...
On HPE Integrity Superdome 2 systems, the following anomalies in GiCAP version 4.2.36 and GiCAP version 4.2.48 may cause SSL connection issues between Group Managers (GMs) and GiCAP members with 4.2.36 or 4.2.48:

- Swapping GiCAP Group Manager roles cannot be correctly handled.
- The requirements for user certificates used for two-factor authentication have changed since version 4.2.36: a unique distinguished name in the subject field and the SHA256 signature hash algorithm.
- User certificates in GiCAP Group Managers do not have a unique distinguished name with iCAP SW up to 10.11.00.01.

When Integrity Superdome 2 GiCAP users perform any of the following three actions, no errors are encountered:

- Upgrading the existing Superdome 2 GiCAP members from version 4.1.34 or earlier to version 4.2.36 or 4.2.48.
- Adding a Superdome 2 GiCAP member with version 4.2.36 or 4.2.48 to a GiCAP group that has a Standby GM configured.
- Adding a Standby GM to the GiCAP group that has one or more Superdome 2 members with version 4.2.36 or 4.2.48.

The subsequent icapmanage -Q execution, however, fails with the message "could not contact, active manager unknown." At this point, either the Active or Standby GM no longer contacts the Superdome 2 GiCAP members with version 4.2.36 or 4.2.48.

Category 1:

- Superdome 2 GiCAP members with version 4.1.34 or earlier.
- GiCAP Group Managers configured with any HP-UX Instant Capacity version.

Category 2:

- Superdome 2 GiCAP members with version 4.2.36 or 4.2.48.
- GiCAP Group Managers configured with HP-UX Instant Capacity version 10.10.00.07, 10.10.00.10, or 10.10.00.12.

The above issue has been fixed in the combination of version 4.2.54 and iCAP software version 10.11.00.01. Existing Superdome 2 GiCAP users must follow the steps below prior to upgrading firmware to 4.2.54 (or later).

1. Check the signature hash algorithm for GiCAP_OA_*.pem:

   # openssl x509 -in /etc/opt/iCAP/GiCAP_OA_CA_CERT.pem -text -noout | grep Signature

   Either sha1WithRSAEncryption or sha256WithRSAEncryption may be seen.

2. Store the current GiCAP_OA_CA_CERT.pem file on both GMs before updating iCAP SW to 10.11.00.01 (or later):

   # cp /etc/opt/iCAP/GiCAP_OA_CA_CERT.pem /tmp

3. Update iCAP software to version 10.11.00.01 or later on both GMs.

4. Skip this step if step 1 indicated sha1WithRSAEncryption. If step 1 indicated sha256WithRSAEncryption, run the following commands to re-create GiCAP_OA_USER_CERT.pem:

   # rm -f /etc/opt/iCAP/GiCAP_OA_USER_CERT.pem
   # /opt/icod/bin/GiCAP_OA_keygen -u

   NOTE: The above assumes that iCAP software 10.10.00.07, 10.10.00.10, or 10.10.00.12 was used before updating iCAP software to 10.11.00.01 (or later).

5. Execute updateGiCAPCert from the Active GM to transfer GiCAPcert.pem to the Standby GM and upload CA and User certificates to each GiCAP member:

   # /opt/icod/bin/updateGiCAPCert

   NOTE: The root password for Standby GM OS must be available.
   NOTE: Defer the choice of restarting OA until the next step.

6. Execute the above step from the Standby GM to transfer GiCAPcert.pem to the Active GM and upload CA and User certificates to each GiCAP member:

   # /opt/icod/bin/updateGiCAPCert

   NOTE: The root password for Active GM OS must be available.
   NOTE: If Category 1 is applicable to the system, restart the member at this time. Category 2 does not need to restart members.

7. Wait until each member OA starts up.

8. Execute the following command from both GMs to check the connectivity to each member OA:

   # icapmanage -sv

   Consult the "HP Instant Capacity (iCAP) Version 10.x User Guide" at https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05054382 if any errors are seen.

If there is no error, upgrade the Superdome 2 firmware to version 4.2.54 or later.

NOTE: Review the Superdome 2 firmware release notes for stepping requirements if upgrading from a version prior to 4.0.4 or 4.1.8.

It will be necessary to re-add the members to the existing GiCAP group after the firmware upgrade to version 4.2.54 or later:

   # icapmanage -a -m member1:member1-oa1.corp.com -g prod
   # icapmanage -a -m member2:member2-oa1.corp.com -g prod

Finally, execute the following command from both GMs to check the connectivity to each member OA:

   # icapmanage -sv

NOTE: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.
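
The decision made in steps 1 and 4 can be scripted so that it is recorded the same way on both GMs. The following is an added example, not part of the HPE advisory or of the iCAP software: the function names are hypothetical, and comparing one copy of the user certificate collected from each GM is an assumption about how to check the unique-subject requirement.

```shell
#!/bin/sh
# Added example: pre-flight for steps 1 and 4 of the procedure above.

# Print the certificate's signature algorithm (first "Signature Algorithm" line).
sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Map the step 1 result to the step 4 action stated in the advisory.
step4_action() {
  case "$1" in
    sha1WithRSAEncryption)   echo skip ;;
    sha256WithRSAEncryption) echo regenerate ;;
    *)                       echo unknown ;;
  esac
}

# Subject DN in RFC 2253 form so two certificates compare as strings.
subject_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# True when both certificates carry the same subject DN (not unique).
same_subject() {
  [ "$(subject_dn "$1")" = "$(subject_dn "$2")" ]
}

# preflight CA_CERT [USER_CERT_GM1 USER_CERT_GM2]
# Assumption: the two user-certificate copies are one file collected from each GM.
preflight() {
  alg=$(sig_alg "$1")
  [ -n "$alg" ] || { echo "cannot read certificate: $1" >&2; return 2; }
  if [ "$#" -eq 3 ] && same_subject "$2" "$3"; then
    echo "user certificates share subject: $(subject_dn "$2")"
  fi
  echo "signature algorithm: $alg"
  echo "step 4: $(step4_action "$alg")"
}

# Run only when called with arguments, e.g.
#   sh preflight.sh /etc/opt/iCAP/GiCAP_OA_CA_CERT.pem
if [ "$#" -ge 1 ]; then
  preflight "$@"
fi
```

An "unknown" result means the certificate is signed with an algorithm the advisory does not cover, so step 4 should not be decided from this script alone.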