Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass database cert renewal

  • 1.  Clearpass database cert renewal

    Posted Dec 06, 2022 04:21 AM
    I have a Clearpass cluster with two members. The database certificate has expired, causing the cluster to break. I am going to renew the database certificate with a self-signed one and reboot the publisher. I am looking for some help on the process required.
    After I update the publisher certificate, will the subscriber rejoin the cluster or do I need to import the certificate to it first?
    Will I need to drop the subscriber and re-add to the cluster?


  • 2.  RE: Clearpass database cert renewal
    Best Answer

    Posted Dec 06, 2022 04:43 AM
    Hi

    Depending on how long the database certificate has been invalid, the subscriber can automatically reconnect to the publisher. If the certificate expired less than 24 hours ago, the subscriber will hopefully connect back to the Publisher without any issues.
    But if more than 24 hours have passed since the certificate became invalid, you must drop the subscriber and make it a subscriber again.

    If you need to drop the subscriber, do not clear the configuration. This way you will have the correct certificates installed in the trust list needed to make it a subscriber again.

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSP, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
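The answer above hinges on how long ago the database certificate expired (under or over 24 hours). The following is an added example, not from this thread or from HPE Aruba, showing how an operator can check that from a PEM copy of the certificate. It assumes the certificate has already been exported to a file, and that `openssl` and GNU `date` are available; the sample certificate it generates is constructed for the demonstration only.

```shell
#!/bin/sh
# Added example (not from the thread or from HPE Aruba): classify a PEM
# certificate as valid, expired for under 24 hours, or expired for 24 hours
# or more, the threshold the answer above gives for automatic reconnection.
# Assumptions: openssl on PATH, GNU date (for -d parsing), POSIX sh.

cert_not_after_epoch() {
  # Print the certificate's notAfter timestamp as Unix epoch seconds.
  pem="$1"
  not_after=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
  date -u -d "$not_after" +%s
}

db_cert_state() {
  # $1 = PEM file, $2 = reference time as epoch seconds (defaults to now).
  # Prints one of: valid | expired-under-24h | expired-over-24h
  pem="$1"
  now="${2:-$(date -u +%s)}"
  end=$(cert_not_after_epoch "$pem")
  age=$(( now - end ))
  if [ "$age" -lt 0 ]; then
    echo "valid"
  elif [ "$age" -lt 86400 ]; then
    echo "expired-under-24h"
  else
    echo "expired-over-24h"
  fi
  return 0
}

make_sample_cert() {
  # Constructed sample: a self-signed cert valid for one day, written to $1.
  # (A real check would use the database certificate exported from the node.)
  out="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=clearpass-db-sample" \
    -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

# Usage: sh check_db_cert.sh /path/to/db-cert.pem
if [ "$#" -ge 1 ]; then
  db_cert_state "$1"
fi
```

If the result is `expired-over-24h`, the reply above says the subscriber will not reconnect on its own and must be dropped and re-added; if it is `expired-under-24h`, it is worth waiting briefly after the publisher certificate is renewed before dropping anything.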



  • 3.  RE: Clearpass database cert renewal

    Posted Dec 06, 2022 07:02 AM
    OK, it's more than 24 hours so I will need to drop the subscriber.


  • 4.  RE: Clearpass database cert renewal

    Posted Dec 06, 2022 08:07 AM
    Do I drop the subscriber first, then update the certificate or does it not matter?


  • 5.  RE: Clearpass database cert renewal

    Posted Dec 06, 2022 08:20 AM
    Hi

    I don't think it matters, because you have already lost the communication between the two nodes.
    You may need to drop the node from both the publisher and the subscriber side due to the lost communication. Start from the publisher side and see if the subscriber can react to the operation. If not, drop it also from the subscriber.

    Check also the second checkbox in the drop subscriber dialog to retain the configuration of the server.

    During the operation to drop and the following operation to make it a subscriber again, the server will not be able to respond to authentication requests.
    If your network infrastructure, such as switches and WLAN, doesn't have redundant RADIUS configuration, you should perform the operation outside office hours.

    Also keep in mind that if the cluster has VIP addresses configured, you need to remove the VIP configuration from the subscriber before the drop is tried.

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSP, ACEP, ACSA
    Aranya AB
    ------------------------------



  • 6.  RE: Clearpass database cert renewal

    Posted Dec 06, 2022 08:37 AM
    Thanks for this. Just a couple more things to confirm please :)
    If I need to drop the subscriber from the subscriber side, would it be via the CLI using the 'cluster drop-subscriber' command? I don't think there is a way via the GUI.
    And lastly, I only need to update the database certificate on the Publisher, correct? Or do I need to do something on the subscriber too?


  • 7.  RE: Clearpass database cert renewal

    Posted Dec 06, 2022 08:51 AM
    If you need to drop on the subscriber node, you can do it from both the GUI and the CLI.
    From the GUI you find the option under Administration\Server Manager\Server Configuration. Select the radio button for the subscriber and click the Drop Subscriber button to the far right.

    If the database certificate for the subscriber is ok, you do not need to update this certificate.

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSP, ACEP, ACSA
    Aranya AB
    ------------------------------



  • 8.  RE: Clearpass database cert renewal

    Posted Dec 06, 2022 09:03 AM
    Great, thank you. I think the subscriber cert is out of date too, so I will update it as well.