I've gone through the SANNAV actions. I ended up following the more detailed info on the Dell and NetApp support sites, which told me exactly what to set, and where, and hey presto, our switches now have a KAFKA certificate set to 10-year expiry :-)
Original Message:
Sent: Wed July 17, 2024 08:24 AM
From: Andy Heath
Subject: IBM SAN64B-7 Certificate Expired Issues
And we have a winner, many thanks Nicholas, that's the cause, SANNAV and Kafka certificates. I was not looking at the screen closely enough on the seccertmgmt show -all screen, which said the KAFKA Server CA is set to Exist. I must look closer at what is staring me in the face!
We'll look into the SANNAV certificate updates. But at least we now know the cause.
Cheers,
Andy
------------------------------
Andy Heath
Original Message:
Sent: Tue July 16, 2024 08:55 AM
From: Nicholas Frazee
Subject: IBM SAN64B-7 Certificate Expired Issues
I had a similar issue with my Kafka cert for SANnav.
Use: seccertmgmt show -all to see which certs exist.
If you do see a Kafka cert, then use: seccertmgmt show -ca -server kafka to make sure it is not expired.
If you are using SANnav, then you will need to unmonitor and then monitor the switch and a new Kafka cert will push to it. I had to do a "hareboot" to kind of force it after re-monitoring the switch.
Also review this link for additional support:
https://techdocs.broadcom.com/us/en/fibre-channel-networking/sannav/management-portal-installation-and-migration/2-2-x/v25174220/changing-ssl-certificates.html
Note:
After the server is back up, you must rediscover or unmonitor and then monitor all switches that are registered for telemetry data; otherwise, the new certificates do not take effect, and SANnav functions may not work properly.
------------------------------
Nicholas Frazee
Original Message:
Sent: Mon July 15, 2024 07:07 AM
From: Andy Heath
Subject: IBM SAN64B-7 Certificate Expired Issues
Hi,
We have 4 x SAN64B-7 (8960-P64) SAN switches that a couple of weeks ago started to report expired certificates, giving a policy status result of MARGINAL from the mapsdb --show all command. The switch is running FOS v9.1.1b code. We run the mapsdb --show all command as part of our daily scheduled script commands to check the status of all the SAN switches in the fabric daily, of which these 4 are some.
The 4 switches were updated to FOS 9.1.1b last year, and have been running just fine. Then last month, the HEALTHY status changed to MARGINAL, reporting:
* EXPIRED_CERTS (MARGINAL)
We get this in another environment every so many years on our IBM directors, and have a procedure to reset the HTTPS certificate date, using the seccertmgmt generate -cert https command. This error in other environments also causes the GUI using HTTPS to stop working. We checked the cert dates on these SAN64B-7s, and we only have HTTPS certificates, and those had not expired, still had a year or so left, and the GUI was working fine. But even so, we ran the generate command to give them another 5 years, and a seccertmgmt show correctly has the date expiry of 5 years for HTTPS. As per previous occurrences of these cert issues, we waited a day for the system to catch up, and re-ran mapsdb, but it still shows MARGINAL. It's been over 2 weeks now, and it's still MARGINAL.
Does anyone have any ideas of what we can do to reset the EXPIRED_CERTS error, and get our switches back to HEALTHY status?
Thanks,
Andy
------------------------------
Andy Heath
------------------------------