  • 1.  IBM SAN64B-7 Certificate Expired Issues

    Posted 4 days ago

    Hi,

    We have 4 x SAN64B-7 (8960-P64) SAN switches that a couple of weeks ago started to report expired certificates, giving a policy status result of MARGINAL from the mapsdb --show all command. The switches are running FOS v9.1.1b code. We run the mapsdb --show all command as part of our daily scheduled script commands to check the status of all the SAN switches in the fabric, and these 4 are among them.

    The 4 switches were updated to FOS 9.1.1b last year, and have been running just fine. Then last month, the HEALTHY status changed to MARGINAL, reporting:

    * EXPIRED_CERTS (MARGINAL)

    We get this in another environment every so many years on our IBM directors, and have a procedure to reset the HTTPS certificate date, using the seccertmgmt generate -cert https command. In other environments this error also causes the GUI using HTTPS to stop working. We checked the cert dates on these SAN64B-7s, and we only have HTTPS certificates; those had not expired, still had a year or so left, and the GUI was working fine. But even so, we ran the generate command to give them another 5 years, and seccertmgmt show correctly reports a 5-year expiry for HTTPS. As with previous occurrences of these cert issues, we waited a day for the system to catch up and re-ran mapsdb, but it still shows MARGINAL. It's been over 2 weeks now, and it's still MARGINAL.

    Does anyone have any ideas of what we can do to reset the EXPIRED_CERTS error, and get our switches back to HEALTHY status?

    Thanks,

    Andy



    ------------------------------
    Andy Heath
    ------------------------------


  • 2.  RE: IBM SAN64B-7 Certificate Expired Issues

    Posted 3 days ago
    Have you opened a SAN Central ticket with support? Please do.
    And make sure to do the below procedure and include that in the ticket along with a switchshow. If you are using third-party CA certificates or a chain, there is a bug if any of the certificates have an expiration date greater than 2038.

    In situations where any of the CA chains has an expiry date of 2038, this issue can also occur. 

    Follow the below procedure to get the complete certificate chain which is installed on the switch:

    1. Log in to the switch as root.
    2. Run the below command:
    cd /etc/fabos/certs/https
    3. Check the directory listing with the following command:
    ls -ltr
    4. Run the following command:
    scp * <remote username>@<remote IP>:<remote dir>

    Example:

    scp * username@19x.16x.0.1:/file/location





    -mobile and only: 
    Andrew 'AJ' Greenfield 
         WW Storage & Security 

    480-294-1342
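Once the chain files have been copied off the switch with the scp step above, the following added example (not part of this thread or of FOS) classifies each certificate's expiry on the workstation. It assumes the notAfter lines come from `openssl x509 -noout -enddate -in <file>`, uses constructed sample lines, and takes the 32-bit time_t limit (19 Jan 2038) as the "greater than 2038" boundary mentioned above.

```python
"""Classify certificate expiry dates copied off a SAN switch.

Assumed workflow: chain files scp'd out of /etc/fabos/certs/https, then
`openssl x509 -noout -enddate -in <file>` run per file; the sample lines
below are constructed in that "<file>: notAfter=..." shape.
"""
from datetime import datetime, timezone

# 32-bit time_t rollover; assumed here as the "greater than 2038" boundary.
TIME_T_LIMIT = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)

# Constructed sample: one "<filename>: <openssl -enddate output>" per line.
SAMPLE = """\
https.pem: notAfter=Mar 10 12:00:00 2030 GMT
ca-intermediate.pem: notAfter=Jan  1 00:00:00 2024 GMT
ca-root.pem: notAfter=Dec 31 23:59:59 2045 GMT
"""


def parse_not_after(line):
    """Return (filename, expiry datetime in UTC) from one sample line."""
    name, _, rest = line.partition(": notAfter=")
    # openssl pads single-digit days with a space ("Jan  1"); normalise it
    stamp = " ".join(rest.split())
    expiry = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    return name.strip(), expiry.replace(tzinfo=timezone.utc)


def classify(expiry, as_of):
    """EXPIRED, BEYOND_2038 (the chain date that trips the FOS bug), or OK."""
    if expiry <= as_of:
        return "EXPIRED"
    if expiry > TIME_T_LIMIT:
        return "BEYOND_2038"
    return "OK"


def check_chain(text, as_of=None):
    """Map each certificate file name to its expiry status."""
    as_of = as_of or datetime.now(timezone.utc)
    results = {}
    for line in text.splitlines():
        if line.strip():
            name, expiry = parse_not_after(line)
            results[name] = classify(expiry, as_of)
    return results


if __name__ == "__main__":
    for name, status in check_chain(SAMPLE).items():
        print(f"{name}: {status}")
```

Any file reported as EXPIRED or BEYOND_2038 is the one to quote in the support ticket alongside the switchshow output.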






  • 3.  RE: IBM SAN64B-7 Certificate Expired Issues

    Posted 3 days ago

    With "license --show" you can see the expiration date of the TruFOS certificate. This certificate is only required for FOS upgrades.

    New certificates can be requested via Broadcom but are only valid for a few months.

    Therefore my advice is that you only need to request new certificates if you plan FOS upgrades in the near future.

    If that is not the case, you can get rid of the alerts by deleting the expired certificate from the SAN switches (license --remove ....)

    Removal of a certificate will not have any impact on the operations of the switch. It will just prevent you from starting a new FOS upgrade.



    ------------------------------
    Hans Populaire
    ------------------------------



  • 4.  RE: IBM SAN64B-7 Certificate Expired Issues
    Best Answer

    Posted 3 days ago

    I had a similar issue with my Kafka cert for SANnav.

    Use: seccertmgmt show -all to see which certs exist. If you do see a Kafka cert, then use: seccertmgmt show -ca -server kafka to make sure it is not expired.

    If you are using SANnav, then you will need to unmonitor and then monitor the switch and a new Kafka cert will push to it.   I had to do an "hareboot" to kind of force it after re-monitoring the switch. 

    Also review this link for additional support:

    https://techdocs.broadcom.com/us/en/fibre-channel-networking/sannav/management-portal-installation-and-migration/2-2-x/v25174220/changing-ssl-certificates.html

    Note:

    After the server is back up, you must rediscover or unmonitor and then monitor all switches that are registered for telemetry data; otherwise, the new certificates do not take effect, and SANnav functions may not work properly.



    ------------------------------
    Nicholas Frazee
    ------------------------------



  • 5.  RE: IBM SAN64B-7 Certificate Expired Issues

    Posted 2 days ago

    And we have a winner, many thanks Nicholas, that's the cause, SANNAV and Kafka certificates. I was not looking at the screen close enough on the seccertmgmt show -all screen which said the KAFKA Server CA is set to Exist, I must look closer at what is staring me in the face!

    We'll look into the SANNAV certificate updates. But at least we now know the cause.

    Cheers,

    Andy



    ------------------------------
    Andy Heath
    ------------------------------



  • 6.  RE: IBM SAN64B-7 Certificate Expired Issues

    Posted 2 days ago

    I've gone through the SANNAV actions. I ended up following the more detailed info on the DELL and Netapp support sites, which told me exactly what to set, and where, and hey presto, our switches now have a KAFKA certificate set to a 10-year expiry :-)



    ------------------------------
    Andy Heath
    ------------------------------