Retrying certificate exchange between servers

If the certificate exchange between servers fails, you can attempt another exchange.

Procedure

  1. Remove the certificate from the partner server's database by issuing the following command on both servers:
    update server servername forcesync=yes
    Tip: The server might be using the wrong certificate if you are still getting error messages for each server-to-server session after you have completed the steps in this task and restarted the servers. If you determine that the server is attempting to use the wrong certificate, delete the certificate from the key database by issuing the following command:
    gsk8capicmd_64 -cert -delete -db cert.kdb -stashed -label certificate_labelname
  2. Delete the server definition by issuing the DELETE SERVER command for both the server and the partner server. If you cannot delete the server definition, you must configure the certificates manually. For instructions about manually configuring certificates, see ../srv.admin/t_ssl_srvcfg.html.
  3. To reacquire the certificate, cross-define the servers to each other and allow them to exchange certificates by issuing the following commands on both servers:
    set crossdefine on 
    set serverhladdress hladdress 
    set serverlladdress lladdress 
    set serverpassword password
  4. Issue the following command on one of the servers that you are cross defining:
    define server servername crossdefine=yes ssl=yes
  5. Repeat step 3 for all other Version 8.1.2 or later server pairs.
  6. Restart the servers.
  7. To verify that certificates were exchanged, issue the following command from the server instance directory of each server that you want to verify:
    gsk8capicmd_64 -cert -list -db cert.kdb -stashed
    Example output:
    example.website.com:1542:0
    Tip: If you use replication, the replication heartbeat runs approximately every 5 minutes and initiates a certificate exchange during the first connection after you upgrade the server. This connection causes messages ANR8583E and ANR8599W to appear in the log once, before a certificate exchange takes place. If you do not use replication, certificates are exchanged the first time a server-to-server session is initiated, except for server configurations without a server defined on both computers.
  8. For servers that are defined as a virtual volume, complete the following steps:
    1. Remove the partner certificate from the server's database by issuing the following command on both servers:
      update server servername forcesync=yes
    2. Ensure that the same password is used for the server password value on the DEFINE SERVER command on the source server, the password value on the REGISTER NODE command on the virtual volume server, and the SET SERVERPASSWORD value on the virtual volume server. If necessary, update a password by using the UPDATE SERVER, UPDATE NODE, or SET SERVERPASSWORD commands, respectively. Certificates are exchanged after the first client backup operation from the virtual volume server to the source server.
  9. If you are still unable to exchange certificates between servers, complete the following steps:
    1. In the server definition for each of the communicating servers, verify that you specified a server name that matches the name that was set by issuing the SET SERVERNAME command on the partner server.
    2. Verify that server definitions have passwords that are specified with the SET SERVERPASSWORD command. The passwords must match the value that is specified with the SET SERVERNAME command for the partner server.
    3. After completing substeps 1 and 2, reissue the following command:
      update server servername forcesync=yes
    4. Retry steps 1 through 3.
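
The verification in step 7 can be scripted so that a missing partner certificate is reported by name. The following is an added example, not part of the original procedure or of the product: the function name missing_partners and the sample listing are constructed for illustration, and it assumes that each partner's certificate label begins with the partner's address and port (as in the sample output example.website.com:1542:0) and that the listing may prefix labels with flag characters or quote them.

```shell
#!/bin/sh
# Added example: check a "gsk8capicmd_64 -cert -list" listing for the
# certificates of the partner servers you expect to have exchanged with.

# Usage: missing_partners "host:port [host:port ...]" < listing
# Prints each expected host:port that has no matching certificate label.
# Returns 0 when every partner was found, 1 otherwise.
missing_partners() {
    expected=$1
    # Reduce the listing to bare labels: strip leading flag characters
    # (! - * #), surrounding whitespace and optional double quotes.
    labels=$(sed -e 's/^[-!*#[:space:]]*//' \
                 -e 's/[[:space:]]*$//' \
                 -e 's/^"\(.*\)"$/\1/')
    rc=0
    for partner in $expected; do
        found=no
        while IFS= read -r label; do
            # Match host:port exactly or followed by ":<suffix>", so that
            # host:1542 is not satisfied by a label for host:15420.
            case $label in
                "$partner"|"$partner":*) found=yes ;;
            esac
        done <<EOF
$labels
EOF
        if [ "$found" = no ]; then
            printf '%s\n' "$partner"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listing (not captured from a real server).
SAMPLE_LISTING='Certificates found
! example.website.com:1542:0
! "other.example.com:15420:0"'

# On a server, from the instance directory (partner address is a placeholder):
#   gsk8capicmd_64 -cert -list -db cert.kdb -stashed |
#       missing_partners "partner.example.com:1500"
```

A non-empty result after the restart in step 6 means that the certificate for that partner is still absent, and the remaining steps apply to that server pair.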