Active IQ Unified Manager Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Active IQ Unified Manager Discussions

Ask a Question

Ocum and dataontap c-cmode ca-signed certificates: "Unreachable cluster"

rtorresani
‎2015-11-20 04:55 AM
3,215 Views

Hi all,

 our netapp running dataontap 8.3 are to expiring ssl certificates.

 

I followed those instructions:

 

- "Installing a server certificate to authenticate the cluster or SVM as an SSL server" (system admin guide x cluster admins 8.3)

- KB ID: 1014389 "How to renew an SSL certificate in clustered Data ONTAP"

 

using a CA signed certificate (our internal CA).

 

System manager works fine and is using the correct certificate, but in Ocum albeit it asks me "should I trust the CA" (I answered yes of course) I started getting "Unreachable cluster".

I tried to rediscover the cluster, but the error remains.

Finally I removed the CA-signed certificate and generate a self-signed certificate, and with this one it works fine.

 

Are there any particular procedure to follow to use CA signed certs?

 

Roberto

0 Kudos
View By:
Tags (3)
4 REPLIES 4

argiri
NetApp Alumni
‎2015-11-22 08:47 PM
3,059 Views

Can you please clarify whether the ocum is 5.x or 6.x?

 

Thanks

Giridhar

0 Kudos

rtorresani
‎2015-11-23 12:08 AM
In response to argiri
3,051 Views

The version involved are dataontap 8.3p2 and ocum 6.3

 

Roberto

0 Kudos

msaravan
NetApp
‎2015-11-24 03:59 AM
In response to rtorresani
3,025 Views

Hi Robert,

 

Thanks for reaching out to us. I heard this problem from one of the other customer too.


Can you please provide the following information to diagnose it further: 

 

* Screen shot of the error

* Your actual certificate (If you dont want to share the information over community, please mail me the details to msaravan@netapp.com. 

* Are you using Windows CA server to sign the certificates ? Can you please brief more about the configuration of your CA server.

 

If it is of high interest to monitor this system from OCUM, you can use HTTP protocol for time being until this issue gets fixed.

 

Regards,

Saravanan

0 Kudos

rtorresani
‎2015-11-27 01:00 AM
In response to msaravan
2,986 Views

Hello,

 yes it's a Windows CA, but I found out a strange behaviour: after 24 hours of complaining about "cluster not reachable", suddendly OCUM managed to monitor the cluster and the error went away.

 

Googling around I read something about session pooling where sessions keeps using old certificate, but I can remember where I read this.

 

Does it sounds meaningful ?

 

Cheers,

Roberto

0 Kudos
All Community Forums
Public