- VPLEX VS2 to VS6 GenU has taken place.
- VPN Certificates have been renewed.
An end user received the following alert message: "The Host Certificate will expire within a month."
The certificates have not yet been renewed after a GenU, and an IP swap was used during the GenU.
The certificates have been renewed after a GenU, and afterwards the VPlexcli command "security list-certificates" shows different serial numbers than expected.
Example:
current TLA/Serial Number: CKM00xxxxxx123
Original TLA/Serial Number before a GenU of a VS6: CKM00yyyyyy456
Example of current TLA when the 'cluster summary' command is run:
VPlexcli:/> cluster summary
Clusters:
Name Cluster ID TLA Connected Expelled Operational Status Health State
-------- ---------- -------------- --------- -------- ------------------ ------------
cluster-1 1 CKM00xxxxxx123 true false ok ok
cluster-2 2 CKM00xxxxxx124 true false ok ok
Islands:
Island ID Clusters
--------- ------------------
1 cluster-1, cluster-2
Example output when the 'security list-certificates' command* is run (the command may take time to run):
*Note: the security list-certificates command only reports the TLA for the cluster it is run on, not for the remote/peer cluster in a Metro configuration.
VPlexcli:/> security list-certificates
Filename                   Cert Type  Issued to                            Issued by          Date Validity  Expiry Date              Start Date               Issuer check  Entry in TS/KS  Signature Algorithm
-------------------------  ---------  -----------------------------------  -----------------  -------------  -----------------------  -----------------------  ------------  --------------  -----------------------
strongswanCert.pem         CA         CN=CKM00yyyyyy456                    CN=CKM00yyyyyy456  YES            May 5 09:29:04 2025 GMT  May 6 09:29:04 2020 GMT  YES           TS              sha256WithRSAEncryption
hostCert.pem               VPN        CN=VPlex VPN: CKM00yyyyyy456         CN=CKM00yyyyyy456  YES            May 6 09:33:44 2022 GMT  May 6 09:33:44 2020 GMT  YES           -               sha256WithRSAEncryption
webServerHostCertFile.pem  WEB        CN=VPlex Web Server: CKM00yyyyyy456  CN=CKM00yyyyyy456  YES            May 6 09:35:24 2022 GMT  May 6 09:35:24 2020 GMT  YES           KS              sha256WithRSAEncryption
CA - Certificate Authority
TS - Trust Store
KS - Key Store
- Check the management server (MMCS-A for VS6) to see whether the following files are present and valid in /var/log/VPlex/cli:
- CACertSubjectInfo.txt
- HostCertSubjectInfo.txt
- WebServerHostCertSubjectInfo.txt
To check for these files on the management server, change directory (cd) to the
/var/log/VPlex/cli directory, then run the command "ll *.txt". Other .txt files may
also be listed; look only for the three listed above.
service@ManagementServer:~> cd /var/log/VPlex/cli
service@ManagementServer:/var/log/VPlex/cli> ll *.txt
-rw-r--r-- 1 service users 176 Jan 15 21:24 CACertSubjectInfo.txt
-rw-r--r-- 1 service users 187 Jan 15 21:24 HostCertSubjectInfo.txt
-rw-r--r-- 1 service users 194 Jan 15 21:24 WebServerHostCertSubjectInfo.txt
- First, check what the TLA is for the cluster. You only need to check one engine, as the TLA is the same for all engines in a cluster.
- On cluster-1, log in to the VPlexcli to run the check.
service@ManagementServer:~> vplexcli
Trying ::1...
Connected to localhost.
Escape character is '^]'.
VPlexcli:/> ll /engines/engine-1-1
/engines/engine-1-1:
Attributes:
Name Value
------------------ --------------
cluster-ip-seed 1
enclosure-id 1
engine-family VPL
engine-id 1-1
health-indications []
health-state ok
marker-led off
operational-status online
part-number 100-565-139-04
revision-number FFF
serial-number CF2GA193xxxxxx
top-level-assembly FNM00xxxxx0656 <---
wwn-seed 43e01cb9
- Next exit the VPlexcli to get back to the management server and then change directory (cd) to the /var/log/VPlex/cli directory.
VPlexcli:/> exit
Connection closed by foreign host.
service@ManagementServer:~> cd /var/log/VPlex/cli
service@ManagementServer:/var/log/VPlex/cli>
- Now 'cat' each file listed back in step 1 to see what TLA is listed in the 'SUBJECT_COMMON_NAME' line of each file.
Example for the CACertSubjectInfo.txt file:
service@ManagementServer:/var/log/VPlex/cli> cat CACertSubjectInfo.txt
SUBJECT_COUNTRY=US
SUBJECT_STATE=Massachusetts
SUBJECT_LOCALITY=Hopkinton
SUBJECT_ORG=EMC
SUBJECT_ORG_UNIT=EMC
SUBJECT_COMMON_NAME=FNM00xxxxxx0034 <---
SUBJECT_EMAIL=support@emc.com
- If the 'SUBJECT_COMMON_NAME' line in any of the three files lists the wrong TLA serial number, use the vi editor to update 'SUBJECT_COMMON_NAME' to the correct TLA serial number in each file where it is incorrect. Run these from the /var/log/VPlex/cli directory:
vi CACertSubjectInfo.txt
vi HostCertSubjectInfo.txt
vi WebServerHostCertSubjectInfo.txt
Example for the CACertSubjectInfo.txt file:
service@ManagementServer:/var/log/VPlex/cli> vi CACertSubjectInfo.txt
SUBJECT_COUNTRY=US
SUBJECT_STATE=Massachusetts
SUBJECT_LOCALITY=Hopkinton
SUBJECT_ORG=EMC
SUBJECT_ORG_UNIT=EMC
SUBJECT_COMMON_NAME=FNM00xxxxx0034 <---
SUBJECT_EMAIL=support@emc.com
~
~
~
"CACertSubjectInfo.txt" 7L, 176C 1,1 All
As you can see, the TLA listed for "SUBJECT_COMMON_NAME" is different from the TLA shown in step 2a. To edit this line in vi, use the down arrow to move the cursor down to the "SUBJECT_COMMON_NAME" line, then use the right arrow to move the cursor to the first character of the TLA serial number, in this example the "F". For VPLEX shipped in Europe and Asia the serial numbers begin with CKM, so the first character is the "C" in those serial numbers.
- Next, with the cursor on the first letter of the serial number, type "cw" for "change word". The current serial number disappears and "-- INSERT --" is shown at the bottom left. At the cursor, type in the correct TLA as listed back in step 2a.
Once done, press the "Esc" key to exit INSERT mode.
The new serial number should now be listed for the "SUBJECT_COMMON_NAME" line, and be the same as the one listed in step 2a.
Example:
CACertSubjectInfo.txt
SUBJECT_COUNTRY=US
SUBJECT_STATE=Massachusetts
SUBJECT_LOCALITY=Hopkinton
SUBJECT_ORG=EMC
SUBJECT_ORG_UNIT=EMC
SUBJECT_COMMON_NAME=FNM00xxxxx0656 <---
SUBJECT_EMAIL=support@emc.com
~
~
~
"CACertSubjectInfo.txt" 7L, 176C 6,21 All
- Now, to save and close the vi session, type :wq, which writes the changes and quits vi, taking you back to the Linux prompt.
Example:
service@ManagementServer:/var/log/VPlex/cli> vi CACertSubjectInfo.txt
service@ManagementServer:/var/log/VPlex/cli>
- To confirm the change was saved, cat the file you just edited and check the 'SUBJECT_COMMON_NAME' line.
Example:
service@ManagementServer:/var/log/VPlex/cli> cat CACertSubjectInfo.txt
SUBJECT_COUNTRY=US
SUBJECT_STATE=Massachusetts
SUBJECT_LOCALITY=Hopkinton
SUBJECT_ORG=EMC
SUBJECT_ORG_UNIT=EMC
SUBJECT_COMMON_NAME=FNM00xxxxx0656 <--- corrected TLA
SUBJECT_EMAIL=support@emc.com
- Repeat these steps for a Metro configuration on cluster-2.
- After correcting the TLA in all three files (on both clusters if a Metro), you need to re-create the security certificates.
You may use the following article to renew the certificates:
KBA 468657, "VPLEX: How to manually re-create the VPN security certificates" (Only registered Dell Customers can access this article link)
- After re-creating the certificates on both clusters, check them with the VPlexcli command:
security list-certificates
- You will need to run the command in step 5 on each cluster separately for a Metro configuration, as the command only lists the certificate info for the cluster it is run on.
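The SUBJECT_COMMON_NAME check and correction described above can also be scripted. The following is an added example, not part of the original article or Dell tooling: the three file names and the SUBJECT_COMMON_NAME key come from the article, while the function names and the .bak backup suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the three *SubjectInfo.txt files against the cluster TLA.
# Function names and the .bak backup suffix are assumptions of this example.

SUBJECT_FILES="CACertSubjectInfo.txt HostCertSubjectInfo.txt WebServerHostCertSubjectInfo.txt"

# Print the SUBJECT_COMMON_NAME value of one file, without CR or trailing blanks.
subject_cn() {
    sed -n 's/^SUBJECT_COMMON_NAME=//p' "$1" | tr -d '\r' | sed 's/[[:space:]]*$//' | head -n 1
}

# check_subject_cn DIR TLA: report each file; the return status is the number
# of files that are missing or whose common name differs from TLA (0 = all match).
check_subject_cn() {
    dir=$1; tla=$2; bad=0
    for f in $SUBJECT_FILES; do
        if [ ! -r "$dir/$f" ]; then
            echo "MISSING   $f"; bad=$((bad + 1)); continue
        fi
        cn=$(subject_cn "$dir/$f")
        if [ "$cn" = "$tla" ]; then
            echo "OK        $f ($cn)"
        else
            echo "MISMATCH  $f (found '$cn', expected '$tla')"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# fix_subject_cn DIR TLA: rewrite only the SUBJECT_COMMON_NAME line of files
# that mismatch, keeping a .bak copy of every file it changes.
fix_subject_cn() {
    dir=$1; tla=$2
    # Accept only plain alphanumeric serials so the value is safe inside sed.
    case $tla in *[!A-Za-z0-9]*|'') echo "refusing TLA: $tla" >&2; return 2;; esac
    for f in $SUBJECT_FILES; do
        [ -r "$dir/$f" ] || continue
        if [ "$(subject_cn "$dir/$f")" != "$tla" ]; then
            cp -p "$dir/$f" "$dir/$f.bak" &&
            sed "s/^SUBJECT_COMMON_NAME=.*/SUBJECT_COMMON_NAME=$tla/" "$dir/$f.bak" > "$dir/$f"
        fi
    done
}
```

Source the file on the management server and call check_subject_cn with /var/log/VPlex/cli and the top-level-assembly value reported by "ll /engines/engine-1-1"; run fix_subject_cn with the same arguments only if mismatches are reported, then re-run the check.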