December 19th, 2016 07:00

CA and Host Certificates

Hi all,

Not sure if this is the correct community (as opposed to Avamar) but thought I would reach out to the DD community first.

My question is quite simple, I believe.

We have a DD4200 integrated with an Avamar M1200 and a vCenter server - all backups were running fine, until we upgraded the DDOS from 5.7.0.10 to 5.7.2.10 (Avamar is 7.3.0-233 and vCenter is 5.5).

We are now unable to back up ANY clients and are getting lots of output in the Avamar activity log, which I will not bore my esteemed DD colleagues with. However, we have 2 environments here, call them PROD and Non-Prod. Non-Prod upgraded and is all working fine; PROD upgraded and now has no backups at all. One of the main differences I have seen between the two environments is that the working Non-Prod has certificates on the DD, whereas the non-working PROD environment DD has none?

Would we not expect at least a self-signed host certificate to be present on the DD? I have a DDVE deployed elsewhere and that also has an entry for a CA certificate and a host certificate.

Any help gratefully accepted.

Neil

December 22nd, 2016 05:00

Hi Neil,

That does sound weird - at the point of initial install all Data Domain systems should generate a self-signed host and CA certificate. These should not be removed/modified during an upgrade and are only regenerated if specifically requested.

Under DDOS 5.x/DDMC 1.x you can regenerate the host certificate as follows:

- Log into the DD CLI

- Enter 'se' mode:

# system show serialno

[system serial number displayed]

# priv set se

[password prompt - enter serial number from above]

Note that on systems using encryption and/or retention lock the above may prompt for credentials of a user with role of security.

- Regenerate the host certificate:

# adminaccess certificate generate self-signed-cert

Note that this will only regenerate the host certificate if the hostname of the system is anything other than 'localhost'. If the hostname is localhost it will regenerate the host and CA certificates. Under DDOS 5.7 there is no command to force regeneration of the CA certificate.

Under DDOS 6.x/DDMC 2.x you can run similar commands from 'se' mode, i.e.:

# adminaccess certificate generate self-signed-cert <= REGENERATE HOST CERTIFICATE

# adminaccess certificate generate self-signed-cert regenerate-ca <= REGENERATE HOST AND CA CERTIFICATE

Note that if you regenerate the CA certificate you will break established mutual trust with all other systems, so you will need to re-establish this manually (for example by refreshing certificates in DDMC or on other DDRs as necessary).

Please have a look at the article I posted about changes to SHA1 in Jan 2017 as this has more information on the above.

Thanks, James
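The distinction James draws above (regenerating the host certificate alone keeps existing trust, regenerating the CA breaks it) can be reproduced locally with openssl. The script below is an added example, not part of the thread and not Data Domain code: it models the install-time self-signed CA plus CA-issued host certificate pair with openssl, keeps a copy of the CA as a stand-in for what a peer such as DDMC imported earlier, and checks whether the peer's copy still verifies the host certificate after each kind of regeneration. The hostname dd-prod, the file name peer_trust.pem and the use of a local openssl binary are assumptions for illustration; nothing here talks to a DD system.

```shell
#!/bin/sh
# Added example (not from the thread): model the DD's self-signed CA + host
# certificate pair with openssl and show which regeneration breaks trust.
# Names (dd-prod, peer_trust.pem) are illustrative assumptions.
set -eu

# Self-signed CA, standing in for the CA certificate created at initial install.
gen_ca() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=$host CA" >/dev/null 2>&1
}

# Host certificate issued by that CA, standing in for what
# 'adminaccess certificate generate self-signed-cert' produces when the
# hostname is not localhost (host cert only, CA untouched).
gen_host() {
    dir="$1"; host="$2"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/host.key" -out "$dir/host.csr" -subj "/CN=$host" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$dir/host.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/host.pem" >/dev/null 2>&1
}

# Fresh "install": a new directory holding CA and host certificate. Echoes the path.
fresh_install() {
    dir="$(mktemp -d)"
    gen_ca "$dir" "$1"
    gen_host "$dir" "$1"
    echo "$dir"
}

# Does the host certificate ($2) chain to the CA copy a peer holds ($1)? Prints ok/FAIL.
verify_host() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

# Is a certificate self-signed, i.e. issuer equals subject? Prints yes/no.
# Useful for checking what a DD (or DDVE) actually presents on its TLS port.
is_self_signed() {
    subj="$(openssl x509 -in "$1" -noout -subject)"
    iss="$(openssl x509 -in "$1" -noout -issuer)"
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# Scenario 1: host certificate regenerated, CA kept. The peer still trusts the
# old CA, and the new host certificate chains to it, so trust survives.
host_regen_keeps_trust() {
    dir="$(fresh_install dd-prod)"
    cp "$dir/ca.pem" "$dir/peer_trust.pem"   # CA copy a peer (e.g. DDMC) imported earlier
    gen_host "$dir" dd-prod                   # new host cert, same CA
    verify_host "$dir/peer_trust.pem" "$dir/host.pem"
    rm -rf "$dir"
}

# Scenario 2: CA regenerated as well (the 'regenerate-ca' case). The peer's copy
# of the old CA no longer verifies the new host certificate: trust must be
# re-established by importing the new CA on every peer.
ca_regen_breaks_trust() {
    dir="$(fresh_install dd-prod)"
    cp "$dir/ca.pem" "$dir/peer_trust.pem"
    gen_ca "$dir" dd-prod
    gen_host "$dir" dd-prod
    verify_host "$dir/peer_trust.pem" "$dir/host.pem"
    rm -rf "$dir"
}

echo "host cert regenerated, CA kept:  $(host_regen_keeps_trust)"
echo "CA regenerated (regenerate-ca):  $(ca_regen_breaks_trust)"
```

The same openssl x509 -subject/-issuer check can be pointed at a certificate pulled from a live system with openssl s_client -connect host:port -showcerts to confirm whether the host certificate the DD presents is the install-time self-signed one or something issued by the DD's own CA, which is the first thing worth comparing between the working and non-working environments.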
