Data Domain: How to handle AWS S3 certificate changes from March 23, 2021 for systems configured with Cloud Tier or deployed on the AWS cloud platform
Summary: AWS is changing the server certificates used by S3 to certificates issued by the Amazon Trust Services CA. This change impacts Data Domain systems configured with Cloud Tier and Data Domain Virtual Edition (DDVE) deployed on the AWS cloud platform with Active Tier on Object Storage (ATOS). ...
Symptoms
This certificate change causes the cloud unit to go into a disconnected state for Data Domain systems configured with Cloud Tier:
# alert show current
Id Post Time Severity Class Object Message
----- ------------------------ -------- ----- ------------------------ ------------------------------------------------------------
m0-76 Mon Apr 19 15:34:03 2021 CRITICAL Cloud CloudUnit=aws-unit EVT-CLOUD-00001: Unable to access provider for cloud unit aws-unit.
----- ------------------------ -------- ----- ------------------------ ------------------------------------------------------------
There is 1 active alert.
# cloud unit list
Name Profile Status
-------------- --------- ------------
aws-unit aws Disconnected
-------------- --------- ------------
For Data Domain Virtual Edition (DDVE) deployed on AWS with Active Tier on Object Storage (ATOS), the file system is disabled, with the following alert messages:
Alert History
-------------
Id Post Time Clear Time Severity Class Object Message
----- ------------------------ ------------------------ -------- ----------------- ------ ----------------------------------------------------------------------
m0-26 Tue Apr 6 13:58:41 2021 Tue Apr 6 13:59:03 2021 ERROR Filesystem EVT-FILESYS-00008: Filesystem has encountered an error and is restarting.
m0-27 Tue Apr 6 14:19:59 2021 Tue Apr 6 14:20:03 2021 ALERT Filesystem EVT-FILESYS-00002: Problem is preventing filesystem from
----- ------------------------ ------------------------ -------- ----------------- ------ ----------------------------------------------------------------------
Cause
AWS is changing the server certificates used by S3 to certificates issued by the Amazon Trust Services CA, starting March 23, 2021.
To access S3 buckets, systems must trust the Amazon Root CA 1 certificate instead of the Baltimore CyberTrust Root certificate.
See the following AWS Security Blog post for details:
https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority
Resolution
The following steps enable support for AWS's own certificate authority on Data Domain systems configured with Cloud Tier and on DDVE deployed on the AWS cloud platform with ATOS.
- Confirm that the Data Domain system has the "Baltimore CyberTrust Root" certificate with application "cloud", as in the following example:
sysadmin@dd01# adminaccess certificate show
Subject Type Application Valid From Valid Until Fingerprint
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
dd01.example.com host https Tue Mar 26 10:38:34 2019 Wed Jan 31 10:48:38 2024 30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
dd01.example.com ca trusted-ca Wed Mar 27 17:38:34 2019 Wed Jan 31 10:16:38 2024 CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
Baltimore CyberTrust Root imported-ca cloud Fri May 12 11:46:00 2000 Mon May 12 16:59:00 2025 D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr
- Download Amazon Root CA1 certificate from the following page:
https://www.amazontrust.com/repository/
| Distinguished Name | SHA-256 Hash of Subject Public Key Information | Self-Signed Certificate | Test URLs |
| --- | --- | --- | --- |
| CN=Amazon Root CA 1,O=Amazon,C=US | fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2 | DER PEM | Valid Revoked Expired |
- Right-click the word "PEM" on this web page and select Save As.
Import the saved AmazonRootCA1.pem certificate file from that folder using the Data Domain System Manager UI.
- For a Data Domain system configured with Cloud Tier:
Data Management > File System > Cloud Units > Manage Certificates > Add.
- For a Data Domain system running on the AWS platform with ATOS:
- Run the following command in an SSH session and confirm that the Amazon Root CA 1 certificate has been added with application "cloud" (the last certificate row in the example below):
sysadmin@dd01# adminaccess certificate show
Subject Type Application Valid From Valid Until Fingerprint
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
dd01.example.com host https Tue Mar 26 10:38:34 2019 Wed Jan 31 10:48:38 2024 30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
dd01.example.com ca trusted-ca Wed Mar 27 17:38:34 2019 Wed Jan 31 10:16:38 2024 CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
Baltimore CyberTrust Root imported-ca cloud Fri May 12 11:46:00 2000 Mon May 12 16:59:00 2025 D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
Amazon Root CA 1 imported-ca cloud Mon May 25 17:00:00 2015 Sat Jan 16 16:00:00 2038 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr
- If the certificate was added with an "Application" value other than "cloud", remove it from the Certification Authority certificates under the Access Management UI as follows:
Note: Do not remove old "Baltimore CyberTrust Root" certificate.
- For Data Domain systems configured with Cloud Tier, a file system restart may be required to reestablish the connection with the cloud units. Arrange for downtime and run the following command to restart the file system:
# filesys restart
- For Data Domain systems running on the AWS platform, reboot the DDVE:
# system reboot
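Before the downloaded AmazonRootCA1.pem is imported in the steps above, it is worth confirming that the file really is the Amazon Root CA 1 certificate and not something substituted on the way down. The script below is an added example, not part of the KB article and not Dell or AWS code. Using only the Python standard library, it decodes the PEM, walks the DER structure to the SubjectPublicKeyInfo, and computes both the SHA-256 hash of that SPKI (the value the Amazon Trust Services repository table publishes, fbe30180...) and the SHA-1 fingerprint of the whole certificate (8D:A7:F9:65:..., which is assumed here to be what the Fingerprint column of "adminaccess certificate show" displays, since that column is 20 bytes long). The sample certificate built by build_sample_cert() is a constructed, unsigned X.509 skeleton used only so the parser can be exercised offline; the expected hashes are taken from the article.

```python
"""Check a downloaded root CA file against its published SPKI hash and
fingerprint before importing it into a Data Domain system.
Added example (standard library only); not Dell or AWS code."""
import base64
import hashlib
import re
import sys

# Published values for Amazon Root CA 1, copied from the KB article.
EXPECTED_SPKI_SHA256 = "fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2"
EXPECTED_CERT_SHA1 = "8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16"


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file into DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    """Inverse of pem_to_der, used to build sample input."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, vstart, vend, pos, vend
        pos = vend


def spki_bytes(der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cstart, cend = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = next(der_children(der, cstart, cend))
    fields = list(der_children(der, tbs[1], tbs[2]))
    if fields and fields[0][0] == 0xA0:  # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    spki = fields[5]  # serial, signature, issuer, validity, subject, SPKI
    return der[spki[3]:spki[4]]


def spki_sha256(der):
    return hashlib.sha256(spki_bytes(der)).hexdigest()


def cert_sha1_fingerprint(der):
    """Colon-separated uppercase SHA-1 of the whole DER certificate."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_root(pem_text, expected_spki=EXPECTED_SPKI_SHA256, expected_sha1=EXPECTED_CERT_SHA1):
    """Return (spki_matches, fingerprint_matches) for the certificate in pem_text."""
    der = pem_to_der(pem_text)
    return (spki_sha256(der) == expected_spki.lower(),
            cert_sha1_fingerprint(der) == expected_sha1.upper())


def der_encode(tag, value):
    """Encode one DER TLV with definite short- or long-form length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


# Constructed sample (not a real or signed certificate): an X.509 skeleton with
# an rsaEncryption SPKI carrying 200 dummy key bytes, so long-form lengths are hit.
_RSA_OID = der_encode(0x06, bytes.fromhex("2a864886f70d010101"))      # 1.2.840.113549.1.1.1
_SHA256_RSA_OID = der_encode(0x06, bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
SAMPLE_SPKI = der_encode(0x30, der_encode(0x30, _RSA_OID + der_encode(0x05, b""))
                         + der_encode(0x03, b"\x00" + bytes(200)))


def build_sample_cert():
    sig_alg = der_encode(0x30, _SHA256_RSA_OID + der_encode(0x05, b""))
    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02"))                     # [0] version v3
                     + der_encode(0x02, b"\x01")                                      # serialNumber
                     + sig_alg                                                        # signature
                     + der_encode(0x30, b"")                                          # issuer (empty Name)
                     + der_encode(0x30, der_encode(0x17, b"210323000000Z")
                                  + der_encode(0x17, b"380116000000Z"))               # validity
                     + der_encode(0x30, b"")                                          # subject (empty Name)
                     + SAMPLE_SPKI)
    return der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00" + b"\xff" * 8))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "AmazonRootCA1.pem"
    with open(path) as f:
        text = f.read()
    der = pem_to_der(text)
    print("SHA-1 fingerprint:", cert_sha1_fingerprint(der))
    print("SPKI SHA-256     :", spki_sha256(der))
    print("matches published (spki, fingerprint):", verify_root(text))
```

Run it as `python3 check_root.py AmazonRootCA1.pem`; both values printed should match the table and the Fingerprint column above, and verify_root() should report (True, True) before the file is imported. The sample skeleton exists only to exercise the parser and will, correctly, report (False, False).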
Additional Information
Note:
Previously, the AWS Starfield Class 2 Certification Authority certificate was required to configure Cloud Tier or a DDVE deployed on the AWS cloud platform with ATOS. It is now replaced by the Amazon Root CA 1 certificate.
If the command line is used to create the cloud profile, it prompts to import the AWS Starfield Class 2 Certification Authority certificate. Answer "yes" and proceed with cloud profile creation.
sysadmin@dd02# cloud profile add test-aws
Enter provider name (alibabacloud|aws|azure|ecs|google|s3_flexible): aws
Enter the access key:
Enter the secret key:
Enter the storage class (STANDARD|STANDARD_IA|ONEZONE_IA) [STANDARD]: STANDARD_IA
Enter the region (us-east-1|us-west-1|us-west-2|eu-west-1|ap-northeast-1|
ap-southeast-1|ap-southeast-2|sa-east-1|ap-south-1|
ap-northeast-2|eu-central-1|eu-west-2|us-gov-east-1|
us-gov-west-1|ca-central-1|eu-south-1|me-south-1): eu-west-2
Do you want to enter proxy details? (yes|no) [no]:
SSL communication with aws requires the Starfield Class 2 Certification Authority certificate with the following fingerprint:
AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
Do you want to import it? (yes|no) [yes]
In an upcoming DDOS release and patch release, the system will automatically import the Amazon Root CA 1 certificate instead of the Starfield Class 2 Certification Authority certificate.