Clarification of CPPM database server certificate requirements prior to CPPM upgrade
06-23-2020 04:32 AM
Having just gone through a nightmare CPPM upgrade (something that has just worked for years), I'm trying to ascertain if there are any specific database cert requirements that need to be set up before an upgrade.
Our cluster nodes each have a locally generated cert with a SAN entry containing
DNS:<IP address of cluster node>
I think the reason for the SAN entry was to do with a failure to sync all the cluster nodes: you had to have the DNS (not IP) SAN entry for node synchronisation.
With our dev cluster, when trying to resolve the upgrade issue, TAC added these self-signed certs to the certificate trust list.
On our production cluster, while we have the self-signed db certs, they aren't in the cert trust list.
Understandably I'm a bit concerned that I don't have the same meltdown on our production cluster that happened on our dev one... it took days to fix and involved copy/pasting configs from one (standalone) server to another and then recreating our cluster, not to mention re-adding all our licenses.
For the dev system, it was simple to point our building switches etc. at the prodn cluster... not so easy if we have to do the same thing from prodn -> dev!
(FYI the issue I had was that the MP upgraded successfully but the secondary kept failing because it couldn't determine the version of the master. A revert of the master to the same release as the secondary didn't result in db synchronisation. Ended up with what looked like a correctly configured cluster, but any external RADIUS auths resulted in CPPM sending back an ICMP no route to host. Solution was to trash the db and type the config in, as TAC thought the backup was corrupt in some way. This was 6.8.4 -> 6.8.5 BTW.)
After everything was restored... a 6.8.5 -> 6.8.6 "just worked" as usual.
Prodn is 6.8.4 and planning on upgrade to 6.8.6.
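As an added pre-upgrade check (example code, not from the original post or from Aruba/ClearPass), the shell functions below use openssl to confirm two things the post raises for each node's database cert: that it carries the DNS-type SAN entry for the node, and whether it is present in a trust-list bundle. The node address 192.0.2.10 and the self-signed cert are constructed here for demonstration; the trust list is assumed to be a PEM bundle exported from the node, and the functions assume openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example: pre-upgrade sanity check of a cluster node certificate.
# Assumes openssl (1.1.1+) is on PATH; all certs and paths are constructed here.
set -eu

WORK=$(mktemp -d)

# Build a constructed self-signed cert whose SAN is DNS:<node address>, as the post
# describes. $1 is the node address (placeholder 192.0.2.10 in the usage below).
make_demo_cert() {
  node="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout "$WORK/node.key" -out "$WORK/node.crt" \
    -subj "/CN=$node" \
    -addext "subjectAltName=DNS:$node" >/dev/null 2>&1
  echo "$WORK/node.crt"
}

# Print the SAN entries of a PEM cert, one per line (e.g. "DNS:192.0.2.10").
# openssl prints a header line first, then the comma-separated entries.
san_entries() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | sed -n '2,$p' | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -v '^$'
}

# Return 0 if cert $1 carries exactly the entry "DNS:$2" (the form the post says
# node synchronisation needed), 1 otherwise.
has_dns_san() {
  cert="$1"; node="$2"
  san_entries "$cert" | grep -qx "DNS:$node"
}

# Return 0 if cert $1 appears in PEM bundle $2 (compared by SHA-256 fingerprint),
# 1 otherwise. An empty or absent bundle means "not trusted".
in_trust_list() {
  cert="$1"; bundle="$2"
  fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
  rm -f "$WORK"/bundle_*.pem
  [ -s "$bundle" ] || return 1
  # Split the bundle into one file per certificate, then compare fingerprints.
  awk -v dir="$WORK" 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/bundle_" n ".pem")}' "$bundle"
  for f in "$WORK"/bundle_*.pem; do
    [ -f "$f" ] || continue
    if [ "$(openssl x509 -in "$f" -noout -fingerprint -sha256 2>/dev/null)" = "$fp" ]; then
      return 0
    fi
  done
  return 1
}

# Usage (constructed demo, placeholder address):
#   CERT=$(make_demo_cert 192.0.2.10)
#   has_dns_san "$CERT" 192.0.2.10 && echo "SAN entry present"
#   in_trust_list "$CERT" /path/to/exported-trust-list.pem || echo "not in trust list"
```

Run it against the real node cert and an exported trust-list bundle on each cluster member before the upgrade; a node whose cert lacks the DNS SAN entry, or which is not in the trust list, is the one to raise with TAC first.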