Article Number: 000192537
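When the Azure Storage certificate changes (starting July 2022), cloud units on Data Domain systems configured with Cloud Tier on Azure go into a disconnected state if the new certificate has not yet been added as trusted for cloud: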
# alert show current
Id      Post Time                  Severity   Class   Object                     Message
-----   ------------------------   --------   -----   ------------------------   -------------------------------------------------------------------------
m0-76   Mon Apr 19 15:34:03 2021   CRITICAL   Cloud   CloudUnit=azure-unit       EVT-CLOUD-00001: Unable to access provider for cloud unit azure-unit.
-----   ------------------------   --------   -----   ------------------------   -------------------------------------------------------------------------
There is 1 active alert.

# cloud unit list
Name             Profile     Status
--------------   ---------   ------------
azure-unit       azure       Disconnected
--------------   ---------   ------------
If Data Domain Virtual Edition (DDVE) is deployed on Azure with Active Tier on Object Storage (ATOS), the file system is disabled and the following alert messages are shown:
Alert History
-------------
Id      Post Time                  Clear Time                 Severity   Class               Object   Message
-----   ------------------------   ------------------------   --------   -----------------   ------   --------------------------------------------------------------------------------------
m0-26   Tue Apr 6 13:58:41 2021    Tue Apr 6 13:59:03 2021    ERROR      Filesystem                   EVT-FILESYS-00008: Filesystem has encountered an error and is restarting.
m0-27   Tue Apr 6 14:19:59 2021    Tue Apr 6 14:20:03 2021    ALERT      Filesystem                   EVT-FILESYS-00002: Problem is preventing filesystem from
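Microsoft Azure Storage services have been updated to use TLS certificates from Certificate Authorities (CAs) that chain up to the DigiCert Global G2 Root. In the meantime, the current certificates (issued by the Baltimore CyberTrust Root) continue to be used.
This change starts in July 2022 and is expected to be completed by the end of October 2022. We recommend installing the new certificate before June 30, 2022, and not deleting the current certificate.
To access Blob containers (for either Data Domain Cloud Tier or DDVE ATOS), Data Domain systems need the new DigiCert Global G2 root CA certificate, instead of the current Baltimore CyberTrust root CA certificate, as trusted for cloud.
For more details on this topic, see the following official Azure security blog post:
Azure Storage TLS: Critical changes are almost here! (…and why you should care) - Microsoft Tech Community.
To make the transition to the new Azure Storage security certificates as smooth as possible when the changes start being pushed in July 2022, keep the "Baltimore CyberTrust root CA" certificate as trusted for cloud in Data Domain and add the new "DigiCert Global G2 Root CA" certificate, also as trusted for cloud, rather than replacing one with the other.
Keeping both certificates causes no problems regardless of which CA issued the certificate that is presented. It lets the Data Domain DDVE system trust connections to Azure Storage, and so avoids any downtime when the new certificate is presented to the Data Domain/DDVE system for the first time at some point from July 2022 onward.
The following steps add support for the DigiCert Global G2 root certificate on Data Domain systems configured with Cloud Tier, or on DDVE deployed on the Azure cloud platform with ATOS. It is also recommended to add the DigiCert Global G3 root certificate and the Microsoft ECC or RSA Root Certificate Authority certificates to avoid future disruptions.
Confirm that the Data Domain DDVE system has the "Baltimore CyberTrust Root" for the cloud application, as in the following example: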
sysadmin@dd01# adminaccess certificate show
Subject Type Application Valid From Valid Until Fingerprint
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
dd01.example.com host https Tue Mar 26 10:38:34 2019 Wed Jan 31 10:48:38 2024 30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
dd01.example.com ca trusted-ca Wed Mar 27 17:38:34 2019 Wed Jan 31 10:16:38 2024 CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
Baltimore CyberTrust Root imported-ca cloud Fri May 12 11:46:00 2000 Mon May 12 16:59:00 2025 D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
Option 1: Instructions for installing the certificates using a Microsoft Windows workstation
For a demonstration, watch the video on YouTube.
Create a folder on the local workstation.
For example:
C:\MS-AZ-certificates
Download the DigiCert Global Root G2/G3 certificates from the following page:
DigiCert Root Certificates - Download & Test | DigiCert.com
Right-click Download PEM and save the link as:
DigiCertGlobalRootG2.crt.pem
SHA1 Fingerprint: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
DigiCertGlobalRootG3.crt.pem
SHA1 Fingerprint: 7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E
Download the Microsoft RSA and ECC certificates.
Right-click Download PEM and save the link as:
Microsoft RSA Root Certificate Authority 2017
(Thumbprint: 73a5e64a3bff8316ff0edccc618a906e4eae4d74)
Microsoft ECC Root Certificate Authority 2017
(Thumbprint: 999a64c37ff47d9fab95f14769891460eec4c3c5)
Go to the command line and perform the following steps. These commands are run from a Windows host, but similar commands can be run from a Linux host.
C:\MS-AZ-certificates>dir
 Volume in drive C is OS
 Volume Serial Number is E4AE-2A04

 Directory of C:\MS-AZ-certificates

15/10/2021  09:30 AM    <DIR>          .
15/10/2021  09:30 AM    <DIR>          ..
15/10/2021  09:29 AM             1,294 DigiCertGlobalRootG2.crt.pem
15/10/2021  09:29 AM               839 DigiCertGlobalRootG3.crt.pem
15/10/2021  09:30 AM               605 Microsoft ECC Root Certificate Authority 2017.crt
15/10/2021  09:30 AM             1,452 Microsoft RSA Root Certificate Authority 2017.crt
               4 File(s)          4,190 bytes
Rename the DigiCertGlobalRootG2 and DigiCertGlobalRootG3 files as shown below, with a .pem extension.
C:\MS-AZ-certificates>rename DigiCertGlobalRootG2.crt.pem DigiCertGlobalRootG2.pem
C:\MS-AZ-certificates>rename DigiCertGlobalRootG3.crt.pem DigiCertGlobalRootG3.pem
Convert the Microsoft ECC and RSA Root Certificate Authority certificates from crt to pem format as follows:
C:\MS-AZ-certificates>certutil -encode "Microsoft ECC Root Certificate Authority 2017.crt" ms-ecc-root.pem
Input Length = 605
Output Length = 890
CertUtil: -encode command completed successfully.

C:\MS-AZ-certificates>certutil -encode "Microsoft RSA Root Certificate Authority 2017.crt" ms-rsa-root.pem
Input Length = 1452
Output Length = 2054
CertUtil: -encode command completed successfully.

C:\MS-AZ-certificates>dir
 Volume in drive C is OS
 Volume Serial Number is E4AE-2A04

 Directory of C:\MS-AZ-certificates

15/10/2021  10:25 AM    <DIR>          .
15/10/2021  10:25 AM    <DIR>          ..
15/10/2021  09:29 AM             1,294 DigiCertGlobalRootG2.pem
15/10/2021  09:29 AM               839 DigiCertGlobalRootG3.pem
15/10/2021  09:46 AM               605 Microsoft ECC Root Certificate Authority 2017.crt
15/10/2021  09:45 AM             1,452 Microsoft RSA Root Certificate Authority 2017.crt
15/10/2021  10:25 AM               890 ms-ecc-root.pem
15/10/2021  10:25 AM             2,054 ms-rsa-root.pem
               6 File(s)          7,134 bytes
Using the PowerProtect DD System Manager UI, import all the PEM-format certificate files from the folder.
Option 2: Instructions for installing the certificates using a Linux workstation
Download the following two DigiCert certificates in .pem format.
https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem SHA1 Fingerprint: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
https://cacerts.digicert.com/DigiCertGlobalRootG3.crt.pem SHA1 Fingerprint: 7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E
Download the following two root certificates in DER CRT format.
Microsoft RSA Root Certificate Authority 2017
Microsoft ECC Root Certificate Authority 2017
(Thumbprint: 999a64c37ff47d9fab95f14769891460eec4c3c5)
Example:
Download the certificates using the Linux wget utility:
$ mkdir certs
$ cd certs
$ wget https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
--2021-10-18 20:10:52-- https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
.
.
2021-10-18 20:10:53 (16.5 MB/s) - ‘DigiCertGlobalRootG2.crt.pem’ saved [1294/1294]

$ wget https://cacerts.digicert.com/DigiCertGlobalRootG3.crt.pem
--2021-10-18 20:32:21-- https://cacerts.digicert.com/DigiCertGlobalRootG3.crt.pem
.
.
2021-10-18 20:32:21 (41.1 MB/s) - ‘DigiCertGlobalRootG3.crt.pem’ saved [839/839]

$ wget https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt
--2021-10-18 20:31:44-- https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt
.
.
2021-10-18 20:31:45 (73.2 MB/s) - ‘Microsoft RSA Root Certificate Authority 2017.crt’ saved [1452/1452]

$ wget https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt
--2021-10-18 20:31:16-- https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt
.
.
2021-10-18 20:31:16 (15.7 MB/s) - ‘Microsoft ECC Root Certificate Authority 2017.crt’ saved [605/605]

admin@linux:~/certs$ ls -l
total 155
-rw-rw-rw-. 1 admin admin  178 Oct 18 20:32 cert.list
-rw-rw-rw-. 1 admin admin 1294 Dec  6  2017 DigiCertGlobalRootG2.crt.pem
-rw-rw-rw-. 1 admin admin  839 Sep 22 12:36 DigiCertGlobalRootG3.crt.pem
-rw-rw-rw-. 1 admin admin  605 Jan 22  2020 Microsoft ECC Root Certificate Authority 2017.crt
-rw-rw-rw-. 1 admin admin 1452 Jan 22  2020 Microsoft RSA Root Certificate Authority 2017.crt
Convert the two Microsoft root certificates to .pem format using the following commands.
admin@linux:~/certs$ openssl x509 -inform der -in Microsoft\ ECC\ Root\ Certificate\ Authority\ 2017.crt -out ms-ecc-root.pem
admin@linux:~/certs$ openssl x509 -inform der -in Microsoft\ RSA\ Root\ Certificate\ Authority\ 2017.crt -out ms-rsa-root.pem
admin@linux:~/certs$ ls -l
total 155
-rw-rw-rw-. 1 admin admin  178 Oct 18 20:32 cert.list
-rw-rw-rw-. 1 admin admin 1294 Dec  6  2017 DigiCertGlobalRootG2.crt.pem
-rw-rw-rw-. 1 admin admin  839 Sep 22 12:36 DigiCertGlobalRootG3.crt.pem
-rw-rw-rw-. 1 admin admin  605 Jan 22  2020 Microsoft ECC Root Certificate Authority 2017.crt
-rw-rw-rw-. 1 admin admin 1452 Jan 22  2020 Microsoft RSA Root Certificate Authority 2017.crt
-rw-rw-rw-. 1 admin admin  875 Oct 18  2021 ms-ecc-root.pem
-rw-rw-rw-. 1 admin admin 2021 Oct 18  2021 ms-rsa-root.pem
Copy the .pem certificate files to the Data Domain system.
admin@linux:~/certs$ scp *.pem sysadmin@dd01.example.com:/ddr/var/certificates/
DigiCertGlobalRootG2.crt.pem    100% 1294    13.6KB/s   00:00
DigiCertGlobalRootG3.crt.pem    100%  839     8.8KB/s   00:00
ms-ecc-root.pem                 100%  875     9.2KB/s   00:00
ms-rsa-root.pem                 100% 2021    21.2KB/s   00:00
Install the certificates as follows:
adminaccess certificate import ca application cloud file <file-name>
Certificates should be stored in /ddr/var/certificates before you run the adminaccess command.
admin@linux:~/certs$ ssh sysadmin@dd01.example.com
sysadmin@dd01# adminaccess certificate import ca application cloud file DigiCertGlobalRootG2.crt.pem
The SHA1 fingerprint for the imported CA certificate is:
DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
Do you want to import this certificate? (yes|no) [yes]: y
CA certificate imported for application(s) : "cloud".

sysadmin@dd01# adminaccess certificate import ca application cloud file DigiCertGlobalRootG3.crt.pem
The SHA1 fingerprint for the imported CA certificate is:
7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E
Do you want to import this certificate? (yes|no) [yes]: y
CA certificate imported for application(s) : "cloud".

sysadmin@dd01# adminaccess certificate import ca application cloud file ms-ecc-root.pem
The SHA1 fingerprint for the imported CA certificate is:
99:9A:64:C3:7F:F4:7D:9F:AB:95:F1:47:69:89:14:60:EE:C4:C3:C5
Do you want to import this certificate? (yes|no) [yes]: y
CA certificate imported for application(s) : "cloud".

sysadmin@dd01# adminaccess certificate import ca application cloud file ms-rsa-root.pem
The SHA1 fingerprint for the imported CA certificate is:
73:A5:E6:4A:3B:FF:83:16:FF:0E:DC:CC:61:8A:90:6E:4E:AE:4D:74
Do you want to import this certificate? (yes|no) [yes]: y
CA certificate imported for application(s) : "cloud".
Check the new certificate information from the DD DDVE command line:
sysadmin@ddve# adminaccess cert show
Subject Type Application Valid From Valid Until Fingerprint
--------------------------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
dd01.example.com host https Tue Mar 26 10:38:34 2019 Wed Jan 31 10:48:38 2024 30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
dd01.example.com ca trusted-ca Wed Mar 27 17:38:34 2019 Wed Jan 31 10:16:38 2024 CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
Baltimore CyberTrust Root imported-ca cloud Fri May 12 11:46:00 2000 Mon May 12 16:59:00 2025 D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
DigiCert Global Root G2 imported-ca cloud Thu Aug 1 05:00:00 2013 Fri Jan 15 04:00:00 2038 DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
DigiCert Global Root G3 imported-ca cloud Thu Aug 1 05:00:00 2013 Fri Jan 15 04:00:00 2038 7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E
Microsoft ECC Root Certificate Authority 2017 imported-ca cloud Wed Dec 18 15:06:45 2019 Fri Jul 18 16:16:04 2042 99:9A:64:C3:7F:F4:7D:9F:AB:95:F1:47:69:89:14:60:EE:C4:C3:C5
Microsoft RSA Root Certificate Authority 2017 imported-ca cloud Wed Dec 18 14:51:22 2019 Fri Jul 18 16:00:23 2042 73:A5:E6:4A:3B:FF:83:16:FF:0E:DC:CC:61:8A:90:6E:4E:AE:4D:74
--------------------------------------------- ------------- ----------- ------------------------ ------------------------ -----------------------------------------------------------
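If any certificate was accidentally added for an "Application" other than "cloud", delete it from the Certificate Authority certificates under the Access Management UI.
For Data Domain systems configured with a Cloud Tier file system, a restart may be required to re-establish the connection to the cloud units. Schedule downtime and run the following command to restart the file system:
# filesys restart
For Data Domain systems running on the Azure platform, reboot the DDVE:
# system reboot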
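The Python script below is an added example, not part of the original article or any Dell tooling. It checks downloaded certificate files (PEM or DER) against the SHA1 fingerprints listed in this article before they are copied to the Data Domain system, and runs on either the Windows or the Linux workstation. Function names are illustrative assumptions.

```python
import base64
import hashlib
import re
import sys
import textwrap

# SHA1 fingerprints exactly as this article lists them (two notations).
PINNED = {
    "DigiCert Global Root G2": "DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4",
    "DigiCert Global Root G3": "7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E",
    "Microsoft RSA Root Certificate Authority 2017": "73a5e64a3bff8316ff0edccc618a906e4eae4d74",
    "Microsoft ECC Root Certificate Authority 2017": "999a64c37ff47d9fab95f14769891460eec4c3c5",
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def normalize(fp: str) -> str:
    """Accept 'DF:3C:...' or '73a5e6...' and return colon-separated upper-case hex."""
    digits = fp.replace(":", "").replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 40, 2))

def to_der(data: bytes) -> bytes:
    """Return the DER bytes of PEM or DER input (first PEM block only)."""
    m = PEM_RE.search(data)
    return base64.b64decode(m.group(1)) if m else data

def der_to_pem(der: bytes) -> str:
    """Base64-armour DER bytes, the re-encoding the conversion step performs."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprint(data: bytes) -> str:
    """SHA1 over the DER encoding; PEM and DER copies of one cert agree."""
    return normalize(hashlib.sha1(to_der(data)).hexdigest())

def identify(data: bytes):
    """Return the pinned CA name whose fingerprint matches, else None."""
    fp = fingerprint(data)
    return next((n for n, p in PINNED.items() if normalize(p) == fp), None)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the .pem and .crt files in ~/certs
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, fingerprint(blob), identify(blob) or "NOT PINNED: do not import")
```

Run it with the downloaded files as arguments; a file reported as not pinned should not be imported, and the fingerprint it prints should equal the one the adminaccess import prompt displays.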
Data Domain, Integrated Data Protection Appliance Family
16 Jan 2024
6
Solution