KB43799 - Frequent Watchdog errors/snapshots observed, resulting in cluster split when FIPS Mode is ON

Last Modified Date: 7/27/2018 11:52 AM
Synopsis
This article describes an issue where frequent Watchdog errors and snapshots are observed, resulting in a cluster split, when FIPS Mode is ON.
Problem or Goal
From the event logs:
 
info - System()[] - 2018/05/03 14:29:41 - AUHCDCRA08-PS02 - Watchdog: check cgi login error num 1. Response from webserver is: 
info - System()[] - 2018/05/03 14:29:41 - AUHCDCRA08-PS02 - Watchdog: check cgi login error num 3. Response from webserver is: WARNING: can't open config file: //ssl/openssl.cnf 4152333976:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:636: 
info - System()[] - 2018/05/03 14:29:51 - AUHCDCRA08-PS02 - Creating state snapshot, triggered by watchdog
info - System()[] - 2018/05/03 14:30:34 - AUHCDCRA08-PS02 - State snapshot completed.
critical - System()[] - 2018/05/03 14:30:34 - AUHCDCRA08-PS02 - Watchdog restarting cgi-server auth processes (cgi).
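
To find this sequence in collected event logs, the following added example (not part of the original article or the vendor's tooling) parses lines in the format shown above and reports each time a watchdog cgi login check fails with an SSL handshake failure and is then followed by a watchdog-triggered snapshot and a cgi-server restart on the same node. The function names and the five-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Event log lines copied from this article (trailing whitespace trimmed).
SAMPLE_LOG = """\
info - System()[] - 2018/05/03 14:29:41 - AUHCDCRA08-PS02 - Watchdog: check cgi login error num 1. Response from webserver is:
info - System()[] - 2018/05/03 14:29:41 - AUHCDCRA08-PS02 - Watchdog: check cgi login error num 3. Response from webserver is: WARNING: can't open config file: //ssl/openssl.cnf 4152333976:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:636:
info - System()[] - 2018/05/03 14:29:51 - AUHCDCRA08-PS02 - Creating state snapshot, triggered by watchdog
info - System()[] - 2018/05/03 14:30:34 - AUHCDCRA08-PS02 - State snapshot completed.
critical - System()[] - 2018/05/03 14:30:34 - AUHCDCRA08-PS02 - Watchdog restarting cgi-server auth processes (cgi).
"""

LINE_RE = re.compile(
    r"^(?P<sev>\w+) - System\(\)\[\] - (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) - "
    r"(?P<node>\S+) - (?P<msg>.*)$")

def parse(text):
    """Yield (timestamp, node, message) for each line in the format above."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            yield ts, m["node"], m["msg"]

def find_incidents(text, window=timedelta(minutes=5)):
    """Return one record per node each time a handshake failure in the
    watchdog cgi login check is followed, within `window` (an assumed value),
    by a watchdog-triggered snapshot and a cgi-server restart."""
    pending, incidents = {}, []
    for ts, node, msg in parse(text):
        st = pending.get(node)
        if st and ts - st["start"] > window:
            del pending[node]          # stale sequence, start over
            st = None
        if "check cgi login error" in msg and "ssl handshake failure" in msg:
            if st is None:
                pending[node] = {"start": ts, "snapshot": False}
        elif st and "snapshot, triggered by watchdog" in msg:
            st["snapshot"] = True
        elif st and st["snapshot"] and "Watchdog restarting cgi-server" in msg:
            incidents.append({"node": node, "start": st["start"], "restart": ts})
            del pending[node]
    return incidents

if __name__ == "__main__":
    for inc in find_incidents(SAMPLE_LOG):
        print(inc["node"], inc["start"], "->", inc["restart"])
```
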


 
Cause

The issue is caused by the Internal Port being mapped to the default (self-signed) Device Certificate, which is not supported when FIPS Mode is ON.

The default self-signed certificate supports SHA-1, whereas in FIPS ON Mode the Device Certificate must be SHA-2 capable.

 
Solution
Unmap the default self-signed certificate from the Internal Port and map the port to a publicly signed CA certificate that meets the minimum criteria below.

When FIPS mode is on, the CA-signed Device Certificate should meet the following criteria:

a)  Device Certificate should be SHA2 Capable.
b)  Device Certificate should have RSA Public Key Length greater than or equal to 2048 bits
c)  Device Certificate should have Server Authentication EKU Extension

The FIPS mode setting is in Security options.
 
Created By: Biju Kadavil
