Excellent. Really appreciate your input. Thanks for your help.
Nathan.
Original Message:
Sent: Apr 25, 2024 03:07 PM
From: Exodius
Subject: Impact of changing Clearpass IP address on database cert?
For reference: https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Content/ReleaseNotes/Behaviors/Behaviors-6.11.0.htm
For a cluster with self-signed certificates, now after the user changes the management IP address they do not need to regenerate the database certificate. The steps to generate the database certificate and restart the backend service are now handled automatically. Users may expect a delay of up to 10 minutes while all backend services are restarted and the configuration updates and replication setup are re-established. With this change, in a cluster with self-signed certificates, users no longer need to manually regenerate the database certificate or reboot the server after changing the management IP. This change only applies to clusters with self-signed certificates. It does not apply to clusters with CA-signed certificates. (CP‑45345)
Original Message:
Sent: Apr 25, 2024 03:04 PM
From: Exodius
Subject: Impact of changing Clearpass IP address on database cert?
Hi Nathan,
Yes, and I think it's something new with the 6.11 version. The DB certificate is now automatically updated when you change your IP address, considering you're keeping the self-signed certificate.
I've upgraded a 6.10 cluster this week with the same prerequisite as you (keeping the old IPs) and it was this simple.
By the way, you don't have to export the certificate to check its details; you have a button under the certificate summary for this purpose.
Original Message:
Sent: Apr 25, 2024 11:55 AM
From: n.millward
Subject: Impact of changing Clearpass IP address on database cert?
All wrapped up in the move from 6.10 to 6.11 I've been warned about changing the IP of the new servers (VM) because of the SAN on the db cert.
When I use the GUI to change the IP of Clearpass (only has the mgmt interface), and then export the db cert to check its details, I can see the SAN reflects the new address (previously it showed the old address). Is it that straightforward? No CLI command to issue? There are no other certs on CP for me to worry about, nothing CA signed, just the db that leaves me uncertain.
I'm doing this because I want to keep the old IPs on the newly built/updated/licensed VMs.
Thanks
Nathan.