stevev1

Create SSL Certificate on Cluster Resources

Hi everyone,

I want to create an SSL certificate for cluster resources.
Let me explain:
I have two servers in cluster mode. Those servers are iPrint servers.
If a server fails, the iPrint resources migrate to the other server, and that works fine for all printers except printers with SSL authentication.
Those printers stop working and the iPrint client sends the message "unable to authenticate to the printer". If the failed server comes up again, the message disappears and everything works fine again.

I want to know if it's possible to create an SSL certificate and associate it with the cluster resource and not with the server?

Thanks in advance.
Anonymous_User

Re: Create SSL Certificate on Cluster Resources

stevev,

It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.

Has your problem been resolved? If not, you might try one of the following options:

- Visit http://support.novell.com and search the knowledgebase and/or check all the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://forums.novell.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your Novell Product Support Forums Team
http://support.novell.com/forums/

cam

Re: Create SSL Certificate on Cluster Resources

I've set up SSL clustered apps before and I've copied my typical response to other people below. This was related to a clustered LDAPS resource.

---

The setup of the cluster load and unload script for clustering LDAP is as simple as adding and removing the secondary IP for the LDAP resource. The setup of the LDAP service is a different matter.

First off, create an LDAP group for the resource. Set up the attribute/class map the way that you want the resource to behave, such that whatever node the resource is on at the moment, it will answer with the same information.

Secondly, the LDAP service will only read the cert information pointed to by the LDAP server object. Since you can only mint a cert off the server object and associate it with its respective LDAP server object, you cannot easily just create one cert for this resource. You need to identify beforehand all the possible combinations your LDAP apps could use to authenticate to the LDAP server. You then mint a cert for every node in the cluster that is going to potentially host this resource, assign the main DNS A name as the primary name, and add the other names as secondary names.

For example, I have a 7-node cluster, and for each node I minted a cert with the main name of the resource (BRIPNLDAP01), then added the IP address for that DNS name and then the IP/DNS of the individual node for that cert. In effect, it turned out to be something like 7 or 8 secondary names for each cert, as you need to be aware of how the resource is going to be connected to (fully qualified DNS versus relative, i.e. cn=server.domain.com,o=org or cn=server,o=org). Since you can't change a cert once it has been minted, you need to spend a lot of time at this step identifying how clients might connect, because you don't want to have to go back and re-mint all these certs.

Once you have this cert mess figured out, you can bounce a secure LDAP server/secondary IP address around your cluster and not have the apps complain.

P.S. You also need to export the trusted root of your tree's CA into the keystore of your app.
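The reply above turns on enumerating, before minting, every name and address a client might use to reach the resource, because a subjectAltName that is missing one of them cannot be added later. The following is an added example (not from the thread or from Novell/Micro Focus): a small checker that applies the hostname-verification rules most TLS clients use (DNS entries match hostnames case-insensitively, IP entries match IP literals, the CN is not consulted once a SAN is present) to a planned SAN list and reports which client targets would fail. The SAN list and the client targets are constructed for illustration; the host names and addresses are placeholders.

```python
"""Report which client connection targets a planned SAN list does not cover.

Added example, not code from the thread.  The SAN list and targets below are
constructed placeholders following the per-node scheme in the reply (resource
FQDN + resource IP + the hosting node's own FQDN and IP).
"""
import ipaddress


def _dns_matches(target: str, pattern: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, whole labels, and a
    wildcard only as the complete left-most label (no partial wildcards)."""
    target = target.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if "*" not in pattern:
        return target == pattern
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False  # reject "f*o.example" and a bare "*"
    tlabel, _, trest = target.partition(".")
    return bool(tlabel) and trest == rest


def san_covers(target: str, sans: list[tuple[str, str]]) -> bool:
    """True if `target` (a hostname or IP literal, as a client would type it)
    is accepted by the SAN list.  IP literals only match IP entries and
    hostnames only match DNS entries; the CN is deliberately ignored, as most
    current TLS clients ignore it once a SAN extension is present."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed IP entry in the plan; skip it
        elif ip is None and kind == "DNS" and _dns_matches(target, value):
            return True
    return False


def uncovered_targets(targets: list[str], sans: list[tuple[str, str]]) -> list[str]:
    """Return the connection targets that would fail verification."""
    return [t for t in targets if not san_covers(t, sans)]


# Constructed data: the SANs one node's cert would carry.
NODE1_SANS = [
    ("DNS", "bripnldap01.example.com"),  # resource A record
    ("IP", "192.0.2.10"),                # resource secondary IP
    ("DNS", "node1.example.com"),        # hosting node
    ("IP", "192.0.2.11"),
]

# Constructed data: the ways clients are known (or likely) to connect.
CLIENT_TARGETS = [
    "bripnldap01.example.com",  # FQDN
    "BRIPNLDAP01.example.com",  # same name, different case
    "bripnldap01",              # short name: not in the plan above, would fail
    "192.0.2.10",               # resource IP
    "node1",                    # short node name: also missing
]


if __name__ == "__main__":
    for t in uncovered_targets(CLIENT_TARGETS, NODE1_SANS):
        print(f"NOT covered: {t}")
```

Run it against the real list of connection strings taken from application configs before the certificate is minted; each reported target needs its own DNS or IP entry added to the plan (a DNS entry holding an IP address does not cover clients that connect by IP).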
Mark Casey

Re: Create SSL Certificate on Cluster Resources

For those that want the cert to travel with the cluster resource, this is what I did.

For cluster: MAIN-CLUSTER
Cluster resource: SERVICES
Resource IP: 10.242.1.34

Create a directory on the root of the cluster resource:

MAIN-CLUSTER-SERVICES-SERVER-CSR

In that directory, create and alter services.conf, which contains:

[ req ]
default_bits       = 2048
# the private key is written here by "openssl req -new"
default_keyfile    = services.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
# prompt text; answer with the short cluster name
commonName = common_name

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = MAIN-CLUSTER-SERVICES-SERVER.office.mydomain.com.au
IP.2  = 10.242.1.34

Then:

openssl req -new -nodes -sha256 -config services.conf -out services.csr    # create request

Insert the short cluster name at the prompt, e.g. MAIN-CLUSTER-SERVICES-SERVER

openssl req -in services.csr -noout -text    # check request

Use iManager to create the certificate and export it (services.b64), then:

openssl x509 -noout -text -in services.b64    # check cert

For some things you may also need to export the tree root, as TREE.b64.
Then: cat services.b64 TREE.b64 > services-chain.b64 (edit it and add a linefeed between the 2 certs).

Then you will have a cert that has:

subject = CN=MAIN-CLUSTER-SERVICES-SERVER
alt subject = DNS:MAIN-CLUSTER-SERVICES-SERVER.office.pegasustech.com.au, IP Address:10.242.1.34

Which I think is what you are looking for.

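The procedure above has two steps that are easy to get wrong by hand: the alt_names section must list every DNS name and IP the resource answers on, and the chain file only parses if there is a line break between the two certificates. The following is an added example (not code from the thread or from Novell/Micro Focus) that generalises the services.conf in the reply to any number of DNS names and IPs, emits the matching `openssl req` argv, and replaces the manual edit of services-chain.b64 with a joiner that always separates PEM blocks correctly. It uses `prompt = no` so the CN comes from the config instead of a prompt, which differs from the interactive command in the reply. The cluster names, addresses and the PEM bodies in the block are constructed placeholders, not real certificates.

```python
"""Generate an openssl req config for a clustered resource and build its
chain file safely.

Added example, not the thread's own code.  Names, paths and PEM bodies are
constructed placeholders.
"""
import re

# One complete PEM certificate block: BEGIN line, base64 lines, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END CERTIFICATE-----"
)


def req_config(short_name: str, dns_names: list[str], ips: list[str],
               key_file: str = "services.key", bits: int = 2048) -> str:
    """Return an openssl req config whose SAN lists every DNS name and IP the
    resource will be reached by.  Entries are numbered DNS.1.., IP.1.. so the
    config parser sees unique keys inside [alt_names]."""
    if not dns_names and not ips:
        raise ValueError("a resource cert needs at least one SAN entry")
    alt = [f"DNS.{i} = {n}" for i, n in enumerate(dns_names, 1)]
    alt += [f"IP.{i} = {a}" for i, a in enumerate(ips, 1)]
    return "\n".join([
        "[ req ]",
        f"default_bits       = {bits}",
        f"default_keyfile    = {key_file}",
        "distinguished_name = req_distinguished_name",
        "req_extensions     = req_ext",
        "prompt             = no",   # subject taken from the file, no CN prompt
        "",
        "[ req_distinguished_name ]",
        f"CN = {short_name}",
        "",
        "[ req_ext ]",
        "subjectAltName = @alt_names",
        "",
        "[alt_names]",
        *alt,
        "",
    ])


def csr_command(conf: str = "services.conf", csr: str = "services.csr") -> list[str]:
    """argv for creating the request; the private key lands in default_keyfile
    because of the [req] section, as in the reply's command."""
    return ["openssl", "req", "-new", "-nodes", "-sha256", "-config", conf, "-out", csr]


def join_chain(*pem_texts: str) -> str:
    """Concatenate PEM certificates, leaf first, with exactly one newline
    between blocks.  Plain `cat` fails when the first file lacks a trailing
    newline: the END line of one cert and the BEGIN line of the next fuse
    into one unparsable line.  This extracts each complete block (even from
    an already-fused file) and rejects input with no certificate in it."""
    blocks = []
    for text in pem_texts:
        found = PEM_BLOCK.findall(text)
        if not found:
            raise ValueError("no complete CERTIFICATE block found in input")
        blocks.extend(b.replace("\r\n", "\n") for b in found)
    return "\n".join(blocks) + "\n"


def count_certs(chain: str) -> int:
    """Number of complete certificate blocks a parser would find."""
    return len(PEM_BLOCK.findall(chain))


# Constructed placeholders standing in for services.b64 and TREE.b64.
# The base64 is not a real certificate; LEAF_PEM has no trailing newline,
# which is the case that breaks a plain `cat`.
LEAF_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIw\n"
    "EjEQMA4GA1UEAwwHcGxhY2Vob2xkZXI=\n"
    "-----END CERTIFICATE-----"
)
ROOT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBrjCCAVSgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIw\n"
    "EjEQMA4GA1UEAwwHVFJFRS1DQQ==\n"
    "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    print(req_config("MAIN-CLUSTER-SERVICES-SERVER",
                     ["MAIN-CLUSTER-SERVICES-SERVER.office.mydomain.com.au"],
                     ["10.242.1.34"]))
    print(" ".join(csr_command()))
    print(join_chain(LEAF_PEM, ROOT_PEM), end="")
```

Write the output of `req_config` to services.conf and run the argv from `csr_command` in the CSR directory; after the CA returns services.b64, pass it and TREE.b64 through `join_chain` instead of `cat`, and confirm with `openssl x509 -noout -text -in services-chain.b64` that the SAN shows every DNS and IP entry you listed.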