Security

  • 1.  CPPM 6.8 Database Certificate SAN Validation

    Posted Mar 29, 2020 02:16 PM

    Hello all,  I opened TAC case #5346209868 because I believe there may be a bug in the way that ClearPass 6.8.3 and 6.8.5 validates the publisher database certificate when attempting to join a subscriber to the cluster.  I know that the database certificate needs a subject alternate name referring to the IP address of the publisher.  The issue that I have is that per RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile the certificate should be able to take an IP: based SAN.  When I generated certificates for use for ClearPass databases, I kept getting errors until I made the IP Address a DNS: based SAN.  I believe that ClearPass should allow the IP address based SAN as well.



  • 2.  RE: CPPM 6.8 Database Certificate SAN Validation

    Posted Mar 29, 2020 10:58 PM

    Hi,

    The database certificate is validated based on the SAN >> DNS entry carrying the server IP address; this is by design. You are correct about the IP based SAN in general, but for the ClearPass database certificate, follow SAN >> DNS >> "local node IP address".

    Note - The IP address that you enter in SAN >> DNS for the database certificate should be the local node IP.



  • 3.  RE: CPPM 6.8 Database Certificate SAN Validation

    Posted Mar 30, 2020 04:49 AM

    This is not a bug.

    It must be a public cert; if not, you can disable this check from the CLI.

    You can follow this doc:

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=36443



  • 4.  RE: CPPM 6.8 Database Certificate SAN Validation

    Posted Mar 30, 2020 08:03 AM

    Okay, so let's assume I can find a public CA to issue a SAN as an IP address. GlobalSign, for example, states that I cannot use an IP address in a DNS field for the SAN; it needs to be in an IP field. So I am back to my original request to have ClearPass enhanced to validate an IP type SAN as well as a DNS type SAN for a database certificate.



  • 5.  RE: CPPM 6.8 Database Certificate SAN Validation

    Posted Mar 30, 2020 04:48 PM

    The database certificate requires SAN >> DNS:<local node IP> and does not work with SAN >> IP:<IP address> as per the current design. I do agree that public CAs won't support DNS with IP addresses, but the current design requires it. Please consider signing the database certificate using an internal PKI instead of a public CA for now.

    @KellyKnowles wrote:

    Okay, so let's assume I can find a public CA to issue a SAN as an IP address. GlobalSign, for example, states that I cannot use an IP address in a DNS field for the SAN; it needs to be in an IP field. So I am back to my original request to have ClearPass enhanced to validate an IP type SAN as well as a DNS type SAN for a database certificate.

    Future releases might move to FQDN in the database cert instead of IP. But I suggest filing an RFE for this requirement.



  • 6.  RE: CPPM 6.8 Database Certificate SAN Validation

    Posted Mar 30, 2020 11:41 AM

    You can only bypass the validation of the https/ssl certificate while joining the subscriber from the CLI. The database certificate should contain SAN >> DNS:<local node IP> to join a subscriber even with -V.

    @GoAruba wrote:

    This is not a bug.

    It must be a public cert; if not, you can disable this check from the CLI.

    You can follow this doc:

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=36443



  • 7.  RE: CPPM 6.8 Database Certificate SAN Validation

    Posted Feb 20, 2025 02:48 PM

    This solution is still valid for 6.12 ClearPass.

    I have in the SAN field: DNS: fqdn, IP: x.x.x.x

    And the cluster doesn't pass the validation stage; changing the SAN field in the DB cert to only DNS: x.x.x.x solves the problem.



    ------------------------------
    Esaú Ruiz Bustillos
    ------------------------------



  • 8.  RE: CPPM 6.8 Database Certificate SAN Validation

    Posted Feb 24, 2025 07:23 AM

    Correct, the IP must be added in a DNS SAN field, not the IP one.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
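
    The following is an added example, not code from this thread, from HPE Aruba, or from ClearPass itself. It shows the SAN layout that posts 5, 7 and 8 converge on: a database certificate issued by an internal CA (a public CA will not issue DNS:<IP address>) whose subjectAltName carries the node's IP address as a DNS entry, beside the two layouts reported as failing (IP:<node IP> alone, and DNS:<fqdn> plus IP:<node IP>). The san_has_dns_ip function is a pre-import check written here to mirror the rule the thread describes; it is not ClearPass's own validation code. The node IP 10.1.1.10, the CA name and the hostname cppm.example.test are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or HPE Aruba): issue a ClearPass-style
# database certificate from an internal CA and check, before import, that
# the SAN carries the node IP as a DNS entry (DNS:<ip>), not as IP:<ip>.
# NODE_IP, the CA name and cppm.example.test are assumptions for the demo.
set -eu

NODE_IP="${NODE_IP:-10.1.1.10}"     # assumed publisher / local node IP
WORK="${WORK:-$(mktemp -d)}"        # scratch directory for keys and certs

# Internal, self-signed CA. Public CAs will not put an IP address in a
# dNSName SAN, so an internal PKI is what post 5 recommends for now.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a leaf certificate for the node with the SAN given verbatim,
# e.g. issue_leaf good "DNS:10.1.1.10". Writes $WORK/<name>.crt
issue_leaf() {
  name="$1"; san="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$NODE_IP" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" \
    > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 825 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Pre-import check mirroring the rule described in the thread: succeed
# only if the SAN contains a dNSName entry equal to the node IP. An
# "IP Address:" entry for the same address does not satisfy it.
san_has_dns_ip() {
  cert="$1"; ip="$2"
  openssl x509 -in "$cert" -noout -text \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qx "DNS:$ip"
}

# Demonstration: the three SAN layouts discussed in the thread.
demo() {
  make_ca
  issue_leaf good  "DNS:$NODE_IP"                        # what ClearPass wants
  issue_leaf ipsan "IP:$NODE_IP"                         # RFC 5280 style, rejected
  issue_leaf mixed "DNS:cppm.example.test,IP:$NODE_IP"   # post 7's failing layout
  for n in good ipsan mixed; do
    if san_has_dns_ip "$WORK/$n.crt" "$NODE_IP"; then
      echo "$n.crt: OK, SAN has DNS:$NODE_IP"
    else
      echo "$n.crt: would fail the database certificate check"
    fi
  done
}
demo
```

    Run it on a workstation with OpenSSL before uploading the certificate to the publisher; it only inspects the file and changes nothing on the appliance. As post 6 notes, the CLI -V option bypasses the https/ssl certificate check when joining a subscriber, not the database certificate check, so getting the SAN right up front is the only way through.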