Como lidar com as alterações de certificado do AWS S3 de 23 de março de 2021
Summary: O AWS está alterando os certificados de servidor do S3 para certificados emitidos pela CA do Amazon Trust Services. Isso está acontecendo desde 23 de março de 2021, de acordo com a comunicação do AWS. Essa alteração afeta os sistemas Data Domain configurados com o nível de nuvem e o Data Domain Virtual Edition (DDVE) implementado na plataforma AWS Cloud com o ATOS (Active Tier on Object Storage). ...
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Esta alteração de certificado faz com que a unidade de nuvem entre no estado de desconexão para sistemas Data Domain configurados com o nível de nuvem:
OU
No caso do DDVE implementado no AWS com o ATOS, o sistema de arquivos é desativado com as seguintes mensagens de alerta:
# alert show current
Id Post Time Severity Class Object Message
----- ------------------------ -------- ----- ------------------------ -------------------------------------------------------------------------
m0-76 Mon Apr 19 15:34:03 2021 CRITICAL Cloud CloudUnit=aws-unit EVT-CLOUD-00001: Unable to access provider for cloud unit aws-unit.
----- ------------------------ -------- ----- ------------------------ -------------------------------------------------------------------------
There is 1 active alert.
# cloud unit list
Name Profile Status
-------------- --------- ------------
aws-unit aws Disconnected
-------------- --------- ------------
Id Post Time Severity Class Object Message
----- ------------------------ -------- ----- ------------------------ -------------------------------------------------------------------------
m0-76 Mon Apr 19 15:34:03 2021 CRITICAL Cloud CloudUnit=aws-unit EVT-CLOUD-00001: Unable to access provider for cloud unit aws-unit.
----- ------------------------ -------- ----- ------------------------ -------------------------------------------------------------------------
There is 1 active alert.
# cloud unit list
Name Profile Status
-------------- --------- ------------
aws-unit aws Disconnected
-------------- --------- ------------
OU
No caso do DDVE implementado no AWS com o ATOS, o sistema de arquivos é desativado com as seguintes mensagens de alerta:
Alert History
-------------
Id Post Time Clear Time Severity Class Object Message
----- ------------------------ ------------------------ -------- ----------------- ------ --------------------------------------------------------------------------------------
m0-26 Tue Apr 6 13:58:41 2021 Tue Apr 6 13:59:03 2021 ERROR Filesystem EVT-FILESYS-00008: Filesystem has encountered an error and is restarting.
m0-27 Tue Apr 6 14:19:59 2021 Tue Apr 6 14:20:03 2021 ALERT Filesystem EVT-FILESYS-00002: Problem is preventing filesystem from
-------------
Id Post Time Clear Time Severity Class Object Message
----- ------------------------ ------------------------ -------- ----------------- ------ --------------------------------------------------------------------------------------
m0-26 Tue Apr 6 13:58:41 2021 Tue Apr 6 13:59:03 2021 ERROR Filesystem EVT-FILESYS-00008: Filesystem has encountered an error and is restarting.
m0-27 Tue Apr 6 14:19:59 2021 Tue Apr 6 14:20:03 2021 ALERT Filesystem EVT-FILESYS-00002: Problem is preventing filesystem from
Cause
O AWS está alterando os certificados de servidor do S3 para certificados emitidos pela CA do Amazon Trust Services. Isso está acontecendo desde 23 de março de 2021.
Para acessar os buckets do S3, o sistema exige um novo certificado rootCA da Autoridade de certificação Starfield Class 2, em vez do certificado presente Baltimore CyberTrust Root.
Resolution
As etapas a seguir são aplicáveis aos sistemas Data Domain configurados com o nível de nuvem e ao DDVE implementado na plataforma AWS Cloud com o ATOS.
- Verifique se o sistema está usando "Baltimore CyberTrust Root" para aplicativos em nuvem, de acordo com o seguinte exemplo:
sysadmin@dd01# adminaccess certificate show
Subject Type Application Valid From Valid Until Fingerprint
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
dd01.example.com host https Tue Mar 26 10:38:34 2019 Wed Jan 31 10:48:38 2024 30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
dd01.example.com ca trusted-ca Wed Mar 27 17:38:34 2019 Wed Jan 31 10:16:38 2024 CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
dd01.example.com imported-host ddboost Sat Jun 20 15:09:16 2020 Thu Jun 19 15:09:16 2025 12:DB:62:AA:E8:59:5B:E9:63:29:A0:DC:6B:63:B2:BB:E5:77:07:C6
avamar.example.com imported-ca login-auth Fri Jun 19 17:25:13 2020 Wed Jun 18 17:25:13 2025 D8:03:BB:B0:31:C4:6D:E5:9E:14:92:A8:E2:36:99:3E:97:BB:31:25
avamar.example.com imported-ca ddboost Fri Jun 19 17:25:13 2020 Wed Jun 18 17:25:13 2025 D8:03:BB:B0:31:C4:6D:E5:9E:14:92:A8:E2:36:99:3E:97:BB:31:25
Baltimore CyberTrust Root imported-ca cloud Fri May 12 11:46:00 2000 Mon May 12 16:59:00 2025 D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr
Subject Type Application Valid From Valid Until Fingerprint
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
dd01.example.com host https Tue Mar 26 10:38:34 2019 Wed Jan 31 10:48:38 2024 30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
dd01.example.com ca trusted-ca Wed Mar 27 17:38:34 2019 Wed Jan 31 10:16:38 2024 CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
dd01.example.com imported-host ddboost Sat Jun 20 15:09:16 2020 Thu Jun 19 15:09:16 2025 12:DB:62:AA:E8:59:5B:E9:63:29:A0:DC:6B:63:B2:BB:E5:77:07:C6
avamar.example.com imported-ca login-auth Fri Jun 19 17:25:13 2020 Wed Jun 18 17:25:13 2025 D8:03:BB:B0:31:C4:6D:E5:9E:14:92:A8:E2:36:99:3E:97:BB:31:25
avamar.example.com imported-ca ddboost Fri Jun 19 17:25:13 2020 Wed Jun 18 17:25:13 2025 D8:03:BB:B0:31:C4:6D:E5:9E:14:92:A8:E2:36:99:3E:97:BB:31:25
Baltimore CyberTrust Root imported-ca cloud Fri May 12 11:46:00 2000 Mon May 12 16:59:00 2025 D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr
- Faça download do certificado rootCA da Autoridade de certificação Starfield Class 2, na página a seguir
https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certif: icate-authority/
Clique com o botão direito em "here" e salve o arquivo como:
Clique com o botão direito em "here" e salve o arquivo como:
Link alternativo para fazer download do certificado: https://certs.secureserver.net/repository/sf-class2-root.crt
- Renomeie o arquivo sf-class2-root.crt como sf-class2-root.pem (somente a extensão é alterada).
