Renew Certificates on VPLEX Metro Geo.docx

EMC ® VPLEX ™ SolVe Generator
Solution for Validating your engagement
To p i c
VPLEX Customer Procedures
Selections
Procedures: Manage
Management Procedures: Renew security certificates
Renew security certificates: Renew certificates on VPLEX Metro/Geo
Generated: 1:01 PM >

September 22, 2015
SolVe Generator Updated:
R E P O RT P R O B L E M S
If you find any errors in this procedure or have comments regarding this application, send email to
SolVeFeedback@emc.com
Copyright© 2010 – 2021 EMC Corporation. All rights reserved.

Publication Date: September, 2015
EMC believes the information in this publication is accurate as of its publication date. The information is subject to
change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software
license.
For the most up-to-date regulatory document for your product line, search for “regulatory” on the applicable product
page at https://support.EMC.com
For the most up-to-date listing of EMC trademarks, see the list of EMC Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their respective owners.
version: 2.5.1.0
This study source was downloaded by 100000890435282 from CourseHero.com on 09-05-2024 14:12:17 GMT -05:00
1 of 9
https://www.coursehero.com/file/77896663/Renew-certificates-on-VPLEX-Metro-Geodocx/
Contents
About renewing security certificates............................................................................................................. 3
Renewing security certificates on VPLEX Metro and Geo systems.............................................................3
Before you begin..................................................................................................................................... 3
Renew with current passphrases................................................................................................................. 4
On cluster 1............................................................................................................................................ 4
On cluster 2............................................................................................................................................ 5
Renew with a common passphrase............................................................................................................. 7
On cluster 1............................................................................................................................................ 7
On cluster 2............................................................................................................................................ 8
Renew RecoverPoint splitter credentials..................................................................................................... 9
version: 2.5.1.0
2 of 9
XxxRenew-sec-cert-Intro.doc
About renewing security certificates

When VPLEX is first configured, it creates two digital certificates and one CA certificate:
 Certification Authority (CA) certificate common to all clusters
 VPN host certificate
 Web server host certificate
All types of certificates expire and must be periodically renewed in order to maintain access to VPLEX. By
default:
 CA certificates must be renewed every 5 years
 Host certificates must be renewed every 2 years
Starting in Release 5.0.1 Patch, use the security renew-all-certificates CLI command to renew all
security certificates. You can use the command at any time to renew certificates whether or not they are
about to expire.
Each certificate has an associated passphrase.
 For security certificates created on systems running GeoSynchrony 4.0 and 4.1, VPLEX will not find
the old passphrases.
 For security certificates created on systems running GeoSynchrony 4.2 and later, VPLEX may or may
not find the old passphrases.
During renewal, you are prompted to provide any passphrase that VPLEX cannot find.
After renewal, VPLEX remembers all passphrases.
After upgrading to Release 5.0.1 Patch, you can:
 Renew the security certificates using their current passphrases.
If you choose to renew the certificates using the current passphrases, you are prompted to provide
the passphrase for any certificate that VPLEX does not find.
 Renew the certificates using a common passphrase.
You are prompted to provide a passphrase used to renew all the certificates.
Xxxrenew-sec-cert-Intro-Metro-Geo.doc
Renewing security certificates on VPLEX Metro and Geo

systems
In Metro and Geo systems, the security renew-all-certificates CLI command must be run twice – once on
each cluster.
MPORTANT: After running this command on the first cluster, the VPN tunnel between clusters will be
down until you run this command on the second cluster. This does not affect I/O but does disable
management of the remote cluster.
Before you begin

Verify that the VPN tunnel between clusters is operational.
version: 2.5.1.0
3 of 9
VPlexcli:/> vpn status

Verifying the VPN status between the management servers...
IPSEC is UP
Remote Management Server at IP Address 10.246.55.125 is reachable
Remote Internal Gateway addresses are reachable
If the output indicates the remote server is “not reachable”, use the vpn restart command on both
clusters, and then use the vpn status command again.
If the remote server is still not reachable, contact EMC Customer Support. Do not proceed if the remote
cluster is not reachable.
xxx.Renew-sec-cert-Metro-Geo.doc
Renew with current passphrases

On cluster 1
1. [ ] Open a session to the management server on cluster 1 and login to the CLI.
2. [ ] Run the security renew-all-certificates command:
VPlexcli:/> security renew-all-certificates
Please note that to renew certificates on a Metro or Geo deployment, this

command must be run on both clusters.
WARNING : After running this command on the first cluster, the VPN tunnel
between clusters will be down temporarily until you run this command on the
second cluster. This will not affect I/O but will result in the inability to
manage the remote cluster.
Detecting all the VPLEX certificates currently configured on the system...
The following certificates will be renewed:
Certificate Type Expiration Date New Expiration Date

