IBM Support

One expired certificate brings down all certificates in the DataPower Validation Credential

Question & Answer


Question

Why does one expired certificate cause all other certificates within the Validation Credential to come down after a reboot of the DataPower appliance?

Cause

When multiple certificates are configured to a Validation Credential (ValCred), all of the certificates
must be up in order for the ValCred to be up.

Note, when any configuration object (such as ValCred) has references to other objects, the whole chain of objects will go down if any of the referenced objects are down. Therefore, one certificate being down will take down the ValCred and any other objects referencing that ValCred (i.e crypto profile, MPGW, etc).

In regards to the problem occurring after a reboot, this is because the 'certificate expiration' check only occurs at two times:

  • (re)configuration of a certificate object
  • reboot of the appliance

When the expiration check occurs at reboot, all configured objects are processed and any object referencing a down object (directly or indirectly), will also be marked down.

Answer

The Ignore Expiration Dates toggle in the Crypto Certificate object determines if the 'certificate expiration' check should be ignored at configuration/reboot time. By setting it to ON, there are no checks for certificate expiration at configuration/reboot time. This means that when one certificate in the Validation Credential expires, the certificate remains in the 'up' state and the other certificates in the referenced chain are not affected. The default is OFF.

The Disable Expired Certificates toggle in the Crypto Certificate Monitor object, determines if the 'certificate expiration' check should happen on a periodic timer instead of only happening at configuration/reboot time. When set to ON, the expired certificate and all referenced objects would go down immediately, instead of only after a reboot. The default is OFF.

In conclusion, Disable Expired Certificates = OFF in the Crypto Certificate Monitor object *and* Ignore Expiration Dates = ON in all of the certificate objects within the Validation Credential will prevent one expired certificate from bringing down all other certificates in the Validation Credential.

Also, please note that when Ignore Expiration Dates = ON this allows the certificate to maintain the up state even if it is expired. However, when the certificate is used to make an SSL connection to a remote host, the actual expiration date is still utilized, and connections may fail validation if the certificate has expired.

[{"Product":{"code":"SS9H2Y","label":"IBM DataPower Gateways"},"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Component":"--","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"7.6;7.5;7.2","Edition":""}]

Document Information

Modified date:
21 June 2018

UID

swg21509220