ECS EXSeries DellSwitch OS10.4.3.6 CertificateRenewal Rev1.0
Certificate Renewal Procedure
Affected Product: ECS Appliance Gen 3
Abstract
This document provides details regarding the July 27, 2021 expiration of the
OS10 X.509v3 certificate on Dell switches, the impact on ECS Appliances, and
details on resolving this issue.
June 2021
Revisions
Date Description
June 2021 Initial release
Acknowledgments
Author: Dell Technologies
The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this
publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Use, copying, and distribution of any software described in this publication requires an applicable software license.
This document may contain certain words that are not consistent with Dell's current language guidelines. Dell plans to update the document over
subsequent future releases to revise these words accordingly.
This document may contain language from third party content that is not under Dell's control and is not consistent with Dell's current guidelines for Dell's
own content. When such third-party content is updated by the relevant third parties, this document will be revised accordingly.
Copyright © 2021 Dell Inc. or its subsidiaries. All Rights Reserved. Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell
Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. [6/3/2021] [Certificate Renewal]
Certificate Renewal
Table of contents
ECSDOC-946
Revisions
Acknowledgments
Table of contents
Summary
Behavior post expiry
Resolution Summary
Technical Notes
Download Service Console
Upgrade Service Console to the latest version
Common SC commands used for this procedure
1.1 Checks for vulnerability in switch certificate
1.2 Procedure for environments with default switch configuration
1.3 Procedure for environments with custom Front End switches
Full output of Service Console Commands
A Technical support and resources
Summary
This article provides details regarding the July 27, 2021 expiration of the OS10 X.509v3 certificate on Dell
switches, the impact on ECS Appliances, and the details on resolving this issue.
The issue impacts ECS Gen3 Appliances running ECS version 3.4.x or higher. Dell switches in ECS
Appliance models EX300, EX500, and EX3000 use X.509 certificates to establish secure VLT connections
with their switch pair in the same rack. The issue impacts both Front-End switches (if they are not custom
switches) and Back-End switches: their X.509v3 certificates expire on July 27, 2021.
Resolution Summary
• The Renew_Switch_Certificates procedure helps you renew OS10 X.509v3 security certificates on ECS
Gen3 Appliances. This procedure is part of the ECS Service Console utility.
• ECS Service Console is used by ECS Remote Support and Field personnel to perform service
activities on ECS Appliances.
• To ensure timely resolution of the OS10 X.509v3 certificate expiration issue on Dell switches, ECS
Service Console is made available for customer download from https://support.dell.com.
• Renew_Switch_Certificates is the only procedure that can be executed by an ECS Appliance user. All
other procedures available in the utility are limited to execution by Dell personnel only.
• The procedure executes all necessary checks to ensure that certificate renewal is successful. If you
get any error, stop the procedure and contact ECS Remote Support.
Technical Notes
• The Renew_Switch_Certificates procedure is VDC based. It detects whether the VDC has multiple racks and
updates OS10 X.509v3 switch certificates on all racks.
• The procedure supports multirack environments with mixed platforms and updates switch certificates only
on impacted hardware.
• The procedure takes approximately an hour on a single-rack system, with an additional 20 minutes per rack
in a multirack configuration.
• Maintenance of custom Front End switches is the customer's responsibility. The procedure does not update
certificates on custom switches. If the customer-provided switches are Dell switches, then follow Dell
Networking OS10 Certificate Expiration and Solution.
• There is no need to re-run the procedure later. The certificate expiration date is extended by 1000 years.
• The procedure is designed to be non-disruptive. No I/O interruption was detected during tests of the
procedure performed in Dell labs.
Download Service Console
1. Sign in to https://www.dell.com/support/
Upgrade Service Console to the latest version
Upload service-console-<service_console_version><service_console_build_number>.tgz to the
/tmp/service_console directory on Node1 of Rack1 of the cluster. This node is also referred to as
the Installer node.
If you are not sure which node is the Installer Node, connect to any node in the cluster and then follow the
steps below:
# ssh ECS_Node
# ssh master
# hostname
provo-gen3-cyan.svt.lab.emc.com
In this example, provo-gen3-cyan.svt.lab.emc.com is the name of the Installer node. Upload the service
console package to the /tmp/service_console directory on the provo-gen3-cyan.svt.lab.emc.com host using
any SSH client. You are now ready to upgrade to the latest service console.
# cd /tmp/service_console
# tar -xf service-console-<service_console_version><service_console_build_number>.tgz
# ./service-console upgrade
# service-console run Cluster_Config
admin@provo-gen3-cyan:~> service-console -v
6.X.0.0-XXXXX.XXXXXXXXXX
Common SC commands used for this procedure
Note: The status of the procedure displays FAIL if the system is vulnerable.
Example:
“Not able to connect to FE switches. These could be customer provided switches. See details in KB 185695”.
• If you are not sure of the error, contact ECS Remote Support.
• If the message is accurate and your environment contains custom Front End switches, then proceed
to Section 1.3, Procedure for environments with custom Front End switches.
For multirack VDCs: The procedure updates all the impacted racks in a VDC. It is possible that only a subset
of the racks pass Renew_Switch_Certificates prechecks. Contact ECS Remote Support if a subset of the
racks does not pass the prechecks.
Example:
This procedure flaps the VLT links after passing all the health checks. It may take several minutes for the VLT
links to come back online. The status is checked every 15 seconds.
Note: This procedure should be followed only when you use custom Front End switches and not the
default Dell switches.
Example:
Checking ntp status on Rack Master node 169.254.19.1 ( Rack name: auburn ) PSNT: psnt1
Public switches are skipped
Running Health Checks after all switches certificates refreshment ...
20210526 11:45:09.429: | Check that the system is not in TSO state
20210526 11:45:09.431: | | PASS
20210526 11:45:09.432: | Check DT status
Checking DT status (with timeout 10 min).
20210526 11:45:20.048: | | PASS (10 sec)
20210526 11:45:20.050: | Validate that all nodes are available - OS
20210526 11:45:20.051: | | PASS
20210526 11:45:20.052: | Check network interfaces
20210526 11:45:20.970: | | PASS
20210526 11:45:20.972: | Check BE switches links
Checking private switches nodes links...
Checking Rack: auburn...
Checking switch: fox.rack...
Checking switch: hound.rack...
20210526 11:46:18.136: | | PASS (57 sec)
20210526 11:46:18.138: | Check BE switches ntp
Checking ntp status on Rack Master node 169.254.19.1 ( Rack name: auburn ) PSNT: psnt1
Public switches are skipped
NTP is configured on the switch fox.rack
NTP is configured on the switch hound.rack
20210526 11:46:46.325: | | PASS (28 sec)
20210526 11:46:46.326: | PASS (7 min 30 sec)
================================================================================
Status: PASS
Time Elapsed: 7 min 51 sec
Debug log: /opt/emc/caspian/service-console/log/20210526_113859_run_Renew_Switch_Certificates/dbg_robot.log
HTML log: /opt/emc/caspian/service-console/log/20210526_113859_run_Renew_Switch_Certificates/log.html
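The run output above pairs each timestamped check line with a nested PASS line and ends with an overall Status line. The following is an added example, not part of the Dell document or of Service Console: a parser for that line format which fails closed when any check is not PASS or the final Status line is missing. The function names and the per-check FAIL line in the constructed variant are assumptions; only the PASS lines and "Status: FAIL" wording appear in this document.

```python
import re

# Timestamped line: "YYYYMMDD HH:MM:SS.mmm: " then one "| " per nesting level.
LINE = re.compile(r"^\d{8} \d{2}:\d{2}:\d{2}\.\d{3}: (?P<bars>(?:\| )+)(?P<text>.*)$")
RESULT = re.compile(r"^(?P<res>PASS|FAIL)(?: \((?P<dur>[^)]+)\))?$")

# Excerpt of the run output shown above (PASS case).
PAGE_SAMPLE = """\
20210526 11:45:09.432: | Check DT status
Checking DT status (with timeout 10 min).
20210526 11:45:20.048: | | PASS (10 sec)
20210526 11:46:18.138: | Check BE switches ntp
NTP is configured on the switch fox.rack
20210526 11:46:46.325: | | PASS (28 sec)
20210526 11:46:46.326: | PASS (7 min 30 sec)
Status: PASS
"""
# Constructed variant (not real output): the per-check FAIL line is an assumption.
CONSTRUCTED_FAIL = PAGE_SAMPLE.replace("| | PASS (28 sec)", "| | FAIL (28 sec)").replace(
    "Status: PASS", "Status: FAIL")

def parse_run(log_text):
    """Return (checks, final_status); checks holds (name, result, duration)."""
    open_steps, checks, final = {}, [], None  # open_steps: depth -> step name
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith("Status: "):
            final = line.split(": ", 1)[1]
            continue
        m = LINE.match(line)
        if not m:
            continue  # untimestamped progress text, separators, log paths
        depth = m["bars"].count("|")
        r = RESULT.match(m["text"])
        if r:  # a result line closes the step opened one level up
            name = open_steps.pop(depth - 1, "(enclosing step)")
            checks.append((name, r["res"], r["dur"]))
        else:
            open_steps[depth] = m["text"]
    return checks, final

def safe_to_continue(log_text):
    """Fail closed: every check passed AND a final 'Status: PASS' was seen."""
    checks, final = parse_run(log_text)
    return final == "PASS" and bool(checks) and all(r == "PASS" for _, r, _ in checks)

if __name__ == "__main__":
    for label, text in (("page sample", PAGE_SAMPLE), ("constructed FAIL", CONSTRUCTED_FAIL)):
        print(label, parse_run(text), safe_to_continue(text))
```

A log that was cut off before the Status line is treated the same as a failed run, which matches the document's instruction to stop and contact ECS Remote Support on any error.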
Full output of Service Console Commands