-------------------------- ------------------------ ------------------------
Host Certificate (VPN) Sep 11 16:08:02 2013 GMT Sep 11 16:08:02 2015 UTC
Certificate Authority (CA) Sep 10 16:08:01 2016 GMT Sep 9 16:08:01 2021 UTC
Host Certificate (WEB) Sep 11 16:08:07 2013 GMT Sep 11 16:08:07 2015 UTC
The certificates above will be renewed, to expire on the dates shown. Do you
want to continue? (Y/N):
3. [ ] Type y. The following prompt is displayed:

Would you like to renew the certificates using the current passphrases? (Y/N):
4. [ ] Type y.
The next steps vary depending on whether VPLEX finds all the current passphrases.
 •If VPLEX finds all the current passphrases, all certificates are renewed. For example:
Would you like to renew the certificates using the current passphrases? (Y/N): y
Renewing CA certificate...
The CA certificate was successfully renewed.
Renewing VPN certificate...

The VPN certificate was successfully renewed.
version: 2.5.1.0
4 of 9
Renewing WEB certificate...

Your Java Key Store has been created.
https keystore: /var/log/VPlex/cli/.keystore
started web server on ports {'http': 49880, 'https': 49881}
The Web certificate was successfully renewed.
Generating certificate renewal summary...
Certificates have been successfully renewed on this cluster. To complete the

renewal process, run this command on the second cluster.
 If VPLEX cannot find one or more passphrases, prompts to enter those passphrases are
displayed. In the following example, VPLEX does not find any of the passphrases:
Would you like to renew the certificates using the current passphrases? (Y/N): y
Some or all of the passphrases are not available, so new passphrases must be
created:
Please create a passphrase (at least 8 chars) for the Certificate Authority
renewal: CA-passphrase
Re-enter the passphrase for the Certificate Key: CA-passphrase
MPORTANT: Record the Certificate Authority passphrase. You will need it when renewing certificates
on the second cluster.
Please create a passphrase (at least 8 chars) for the VPN certificate renewal:
VPN-passphrase
Re-enter the passphrase for the Certificate Key: VPN-passphrase
Please create a passphrase (at least 8 chars) for the web certificate renewal:
WEB-passphrase
Re-enter the passphrase for the Certificate Key: WEB-passphrase



On cluster 2
version: 2.5.1.0
5 of 9

Before continuing to renew certificates on this cluster, please confirm that

certificates have been renewed on the other cluster.
Have certificates have been renewed on the other cluster? (yes/no) (Y/N):
7. [ ] Type y. The following messages and prompt are displayed:


-------------------------- ------------------------ ------------------------

9. [ ] Type y.
If VPLEX cannot find att the current passphrases, the following message is displayed:
Some or all of the passphrases are not available, so new passphrases must be
created:
The following prompt is displayed:

Please enter the 'service' account password( 8 chars ) for the Remote Management
Server:
10. [ ] Type the password for the service user account on cluster 1.
ote: The EMC VPLEX Security Configuration Guide (available on EMC Support Online) contains the
default passwords.
The following prompt is displayed:

Re-enter the password:
11. [ ] Re-type the password. The following prompt is displayed:

Please enter the passphrase for the Certificate Authority on the remote cluster:
12. [ ] Type the passphrase for the Certificate Authority you created in Step 4. The following
prompt is displayed:
version: 2.5.1.0
6 of 9
Re-enter the passphrase for the Certificate Key:
13. [ ] Re-type the passphrase.

14. [ ] Type the remaining passphrases as prompted. For example:
Please create a passphrase (at least 8 chars) for the VPN certificate renewal:
VPN-passphrase
Re-enter the passphrase for the Certificate Key: VPN-passphrase
Please create a passphrase (at least 8 chars) for the web certificate renewal:
WEB-passphrase
Re-enter the passphrase for the Certificate Key: WEB-passphrase


All certificates on both clusters have been successfully renewed.
Renew with a common passphrase

On cluster 1
The following messages are displayed:


-------------------------- ------------------------ ------------------------
version: 2.5.1.0
7 of 9

4. [ ] Type n. The following message and prompt are displayed:

