msaravan
3,605 Views

Hi Robert,

 

Thanks for reaching out to us. I heard this problem from one of the other customer too.


Can you please provide the following information to diagnose it further: 

 

* Screen shot of the error

* Your actual certificate (If you dont want to share the information over community, please mail me the details to msaravan@netapp.com. 

* Are you using Windows CA server to sign the certificates ? Can you please brief more about the configuration of your CA server.

 

If it is of high interest to monitor this system from OCUM, you can use HTTP protocol for time being until this issue gets fixed.

 

Regards,

Saravanan

rtorresani
3,566 Views

Hello,

 yes it's a Windows CA, but I found out a strange behaviour: after 24 hours of complaining about "cluster not reachable", suddendly OCUM managed to monitor the cluster and the error went away.

 

Googling around I read something about session pooling where sessions keeps using old certificate, but I can remember where I read this.

 

Does it sounds meaningful ?

 

Cheers,

Roberto

Public