CPPM 6.8 Database Certificate SAN Validation

Hello all, I opened TAC case #5346209868 because I believe there may be a bug in the way that ClearPass 6.8.3 and 6.8.5 validate the publisher database certificate when attempting to join a subscriber to the cluster. I know that the database certificate needs a subject alternative name referring to the IP address of the publisher. The issue that I have is that, per RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile), the certificate should be able to take an IP:-based SAN. When I generated certificates for use for ClearPass databases, I kept getting errors until I made the IP address a DNS:-based SAN. I believe that ClearPass should allow the IP address-based SAN as well.

ACEX#101 ACCX#1200 ACDX#1244 ACMX#1260
Re: CPPM 6.8 Database Certificate SAN Validation

Hi,

The database certificate is validated based on the SAN >> DNS entry carrying the server IP address; this is by design. You are correct about the IP-based SAN in general, but for the ClearPass database certificate, follow SAN >> DNS >> "local node IP address".

Note - The IP address that you enter in SAN >> DNS for the database certificate should be the local node IP.

Thank you,
Saravanan

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the post.
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Re: CPPM 6.8 Database Certificate SAN Validation

This is not a bug.

It must be a public cert; if not, you can disable this check from the CLI.

You can follow this doc:

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=36443


Re: CPPM 6.8 Database Certificate SAN Validation

Okay, so let's assume I can find a public CA to issue a SAN as an IP address. GlobalSign, for example, states that I cannot use an IP address in a DNS field for SAN; it needs to be in an IP field. So I am back to my original request to have ClearPass enhanced to validate an IP-type SAN as well as a DNS-type SAN for a database certificate.

ACEX#101 ACCX#1200 ACDX#1244 ACMX#1260
Re: CPPM 6.8 Database Certificate SAN Validation

You can only bypass the validation of the https/ssl certificate while joining the subscriber from the CLI. The database certificate should contain SAN >> DNS:<local node IP> to join a subscriber even with -V.

@GoAruba wrote:
    This is not a bug. It must be a public cert; if not, you can disable this check from the CLI. You can follow this doc: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=36443

Thank you,
Saravanan

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the post.
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Re: CPPM 6.8 Database Certificate SAN Validation

The database certificate requires SAN >> DNS:<local node IP> and does not work with SAN >> IP:<IP address> as per the current design. I do agree that public CAs won't support DNS with IP addresses, but the current design requires it. Please consider signing the database certificate using an internal PKI instead of a public CA for now.

@KellyKnowles wrote:
    Okay, so let's assume I can find a public CA to issue a SAN as an IP address. GlobalSign, for example, states that I cannot use an IP address in a DNS field for SAN; it needs to be in an IP field. So I am back to my original request to have ClearPass enhanced to validate an IP-type SAN as well as a DNS-type SAN for a database certificate.

Future releases might move to FQDN in the database cert instead of IP. But I suggest filing an RFE for this requirement.

Thank you,
Saravanan

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the post.
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
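The thread states the rule (the database certificate's SAN must carry the local node IP as a DNS entry, and an internal PKI is the practical way to get such a certificate) but never shows how to issue or inspect one. The script below is an added example, written for this page and not taken from the posts, from Aruba or from ClearPass documentation. It creates a throwaway internal CA with OpenSSL, issues a certificate whose SAN carries the node IP both as DNS:<ip> (the form the thread says ClearPass 6.8 checks) and as IP:<ip> (the RFC 5280 iPAddress form), then lists the SAN entries and checks each form the way the thread describes. The node IP 10.10.10.5, the CA name and the scratch directory are assumptions; replace NODE_IP with your publisher's address and, in a real deployment, sign with your own CA rather than the throwaway one. It assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not ClearPass's own code): issue a database certificate from an
# internal CA whose SAN carries the local node IP both as DNS:<ip> (the form the
# thread says ClearPass 6.8 checks) and as IP:<ip> (the RFC 5280 form), then
# inspect which SAN entries are present. NODE_IP and WORK are assumptions.
set -eu

NODE_IP="${NODE_IP:-10.10.10.5}"     # assumed local node IP; replace with yours
WORK="${WORK:-$(mktemp -d)}"         # scratch directory for keys and certs

# Create a throwaway internal CA (assumption: you have no internal PKI yet).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue the database certificate for node IP $1 with both SAN forms.
make_db_cert() {
  ip="$1"
  cat > "$WORK/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $ip
[v3_req]
extendedKeyUsage = serverAuth
subjectAltName = DNS:$ip, IP:$ip
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/san.cnf" \
    -keyout "$WORK/db.key" -out "$WORK/db.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/db.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -extfile "$WORK/san.cnf" -extensions v3_req \
    -out "$WORK/db.crt" >/dev/null 2>&1
}

# Print the SAN entries of certificate $1, one per line, e.g.
#   DNS:10.10.10.5
#   IP Address:10.10.10.5
san_entries() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# The check the thread describes for ClearPass 6.8: a DNS SAN equal to node IP $2.
has_dns_ip_san() {
  san_entries "$1" | grep -qxF "DNS:$2"
}

# The RFC 5280 iPAddress form, which the thread says ClearPass 6.8 does not
# accept for the database certificate.
has_ip_san() {
  san_entries "$1" | grep -qxF "IP Address:$2"
}

make_ca
make_db_cert "$NODE_IP"
echo "SAN entries in $WORK/db.crt:"
san_entries "$WORK/db.crt"
if has_dns_ip_san "$WORK/db.crt" "$NODE_IP"; then
  echo "DNS:$NODE_IP present: the form the ClearPass 6.8 database check looks for"
fi
if has_ip_san "$WORK/db.crt" "$NODE_IP"; then
  echo "IP Address:$NODE_IP present: RFC 5280 form, not consulted by that check"
fi
```

Carrying both SAN forms costs nothing with an internal CA and keeps the certificate valid for RFC 5280-conformant clients as well as for the ClearPass check; a public CA, as the thread notes, will refuse the DNS:<ip> entry, which is why the internal PKI route is the workable one.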