Certificate Issues/Questions


!!!!First off, there is a Tech Note coming on this!!!!

I know there have been a lot of questions on certs and what is recommended.

It's never easy trying to put all the answers in a format that a person who has no experience with certs can understand, but I will try my best here.

Let's see if I can get this in one shot.... :smileylol:

With the previous releases (6.1.2 Patch 2 and below) there is a limitation if you are running in a cluster with auto-promotion of a subscriber to publisher.

Again, this is for onboarding and Guest, where the certificate FQDN comes into question: CPPM looks at the address to see if it matches the cert CN and the server's FQDN, and if it doesn't it will post the

 

"Onboard provisioning can not be performed at this host address. If you were redirected here, please contact a network administrator."

 

For example:


====================================================================================================

Wrong

VIP: FQDN=cppm.server.com IP=10.80.x.100
-----------------------------------------------------------------------------------------------------------------------------------------

Server 1: FQDN=cppm1.server.com IP=10.80.x.101

Cert. CN=Server1FQDN

SAN=DNS:Server1FQDN,DNS:VIPFQDN,DNS:Server1FQDN,DNS:Server2FQDN,IP:10.80.x.100,IP:10.80.x.101,IP:10.80.x.102
-----------------------------------------------------------------------------------------------------------------------------------------

Server 2: FQDN=cppm2.server.com IP=10.80.x.102

Cert. CN=Server2FQDN

SAN=DNS:Server2FQDN,DNS:VIPFQDN,DNS:Server1FQDN,DNS:Server2FQDN,IP:10.80.x.100,IP:10.80.x.101,IP:10.80.x.102
-----------------------------------------------------------------------------------------------------------------------------------------

If you connect to the VIP and try to onboard you will get the error "Onboard provisioning can not be performed at this host address. If you were redirected here, please contact a network administrator."

 

====================================================================================================

Right

VIP: FQDN=cppm.server.com IP=10.80.x.100
-----------------------------------------------------------------------------------------------------------------------------------------

Server 1: FQDN=cppm1.server.com IP=10.80.x.101

Cert. CN=VIPFQDN

SAN=DNS:Server1FQDN,DNS:VIPFQDN,DNS:Server1FQDN,DNS:Server2FQDN,IP:10.80.x.100,IP:10.80.x.101,IP:10.80.x.102
-----------------------------------------------------------------------------------------------------------------------------------------

Server 2: FQDN=cppm2.server.com IP=10.80.x.102

Cert. CN=VIPFQDN

SAN=DNS:Server2FQDN,DNS:VIPFQDN,DNS:Server1FQDN,DNS:Server2FQDN,IP:10.80.x.100,IP:10.80.x.101,IP:10.80.x.102
-----------------------------------------------------------------------------------------------------------------------------------------

 

When a client looks at a certificate it will always read the SAN entries, if they are included, instead of the CN value; the current release of CPPM, however, looks at the CN value during the onboarding process. You can name the VIP the same FQDN as the Publisher if the cost of SAN entries comes into play.

 

====================================================================================================

As of 6.1.2 Patch 3 and 6.2 that limitation no longer exists, so you can now use the FQDN of each server as the CN; the first example above, marked wrong, is now usable.

Below is an example where the VIP FQDN is the same as the Publisher FQDN.

 

VIP: FQDN=cppm.server.com IP=10.80.x.100
-----------------------------------------------------------------------------------------------------------------------------------------

Server 1: FQDN=cppm.server.com IP=10.80.x.101

Cert. CN=cppm.server.com (VIP FQDN)

SAN=DNS:Server1FQDN,DNS:VIPFQDN,DNS:Server2FQDN,IP:10.80.x.100,IP:10.80.x.101,IP:10.80.x.102
-----------------------------------------------------------------------------------------------------------------------------------------

Server 2: FQDN=cppm2.server.com IP=10.80.x.102

Cert. CN=Server2FQDN

SAN=DNS:Server2FQDN,DNS:VIPFQDN,DNS:Server2FQDN,IP:10.80.x.100,IP:10.80.x.101,IP:10.80.x.102
-----------------------------------------------------------------------------------------------------------------------------------------
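As an added example (not from this post and not Aruba's own code), here is a small Python model of the two checks the post contrasts: the legacy CPPM onboarding check that compares only the CN against the address the client used, and the SAN-first matching a browser or OS performs. The certificates are Server 1 from the "Wrong" and "Right" layouts above; the "x" in the 10.80.x.* addresses is replaced with a constructed 1 so the values parse.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for the name fields of an X.509 cert (constructed, not parsed)."""
    cn: str
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)


# Server 1's cert from the post's "Wrong" and "Right" layouts. The post writes the
# addresses as 10.80.x.*; the third octet is set to 1 here so they parse (constructed).
CLUSTER_DNS = ["cppm1.server.com", "cppm.server.com", "cppm2.server.com"]
CLUSTER_IPS = ["10.80.1.100", "10.80.1.101", "10.80.1.102"]
WRONG_SERVER1 = Cert(cn="cppm1.server.com", san_dns=CLUSTER_DNS, san_ip=CLUSTER_IPS)
RIGHT_SERVER1 = Cert(cn="cppm.server.com", san_dns=CLUSTER_DNS, san_ip=CLUSTER_IPS)


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive label-by-label match; a '*' label matches exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(a in ("*", b) for a, b in zip(p, h))


def matches_cn_only(cert: Cert, address: str) -> bool:
    """Legacy CPPM onboarding check (6.1.2 Patch 2 and below): the CN must equal the
    address the client used, so the VIP FQDN fails unless it is the CN."""
    return cert.cn.lower() == address.lower()


def matches_client(cert: Cert, address: str) -> bool:
    """What a browser or OS does: SAN entries are authoritative when present (RFC 6125);
    an IP address only ever matches an IP SAN entry; CN is a fallback with no SAN DNS names."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(s) for s in cert.san_ip)
    if cert.san_dns:
        return any(_dns_match(p, address) for p in cert.san_dns)
    return _dns_match(cert.cn, address)


def onboard_via_vip(cert: Cert, vip_fqdn: str = "cppm.server.com") -> dict:
    """Outcome of onboarding through the VIP under both checks, as {check: ok}."""
    return {"cn_only": matches_cn_only(cert, vip_fqdn), "client": matches_client(cert, vip_fqdn)}
```

Running `onboard_via_vip` on both certs shows why the "Wrong" layout only fails on the older CPPM release: the client side is satisfied by the SAN, the CN-only check is not.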

 

 

A couple of notes:

1. Make sure you set your DNS to point to the VIP. You will only be able to access the publisher by IP or through the VIP.

2. If you use the IP addresses for any reason, make sure you also include them in the SAN entries. If you only use FQDNs then disregard the IP: entries.

Thank You,
Troy
