A Hardware Management Console (HMC) can be used with advanced node failure detection
to prevent cluster partitions when a cluster node has actually failed.
- Using HMC with a representational state transfer (REST) server requires HMC version V8R8.5.0 or greater.
- The Add cluster monitor (ADDCLUMON) command must be used with the representational state transfer (REST) server. The PowerHA® graphical interface only supports the Common Informational Model (CIM) server for the cluster monitor.
- Check the QSSLPCL system value. Verify that it is set correctly for the release currently running.
  Note: An incorrect value in QSSLPCL may result in a CPFBBCB diagnostic message with reason code 4.
These steps guide you through obtaining the digital certificate of your HMC, storing
it and referencing it to allow advanced node failure detection for the cluster node.
Important: This guide describes steps making use of features of both HMC and of the Digital
Certificate Manager. Changes to either of these products may cause portions of this guide to become
invalid. If you suspect such changes are preventing you from following the steps outlined in this
guide successfully, contact your technical support provider.
Begin by extracting the digital certificates for the HMC and copying them to the IBM® i system in the cluster node with these steps:
- Sign on to your IBM i system and open the command line display.
- In the command line display, enter CALL QP2TERM to enter the PASE shell environment.
- Retrieve the digital certificates from the HMC with this command:
    openssl s_client -connect HMC_name:443 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="HMC_name"a".pem"; print > out}'
  Replace HMC_name with the name of your system's HMC. This copies the certificates into files named HMC_name1.pem … HMC_nameN.pem, where N is the number of certificates copied from your system's HMC.
- Press F3 to exit the QP2TERM environment.
- Run the following command for each certificate file to convert the CCSID to 819 (ASCII):
    CHGATR OBJ('HMC_nameX.pem') ATR(*CCSID) VALUE(819)
Create a certificate store to hold the digital certificates by following these steps:
- Open the IBM Navigator for i and click Internet Configurations.
- On the Internet Configurations page, click Digital Certificate Manager.
  You need to enter your user profile and password.
- In the Digital Certificate Manager page, click Create New Certificate Store.
- In the page that appears, you should have an option for *SYSTEM. Make sure that the button is selected and click Continue.
  If the *SYSTEM option is not there, you already have a *SYSTEM store created. Skip forward to step 12.
- Select No - Do not create a certificate in the certificate store.
- Create a password for the *SYSTEM store and click Continue.
  The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many retries.
You have successfully created the *SYSTEM store.
Select the *SYSTEM certificate store by following these steps:
- Click Select a Certificate Store, select the *SYSTEM option, and click Continue.
- Sign in with the password for the certificate store and click Continue, then Manage Certificates.
Import the HMC certificates into the security store.
- Select Import certificate and click Continue.
  If your HMC has only one certificate, perform these steps for that certificate. If your HMC has multiple certificates, perform these steps for each certificate except the first certificate (HMC_name1.pem), starting with the last certificate and moving backwards through the list of certificates. For example, if there are three certificates: HMC_name1.pem, HMC_name2.pem, and HMC_name3.pem, perform these steps for HMC_name3.pem first, then for HMC_name2.pem.
- Select Certificate Authority (CA) and click Continue.
- Enter the path name of the certificate you want to import. For example, the path and file name may be /HMC_name1.pem. Click Continue.
The selected security certificate is imported into the security store.
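
The split and import order described above, as an added example that is not IBM's code: it runs a stricter form of the awk split (matching only the full certificate marker lines) over a constructed sample of s_client output and lists the files in the order this guide imports them as CA certificates. The function names split_certs, import_order and sample_output are hypothetical, and the certificate bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not IBM's code; function names are hypothetical.

# split_certs PREFIX: read s_client output on stdin, write each PEM block to
# PREFIX1.pem .. PREFIXN.pem, and print N. Matches the full marker lines only.
split_certs() {
    awk -v p="$1" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = p n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }'
}

# import_order PREFIX N: list the files in the order the guide imports them
# as CA certificates: the only file when N is 1, otherwise file N down to
# file 2 (file 1 is skipped).
import_order() {
    if [ "$2" -eq 1 ]; then echo "${1}1.pem"; return; fi
    i=$2
    while [ "$i" -ge 2 ]; do echo "${1}$i.pem"; i=$((i - 1)); done
}

# Constructed sample of s_client output with three PEM blocks; the bodies
# are placeholders, not real certificates.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = hmc.example.test
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODY1
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODY2
-----END CERTIFICATE-----
 2 s:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODY3
-----END CERTIFICATE-----
---
EOF
}

dir=$(mktemp -d)
n=$(sample_output | split_certs "$dir/HMC_name")
echo "certificates found: $n"
import_order "$dir/HMC_name" "$n"
```
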
After importing the certificates, sign on to your IBM i and use the command line to run the Add cluster monitor (ADDCLUMON) command to run the cluster configuration steps. For additional information about ADDCLUMON, see the Add Cluster Monitor (ADDCLUMON) command in the Knowledge Center.
As an alternative option to importing digital certificates, consider setting a PowerHA policy to manage communications throughout the cluster. To learn about PowerHA policies, read Planning for PowerHA policies. For information on implementing and managing PowerHA policies, consult the Managing PowerHA policies section.