Create SSL Certificates for New Coordinator Point Server For vxfenswap


Article ID: 100063299


Description

Error Message

    # vxfenswap
    The logfile generated for vxfenswap is /var/VRTSvcs/log/vxfen/vxfenswap.log.29967

    Veritas vxfenswap version 7.4.2.2500 Linux

    Please Wait...

    CPS ERROR V-97-1400-937 None of the SSL certificates found in directory /var/VRTSvxfen/security/certs/ could be used to successfully connect to 192.168.10.230

    CP server [192.168.10.230]:443 is not reachable
 

Cause

The CP Client does not have SSL certificates for the new CP Server.

Resolution

Generate new SSL certificates for the CP Client on the new CP Server.

1.) Locate the client cluster's UUID

    [CPClient] # cat /etc/vx/.uuids/clusuuid
    {c7c2d65e-058f-11e8-a32c-c094107f3b61}

2.) Copy the CP Client's private key to the CP Server.

    [CPClient] # scp /var/VRTSvxfen/security/keys/client_private.key 192.168.10.230:/tmp/client_private_nbserver104.key

3.) Generate new certificates 

    [CPServer] # mkdir new_certs
    [CPServer] # cd new_certs

    Use the client cluster's UUID as the CN when creating the certificate signing request (CSR).

    [CPServer] # /usr/bin/openssl req -new -sha256 -key /tmp/client_private_nbserver104.key -subj '/C=IN/L=Pune/OU=VCS/CN={c7c2d65e-058f-11e8-a32c-c094107f3b61}' -out client_192.168.10.230.csr

    [CPServer] # /usr/bin/openssl x509 -req -days 3650 -sha256 -in client_192.168.10.230.csr -CA /var/VRTScps/security/certs/ca.crt -CAkey /var/VRTScps/security/keys/ca.key -set_serial 01 -out client_192.168.10.230.crt

    [CPServer] # cp /var/VRTScps/security/certs/ca.crt ca_192.168.10.230.crt
    [CPServer] # chmod 700 ca_192.168.10.230.crt
    [CPServer] # chmod 700 client_192.168.10.230.crt

4.) Copy certificates to CP Client

    Copy ca_192.168.10.230.crt and client_192.168.10.230.crt to /var/VRTSvxfen/security/certs on the CP Client

5.) Verify CPS Communication 

    [CPClient] # cpsadm -s 192.168.10.230 -a ping_cps
    CPS INFO V-97-1400-458 CP server successfully pinged

6.) Add the CP Client nodes to the CP Server if not already present. 

    [CPServer]# cpsadm -s 192.168.10.230 -a add_clus -p 443 -c prod -u {c7c2d65e-058f-11e8-a32c-c094107f3b61}
    CPS INFO V-97-1400-721 Cluster prod added successfully

    [CPServer]# cpsadm -s 192.168.10.230 -a add_node -p 443 -c prod -u {c7c2d65e-058f-11e8-a32c-c094107f3b61} -h nbuserver104 -n 0
    CPS INFO V-97-1400-712 Node 0 (nbuserver104) successfully added

    [CPServer]# cpsadm -s 192.168.10.230 -a add_node -p 443 -c prod -u {c7c2d65e-058f-11e8-a32c-c094107f3b61} -h nbuserver105 -n 1
    CPS INFO V-97-1400-712 Node 1 (nbuserver105) successfully added

7.) Perform the vxfenswap 

    [CPClient]# vxfenswap
    The logfile generated for vxfenswap is /var/VRTSvcs/log/vxfen/vxfenswap.log.23243

    Veritas vxfenswap version 7.4.2.2500 Linux

    Please Wait...

    Validation of coordination points change has succeeded on all nodes.
            You may commit the changes now.
            WARNING: This may cause the whole cluster to panic if a node leaves
            membership before the change is complete.

            Do you wish to commit this change? [y/n] (default: n) y
    Successfully completed the vxfenswap operation.

8.) Verify CP Server configuration   

    [CPClient]# vxfenconfig -l

    I/O Fencing Configuration Information:
    ======================================

    single_cp=0
    [192.168.10.227]:443 {90360fea-c4e9-11ee-a347-8037522d04a6}
    [192.168.10.230]:443 {93d3bcfe-c748-11ee-a37c-c463f6753437}
    [192.168.10.226]:443 {bdbc6766-c4e9-11ee-b0c9-9ff5272997e6}

    [CPClient]# cat /etc/vxfenmode
    vxfen_mode=customized
    vxfen_mechanism=cps
    cps1=[192.168.10.230]:443
    cps2=[192.168.10.226]:443
    cps3=[192.168.10.227]:443
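
The V-97-1400-937 error does not say which property of a certificate made it unusable, so the following added example (not part of the original article and not Veritas tooling) checks the files produced in steps 3 and 4 before `cpsadm` or `vxfenswap` is run: expiry, CA signature, key match and CN. The function names and the throwaway sample CA are assumptions made for the demonstration; only standard `openssl` subcommands are used.

```shell
#!/bin/sh
# Added example, not Veritas tooling: pre-flight check of a CP client certificate.
# check_cps_cert <ca.crt> <client.crt> <client_private.key> <cluster-uuid>
check_cps_cert() {
    ca=$1; crt=$2; key=$3; uuid=$4
    # 1. The certificate must not be expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $crt has expired or is unreadable"; return 1; }
    # 2. It must chain to the CA certificate copied from the CP server.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt is not signed by $ca"; return 1; }
    # 3. Its public key must be the public half of the client's private key.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL: $crt does not match $key"; return 1; }
    # 4. The subject CN must be exactly the cluster UUID, braces included.
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)
    case $subj in
        *"CN=$uuid,"*|*"CN=$uuid") ;;
        *) echo "FAIL: CN is not $uuid ($subj)"; return 1 ;;
    esac
    echo "OK: $crt"
}

# Build a throwaway CA and client certificate (constructed sample data) with the
# same openssl req/x509 options as step 3. $1 = output directory, $2 = UUID.
make_sample_set() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=sample-ca' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl genrsa -out "$d/client_private.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$d/client_private.key" \
        -subj "/C=IN/L=Pune/OU=VCS/CN=$2" -out "$d/client.csr" &&
    openssl x509 -req -days 1 -sha256 -in "$d/client.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -set_serial 01 -out "$d/client.crt" 2>/dev/null
}

# Demo on constructed data; on a real CP client pass the files from
# /var/VRTSvxfen/security/certs and /var/VRTSvxfen/security/keys instead.
tmp=$(mktemp -d)
make_sample_set "$tmp" '{c7c2d65e-058f-11e8-a32c-c094107f3b61}' &&
    check_cps_cert "$tmp/ca.crt" "$tmp/client.crt" "$tmp/client_private.key" \
        '{c7c2d65e-058f-11e8-a32c-c094107f3b61}'
rm -rf "$tmp"
```

The `openssl req` command in step 3 is the only place the client's private key is used on the CP server, so the copy under /tmp can be deleted once the CSR exists.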

 

 

Issue/Introduction

Unable to perform vxfenswap using the new Coordinator Point Server.