HUAWEI CLOUD Stack 6.5.0 Alarm and Event Reference 04

ALM-1510003 GaussdbHA Certificate Alarm

Description

This alarm is generated when the certificate expires, is invalid, or is about to expire.

Attribute

  Alarm ID | Alarm Severity | Auto Clear
  ---------|----------------|-----------
  1510003  | Critical       | Yes

Parameters

  Parameter       | Description
  ----------------|----------------------------------------------------
  Location Info   |
  Resource name   | Name of the device for which the alarm is generated
  Resource type   | MONITOR
  Monitor type    | Certificate monitoring
  Host IP address | IP address of the host
  Details         | Monitoring data in last period
  Threshold       | Threshold for generating an alarm

Impact on the System

The database certificate is abnormal or the certificate is about to expire.

Possible Causes

  • If the threshold is 1, the certificate is about to expire.
  • If the threshold is 2, the certificate has expired.
  • If the threshold is 3, the certificate is invalid or does not exist.

Prerequisites

  • You have obtained the IP addresses of the active and standby database nodes of the corresponding services.
  • You have obtained the certificates to be replaced. If you have not obtained the certificates, you can temporarily use the default certificates released with GaussdbHA.

    One set of certificates must contain the following five certificate files:

    • cacert.pem: the root certificate file used to issue the server and client certificates.
    • server.crt: the server certificate file.
    • server.key: the server private key file.
    • client.crt: the client certificate file.
    • client.key: the client private key file.
      NOTE:

      Currently, GaussdbHA supports only level-1 to level-3 certificates.

  • You have obtained the other information related to the certificates. This information is represented by the variables in Table 16-1, which are referenced in subsequent steps and must be replaced with the actual site values.
    Table 16-1 Variable description

    Variable            | Description                                                                                                                                                                       | Value in the Default Certificate
    --------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------
    CERT_PATH           | Temporary directory for uploading new certificates to the environment. This document uses /home/rts1/certs as an example. Make sure that files can be uploaded to the directory. | Configure the value as planned.
    CERT_CN             | Organization information used when the certificate is generated.                                                                                                                  | www.huawei.com
    CERT_CLIENT_KEY_PWD | Protection password of the client certificate private key. The value can be empty.                                                                                                | FusionSphere123
    CERT_SERVER_KEY_PWD | Protection password of the server certificate private key. The value can be empty.                                                                                                | FusionSphere123

  • A remote access tool that runs on various platforms, such as PuTTY, is available.
  • You have obtained a network transfer tool, such as WinSCP.
  • You have obtained the password of the user for installing the database and the password of the root user.
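
Before uploading a certificate set, a pre-check that mirrors the three alarm thresholds listed under Possible Causes (1 about to expire, 2 expired, 3 invalid or missing) catches most replacement mistakes before haStopAll is run. The script below is an added example, not Huawei tooling; it assumes openssl on PATH, takes the directory, the CERT_CN value and a warning window in days as arguments (defaulting to the Table 16-1 variables and a 30-day window, an assumption since the page does not state when "about to expire" begins), and also checks that server.crt carries exactly CERT_CN, because the procedure later pins the peer CN through repl_force_cert_check.

```shell
#!/bin/sh
# Added example (not Huawei tooling): validate a GaussdbHA certificate set in
# CERT_PATH before it is uploaded. The exit status mirrors the alarm thresholds:
# 0 = healthy, 1 = about to expire, 2 = expired, 3 = invalid or missing.
# Assumes openssl on PATH and the Table 16-1 variables; CERT_SERVER_KEY_PWD and
# CERT_CLIENT_KEY_PWD (may be empty) are used to read the private keys.
check_gaussdb_certs() {
    dir="${1:-$CERT_PATH}"; cn="${2:-$CERT_CN}"; warn_days="${3:-30}"; worst=0
    # Threshold 3: all five files of the set must exist and be non-empty.
    for f in cacert.pem server.crt server.key client.crt client.key; do
        [ -s "$dir/$f" ] || { echo "missing: $f"; return 3; }
    done
    # Threshold 3: certificates must parse, and both leaves must chain to cacert.pem.
    for f in cacert.pem server.crt client.crt; do
        openssl x509 -in "$dir/$f" -noout 2>/dev/null || { echo "not a certificate: $f"; return 3; }
    done
    for f in server.crt client.crt; do
        openssl verify -CAfile "$dir/cacert.pem" "$dir/$f" 2>/dev/null | grep -q ': OK$' \
            || { echo "$f does not chain to cacert.pem"; return 3; }
    done
    # Threshold 3: each private key must belong to its certificate (password read from env).
    export CERT_SERVER_KEY_PWD="${CERT_SERVER_KEY_PWD:-}" CERT_CLIENT_KEY_PWD="${CERT_CLIENT_KEY_PWD:-}"
    for f in server client; do
        pwvar="CERT_$(printf %s "$f" | tr a-z A-Z)_KEY_PWD"
        [ "$(openssl x509 -in "$dir/$f.crt" -noout -pubkey 2>/dev/null)" = \
          "$(openssl pkey -in "$dir/$f.key" -pubout -passin "env:$pwvar" 2>/dev/null)" ] \
            || { echo "$f.key cannot be read or does not match $f.crt"; return 3; }
    done
    # repl_force_cert_check pins the peer CN, so server.crt must carry exactly CERT_CN.
    actual=$(openssl x509 -in "$dir/server.crt" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN=//p')
    [ "$actual" = "$cn" ] || { echo "server.crt CN is '$actual', expected '$cn'"; return 3; }
    # Threshold 2 (already expired) beats threshold 1 (expires within warn_days).
    for f in cacert.pem server.crt client.crt; do
        if ! openssl x509 -in "$dir/$f" -noout -checkend 0 >/dev/null; then
            echo "expired: $f"; worst=2
        elif ! openssl x509 -in "$dir/$f" -noout -checkend $((warn_days * 86400)) >/dev/null; then
            echo "expires within $warn_days days: $f"; worst=$((worst > 1 ? worst : 1))
        fi
    done
    return "$worst"
}
```

Run it as `check_gaussdb_certs /home/rts1/certs www.huawei.com 30` on the workstation or on the node before step 5 of the upload procedure; a non-zero status names the offending file.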

Procedure

  1. Log in to ManageOne Maintenance Portal using a browser.

    • URL: https://<Address for accessing the homepage of ManageOne Maintenance Portal>:31943, for example, https://oc.type.com:31943
    • Default username: admin; default password: Huawei12#$

  2. On the menu bar in the upper part of the page, choose Alarms > Current Alarms.
  3. In the alarm list, locate the alarm to be handled, and click on the left of the alarm. The Details page is displayed.
  4. Under Location Info, obtain the host IP address, which is the IP address of the node where the alarm is generated.
  5. Use PuTTY to log in to the node for which the alarm is generated, using the IP address obtained in 4 to establish the connection.

    The default username is gaussdb. The default password is Huawei@123.

  6. Run the following command and enter the password of the root user (default password: Cloud12#$) to switch to the root user:

    sudo su - root

  7. Run the following command to disable user logout upon system timeout:

    TMOUT=0

  8. Run the following command to query the database version and check whether the current version supports certificate replacement:

    cat /opt/gaussdb/version.json

    NOTE:

    Currently, only version 1.1.9 or later supports certificate replacement.

Upload the certificate and stop the database service.

  1. Use PuTTY to log in to the two database nodes.

    The default username is gaussdb. The default password is Huawei@123.

  2. Switch to the root user and run the following commands to create a temporary directory for storing the new certificate:

    CERT_PATH='/home/rts1/certs'

    mkdir -p $CERT_PATH

    chmod 777 $CERT_PATH

    In the commands, set CERT_PATH to the value obtained in Prerequisites. Make sure that files can be uploaded to the planned directory.

  3. Use a network transmission tool, such as WinSCP, to upload the certificate files to the /home/rts1/certs directory (CERT_PATH) created in the preceding step.

  4. Use PuTTY to log in to the two database nodes, switch to the root user, and run the following command to determine the active and standby database nodes:

    service gaussdb query|grep LOCAL_ROLE

    If the command output contains Standby, the node is the standby database node. If the command output contains Primary, the node is the active database node.

  5. Run the following commands on both the active and standby database nodes to stop the database:

    source /etc/profile

    haStopAll -a

Replace the certificates on the database nodes.

  1. Perform the following operations to replace the database certificates on the active and standby nodes:

    Log in to each database node as user root and run the following commands together to replace the certificates. Replace the values of the variables CERT_PATH and CERT_CN with the actual values obtained in Prerequisites:

    unset HISTFILE

    CERT_PATH='/home/rts1/certs'

    CERT_CN='www.huawei.com'

    alias cp='cp'

    mkdir -p /opt/backup/cert_old

    cp -fr /opt/gaussdb/data/certs/* /opt/backup/cert_old/

    rm -rf /opt/gaussdb/data/certs/*

    cp -fr $CERT_PATH/* /opt/gaussdb/data/certs/

    cp /opt/gaussdb/data/certs/server* /opt/gaussdb/data/db/

    cp /opt/gaussdb/data/certs/cacert.pem /opt/gaussdb/data/db/

    su - dbadmin -c "gs_guc set -c repl_force_cert_check=\"'repl_All_peer_cn=$CERT_CN'\""

    chown dbadmin: /opt/gaussdb/data/certs/ -R

    chmod 700 /opt/gaussdb/data/certs

    chmod 600 /opt/gaussdb/data/certs/*

  2. If the value of CERT_SERVER_KEY_PWD obtained in Prerequisites is not empty, run the following commands as the root user to generate a server certificate password file and enter the value of CERT_SERVER_KEY_PWD as prompted during the command execution:

    unset HISTFILE

    rm -rf /opt/gaussdb/data/db/server.key.rand

    rm -rf /opt/gaussdb/data/db/server.key.cipher

    su - dbadmin -c "gs_guc encrypt -M server -k"

  3. If the value of CERT_SERVER_KEY_PWD obtained in Prerequisites is not empty, run the following commands to replace the server certificate password file:

    cp /opt/gaussdb/data/db/server.key.cipher /opt/gaussdb/data/certs/

    cp /opt/gaussdb/data/db/server.key.rand /opt/gaussdb/data/certs/

    chown dbadmin: /opt/gaussdb/data/certs/ -R

    chmod 700 /opt/gaussdb/data/certs

    chmod 600 /opt/gaussdb/data/certs/*

  4. If the value of CERT_CLIENT_KEY_PWD obtained in Prerequisites is not empty, run the following commands as user root to generate a client certificate password file and enter the value of CERT_CLIENT_KEY_PWD as prompted during the command execution:

    unset HISTFILE

    rm -rf /opt/gaussdb/data/db/client.key.rand

    rm -rf /opt/gaussdb/data/db/client.key.cipher

    su - dbadmin -c "gs_guc encrypt -M client -k"

  5. If the value of CERT_CLIENT_KEY_PWD obtained in Prerequisites is not empty, run the following commands to replace the client certificate password file:

    cp /opt/gaussdb/data/db/client.key.rand /opt/gaussdb/data/certs/

    cp /opt/gaussdb/data/db/client.key.cipher /opt/gaussdb/data/certs/

    rm -rf /opt/gaussdb/data/db/client.key.rand

    rm -rf /opt/gaussdb/data/db/client.key.cipher

    chown dbadmin: /opt/gaussdb/data/certs/ -R

    chmod 700 /opt/gaussdb/data/certs

    chmod 600 /opt/gaussdb/data/certs/*

Restart the database service.

  1. Run the following commands on both the active and standby database nodes:

    source /etc/profile

    haStartAll -a

  2. Run the following commands on the active database node to check whether the database is running properly after the certificates are replaced:

    source /etc/profile

    service had query

    service gaussdb query

    Ha state:
        LOCAL_ROLE                     : Primary
        STATIC_CONNECTIONS             : 1
        DB_STATE                       : Normal
        DETAIL_INFORMATION             : Normal
    Senders info:
        SENDER_PID                     : 22772
        LOCAL_ROLE                     : Primary
        PEER_ROLE                      : Standby
        PEER_STATE                     : Normal
        STATE                          : streaming
        SENDER_SENT_LOCATION           : 0/B71326C8
        SENDER_WRITE_LOCATION          : 0/B71326C8
        SENDER_FLUSH_LOCATION          : 0/B71326C8
        SENDER_REPLAY_LOCATION         : 0/B71326C8
        RECEIVER_RECEIVED_LOCATION     : 0/B71326C8
        RECEIVER_WRITE_LOCATION        : 0/B71326C8
        RECEIVER_FLUSH_LOCATION        : 0/B71326C8
        RECEIVER_REPLAY_LOCATION       : 0/B712D138
        SYNC_PERCENT                   : 99%
        SYNC_STATE                     : async
        SYNC_PRIORITY                  : 0
        CHANNEL                        : 192.168.0.0-->192.168.1.0
    Receiver info:
        No information

    If the command output is similar to the preceding output, the database service is normal after the certificate replacement.

Delete the uploaded certificate files.

  1. Log in to the active and standby database nodes and run the following command:

    rm -f /home/rts1/certs/*

    /home/rts1/certs/ is the example directory for uploading certificate files in this document. You need to replace it with the actual directory.

Alarm Clearance

This alarm will be automatically cleared after the fault is rectified.

Reference

None

Updated: 2019-08-30

Document ID: EDOC1100062365
