
FusionAccess V100R006C20 Alarm Handling 05 (FusionSphere 6.3.1)


1000048 Certificate Has Expired or Is About to Expire

Description

After the ITA service is enabled, the system checks certificate validity every two minutes. The alarm is generated when the time left before the certificate expires is shorter than the threshold (30 days by default) or the certificate has expired. You can update the certificate to clear the alarm.

Attribute

| Alarm ID | Alarm Severity | Auto Clear |
|----------|----------------|------------|
| 1000048  | Critical       | Yes        |

Parameters

Alarm ID: Identifies an alarm. Each alarm is uniquely identified by an alarm ID and an alarm name.

Alarm Severity: Indicates the severity of an alarm. Value:

  • Critical: indicates that a fault affecting services provided by the system occurs. You need to rectify the fault immediately. If a device or resource is faulty, rectify it immediately even if the fault occurs during non-working hours.
  • Major: indicates that a fault affecting the service quality of the system occurs. You need to rectify the fault immediately. If the service quality of a device or resource is degraded, rectify it immediately during working hours.
  • Minor: indicates a fault that does not affect service quality. To prevent more serious faults, this type of alarm needs to be observed or handled if necessary.
  • Warning: indicates a fault that may affect service quality. This type of alarm must be handled based on the error type.

Alarm Name: Identifies an alarm. Each alarm is uniquely identified by an alarm ID and an alarm name.

Object Type: Specifies the type of the object for which the alarm is generated.

Alarm Object Name: Specifies the name of the object for which the alarm is generated.

Component Type: (This parameter exists only in FusionManager.) Specifies the type of the component for which the alarm is generated.

Generation Time: Specifies the time when the alarm is generated.

Clear Time: Specifies the time when the alarm is cleared.

Clear Mode: Specifies whether the alarm is manually or automatically cleared.

Operation: Specifies the operation that can be performed on the alarm. Value: Manually Clear Alarm

Impact on the System

After the certificate expires, you cannot log in to the FusionAccess Portal or ITA cannot communicate with other components.

Possible Causes

The certificate has expired or is about to expire.

Procedure

  1. Update the certificates that have expired or are about to expire, based on the certificate library files and the alias list in the alarm details. Table 18-1 lists the update reference for each certificate file; for details, see Operation and Maintenance > System Management > Certificate Management in the FusionAccess Desktop Solution V100R006C20 Product Documentation. If the certificate file that has expired or is about to expire is litead.keystore (this certificate file is checked by default), replace the certificate file. For details, see System Management > Certificate Management > Replacing the LiteAD Certificate in the FusionAccess Desktop Solution V100R006C20 LiteAD User Guide.

    Table 18-1 Certificate update reference

    | Certificate File | Certificate Update Reference | Whether Certificate Validity Is Checked by Default |
    |------------------|------------------------------|----------------------------------------------------|
    | itacert.p12 | Updating Component Communication Certificates. Please update the certificates for communication between the ITA, HDC, WI, AUS, License, and vAG/vLB at the same time. | Yes |
    | tomcat.jks | Updating Component Communication Certificates. Please update the certificates for communication between the ITA, HDC, WI, AUS, License, and vAG/vLB at the same time. | Yes |
    | ssokey | Updating the ITA Portal Certificate | Yes |
    | fasso.jks | Updating the ITA Portal Certificate | No. The check is performed when ITA uses this certificate as an SSO trust certificate library during its interconnection with a third-party system. |
    | vDesktop6000.keystore | Updating the ITA Portal Certificate. Choose NBI certificate of the local ITA when updating the certificate. | Yes |
    | ita_client.p12 | Updating the ITA Portal Certificate. Choose NBI certificate of the local ITA when updating the certificate. | No. The check is performed when ITA is configured as a DR site. |
    | hwtruststore | Updating the ITA Portal Certificate. Choose GaussDB client certificate when updating the certificate. | No. The check is performed when ITA connects to a database in SSL mode. |
    | fcserver.keystore | Updating the ITA and FusionCompute Certificates | No. The check is performed when ITA interconnects with FusionCompute. |
    | vrm.jks | Updating the ITA and FusionManager Certificates | Yes |
    | fmserver.keystore | Updating the ITA and FusionManager Client Certificates | No. The check is performed when ITA interconnects with FusionManager. |
    | openstackserver.keystore | Updating the Certificate Used for Interconnection Between the ITA and an OpenStack Server | No. The check is performed when ITA interconnects with OpenStack. |

  2. Choose FusionManager > Monitoring or FusionAccess > Alarm to check whether the alarm still exists.

    • If yes, go to Step 3.
    • If no, no further operation is required.

  3. Log in to the ITA server and delete the certificates that have expired or are about to expire from the certificate library.

    a. Log in to the ITA server as user gandalf.
    b. Run the cd /opt/ITA/tomcat/ita/WEB-INF/conf/security command to go to the corresponding directory.
    c. Run the command /opt/ITA/jre/bin/keytool -delete -alias <certificate alias> -keystore <keystore file name>.

      Obtain the certificate file name and certificate alias from the alarm details. For example, in the following alarm details, the certificate file name is tomcat.jks, the certificate alias is mykey, and the command for deleting the certificate is /opt/ITA/jre/bin/keytool -delete -alias mykey -keystore tomcat.jks.

      About to Expire Certificates = {[tomcat.jks:mykey] }
    d. Enter the password of the keystore file as prompted to delete the certificates that have expired or are about to expire from the certificate library.
    e. Repeat 3.c to 3.d to delete other certificates that have expired or are about to expire.
    f. Run the sudo service ITAService restart command to restart the ITA service.

  4. Repeat Step 3 to delete the other ITA certificates that have expired or are about to expire.
  5. Choose FusionManager > Monitoring or FusionAccess > Alarm to check whether the alarm still exists.

    • If yes, contact Huawei technical support.
    • If no, no further operation is required.
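The threshold check from the Description can be reproduced offline to confirm which aliases in a keystore would still raise the alarm, before or after the update. The following is an added example, not Huawei's code: it parses the text printed by keytool -list -v and reports entries in the keystore:alias form used in the alarm details. The sample listing, the aliases oldkey and rootca, and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -v -keystore tomcat.jks` output
# (trimmed to the fields used here; aliases and dates are made up).
SAMPLE_LISTING = """\
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Valid from: Thu Mar 01 00:00:00 UTC 2018 until: Fri Mar 15 00:00:00 UTC 2019
Certificate[2]:
Valid from: Wed Mar 01 00:00:00 UTC 2017 until: Wed Mar 01 00:00:00 UTC 2028

Alias name: oldkey
Entry type: trustedCertEntry
Valid from: Wed Mar 01 00:00:00 UTC 2017 until: Tue Jan 01 00:00:00 UTC 2019

Alias name: rootca
Entry type: trustedCertEntry
Valid from: Wed Mar 01 00:00:00 UTC 2017 until: Wed Mar 01 00:00:00 UTC 2028
"""

# keytool prints Java's Date.toString(); weekday and zone name are skipped, so
# `now` must be given in the same zone the listing was produced in (assumption).
UNTIL_RE = re.compile(r"until: \w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")

def earliest_expiry(listing):
    """Map each alias to the earliest 'until' date in its certificate chain."""
    expiry, alias = {}, None
    for line in listing.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        match = UNTIL_RE.search(line)
        if match and alias is not None:
            not_after = datetime.strptime(" ".join(match.groups()), "%b %d %H:%M:%S %Y")
            expiry[alias] = min(not_after, expiry.get(alias, not_after))
    return expiry

def classify(listing, keystore, now, threshold_days=30):
    """Return entries as 'keystore:alias', split into expired / about to expire."""
    report = {"expired": [], "about_to_expire": []}
    for alias, not_after in sorted(earliest_expiry(listing).items()):
        if not_after <= now:
            report["expired"].append(f"{keystore}:{alias}")
        elif not_after - now < timedelta(days=threshold_days):
            report["about_to_expire"].append(f"{keystore}:{alias}")
    return report

if __name__ == "__main__":
    print(classify(SAMPLE_LISTING, "tomcat.jks", now=datetime(2019, 3, 1)))
```

The earliest date in each chain is used because an expiring intermediate or root certificate invalidates the entry just as an expiring leaf does.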

Related Information

None

Updated: 2019-03-01

Document ID: EDOC1100010511
