Verifying the Secure Sockets Layer (SSL) certificate

You can verify the existing Secure Sockets Layer (SSL) certificate that is used on the IBM Storage® Protect Plus server to determine if further action is required.

About this task

To verify the SSL certificate, complete the following steps:

Procedure

  1. Log on to the IBM Storage Protect Plus console with the ID serveradmin by using Secure Shell (SSH) protocol.
  2. To verify the IP address, issue the following command:
    hostname -I
  3. To verify the certificate for the IP address, issue the following command:
    sudo openssl x509 -text -noout -in /opt/ECX/virgo/configuration/ecx-beta.crt | grep "IP Address:"
  4. If the certificate contains the server IP address, no further action is required.
    Note: Check the IP address in the certificate obtained in step (3) to ensure that it matches the IP address from the hostname obtained in step (2). For example, if the certificate contains multiple IP addresses such as IPv4, IPv6, and local addresses used by Kubernetes components in the IBM Storage Protect Plus server, you must look for the IPv4 address in the certificate.
  5. If the IP address is not present in the certificate, you can verify the certificate for the server hostname by running the following command:
    sudo openssl x509 -text -noout -in /opt/ECX/virgo/configuration/ecx-beta.crt | grep "$HOSTNAME"
    Note: The $HOSTNAME environment variable may contain the short hostname rather than the fully qualified domain name (FQDN).
  6. You can get the machine FQDN by running the following command:
    hostname --fqdn or hostname -A
  7. If the certificate does not contain the value of the output of step 6, you must take one of the following actions:
    • Change the server hostname to match the hostname in the certificate. The nmtui console mode utility allows you to change the server's hostname without rebooting the server.
    • Regenerate the SSL certificate (or regenerate if it is a CA certificate) and reboot the IBM Storage Protect Plus appliance. For instructions, see Regenerating the Secure Sockets Layer (SSL) certificate.
    • Add an entry to the agent hosts file so that the hostname in the certificate resolves to the IP address.
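
The comparison in steps 2 through 6, as an added example that is not part of the IBM documentation: grep matches substrings, so 10.0.0.1 or a short hostname can appear to match a certificate issued for 10.0.0.15 or for the FQDN, and this sketch compares whole Subject Alternative Name entries instead. The sample certificate text, addresses and names are constructed, and the function names san_entries and san_has are hypothetical.

```sh
#!/bin/sh
# Added example: exact-match lookup in the Subject Alternative Name (SAN) list.
# Constructed sample of the relevant part of `openssl x509 -text -noout` output.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:spp.example.com, DNS:localhost, IP Address:10.0.0.15, IP Address:172.20.0.1, IP Address:127.0.0.1'

# san_entries: read certificate text on stdin, print one SAN entry per line,
# for example "DNS:spp.example.com" or "IP Address:10.0.0.15".
san_entries() {
    awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# san_has TYPE VALUE: succeed only if the SAN list holds exactly TYPE:VALUE.
# TYPE is "DNS" or "IP Address". -F = literal string, -x = whole line,
# -i = case-insensitive (DNS names are not case-sensitive).
# IPv4 only: openssl prints IPv6 addresses in expanded form, which will not
# equal the compressed form printed by `hostname -I`.
san_has() {
    san_entries | grep -Fxiq -- "$1:$2"
}

# On the appliance, feed the real certificate instead of the sample and use
# the address from step 2 and the FQDN from step 6:
#   sudo openssl x509 -text -noout -in /opt/ECX/virgo/configuration/ecx-beta.crt \
#       | san_has "IP Address" 10.0.0.15

# Demonstration on the constructed sample.
for ip in 10.0.0.15 10.0.0.1; do
    if printf '%s\n' "$SAMPLE_CERT_TEXT" | san_has "IP Address" "$ip"; then
        echo "IP $ip: present in certificate"
    else
        echo "IP $ip: NOT in certificate"
    fi
done
for name in spp.example.com spp; do
    if printf '%s\n' "$SAMPLE_CERT_TEXT" | san_has DNS "$name"; then
        echo "Name $name: present in certificate"
    else
        echo "Name $name: NOT in certificate"
    fi
done
```

A plain grep for 10.0.0.1 or spp would report a match on this sample; the exact comparison reports both as absent.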