Brocade Fibre Channel Networking Community


Switch Status is MARGINAL. Contributors: *EXPIRED_CERTS (MARGINAL).

  • 1.  Switch Status is MARGINAL. Contributors: *EXPIRED_CERTS (MARGINAL).

    Posted 02-12-2020 11:57 AM
    We recently enabled HTTPS on 4 Brocade G620 switches (FOS v8.2.1a). All were configured in the same way, but 3 of them got the MARGINAL status ("Switch Status is MARGINAL. Contributors: *EXPIRED_CERTS (MARGINAL).") in BNA afterwards. Indeed MAPS is complaining about expired certificates:

    ----
    2020/01/25-00:05:03, [MAPS-1003], 3230, FID 128, WARNING, SWITCHNAME, Chassis, Condition=CHASSIS(EXPIRED_CERTS>0), Current Value:[EXPIRED_CERTS, 1 certs], RuleName=defCHASSISCERTS_EXPIRED, Dashboard Category=Security Violations.
    2020/01/25-00:05:03, [MAPS-1021], 3231, FID 128, WARNING, SWITCHNAME, RuleName=defCHASSISCERTS_EXPIRED, Condition=CHASSIS(EXPIRED_CERTS>0), Obj:Chassis [ EXPIRED_CERTS,1 certs] has contributed to switch status MARGINAL.
    2020/01/25-00:05:03, [MAPS-1020], 3232, FID 128, WARNING, SWITCHNAME, Switch wide status has changed from HEALTHY to MARGINAL.
    ----

    However, the certificates and their CAs seem to be fine (at least we cannot find any differences between the switch that is healthy and the 3 others). For example:

    Switch in the HEALTHY state:
    ----
    DC1_SANG620_02:FID128:admin> seccertmgmt show -all

    ssh private key:
    Does not Exist

    ssh public keys available for users:
    None

    Certificate Files:
    --------------------------------------------------------------------------------------------------------------------
    Protocol   Client CA   Server CA   SW      CSR     PVT Key   Passphrase
    ----------------------------------------------------------------------
    FCAP       Empty       NA          Empty   Empty   Empty     Empty
    RADIUS     Empty       Empty       Empty   Empty   Empty     NA
    LDAP       Empty       Empty       Empty   Empty   Empty     NA
    SYSLOG     Empty       Empty       Empty   Empty   Empty     NA
    HTTPS      NA          Exist       Exist   Exist   Exist     NA
    DC1_SANG620_02:FID128:admin> seccertmgmt show -cert https

    Issued To
    countryName = BE
    stateOrProvinceName = ProvinceName
    localityName = City
    organizationName = Company
    organizationalUnitName = OUN
    commonName = dc1_sang620_02.example.com

    Issued By
    countryName = BE
    organizationName = City
    organizationalUnitName = www.example.com
    commonName = COMPANY INTERMEDIATE SHA256 CA01


    Period Of Validity
    Begins On Jan 14 13:08:25 2020 GMT
    Expires On Jan 13 13:08:25 2022 GMT

    Fingerprints
    SHA1 Fingerprint 2F:06:C5:0C:A8:AC:1A:CA:0B:20:3F:32:42:F0:C7:BF:55:54:57:C7
    SHA256 Fingerprint 87:12:19:42:12:47:AE:9D:64:EE:65:E2:1C:DC:53:C0:92:3D:E4:69:F3:6B:60:68:A1:5B:2D:2B:C2:6A:1F:7F


    DC1_SANG620_02:FID128:admin> seccertmgmt show -ca -server https

    Issued To
    countryName = BE
    organizationName = City
    organizationalUnitName = www.example.com
    commonName = COMPANY INTERMEDIATE SHA256 CA01

    Issued By
    countryName = BE
    organizationName = City
    organizationalUnitName = www.example.com
    commonName = COMPANY ROOT CA


    Period Of Validity
    Begins On Dec 11 13:35:54 2015 GMT
    Expires On Dec 11 13:45:54 2026 GMT

    Fingerprints
    SHA1 Fingerprint CC:AD:B0:5A:34:F0:83:4C:EE:15:64:88:39:52:43:4D:DA:AA:EA:91
    SHA256 Fingerprint BE:76:7C:89:77:3C:CF:66:FC:5F:5A:6D:BB:F0:28:3F:F7:23:AA:B6:73:F8:C5:9E:C6:0F:EE:8C:BA:C3:80:72


    DC1_SANG620_02:FID128:admin> seccertmgmt show -csr https
    Issued To
    countryName = BE
    stateOrProvinceName = ProvinceName
    localityName = City
    organizationName = Company
    organizationalUnitName = OUN
    commonName = dc1_sang620_02.example.com

    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)

    X509v3 Subject Alternative Name:
    DNS:dc1_sang620_02.example.com, IP Address:10.1.2.4
    ----

    Switch in the MARGINAL state:
    ----
    DC1_SANG620_01:FID128:admin> seccertmgmt show -all

    ssh private key:
    Does not Exist

    ssh public keys available for users:
    None

    Certificate Files:
    --------------------------------------------------------------------------------------------------------------------
    Protocol   Client CA   Server CA   SW      CSR     PVT Key   Passphrase
    ----------------------------------------------------------------------
    FCAP       Empty       NA          Empty   Empty   Empty     Empty
    RADIUS     Empty       Empty       Empty   Empty   Empty     NA
    LDAP       Empty       Empty       Empty   Empty   Empty     NA
    SYSLOG     Empty       Empty       Empty   Empty   Empty     NA
    HTTPS      NA          Exist       Exist   Exist   Exist     NA
    DC1_SANG620_01:FID128:admin> seccertmgmt show -cert https

    Issued To
    countryName = BE
    stateOrProvinceName = ProvinceName
    localityName = City
    organizationName = Company
    organizationalUnitName = OUN
    commonName = dc1_sang620_01.example.com

    Issued By
    countryName = BE
    organizationName = City
    organizationalUnitName = www.example.com
    commonName = COMPANY INTERMEDIATE SHA256 CA01


    Period Of Validity
    Begins On Feb 7 15:06:54 2020 GMT
    Expires On Feb 6 15:06:54 2022 GMT

    Fingerprints
    SHA1 Fingerprint 9A:D9:6E:E3:8D:62:C3:52:32:F0:8D:53:5D:62:E4:ED:D6:A9:8F:E3
    SHA256 Fingerprint F6:C7:D9:4C:E2:F8:83:CB:34:62:90:34:28:0A:76:7C:F2:B1:73:4A:23:A8:F4:26:59:F4:2E:D6:7C:D2:F1:30


    DC1_SANG620_01:FID128:admin> seccertmgmt show -ca -server https

    Issued To
    countryName = BE
    organizationName = City
    organizationalUnitName = www.example.com
    commonName = COMPANY INTERMEDIATE SHA256 CA01

    Issued By
    countryName = BE
    organizationName = City
    organizationalUnitName = www.example.com
    commonName = COMPANY ROOT CA


    Period Of Validity
    Begins On Dec 11 13:35:54 2015 GMT
    Expires On Dec 11 13:45:54 2026 GMT

    Fingerprints
    SHA1 Fingerprint CC:AD:B0:5A:34:F0:83:4C:EE:15:64:88:39:52:43:4D:DA:AA:EA:91
    SHA256 Fingerprint BE:76:7C:89:77:3C:CF:66:FC:5F:5A:6D:BB:F0:28:3F:F7:23:AA:B6:73:F8:C5:9E:C6:0F:EE:8C:BA:C3:80:72


    DC1_SANG620_01:FID128:admin> seccertmgmt show -csr https
    Issued To
    countryName = BE
    stateOrProvinceName = ProvinceName
    localityName = City
    organizationName = Company
    organizationalUnitName = OUN
    commonName = dc1_sang620_01.example.com

    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)

    X509v3 Subject Alternative Name:
    DNS:dc1_sang620_01.example.com, IP Address:10.1.2.3
    ----

    The certificates themselves look fine too.

    What else can be checked to find the root cause of this expired-certificates state?

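The question above asks what else can be checked. One check that does not depend on MAPS is to take the dates and names the switch itself prints with `seccertmgmt show -cert https` and `seccertmgmt show -ca -server https` and evaluate them at a chosen reference time, for instance the timestamp of the MAPS-1003 event or the time of the post. The script below is an added example and is not part of the original thread or of Brocade's tooling. The sample output embedded in it is constructed (abbreviated from the shape of the output quoted above); the function names, the slot labels derived from the command arguments, and the 30-day warning window are the example's own assumptions.

```python
"""Independent validity check of FOS `seccertmgmt show` output (added example).

Parses the text printed by `seccertmgmt show -cert https` and
`seccertmgmt show -ca -server https`, classifies each certificate at a chosen
reference time, and checks that the switch cert's issuer is the installed CA.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, abbreviated from the kind of output the switch prints.
SAMPLE_OUTPUT = """\
DC1_SANG620_01:FID128:admin> seccertmgmt show -cert https

Issued To
countryName = BE
commonName = dc1_sang620_01.example.com

Issued By
countryName = BE
commonName = COMPANY INTERMEDIATE SHA256 CA01

Period Of Validity
Begins On Feb 7 15:06:54 2020 GMT
Expires On Feb 6 15:06:54 2022 GMT

DC1_SANG620_01:FID128:admin> seccertmgmt show -ca -server https

Issued To
countryName = BE
commonName = COMPANY INTERMEDIATE SHA256 CA01

Issued By
countryName = BE
commonName = COMPANY ROOT CA

Period Of Validity
Begins On Dec 11 13:35:54 2015 GMT
Expires On Dec 11 13:45:54 2026 GMT
"""

# One section per CLI prompt; the captured argument string ("-cert https",
# "-ca -server https") is used as the slot name (an assumption of this example).
PROMPT_RE = re.compile(r"^\s*\S+> seccertmgmt show\s+(.+?)\s*$", re.M)
DATE_RE = re.compile(
    r"^\s*(Begins|Expires) On\s+(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+(\d{4})\s+GMT",
    re.M,
)


def utc(stamp):
    """'YYYY-MM-DD HH:MM:SS' -> aware UTC datetime (FOS prints its dates in GMT)."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def _gmt(m):
    text = f"{m.group(2)} {m.group(3)} {m.group(4)} {m.group(5)}"
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def _cn(block, heading):
    # First commonName line after the given heading ("Issued To" / "Issued By").
    m = re.search(heading + r"\s*\n(?:.*\n)*?\s*commonName = (.+)", block)
    return m.group(1).strip() if m else None


def parse_seccertmgmt(text):
    """Return one dict per certificate found in the pasted CLI output."""
    certs = []
    prompts = list(PROMPT_RE.finditer(text))
    for i, p in enumerate(prompts):
        end = prompts[i + 1].start() if i + 1 < len(prompts) else len(text)
        block = text[p.end():end]
        dates = {d.group(1): _gmt(d) for d in DATE_RE.finditer(block)}
        if "Begins" not in dates or "Expires" not in dates:
            continue  # e.g. "show -csr": a request carries no validity period
        certs.append({
            "slot": p.group(1),
            "subject": _cn(block, "Issued To"),
            "issuer": _cn(block, "Issued By"),
            "not_before": dates["Begins"],
            "not_after": dates["Expires"],
        })
    return certs


def check_validity(certs, now, warn_days=30):
    """Classify each cert at `now`: ok / expiring / expired / not_yet_valid."""
    results = []
    for c in certs:
        if now >= c["not_after"]:
            status = "expired"
        elif now < c["not_before"]:
            status = "not_yet_valid"
        elif c["not_after"] - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append((c["slot"], status, c["subject"]))
    return results


def count_expired(results):
    """The quantity MAPS reports as EXPIRED_CERTS, recomputed from the CLI data."""
    return sum(1 for _, status, _ in results if status == "expired")


def check_chain(certs):
    """True if the HTTPS switch cert's issuer CN equals the server CA's subject CN."""
    by_slot = {c["slot"]: c for c in certs}
    leaf, ca = by_slot.get("-cert https"), by_slot.get("-ca -server https")
    if leaf is None or ca is None:
        return None
    return leaf["issuer"] == ca["subject"]


if __name__ == "__main__":
    certs = parse_seccertmgmt(SAMPLE_OUTPUT)
    now = datetime.now(timezone.utc)
    for slot, status, subject in check_validity(certs, now):
        print(f"{slot:18} {status:14} {subject}")
    print("leaf issuer matches server CA:", check_chain(certs))
    print("EXPIRED_CERTS as computed here:", count_expired(check_validity(certs, now)))
```

Feed it the real output by saving the CLI session to a file and passing its contents to `parse_seccertmgmt`. Evaluating at the MAPS event time rather than at "now" is what makes a timing mismatch visible: the DC1_SANG620_01 certificate quoted above begins on Feb 7 2020, so at the Jan 25 2020 event timestamp it classifies as not yet valid, while at the time of the post both it and the server CA classify as ok and the issuer/subject names link. A count of zero from this check against MAPS's "1 certs" says the two are not looking at the same data, which is the kind of discrepancy worth putting in a support ticket.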

  • 2.  RE: Switch Status is MARGINAL. Contributors: *EXPIRED_CERTS (MARGINAL).

    Posted 02-13-2020 03:22 AM
    Hi,

    I suggest doing a hareboot on one of the marginal switches, in a low-I/O period or even in a maintenance window (if that is what you prefer). It is possible that MAPS is not properly processing the update sent from the security daemon.

    If that does not resolve the problem, I suggest opening a ticket with the OEM and getting it properly checked by support.

    Regards,

    Ed


  • 3.  RE: Switch Status is MARGINAL. Contributors: *EXPIRED_CERTS (MARGINAL).

    Posted 02-13-2020 06:58 AM
    Hi Ed,

    Thanks for your feedback. I will check internally and update this thread once we are able to do a hareboot (it might take some time to get this done).

    Kind regards,

    trumbaut


  • 4.  RE: Switch Status is MARGINAL. Contributors: *EXPIRED_CERTS (MARGINAL).

    Posted 03-03-2020 01:38 AM
    Hi Ed,

    Just a quick update to let you know that a hareboot on all switches did indeed fix the issue. Thanks for helping!

    Kind regards,

    trumbaut


  • 5.  RE: Switch Status is MARGINAL. Contributors: *EXPIRED_CERTS (MARGINAL).

    Posted 03-03-2020 02:46 AM
    Feedback appreciated.
    Ed