What certificates does AIQUM use, what is impact when expired and how to regenerate?

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 10,007

Visibility:: Public

Votes:: 2

Category:: active-iq-unified-manager

Specialty:: om

Last Updated:

Applies to

Active IQ Unified Manager (AIQUM)
ONTAP 9

Answer

SSL (HTTPS) certificate

Type	server-ca
Generated by	AIQUM
Stored in	AIQUM/ONTAP
Purpose	Authentication of AIQUM server in HTTP/HTTPS connections via browser Note: AIQUM installs this certificate to ONTAP while adding cluster
Impact when expired	AIQUM fails to add ONTAP clusters as described in AIQUM cannot add ONTAP cluster via HTTPS when AIQUM HTTPS certificate is expired Accessing AIQUM can be warned or blocked depending on the browser and its settings ONTAP reports `mgmtgwd.certificate.expired`
How to regenerate	Generating an HTTPS security certificate Select Reset Server Certificate in the maintenance console
Validity duration	397 days by default, see also Generating an HTTPS security certificate
Activate new certificate	After generate the HTTPS Certificate, restart AIQUM to take effort. Attempt to re-add the cluster from cluster setup page.

EMS certificate

Type	client
Generated by	AIQUM
Stored in	AIQUM/ONTAP
Purpose	Authentication of EMS notifications received from ONTAP for Subscribing to ONTAP EMS events Note: AIQUM installs this certificate to ONTAP while adding cluster
Impact when expired	AIQUM fails to add ONTAP clusters as described in Unable to Add Cluster or acquisition fails for existing clusters on AIQUM due to expired client certificate ERROR mgmtgwd.certificate.expired caused by expired AIQUM client certificate
How to regenerate	Please contact NetApp Technical Support or log into the NetApp Support Site to create a technical case. Reference this article for further assistance.
Validity duration	5 years
Activate new certificate	NA

Certificates for Mutual TLS communication

Type	client-ca
Generated by	AIQUM
Stored in	AIQUM/ONTAP
Purpose	Authentication of ONTAP cluster during AIQUM data acquisition via certificate-based authentication. Note: AIQUM installs this certificate to ONTAP while adding cluster
Impact when expired	AIQUM fails to monitor ONTAP clusters as described in Cluster acquisition fails in AIQUM due to expired CA certificate for Mutual TLS communication ONTAP reports mgmtgwd.certificate.expiring for Active IQ Unified Manager client-ca certificate
How to regenerate	Follow the steps in How to renew a client-ca certificate for Active IQ Unified Manager
Validity duration	1 year, see also CAIQUM-5794
Activate new certificate	NA

Cluster certificates

Type	server
Generated by	ONTAP
Stored in	ONTAP
Purpose	Authentication of ONTAP cluster while adding ONTAP cluster
Impact when expired	AIQUM fails to add or edit ONTAP cluster as described in AIQUM fails to add the Cluster with self-signed SSL certificate expired error Error message of "mgmtgwd.certificate.expired" in event log Performance data collection might fail as described in Unified Manager performance collection fails because the cluster certificate is expired Note: See also What is the impact of an expired digital certificate used for a Vserver for the impact from ONTAP cluster perspective
How to regenerate	How to renew a Self-Signed SSL certificate in ONTAP 9
Validity duration	1 year by default, see also Renew TLS/SSL Certificate in ONTAP 9 - Resolution Guide
Activate new certificate	After verifying Self-Signed SSL Certificate is up to date, attempt to re-add the cluster on the Cluster Setup page.

Note:

Types of certificate can be found by using -type parameter of ONTAP security certificate show command

::> security certificate show -type server-ca

Vserver Serial Number Certificate Name Type ---------- --------------- -------------------------------------- ------------ cluster1 85589F65349650BE aiqum.demo.netapp.com_85589F65349650BE server-ca Certificate Authority: demo.netapp.com Expiration Date: Fri Nov 01 21:06:11 2058

Applies to

Answer

Additional Information