Clarification of CPPM database server certificate requirements prior to CPPM upgrade

Having just gone through a nightmare CPPM upgrade (something that has just worked for years), I'm trying to ascertain if there are any specific database cert requirements that need to be set up before an upgrade.

Our cluster nodes each have a locally generated cert with a SAN entry containing

DNS:<IP address of cluster node>

 

Think the reason for the SAN entry was to do with a failure to sync all the cluster nodes... you had to have the DNS... (not IP...) SAN entry for node synchronisation.

With our dev cluster, when trying to resolve the upgrade issue, TAC added these self-signed certs to the certificate trust list.

 

On our production cluster, while we have the self-signed db certs, they aren't in the cert trust list.

 

Understandably I'm a bit concerned that I don't have the same meltdown on our production cluster that happened on our dev one... took days to fix and involved copy/pasting configs from 1 (standalone) server to another and then recreating our cluster, not to mention re-adding all our licenses.

 

For the dev system, it was simple to point our building switches etc at the prodn cluster.... not so easy if we have to do the same thing from prodn -> dev!

 

(FYI the issue I had was the MP upgraded successfully but the secondary kept failing because it couldn't determine the version of the master. A revert of master to the same release as sec didn't result in db synchronisation. Ended up with what looked like a correctly configured cluster, but any external RADIUS auths resulted in CPPM sending back an ICMP no route to host. Solution was to trash the db and type config in, as TAC thought the backup was corrupt in some way. This was 6.8.4 -> 6.8.5 BTW.)

 

After everything was restored... a 6.8.5 -> 6.8.6 "just worked" as usual.

 

Prodn is 6.8.4 and planning on upgrade to 6.8.6.

A
