Certificate expiration warnings
IBM Spectrum Scale writes warning messages into the mmfs.log file for digital certificates that are nearing their expiration dates.
Warnings for an RKM server certificate
2018-08-01_11:45:09.341-0400: GPFS: 6027-3732 [W] The server certificate for key server 192.168.9.135 (port 5696) will expire at Aug 01 12:03:32 2018 EDT (-0400).
With this information you can log on to the specified RKM server and find the server certificate that is approaching expiration.
Warnings for a key client certificate
2020-11-04_13:55:07.838-0400: [W] The client certificate with label 'client1' for key server with RKM ID 'RKM1' (192.168.9.135:5696) will expire at Nov 04 16:39:59 2020 EDT (-0400).
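Both warning formats are regular enough to be parsed by a log monitor, so that an approaching expiry raises an alert before the key client loses access to the RKM server. The following Python is an added example, not part of the IBM documentation or product: it recognises the server and client warning formats quoted above, extracts the certificate type, label, RKM ID, server address and expiry time, and computes how much time the certificate had left when the message was written. The sample log content is the two lines from this page (the server line rejoined onto one line) plus one constructed filler entry.

```python
import re
from datetime import datetime

# Sample mmfs.log content: the two warning lines quoted on this page plus
# one constructed filler entry that must be ignored.
SAMPLE_LOG = """\
2018-08-01_11:45:09.341-0400: GPFS: 6027-3732 [W] The server certificate for key server 192.168.9.135 (port 5696) will expire at Aug 01 12:03:32 2018 EDT (-0400).
2020-11-04_13:55:07.838-0400: [I] Constructed filler line that is not a certificate warning.
2020-11-04_13:55:07.838-0400: [W] The client certificate with label 'client1' for key server with RKM ID 'RKM1' (192.168.9.135:5696) will expire at Nov 04 16:39:59 2020 EDT (-0400).
"""

# The expiry text looks like "Aug 01 12:03:32 2018 EDT (-0400)". The zone
# name is skipped and the numeric offset is used, so parsing does not
# depend on the locale or on zone-name tables.
EXPIRY = (r"will expire at (?P<expiry>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
          r"\S+ \((?P<offset>[+-]\d{4})\)")

SERVER_RE = re.compile(
    r"^(?P<ts>\S+): GPFS: 6027-3732 \[W\] The server certificate for key server "
    r"(?P<host>\S+) \(port (?P<port>\d+)\) " + EXPIRY)
CLIENT_RE = re.compile(
    r"^(?P<ts>\S+): \[W\] The client certificate with label '(?P<label>[^']+)' "
    r"for key server with RKM ID '(?P<rkm_id>[^']+)' "
    r"\((?P<host>[^:)]+):(?P<port>\d+)\) " + EXPIRY)


def parse_warning(line):
    """Parse one mmfs.log line; return a dict for a certificate warning, else None."""
    for kind, regex in (("server", SERVER_RE), ("client", CLIENT_RE)):
        m = regex.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # Log timestamps carry their own UTC offset ("-0400"), as does the expiry.
        logged = datetime.strptime(d.pop("ts"), "%Y-%m-%d_%H:%M:%S.%f%z")
        expires = datetime.strptime(d.pop("expiry") + " " + d.pop("offset"),
                                    "%b %d %H:%M:%S %Y %z")
        d.update(kind=kind, port=int(d["port"]), logged=logged, expires=expires)
        return d
    return None


def scan_log(text):
    """Return every certificate expiration warning found in the log text."""
    return [w for w in map(parse_warning, text.splitlines()) if w]


def seconds_remaining(warning):
    """Seconds between the warning being logged and the certificate expiring."""
    return (warning["expires"] - warning["logged"]).total_seconds()


if __name__ == "__main__":
    for w in scan_log(SAMPLE_LOG):
        who = w.get("label") or "server certificate"
        print(f"{w['kind']}: {who} for {w['host']}:{w['port']} expires "
              f"{w['expires'].isoformat()} ({seconds_remaining(w) / 3600:.2f} h "
              f"after the warning was logged)")
```

In a real deployment the input would be the tail of mmfs.log on each node that accesses encrypted files, since (as the Limitations section notes) the warnings are logged only there; the client-certificate record also carries the label and RKM ID needed for the lookup procedures that follow.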
To find the client certificate that is approaching expiration, you need to know the following:
- Whether more than one key client in the cluster has a connection with the RKM server that is specified in the warning message.
- Whether the encryption environment of the cluster is configured by the simplified setup method or the regular setup method.
- Simplified method: If the encryption environment is configured by the simplified method, follow these steps:
  1. Make a note of the following information:
     - The expiration date of the client certificate from the warning message.
     - The IP address and port of the RKM server from the warning message.
     - The host name of the RKM server that uses that IP address and port. Look this item up in your system information.
  2. On the command line of a node in the cluster, issue the following command to list the key clients for the RKM server:
     mmkeyserv client show -server <host_ID>
     where <host_ID> is the IP address or host name of the RKM server from Step 1.
  3. For each key client, the command displays a block of information that includes the client certificate label, the host name or IP address and the port of the RKM server, and other information.
  4. This set of instructions assumes that only one key client in the cluster has a connection with the specified RKM server. Therefore, in Step 3 the command displays only one block of information. The label that is listed in this block is the label of the client certificate that is approaching expiration.
- Regular method: If the encryption environment is configured by the regular method, follow these steps:
  1. Make a note of the following information:
     - The expiration date of the client certificate from the warning message.
     - The IP address and port of the RKM server from the warning message.
     - The host name of the RKM server that uses that IP address and port. Look this item up in your system information.
  2. On a node of the cluster that accesses encrypted files (that is, on a node that is successfully configured for encryption), open the RKM.conf file with a text editor. For more information about the RKM.conf file, see the topic Preparation for encryption.
  3. In the RKM.conf file, follow these steps:
     - Find the stanza that contains the host name or IP address and the port of the RKM server from Step 1. This information is specified in the kmipServerURI parameter of the stanza.
     - The client certificate label that is specified in that same stanza is the label of the client certificate that is approaching expiration.
     - Make a note of the path of the keystore and the keystore password that are also specified in the stanza. You can use this information to open the keystore with a tool such as the openssl key-management utility and inspect the certificate.
- Multiple key clients: If more than one key client in the cluster has a connection with the specified RKM server, follow these steps:
  1. Make a note of the expiration date of the client certificate and the IP address and port of the RKM server in the warning message. Also look up the host name of the RKM server.
  2. List the stanzas of the RKM.conf file:
     - For the simplified setup method, issue the following command from the command line:
       mmkeyserv rkm show
     - For the regular setup method, open the RKM.conf file with a text editor. You must do this step on a node that is configured for encryption. For more information about the RKM.conf file, see the topic Preparation for encryption.
  3. Find the stanza or stanzas that contain the host name or IP address of the RKM server from Step 1. For each such stanza, make a note of the client certificate label, the path of the keystore file, and the password to the keystore file.
  4. Open each keystore file from Step 3 with a tool such as the openssl key-management utility. In the keystore file, find the client certificate label or labels from Step 3 and verify whether each client certificate is approaching expiration.
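The stanza lookup in the two RKM.conf procedures above (find every stanza whose kmipServerURI points at the server named in the warning, then note its client certificate label and keystore path) is easy to script when a cluster has many stanzas. The following Python is an added example, not IBM code. The RKM.conf content is constructed; the server address comes from the warning on this page, while the host name rkm-a.example.com and the keystore paths are invented. Only kmipServerURI is named on this page; the other parameter names in the sample (type, keyStore, passphrase, clientCertLabel, tenantName) are assumed, and the parser lower-cases keys so that spelling variants such as kmipServerUri still match.

```python
import re
from urllib.parse import urlsplit

# Constructed RKM.conf content (not from a real cluster). Two stanzas point
# at the same RKM server, one by IP address and one by host name, and a
# third points at a different (backup) server. Parameter names other than
# kmipServerURI are assumptions about the file layout.
SAMPLE_RKM_CONF = """
RKM1 {
    type = ISKLM
    kmipServerUri = tls://192.168.9.135:5696
    keyStore = /var/mmfs/etc/RKMcerts/keystore1.p12
    passphrase = EXAMPLE_PASSPHRASE_1
    clientCertLabel = client1
    tenantName = TENANT1
}
RKM2 {
    type = ISKLM
    kmipServerUri = tls://rkm-a.example.com:5696
    keyStore = /var/mmfs/etc/RKMcerts/keystore2.p12
    passphrase = EXAMPLE_PASSPHRASE_2
    clientCertLabel = client2
    tenantName = TENANT2
}
RKMBACKUP {
    type = ISKLM
    kmipServerUri = tls://192.168.9.136:5696
    keyStore = /var/mmfs/etc/RKMcerts/keystore3.p12
    passphrase = EXAMPLE_PASSPHRASE_3
    clientCertLabel = client3
    tenantName = TENANT1
}
"""

# A stanza is "<RKM ID> { key = value ... }".
STANZA_RE = re.compile(r"(?P<id>[A-Za-z0-9_.-]+)\s*\{(?P<body>[^}]*)\}")


def parse_rkm_conf(text):
    """Map each RKM ID to its parameters; keys are lower-cased for tolerant lookup."""
    stanzas = {}
    for m in STANZA_RE.finditer(text):
        params = {}
        for raw in m.group("body").splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments (assumed syntax)
            if "=" not in line:
                continue
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
        stanzas[m.group("id")] = params
    return stanzas


def stanzas_for_server(stanzas, server_names, port):
    """Return the stanzas whose kmipServerUri points at the given RKM server.

    server_names: the IP address from the warning plus any host names you
    looked up for it (Step 1), so a stanza written in either form matches.
    The passphrase stays in the stanza; it is not copied into the result.
    """
    wanted = {name.lower() for name in server_names}
    hits = []
    for rkm_id, params in stanzas.items():
        uri = params.get("kmipserveruri")
        if not uri:
            continue
        u = urlsplit(uri)           # "tls://host:port" -> hostname and port
        if u.hostname in wanted and u.port == port:
            hits.append({"rkm_id": rkm_id,
                         "label": params.get("clientcertlabel"),
                         "keystore": params.get("keystore")})
    return hits


if __name__ == "__main__":
    conf = parse_rkm_conf(SAMPLE_RKM_CONF)
    for hit in stanzas_for_server(conf, {"192.168.9.135", "rkm-a.example.com"}, 5696):
        print(f"{hit['rkm_id']}: label {hit['label']} in keystore {hit['keystore']}")
```

Each hit names a keystore and label to inspect in Step 4; for a PKCS#12 keystore, `openssl pkcs12 -in <keystore> -nokeys | openssl x509 -noout -subject -enddate` prints the expiry of the certificate so that it can be compared with the date in the warning.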
Only certificates that are in use are checked
IBM Spectrum Scale checks certificate expiration dates only when the certificates are being used to authenticate a connection between a key client and a key server.
IBM Spectrum Scale checks the certificate expiration dates of a key client and its RKM server at regular intervals, currently every 15 minutes. The first check occurs when the key client connects with the server to obtain a master encryption key (MEK), which it stores in a local cache on the network node. Subsequent checks occur regularly as the key client periodically reconnects with the RKM server so that it can refresh the MEK in the local cache. The current refresh interval is 15 minutes.
IBM Spectrum Scale does not check the certificate expiration dates of client or server certificates that are not currently being used in this way. This category includes not-in-use client certificates in local keystores and not-in-use server certificates for RKM backup servers.
Frequency of warnings
| Time before expiration | Frequency of warnings |
|---|---|
| More than 90 days | No warnings are logged. |
| 30 - 90 days | Every seven days. |
| 7 days - 30 days | Every 24 hours. |
| 24 hours - 7 days | Every 60 minutes. |
| Less than 24 hours | Every 15 minutes. |
A warning is logged only when both of the following conditions are true:
- At least 75 percent of the certificate validity period has passed.
- The time that remains falls within one of the warning windows.
For example, for a certificate with a 30-day validity period, warnings are logged as follows:
- First warning: March 22 at 12:00 noon (.75 * 30 days = 22.5 days).
- Second warning: March 23 at 12:00 noon (7.5 days remaining).
- Third warning: March 24 at 12:00 noon (6.5 days remaining).
- Warnings: Every 60 minutes from March 24 at 1:00 PM until March 29 at 12:00 midnight.
- Warnings: Every 15 minutes from March 29 at 12:15 AM until March 30 at midnight.
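The following Python is an added example (not IBM's code) that models the table and the two conditions above, so that an operator can predict when a given certificate will start to produce warnings and how noisy the log will become: `warning_interval` returns the interval that applies at a given moment, and `warning_schedule` simulates the 15-minute checks for a constructed 30-day certificate valid from 2021-03-01 to 2021-03-31 UTC. Two details are my assumptions rather than statements from the page: a remaining time exactly on a table boundary (for example exactly 7 days) is placed in the shorter window, and a warning is written at a check when at least one interval has elapsed since the previous warning.

```python
from datetime import datetime, timedelta, timezone

# The page's table as (lower bound of remaining time, warning interval).
# A remaining time must exceed the lower bound to fall in the row, so an
# exact boundary value drops into the next, shorter window (my assumption).
WARNING_WINDOWS = [
    (timedelta(days=90), None),                    # more than 90 days: none
    (timedelta(days=30), timedelta(days=7)),       # 30 - 90 days
    (timedelta(days=7), timedelta(hours=24)),      # 7 - 30 days
    (timedelta(hours=24), timedelta(minutes=60)),  # 24 hours - 7 days
    (timedelta(0), timedelta(minutes=15)),         # less than 24 hours
]
CHECK_INTERVAL = timedelta(minutes=15)   # the page's check/refresh interval

# Constructed example certificate: a 30-day validity period.
EXAMPLE_NOT_BEFORE = datetime(2021, 3, 1, tzinfo=timezone.utc)
EXAMPLE_NOT_AFTER = datetime(2021, 3, 31, tzinfo=timezone.utc)


def warning_interval(not_before, not_after, now):
    """Interval between warnings in force at `now`, or None if none is due.

    Both page conditions must hold: at least 75 percent of the validity
    period has passed, and the remaining time lies in a warning window.
    """
    if now >= not_after:
        raise ValueError("certificate has already expired")
    if now - not_before < 0.75 * (not_after - not_before):
        return None
    remaining = not_after - now
    for lower_bound, interval in WARNING_WINDOWS:
        if remaining > lower_bound:
            return interval
    return None   # not reached: remaining is always positive here


def warning_schedule(not_before, not_after):
    """Simulate the periodic checks and return the times a warning is logged.

    Assumes (my simplification) that checks start at not_before and that a
    warning is logged at a check when at least the current interval has
    elapsed since the previous warning.
    """
    times, last, t = [], None, not_before
    while t < not_after:
        interval = warning_interval(not_before, not_after, t)
        if interval is not None and (last is None or t - last >= interval):
            times.append(t)
            last = t
        t += CHECK_INTERVAL
    return times


def schedule_phases(times):
    """Group a schedule into runs that share the same gap between warnings."""
    phases = []
    for prev, cur in zip(times, times[1:]):
        gap = cur - prev
        if phases and phases[-1]["every"] == gap:
            phases[-1]["until"] = cur
        else:
            phases.append({"from": prev, "until": cur, "every": gap})
    return phases


if __name__ == "__main__":
    sched = warning_schedule(EXAMPLE_NOT_BEFORE, EXAMPLE_NOT_AFTER)
    print(f"first warning {sched[0].isoformat()}, {len(sched)} warnings in total")
    for ph in schedule_phases(sched):
        print(f"every {ph['every']} from {ph['from'].isoformat()} "
              f"until {ph['until'].isoformat()}")
```

For the constructed certificate the first warning appears at 12:00 on March 23, when exactly 75 percent of the 30 days has elapsed and 7.5 days remain; the schedule then tightens to hourly when the remaining time reaches 7 days and to every 15 minutes for the last 24 hours. Running the simulation against your own certificate dates tells you how much lead time the monitor from the earlier example will actually get.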
Limitations
- Warnings are logged only on nodes that access encrypted files.
- Warnings are logged only for certificates that are used to authenticate a connection between a key client and an RKM server that is still active.
- Warning messages identify only the type of certificate (client or server) and the IP address and port of the RKM server.