- Importe o certificado usando a GUI do Data Domain System Manager.
- Unidades de nuvem: "Data Management" > "File System" > "Cloud Units" > "Manage Certificates" > Add
- DDVE: "Administration" > "Access" > "MANAGE CA CERTIFICATES" > "+ Add
- Em seguida, execute a Etapa 2 da CLI. (localizada abaixo destas capturas de tela)
Ou, como alternativa, a partir da CLI
- Transfira o arquivo sf-class2-root.pem para /ddr/var/certificates usando o método scp ou sftp
- Importe o certificado
# adminaccess certificate import ca application cloud file sf-class2-root.pem
- NOTA: Este certificado pode mostrar o assunto como vazio na GUI ou na saída "adminaccess certificate show", o que pode ser ignorado (não há problema de funcionalidade, exceto a exibição vazia).
sysadmin@dd01# adminaccess certificate show
Subject Type Application Valid From Valid Until Fingerprint
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
dd01.example.com host https Tue Mar 26 10:38:34 2019 Wed Jan 31 10:48:38 2024 30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
dd01.example.com ca trusted-ca Wed Mar 27 17:38:34 2019 Wed Jan 31 10:16:38 2024 CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
dd01.example.com imported-host ddboost Sat Jun 20 15:09:16 2020 Thu Jun 19 15:09:16 2025 12:DB:62:AA:E8:59:5B:E9:63:29:A0:DC:6B:63:B2:BB:E5:77:07:C6
avamar.example.com imported-ca login-auth Fri Jun 19 17:25:13 2020 Wed Jun 18 17:25:13 2025 D8:03:BB:B0:31:C4:6D:E5:9E:14:92:A8:E2:36:99:3E:97:BB:31:25
avamar.example.com imported-ca ddboost Fri Jun 19 17:25:13 2020 Wed Jun 18 17:25:13 2025 D8:03:BB:B0:31:C4:6D:E5:9E:14:92:A8:E2:36:99:3E:97:BB:31:25
Baltimore CyberTrust Root imported-ca cloud Fri May 12 11:46:00 2000 Mon May 12 16:59:00 2025 D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
- imported-ca cloud Tue Jun 29 10:39:16 2004 Thu Jun 29 10:39:16 2034 AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr
Subject Type Application Valid From Valid Until Fingerprint
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
dd01.example.com host https Tue Mar 26 10:38:34 2019 Wed Jan 31 10:48:38 2024 30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
dd01.example.com ca trusted-ca Wed Mar 27 17:38:34 2019 Wed Jan 31 10:16:38 2024 CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
dd01.example.com imported-host ddboost Sat Jun 20 15:09:16 2020 Thu Jun 19 15:09:16 2025 12:DB:62:AA:E8:59:5B:E9:63:29:A0:DC:6B:63:B2:BB:E5:77:07:C6
avamar.example.com imported-ca login-auth Fri Jun 19 17:25:13 2020 Wed Jun 18 17:25:13 2025 D8:03:BB:B0:31:C4:6D:E5:9E:14:92:A8:E2:36:99:3E:97:BB:31:25
avamar.example.com imported-ca ddboost Fri Jun 19 17:25:13 2020 Wed Jun 18 17:25:13 2025 D8:03:BB:B0:31:C4:6D:E5:9E:14:92:A8:E2:36:99:3E:97:BB:31:25
Baltimore CyberTrust Root imported-ca cloud Fri May 12 11:46:00 2000 Mon May 12 16:59:00 2025 D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
- imported-ca cloud Tue Jun 29 10:39:16 2004 Thu Jun 29 10:39:16 2034 AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr
- Não remova o antigo certificado "Baltimore CyberTrust Root". Em alguns casos, descobrimos que o AWS reverteu o certificado para o Baltimore.
- Mantenha-o junto com o novo certificado Starfield.
Affected Products
Data Domain, PowerProtect Data Protection SoftwareArticle Properties
Article Number: 000184415
Article Type: Solution
Last Modified: 22 Aug 2022
Version: 13
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.