
Clarification of CPPM database server certificate requirements prior to CPPM upgrade

1. Clarification of CPPM database server certificate requirements prior to CPPM upgrade

    Posted Jun 23, 2020 07:32 AM

    Having just gone through a nightmare CPPM upgrade (something that has just worked for years), I'm trying to ascertain whether there are any specific database cert requirements that need to be set up before an upgrade.

    Our cluster nodes each have a locally generated cert with a SAN entry containing:

    DNS:<IP address of cluster node>


    I think the reason for the SAN entry was to do with a failure to sync all the cluster nodes: you had to have the DNS (not IP) SAN entry for node synchronisation.

    With our dev cluster, when trying to resolve the upgrade issue, TAC added these self-signed certs to the certificate trust list.


    On our production cluster, while we have the self-signed db certs, they aren't in the cert trust list.


    Understandably I'm a bit concerned that I don't have the same meltdown on our production cluster that happened on our dev one... it took days to fix and involved copy/pasting configs from one (standalone) server to another and then recreating our cluster, not to mention re-adding all our licenses.


    For the dev system, it was simple to point our building switches etc. at the production cluster... not so easy if we have to do the same thing from production -> dev!


    (FYI, the issue I had was that the MP upgraded successfully but the secondary kept failing because it couldn't determine the version of the master. A revert of the master to the same release as the secondary didn't result in db synchronisation. Ended up with what looked like a correctly configured cluster, but any external RADIUS auths resulted in CPPM sending back an ICMP "no route to host". The solution was to trash the db and type the config in, as TAC thought the backup was corrupt in some way. This was 6.8.4 -> 6.8.5, BTW.)


    After everything was restored... a 6.8.5 -> 6.8.6 "just worked" as usual.


    Production is 6.8.4 and we are planning an upgrade to 6.8.6.
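As an added example (not from the original post, and not a ClearPass tool): a pre-upgrade check that reads a node's database certificate in PEM form and confirms its subjectAltName carries a `DNS:` entry (not an `IP Address:` entry) equal to the node address, which is the requirement the post describes. The cert used below is a constructed, throwaway self-signed one and `10.0.0.1` is a placeholder node address; the functions assume a local `openssl` binary of version 1.1.1 or later.

```shell
#!/bin/sh
# Added example: verify that a PEM certificate's subjectAltName contains a
# DNS: entry matching a given node address. The post says cluster sync needed
# DNS:<IP>, not IP:<IP>, so an IP Address: entry alone would fail this check.
# Requires OpenSSL 1.1.1+ (for -ext and -addext).
set -e

# san_dns_entries CERT_PEM -> prints each DNS: SAN value, one per line
san_dns_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_has_dns_san CERT_PEM NODE_ADDR -> exit 0 if a DNS: entry equals NODE_ADDR
cert_has_dns_san() {
    san_dns_entries "$1" | grep -qx "$2"
}

# make_test_cert OUT_PEM NODE_ADDR -> constructed self-signed cert with
# subjectAltName=DNS:<NODE_ADDR>, used only as a test fixture here
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage: sh check_san.sh <node-cert.pem> <node-address>
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    if cert_has_dns_san "$1" "$2"; then
        echo "OK: $1 has DNS:$2 in its SAN"
    else
        echo "MISSING: $1 has no DNS:$2 SAN entry (DNS entries found: $(san_dns_entries "$1" | tr '\n' ' '))"
        exit 1
    fi
fi
```

Run it once per cluster node against that node's database server cert and its address before starting the upgrade; a MISSING result is the case to raise with TAC before touching the master.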