Enabling health check alerts for Certificate Integration
Enable health check alerts from the IBM® MaaS360® Portal for the Cloud Extender® Certificate Integration module.
Before you begin
This feature is available for Cloud Extender version 3.001.300 and later.
Procedure
- From the IBM MaaS360 Portal Home page, select Setup > Cloud Extender Settings.
- Select Health Check Configuration > Certificate Integration Alerting.
The Certificate Integration Alerting list is displayed.
- From the list, enable the alerts that apply to your environment.
If you set an alert subscription to Critical Only, the Cloud Extender sends an email message or a text message to the administrator for all alerts that are marked as Critical.The following table provides a description of each alert and the steps that you take to remediate the alert.
Alert name Alert description Remediation steps SCEP/CA server not reachable The Cloud Extender cannot connect to the configured Certificate Authority (CA) or the SCEP URL because the server is unreachable or the specified server URL is invalid. - Verify that the configured Certificate Authority (CA) server is reachable from the Cloud Extender server.
- Verify that the configured SCEP URL is reachable from the Cloud Extender server.
- From the Cloud Extender Configuration Tool in the IBM MaaS360 Portal, use the Certificate Test workflow to confirm certificate generation.
- If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for further assistance.
Service Account credentials expired The Cloud Extender cannot connect to the configured Certificate Authority (CA) server because the server is unreachable or the service account credentials are invalid. - Verify that the configured Certificate Authority (CA) server is reachable from the Cloud Extender server.
- From the Cloud Extender Configuration Tool in the IBM MaaS360 Portal, use the Certificate Test workflow to confirm certificate generation.
- Check whether the service account that is configured in the Certificate Template is still active and the password is not expired. If required, use the Cloud Extender Configuration Tool in the IBM MaaS360 Portal to update the service account credentials.
- If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for further assistance.
Passcode URL not reachable The Cloud Extender cannot connect to the Challenge Passcode URL to obtain the challenge passcode for certificate requests. The Cloud Extender connects to the Passcode URL to obtain a one-time challenge passcode that is required for every certificate request. The Cloud Extender cannot reach this passcode URL. - Verify that the Passcode URL that is configured on the Certificate Template is valid for that configuration.
- Verify that the Passcode URL is reachable from the Cloud Extender server.
- Use the Cloud Extender Configuration Tool in the IBM MaaS360 Portal to run a Test Certificate action to confirm certificate generation.
- If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for further assistance.
Network storage path not reachable (if configured) The Cloud Extender cannot connect to the configured certificate storage path for local caching of certificates. This alert refers to multiple Cloud Extenders in High Availability (HA) mode that share a network storage path to cache certificates. The Cloud Extender uses the certificate storage path to cache identity certificates for future use. This path is either a local path or a network storage path. - Verify that the certificate storage location is accessible from the Windows File Manager on the Cloud Extender server.
- If the location moved to a new path, use the Cloud Extender Configuration Tool to update the location on the Certificate Template.
- If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for further assistance.
Certificate request timeout The certificate generation is taking more time to complete than the configured threshold. By default, the certificate request times out after 3 minutes. - Verify that the Certificate Authority (CA) server is reachable from the Cloud Extender server.
- If you are using an on-premises CA (Microsoft NDES or Entrust), review the event logs or application logs on the CA server for possible issues and resolution steps.
- If you are using a cloud-based CA (Symantec PKI), contact the vendor for further assistance.
Certificate templates configured are not matching This alert is triggered when one or more certificate templates that are configured on a Cloud Extender are not matching with the other Cloud Extender within the same customer environment.
- Export the certificate template from the Cloud Extender where it was created.
- Import the template into all other Cloud Extender in the server.
- Verify that all Cloud Extender have the same set of templates. The alert automatically updates to Remediated once the mismatch is resolved.
- Publish the Cloud Extender settings to activate the alerts.