Please create a passphrase (at least 8 chars) to be used for all the certificate
renewals:
5. [ ] Type the common passphrase. The following prompt is displayed:

6. [ ] Re-type the common passphrase. The following messages are displayed:




On cluster 2

Before continuing to renew certificates on this cluster, please confirm that

certificates have been renewed on the other cluster.
Have certificates have been renewed on the other cluster? (yes/no) (Y/N):
16. [ ] Type y. The following messages and prompt are displayed:

version: 2.5.1.0
8 of 9

-------------------------- ------------------------ ------------------------

18. [ ] Type n. The following prompt is displayed:

Please create a passphrase (at least 8 chars) to be used for all the certificate
renewals:
19. [ ] Type the passphrase to be used for all the certificates. The following prompt is displayed:
20. [ ] Re-type the passphrase. The following prompt is displayed:

Please enter the passphrase for the Certificate Authority on the remote cluster:
21. [ ] Type the Certificate Authority passphrase you created in Step 5. The following prompt is
displayed:
22. [ ] Re-type the passphrase. The following messages are displayed:



All certificates on both clusters have been successfully renewed.
Renew RecoverPoint splitter credentials

If RecoverPoint is deployed with this VPLEX cluster, the splitter credentials on each RecoverPoint
cluster used with this VPLEX cluster must also be renewed.
Refer to the RecoverPoint documentation for the procedures to update the splitter credentials.
version: 2.5.1.0
9 of 9
Powered by TCPDF (www.tcpdf.org)

Renew Certificates on VPLEX Metro Geo.docx

Uploaded by

Copyright:

Available Formats

Renew Certificates on VPLEX Metro Geo.docx

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Renew Certificates on VPLEX Metro Geo.docx

Uploaded by

Copyright:

Available Formats

EMC ® VPLEX ™ SolVe Generator

Solution for Validating your engagement

Generated: 1:01 PM >

Copyright© 2010 – 2021 EMC Corporation. All rights reserved.

About renewing security certificates

Renewing security certificates on VPLEX Metro and Geo

Before you begin

VPlexcli:/> vpn status

Renew with current passphrases

Please note that to renew certificates on a Metro or Geo deployment, this

Detecting all the VPLEX certificates currently configured on the system...

The following certificates will be renewed:

Certificate Type Expiration Date New Expiration Date

3. [ ] Type y. The following prompt is displayed:

Renewing VPN certificate...

Renewing WEB certificate...

Generating certificate renewal summary...

Certificates have been successfully renewed on this cluster. To complete the

Re-enter the passphrase for the Certificate Key: CA-passphrase

Re-enter the passphrase for the Certificate Key: VPN-passphrase

Re-enter the passphrase for the Certificate Key: WEB-passphrase

Renewing VPN certificate...

Renewing WEB certificate...

Generating certificate renewal summary...

Certificates have been successfully renewed on this cluster. To complete the

VPlexcli:/> security renew-all-certificates

Please note that to renew certificates on a Metro or Geo deployment, this

Before continuing to renew certificates on this cluster, please confirm that

7. [ ] Type y. The following messages and prompt are displayed:

The following certificates will be renewed:

Certificate Type Expiration Date New Expiration Date

8. [ ] Type y. The following prompt is displayed:

The following prompt is displayed:

The following prompt is displayed:

11. [ ] Re-type the password. The following prompt is displayed:

Re-enter the passphrase for the Certificate Key:

13. [ ] Re-type the passphrase.

Re-enter the passphrase for the Certificate Key: VPN-passphrase

Re-enter the passphrase for the Certificate Key: WEB-passphrase

Renewing VPN certificate...

Renewing WEB certificate...

Generating certificate renewal summary...

All certificates on both clusters have been successfully renewed.

Renew with a common passphrase

The following messages are displayed:

Detecting all the VPLEX certificates currently configured on the system...

The following certificates will be renewed:

Certificate Type Expiration Date New Expiration Date

3. [ ] Type y. The following prompt is displayed:

4. [ ] Type n. The following message and prompt are displayed:

5. [ ] Type the common passphrase. The following prompt is displayed:

6. [ ] Re-type the common passphrase. The following messages are displayed:

Renewing VPN certificate...

Renewing WEB certificate...

Generating certificate renewal summary...

Certificates have been successfully renewed on this cluster. To complete the

Please note that to renew certificates on a Metro or Geo deployment, this

Before continuing to renew certificates on this cluster, please confirm that

16. [ ] Type y. The following messages and prompt are displayed:

The following certificates will be renewed: