Configuring advanced node failure detection on hardware management console (HMC) with REST server

A Hardware Management Console (HMC) can be used with advanced node failure detection to prevent cluster partitions when a cluster node has actually failed.

  1. Using HMC with a Representational state transfer (REST) server requires HMC version V8R8.5.0 or greater.
  2. The Add cluster monitor (ADDCLUMON) command must be used with the representational state transfer (REST) server. The PowerHA® graphical interface only supports the Common Informational Model (CIM) server for the cluster monitor.
  3. Check the QSSLPCL system value. Verify that it is set correctly for the release currently running.
    Note: An incorrect value in QSSLPCL may result in a CPFBBCB diagnostic message with reason code 4.
These steps guide you through obtaining the digital certificate of your HMC, storing it and referencing it to allow advanced node failure detection for the cluster node.
Important: This guide describes steps making use of features of both HMC and of the Digital Certificate Manager. Changes to either of these products may cause portions of this guide to become invalid. If you suspect such changes are preventing you from following the steps outlined in this guide successfully, contact your technical support provider.

Begin by extracting the digital certificates for the HMC and copying them to the IBM® i system in the cluster node with these steps:

  1. Sign on your IBM i system and open the command line display.
  2. In the command line display, enter CALL QP2TERM to enter the PASE shell environment.
  3. Retrieve the digital certificates from the HMC with this command: 
    openssl s_client -connect HMC_name:443 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="HMC_name"a".pem"; print > out}'
    Replace HMC_name with the name of your system's HMC. This copies the certificates into files named HMC_name1.pemHMC_nameN.pem, where N is the number of certificates copied from your system's HMC.
  4. Press F3 to exit the QP2TERM environment.
  5. Run the following command for each of certificate file to convert the CCSID to 819 (ASCII) 
    CHGATR OBJ('HMC_nameX.pem') ATR(*CCSID) VALUE(819).

Create a certificate store to hold the digital certificates by following these steps:

  1. Open the IBM Navigator for i and click Internet Configurations.
  2. On the Internet Configurations page, click Digital Certificate Manager.
    You need to enter your user profile and password.
  3. In the Digital Certificate Manager page, click Create New Certificate Store.
  4. In the page that appears, you should have an option for *SYSTEM. Make sure that the button is selected and click Continue.
    If the *SYSTEM option is not there, you already have a *SYSTEM store created. Skip forward to step 12.
  5. Select No - Do not create a certificate in the certificate store.
  6. Create a password for the *SYSTEM store and click Continue.
    The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many retries.
    You have successfully created the *SYSTEM store.

Select the *SYSTEM certificate store by following these steps:

  1. Click Select a Certificate Store and select the *SYSTEM option, click continue.
  2. Sign in with the password for the certificate store and click Continue, then Manage Certificates.

Import the HMC certificates into the security store.

  1. Select Import certificate and click Continue.
    If your HMC has only one certificate, perform these steps for that certificate. If your HMC has multiple certificates, perform these steps for each certificate except the first certificate (HMC_name1.pem), starting with the last certificate and moving backwards through the list of certificates. For example, if there are three certificates: HMC_name1.pem, HMC_name2.pem, and HMC_name3.pem, perform these steps for HMC_name3.pem first, then for HMC_name2.pem.
  2. Select Certificate Authority (CA) and click Continue.
  3. Enter the path name of the certificate you want to import. For example, the path and file name may be /HMC_name1.pem. Click Continue.

The selected security certificate is imported into the security store.

After importing the certificates, sign on to your IBM i and use the command line to run the Add cluster monitor (ADDCLUMON) command to run the cluster configuration steps. For additional information about ADDCLUMON, see the Add Cluster Monitor (ADDCLUMON) command in the Knowledge Center.

As an alternative option to importing digital certificates, consider setting a PowerHA policy to manage communications throughout the cluster. To learn about PowerHA policies read Planning for PowerHA policies, and for information on implementing and managing PowerHA policies consult the Managing PowerHA policies section.