CPS ERROR V-97-1400-930 message is continuously logged in the CPS server logs

Article ID: 100034241

Description

Error Message

CPS ERROR V-97-1400-930 UUID in client certificate is: {23b7f6b6-1dd2-11b2-a60d-7a29666aa648}, UUID in request is: {775c36e8-1dd2-11b2-ac4b-18a9d61cd6a2} . Rejecting request since they are not same.

A. Identify the client nodes that have incorrect client certificates.

Example error message:
 
CPS ERROR V-97-1400-930 UUID in client certificate is: {23b7f6b6-1dd2-11b2-a60d-7a29666aa648}, UUID in request is: {775c36e8-1dd2-11b2-ac4b-18a9d61cd6a2} . Rejecting request since they are not same.
 
Check which VCS cluster the client UUID referenced above belongs to:
 
# cpsadm -s <CP_server_VIP> -a list_nodes | grep "<client_cluster_UUID>"
 

For example:
 
# cpsadm -s xx.xxx.xx.xx -a list_nodes | grep "775c36e8-1dd2-11b2-ac4b-18a9d61cd6a2"
[…]
vclus004 {775c36e8-1dd2-11b2-ac4b-18a9d61cd6a2} vclus004node001(0)   0
vclus004 {775c36e8-1dd2-11b2-ac4b-18a9d61cd6a2} vclus004node002(1)   0
 

B. Perform the following steps on one of the client nodes (in this example, xxxxnode001 or xxxxnode002) where the client certificates are incorrect.


Example using xxxxnode001:
 

1. Perform a backup of the current security folder on the client nodes
# mv /var/VRTSvxfen/security /var/VRTSvxfen/security_bkp
 


2. Create the following directories on the client nodes
# mkdir /var/VRTSvxfen/security
# mkdir /var/VRTSvxfen/security/certs
# mkdir /var/VRTSvxfen/security/keys
 


3. Create the client private key
# /opt/VRTSperl/non-perl-libs/bin/openssl genrsa -out /var/VRTSvxfen/security/keys/client_private.key 2048
 


4. Copy the CA certificate from the CP server (location: /var/VRTScps/security/certs/ca.crt) and store it as /var/VRTSvxfen/security/certs/ca_<CP_server_VIP>.crt.
# scp <CP_server_VIP>:/var/VRTScps/security/certs/ca.crt /var/VRTSvxfen/security/certs/ca_<CP_server_VIP>.crt
 
Example assuming that 10.225.180.237 is the VIP (Virtual IP) where the CP server is hosted:
# scp 10.225.180.237:/var/VRTScps/security/certs/ca.crt /var/VRTSvxfen/security/certs/ca_10.225.180.xxx.crt
 


5. Copy the ca.key from the server (/var/VRTScps/security/keys/ca.key) as well.
# scp 10.225.180.237:/var/VRTScps/security/keys/ca.key /var/VRTSvxfen/security/keys/ca_10.225.180.xxx.key

Note: The CA key is needed only in Step 8. It does not need to be stored permanently on the client nodes.



6. Obtain the client cluster UUID
 
# cat /etc/vx/.uuids/clusuuid
 
[root@vclus004node001 ~]# cat /etc/vx/.uuids/clusuuid
{775c36e8-1dd2-11b2-ac4b-18a9d61cd6a2}
 


7. Generate the client CSR (use the UUID obtained in step 6).
 
# /opt/VRTSperl/non-perl-libs/bin/openssl req -new -key /var/VRTSvxfen/security/keys/client_private.key -subj '/C=US/L=city/OU=section/CN={<client_cluster_UUID>}' -out /var/VRTSvxfen/security/certs/client_<CP_server_VIP>.csr
 
# /opt/VRTSperl/non-perl-libs/bin/openssl req -new -key /var/VRTSvxfen/security/keys/client_private.key -subj '/C=US/L=city/OU=section/CN={775c36e8-1dd2-11b2-ac4b-18a9d61cd6a2}' -out /var/VRTSvxfen/security/certs/client_10.225.180.237.csr
 
Note: Newer openssl versions may also require the -config parameter.
Example:

# /opt/VRTSperl/non-perl-libs/bin/openssl req -new -key /var/VRTSvxfen/security/keys/client_private.key -config <path_to_https_ssl_cert.conf> -subj '/C=US/L=city/OU=section/CN={775c36e8-1dd2-11b2-ac4b-18a9d61cd6a2}' -out /var/VRTSvxfen/security/certs/client_10.225.180.237.csr
 

Sample config format for https_ssl_cert.conf file:

[req]
distinguished_name = req_distinguished_name 
req_extensions = v3_req 
[req_distinguished_name]  
countryName = <Country Name (2 letter code)>  
countryName_default = US  
localityName = <Locality Name (eg, city)>
organizationalUnitName = <Organizational Unit Name (eg, section)> 
commonName = <Common Name (eg, YOUR name)> 
commonName_max = 64  
emailAddress =   
emailAddress_max = 40 
[v3_req]  
keyUsage = keyEncipherment, dataEncipherment  
extendedKeyUsage = serverAuth  
subjectAltName = @alt_names 
[alt_names]  
DNS.1 =  
DNS.2 =  
DNS.3 = eg. 192.168.x.x>

 


8. Generate the client certificate using the client CSR from step 7 and the CA certificate and CA key obtained in steps 4 and 5 respectively.
# /opt/VRTSperl/non-perl-libs/bin/openssl x509 -req -days 100 -in /var/VRTSvxfen/security/certs/client_<CP_server_VIP>.csr -CA /var/VRTSvxfen/security/certs/ca_<CP_server_VIP>.crt -CAkey /var/VRTSvxfen/security/keys/ca_<CP_server_VIP>.key -set_serial 01 -out /var/VRTSvxfen/security/certs/client_<CP_server_VIP>.crt
 
# /opt/VRTSperl/non-perl-libs/bin/openssl x509 -req -days 100 -in /var/VRTSvxfen/security/certs/client_10.225.180.xxx.csr -CA /var/VRTSvxfen/security/certs/ca_10.225.180.xxx.crt -CAkey /var/VRTSvxfen/security/keys/ca_10.225.180.xxx.key -set_serial 01 -out /var/VRTSvxfen/security/certs/client_10.225.180.xxx.crt
Signature ok
subject=/C=US/L=city/OU=section/CN={775c36e8-1dd2-11b2-ac4b-18a9d61cd6a2}
Getting CA Private Key
#
 

 

C. Perform the following on the rest of the nodes in the cluster.

 
Example using vclus004node002:
 
Once the certificates are generated on one of the client nodes (such as vclus004node001), copy them to the other client nodes (vclus004node002) of the same cluster (vclus004) in the appropriate directories.
 
Example:
 
/var/VRTSvxfen/security/certs/client_10.225.180.xxx.crt
/var/VRTSvxfen/security/certs/ca_10.225.180.xxx.crt
/var/VRTSvxfen/security/keys/client_private.key
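
The shell functions below are an added example, not part of the vendor's procedure or tooling. They check that the certificate from step 8 carries the cluster UUID from step 6 in its CN, verifies against the copied CA certificate, and matches the client private key, and they list any CA key still left on the node. The function names are hypothetical; the paths follow the article's example.

```sh
#!/bin/sh
# Added example (not vendor code): checks to run on the node where step 8
# produced the client certificate, before copying files to other nodes.
# OPENSSL defaults to the binary the article uses; override if needed.
OPENSSL=${OPENSSL:-/opt/VRTSperl/non-perl-libs/bin/openssl}

# Extract {UUID} from an openssl "subject=" line. Accepts the older
# "/CN={...}" form and the newer "CN = {...}" form.
cn_uuid() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\({[0-9a-fA-F-]*}\).*/\1/p'
}

# Extract "<certificate UUID> <request UUID>" from a V-97-1400-930 log line.
mismatch_pair() {
    printf '%s\n' "$1" | sed -n \
      's/.*V-97-1400-930 UUID in client certificate is: \({[^}]*}\), UUID in request is: \({[^}]*}\).*/\1 \2/p'
}

# Step 5 note: the CA key is only needed for step 8. List any copy that
# is still present in the client's keys directory.
leftover_ca_keys() {
    find "${1:-/var/VRTSvxfen/security/keys}" -type f -name 'ca*.key' 2>/dev/null
}

# Succeeds only if the certificate CN equals the cluster UUID, the
# certificate verifies against the CA, and it matches the RSA private key.
verify_client_cert() {
    crt=$1; ca=$2; key=$3; uuidfile=${4:-/etc/vx/.uuids/clusuuid}
    want=$(tr -d ' \r\n' < "$uuidfile")
    got=$(cn_uuid "$("$OPENSSL" x509 -noout -subject -in "$crt")")
    [ "$got" = "$want" ] || { echo "CN $got != cluster UUID $want"; return 1; }
    "$OPENSSL" verify -CAfile "$ca" "$crt" 2>&1 | grep -q ': OK$' ||
        { echo "$crt does not verify against $ca"; return 1; }
    [ "$("$OPENSSL" x509 -noout -modulus -in "$crt")" = \
      "$("$OPENSSL" rsa -noout -modulus -in "$key")" ] ||
        { echo "$crt does not match $key"; return 1; }
    echo "OK: $crt carries cluster UUID $want"
}

# Usage (paths follow the article's example):
#   d=/var/VRTSvxfen/security
#   verify_client_cert $d/certs/client_10.225.180.xxx.crt \
#       $d/certs/ca_10.225.180.xxx.crt $d/keys/client_private.key
#   leftover_ca_keys $d/keys
```
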
 

Cause

The client UUID is placed in the CN (Common Name) field of the client certificate when the certificate is generated. The certificate is usually generated by the CPI while configuring fencing on clients and while configuring CPS on the server. The above error messages are logged either if the client certificates in use are incorrect or if there was a problem generating these certificates.

Resolution

This issue can be fixed by generating the client certificates manually on the client nodes. It requires replacing the current certificates on the client with the new ones generated by steps A through C of this article.

Issue/Introduction

CPS server logs continuously logging "CPS ERROR V-97-1400-930 UUID in client certificate is: {23b7f6b6-1dd2-11b2-a60d-7a29666aa648}, UUID in request is: {775c36e8-1dd2-11b2-ac4b-18a9d61cd6a2} . Rejecting request since they are not same."