
A VPLEX VS2 to VS6 GenU has taken place. VPN certificates have been renewed.

An end user received the following alert message: "The Host Certificate will expire within a month."

The system has not yet renewed the certificates after a GenU and when IP swap has been used during a GenU.

The certificates have been renewed after a GenU, and afterwards the VPlexcli command "security list-certificates" shows different serial numbers than expected.

Example:

    Current TLA/Serial Number: CKM00xxxxxx123
    Original TLA/Serial Number before a GenU of a VS6: CKM00yyyyyy456

Example of the current TLA when the 'cluster summary' command is run:

    VPlexcli:/> cluster summary
    Clusters:
      Name       Cluster ID  TLA             Connected  Expelled  Operational Status  Health State
      ---------  ----------  --------------  ---------  --------  ------------------  ------------
      cluster-1  1           CKM00xxxxxx123  true       false     ok                  ok
      cluster-2  2           CKM00xxxxxx124  true       false     ok                  ok

    Islands:
      Island ID  Clusters
      ---------  --------------------
      1          cluster-1, cluster-2

Example when the 'security list-certificates' command is run (the command may take time to run).

NOTE: the security list-certificates command only reports the TLA for the cluster it is run on, not for the remote/peer cluster in a Metro configuration.

    VPlexcli:/> security list-certificates
    Filename                   Cert Type  Issued to                            Issued by          Date Validity  Expiry Date              Start Date               Issuer check  Entry in TS/KS  Signature Algorithm
    -------------------------  ---------  -----------------------------------  -----------------  -------------  -----------------------  -----------------------  ------------  --------------  -----------------------
    strongswanCert.pem         CA         CN=CKM00yyyyyy456                    CN=CKM00yyyyyy456  YES            May 5 09:29:04 2025 GMT  May 6 09:29:04 2020 GMT  YES           TS              sha256WithRSAEncryption
    hostCert.pem               VPN        CN=VPlex VPN: CKM00yyyyyy456         CN=CKM00yyyyyy456  YES            May 6 09:33:44 2022 GMT  May 6 09:33:44 2020 GMT  YES           -               sha256WithRSAEncryption
    webServerHostCertFile.pem  WEB        CN=VPlex Web Server: CKM00yyyyyy456  CN=CKM00yyyyyy456  YES            May 6 09:35:24 2022 GMT  May 6 09:35:24 2020 GMT  YES           KS              sha256WithRSAEncryption

    CA - Certificate Authority
    TS - Trust Store
    KS - Key Store

The system serial number (TLA) has changed due to some action on the VPLEX: a GenU, an NDU, or other. A common change is that a VPLEX VS2 to VS6 GenU has taken place.

The source files from which the certificate renew or configuration commands read the TLA/Serial Number have not been updated with the current TLA/Serial Number.

Check the management server (MMCS-A for VS6) to see if you have the valid files in /var/log/VPlex/cli:

    CACertSubjectInfo.txt
    HostCertSubjectInfo.txt
    WebServerHostCertSubjectInfo.txt

To check for these files on the management server, change directory (cd) to the /var/log/VPlex/cli directory, then run the command "ll *.txt". Other .txt files may also be listed; look for those listed above.

    service@ManagementServer:~> cd /var/log/VPlex/cli
    service@ManagementServer:/var/log/VPlex/cli> ll *.txt
    -rw-r--r-- 1 service users 176 Jan 15 21:24 CACertSubjectInfo.txt
    -rw-r--r-- 1 service users 187 Jan 15 21:24 HostCertSubjectInfo.txt
    -rw-r--r-- 1 service users 194 Jan 15 21:24 WebServerHostCertSubjectInfo.txt

First you should check what the TLA is for the cluster. You only need to check one engine, as the TLA is the same for all engines in a cluster. On cluster-1, log on to the VPlexcli to run the check.

    service@ManagementServer:~> vplexcli
    Trying ::1...
    Connected to localhost.
    Escape character is '^]'.
    VPlexcli:/> ll /engines/engine-1-1
    /engines/engine-1-1:
    Attributes:
    Name                Value
    ------------------  --------------
    cluster-ip-seed     1
    enclosure-id        1
    engine-family       VPL
    engine-id           1-1
    health-indications  []
    health-state        ok
    marker-led          off
    operational-status  online
    part-number         100-565-139-04
    revision-number     FFF
    serial-number       CF2GA193xxxxxx
    top-level-assembly  FNM00xxxxx0656   <---
    wwn-seed            43e01cb9

Next, exit the VPlexcli to get back to the management server and then change directory (cd) to the /var/log/VPlex/cli directory.

    VPlexcli:/> exit
    Connection closed by foreign host.
    service@ManagementServer:~> cd /var/log/VPlex/cli
    service@ManagementServer:/var/log/VPlex/cli>

Now 'cat' each file listed back in step 1 to see what TLA is listed in the 'SUBJECT_COMMON_NAME' line of each file. Example for the CACertSubjectInfo.txt file:

    service@ManagementServer:/var/log/VPlex/cli> cat CACertSubjectInfo.txt
    SUBJECT_COUNTRY=US
    SUBJECT_STATE=Massachusetts
    SUBJECT_LOCALITY=Hopkinton
    SUBJECT_ORG=EMC
    SUBJECT_ORG_UNIT=EMC
    SUBJECT_COMMON_NAME=FNM00xxxxxx0034   <---
    SUBJECT_EMAIL=support@emc.com

If the 'SUBJECT_COMMON_NAME' line lists the wrong TLA serial number, use the vi editor to update it with the correct TLA serial number in each of the three files where the TLA is incorrect.

    vi CACertSubjectInfo.txt
    vi HostCertSubjectInfo.txt
    vi WebServerHostCertSubjectInfo.txt

Example for the CACertSubjectInfo.txt file:

    service@ManagementServer:/var/log/VPlex/cli> vi CACertSubjectInfo.txt
    SUBJECT_COUNTRY=US
    SUBJECT_STATE=Massachusetts
    SUBJECT_LOCALITY=Hopkinton
    SUBJECT_ORG=EMC
    SUBJECT_ORG_UNIT=EMC
    SUBJECT_COMMON_NAME=FNM00xxxxx0034   <---
    SUBJECT_EMAIL=support@emc.com
    ~
    ~
    ~
    "CACertSubjectInfo.txt" 7L, 176C                 1,1    All

As you can see, the TLA listed for "SUBJECT_COMMON_NAME" is different from the TLA shown in step 2a.

To edit this line using vi, use the down arrow to move the cursor down to the "SUBJECT_COMMON_NAME" line. Then use the right arrow to move the cursor to the beginning of the TLA serial number: in this example, the "F". For VPLEX shipped in Europe and Asia the serial numbers begin with CKM, so the "C" in those serial numbers. Next, with the cursor on the first letter of the serial number, type "cw" for "change word". The current serial number will be gone and at the bottom left you will see "-- INSERT --". Now, back at the cursor, type in the correct TLA as listed back in step 2a. Once done, press the 'Esc' key to exit INSERT mode.

The new serial number should now be listed for the "SUBJECT_COMMON_NAME" line, and be the same as the one listed in step 2a. Example:

    CACertSubjectInfo.txt
    SUBJECT_COUNTRY=US
    SUBJECT_STATE=Massachusetts
    SUBJECT_LOCALITY=Hopkinton
    SUBJECT_ORG=EMC
    SUBJECT_ORG_UNIT=EMC
    SUBJECT_COMMON_NAME=FNM00xxxxx0656   <---
    SUBJECT_EMAIL=support@emc.com
    ~
    ~
    ~
    "CACertSubjectInfo.txt" 7L, 176C                 6,21   All

Now, to save and close the vi session, type :wq, which writes the changes and quits vi, taking you back to the Linux prompt. Example:

    service@ManagementServer:/var/log/VPlex/cli> vi CACertSubjectInfo.txt
    service@ManagementServer:/var/log/VPlex/cli>

To confirm the change took effect, cat the file you edited. Example:

    service@ManagementServer:/var/log/VPlex/cli> cat CACertSubjectInfo.txt
    SUBJECT_COUNTRY=US
    SUBJECT_STATE=Massachusetts
    SUBJECT_LOCALITY=Hopkinton
    SUBJECT_ORG=EMC
    SUBJECT_ORG_UNIT=EMC
    SUBJECT_COMMON_NAME=FNM00xxxxx0656   <--- corrected TLA
    SUBJECT_EMAIL=support@emc.com

Repeat these steps for a Metro configuration on cluster-2.

After correcting the TLA in all three files, on both clusters if a Metro, you now need to re-create the security certificates. You may use the following article to renew the certificates:

KBA 468657, "VPLEX: How to manually re-create the VPN security certificates" (Only registered Dell Customers can access this article link)

After re-creating the certificates on both clusters, run the VPlexcli command:

    security list-certificates

You will need to run the command in step 5 on each cluster separately for a Metro configuration, as the command only lists the certificate info for the cluster it is run on.
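
The file check described above, run over all three subject-info files at once, as an added example that is not part of the original article or Dell tooling. The function names (subject_cn, check_tla, demo) and the sample TLA values are hypothetical and constructed for illustration; the script only reads the files and changes nothing.

```sh
#!/bin/sh
# Added example: read-only check of the three subject-info files against the
# cluster's current TLA. Function names and sample TLAs are hypothetical.

SUBJECT_FILES="CACertSubjectInfo.txt HostCertSubjectInfo.txt WebServerHostCertSubjectInfo.txt"

# subject_cn FILE: print the SUBJECT_COMMON_NAME value, ignoring anything
# after the serial number (trailing spaces, CR, annotations).
subject_cn() {
    sed -n 's/^SUBJECT_COMMON_NAME=\([^[:space:]]*\).*$/\1/p' "$1" | tail -n 1
}

# check_tla DIR EXPECTED_TLA: one status line per file; the return value is
# the number of files that are missing, lack the key, or hold another TLA.
check_tla() {
    dir=$1; expected=$2; bad=0
    for f in $SUBJECT_FILES; do
        path="$dir/$f"
        if [ ! -r "$path" ]; then
            echo "MISSING   $f"; bad=$((bad + 1)); continue
        fi
        cn=$(subject_cn "$path")
        if [ -z "$cn" ]; then
            echo "NO_CN     $f"; bad=$((bad + 1))
        elif [ "$cn" = "$expected" ]; then
            echo "OK        $f ($cn)"
        else
            echo "MISMATCH  $f (file: $cn, expected: $expected)"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: the CA file was corrected, the other two still carry
# the pre-GenU serial number. check_tla reports two mismatches.
demo() {
    d=$(mktemp -d)
    printf 'SUBJECT_ORG=EMC\nSUBJECT_COMMON_NAME=FNM00SAMPLE0656\n' > "$d/CACertSubjectInfo.txt"
    printf 'SUBJECT_ORG=EMC\nSUBJECT_COMMON_NAME=FNM00SAMPLE0034\n' > "$d/HostCertSubjectInfo.txt"
    printf 'SUBJECT_ORG=EMC\nSUBJECT_COMMON_NAME=FNM00SAMPLE0034\n' > "$d/WebServerHostCertSubjectInfo.txt"
    rc=0; check_tla "$d" FNM00SAMPLE0656 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# On the management server:  check_tla /var/log/VPlex/cli <top-level-assembly value>
```

A non-zero return before re-creating the certificates means at least one file would still feed the old serial number into the new certificate subject; in a Metro configuration the check applies to each cluster's management server separately.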