KB9686 - How to Configure and Apply Certificates for Cluster Ports?


Information

 
Last Modified Date: 6/18/2020 4:41 PM
Synopsis

This article provides an overview of how to configure and apply certificates to both Active/Passive cluster ports and Active/Active cluster ports.
Problem or Goal
On accessing the sign-in URL configured for a Virtual IP (VIP) in a cluster, a certificate warning is issued.
 
Note: The certificate warning occurs even though device certificates have been applied to the internal and external ports.  
Cause
The hostname is missing from the certificate.
Solution
The configuration of the cluster determines how the certificates will be applied to the two types of cluster nodes:
  • Active/Passive Cluster
  • Active/Active Cluster

Configuring and Setting Up Certificates for Active/Passive Cluster Ports

An Active/Passive (A/P) cluster is accessed via a Virtual IP (VIP) address that the active node owns. 
 
Important: Ensure the following:
  • The common name in the certificate matches the DNS hostname of the cluster VIP (Example: tpcluster.nouturn.local).
  • The certificate is installed on both nodes and applied to the VIP.

Example:
[Figure: active_passive]
To verify that the certificate is applied to the correct port and defined correctly, follow these steps:
  1. Log in to the cluster as an 'Administrator'.
  2. Navigate to Configuration > Certificates > Device Certificates.
  3. The certificates that are available/installed on the cluster are listed. Check whether the required certificate is listed.
     a. If the required certificate is missing from the list, import the required certificate by clicking the Intermediate CAs link.
  4. Verify that the Certificate issued to field displays the common name identified in the certificate and that it matches the DNS hostname of the internal/external VIP.



Configuring and Setting Up Certificates for Active/Active Cluster Ports (External Ports of Nodes)

An Active/Active (A/A) cluster can be configured with an external Load Balancer. In this configuration, the VIP that users use to access the cluster resides on the Load Balancer. Since the hostname is mapped to the IP of the Load Balancer, the certificate must be installed on the Load Balancer.

Example:
[Figure: loadbalancer]
To verify that the certificate installed on each external cluster node is valid, perform the following steps:
  1. Log in to the cluster as an 'Administrator'.
  2. Navigate to Configuration > Certificates > Device Certificates.
  3. Verify the following:
     • the Issued By field for the certificate being used is one that is trusted by the browser
     • the Valid Dates column contains a date range that is valid
 

Configuring and Setting Up Certificates for Active/Active Cluster Ports (Internal Ports of Nodes)


To verify that the certificate is applied to the correct internal port and defined correctly, follow the steps in the topic Configuring and Setting Up Certificates for Active/Passive Cluster Ports.
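
The hostname and validity-date checks from the Active/Passive and Active/Active verification steps can also be scripted. The following Python is an added example, not part of the original article or the vendor's tooling. It inspects a certificate dict in the shape returned by ssl.SSLSocket.getpeercert(); the sample certificates are constructed and node1.nouturn.local is an assumed node hostname.

```python
import ssl
import time

def name_matches(pattern, host):
    """Compare DNS names label by label; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_vip_cert(cert, vip_hostname, now=None):
    """Return problems found in a cert dict shaped like ssl.SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for key, v in rdn if key == "commonName"]
    problems = []
    if not any(name_matches(n, vip_hostname) for n in sans):
        if any(name_matches(n, vip_hostname) for n in cns):
            # Current browsers match on subjectAltName only and ignore the CN.
            problems.append("hostname only in CN, not in subjectAltName")
        else:
            problems.append("hostname missing from certificate")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    return problems

# Constructed sample data (not taken from a real device). node1.nouturn.local is
# an assumed node hostname; tpcluster.nouturn.local is the VIP name from the article.
NOW = ssl.cert_time_to_seconds("Jun 18 16:41:00 2020 GMT")
DATES = {"notBefore": "Jan  1 00:00:00 2020 GMT", "notAfter": "Jan  1 00:00:00 2021 GMT"}
NODE_CERT = {"subject": ((("commonName", "node1.nouturn.local"),),),
             "subjectAltName": (("DNS", "node1.nouturn.local"),), **DATES}
VIP_CERT = {"subject": ((("commonName", "tpcluster.nouturn.local"),),),
            "subjectAltName": (("DNS", "tpcluster.nouturn.local"),), **DATES}
CN_ONLY_CERT = {"subject": ((("commonName", "tpcluster.nouturn.local"),),), **DATES}

if __name__ == "__main__":
    for label, cert in [("node", NODE_CERT), ("vip", VIP_CERT), ("cn-only", CN_ONLY_CERT)]:
        print(label, check_vip_cert(cert, "tpcluster.nouturn.local", NOW) or "OK")
```

To run it against a live VIP, pass the dict from getpeercert() on a socket wrapped by ssl.create_default_context() with check_hostname set to False; the handshake then still validates the issuer chain against the local trust store.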




 
Created By: Data Deployment
