Contents
1 Introduction
This instruction concerns alarm handling.
1.1 Alarm Description
The alarm is raised when automatic certificate enrollment or renewal failed to execute because of local misconfiguration or remote enrollment service denial.
- Note:
- The alarm is raised only if the renewalMode in a NodeCredential Managed Object (MO) is set to AUTOMATIC.
The possible alarm causes and fault locations are explained in Table 1.
|
Alarm Cause |
Description |
Fault Reason |
Fault Location |
Impact |
|---|---|---|---|---|
|
Automatic certificate enrollment or renewal has failed |
Automatic enrollment or renewal failed to execute because of local misconfiguration or break in remote enrollment service |
Configuration or customization error This can be for one of the following reasons:
|
Node credential |
Certificate is not renewed, which causes certificate expiration Expired certificate can cause secured service failure, for example, Internet Protocol Security connection authenticated by non-existing or expired certificate can fail |
The alarm attributes are listed and explained in Table 2.
|
Attribute Name |
Attribute Value |
|---|---|
|
Major Type |
193 |
|
Minor Type |
6946819 |
|
Managed Object Class |
|
|
Managed Object Instance |
ManagedElement=<node_name>,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=<node_credential_id> |
|
Specific Problem |
Certificate Management, Automatic Enrollment Failed |
|
Event Type |
processingErrorAlarm (4) |
|
Probable Cause |
x733ConfigurationOrCustomizationError (307) |
|
Additional Text |
Automatic enrollment or renewal failed to execute because of local misconfiguration or remote enrollment service denial |
|
Perceived Severity |
warning (6) |
- Note:
- When the automatic online node credential renewal has failed and the threshold for certificate expiration time has been crossed, another alarm Certificate Management, the Certificate is to Expire is raised.
1.2 Prerequisites
This section provides information on the documents, tools, and conditions that apply to the procedure.
1.2.1 Documents
This instruction references the following documents:
- Change Enrollment Server
- Configure Enrollment Authority
- Configure Enrollment Server Group Together with Enrollment Servers
- Configure Renewal Mode of Node Credential
- Data Collection Guideline
- Install Node Credential Online
- Renew Node Credential Online
1.2.2 Tools
No tools are required.
1.2.3 Conditions
Before starting this procedure, ensure that the following conditions are met:
- A Certificate Management, Automatic Enrollment Failed alarm is raised.
- The user has the System Security Administrator role.
- The user is familiar with the security policy and environment of the organization. The user knows what mechanism is appropriate to use to install and renew node credentials online.
- For the online renewal of node credentials, the correct configuration information for enrollment server groups and enrollment authorities is obtained from the IT or security administrator.
- No ongoing maintenance activities are affecting the network or network elements.
- An Ericsson Command-Line Interface (ECLI) session in Exec mode is in progress.
2 Procedure
Do the following:
- Navigate to the NodeCredential Managed
Object (MO) given in the alarm, for example:
>ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1
- Compare if the existing configuration
information for the NodeCredential MO
matches with the information received from the IT or security administrator.
The values of attributes enrollmentServerGroup and enrollmentAuthority can be checked in the NodeCredential MO with the following command:
(NodeCredential=1)>show
- Change the attribute renewalMode to MANUAL.
For information on how to change attribute renewalMode , refer to Configure Renewal Mode of Node Credential.
- Note:
- When renewalMode is set to MANUAL, the alarm is cleared but the problem remains.
- Select the appropriate action
based on the result in Step 2:
- There is a mismatch with the NodeCredential MO configuration information – Continue with Step 5.
- There is no mismatch with the NodeCredential MO configuration information – Continue with Step 6.
- Select the appropriate action
based on the result in Step 2:
- If the EnrollmentServerGroup MO or the EnrollmentServer MO needs to be reconfigured, follow the instruction Configure Enrollment Server Group Together with Enrollment Servers, then continue with the next step.
- If the EnrollmentServer MO needs to be changed, follow the instruction Change Enrollment Server, then continue with the next step.
- If the EnrollmentAuthority MO needs to be changed, follow the instruction Configure Enrollment Authority, then continue with the next step.
- If some of the NodeCredential MO attribute values are wrong, correct the faulty attribute values using the values in Install Node Credential Online.
- Renew the certificate.
For information on how to renew the certificate, refer to Renew Node Credential Online.
- Was the Renew Node Credential Online procedure successful?
Yes: Continue with the next step.
No: Proceed with Step 9.
- Note:
- The cause of the failure is shown in resultinfo of the attribute nodeCredentialId.
- Change the attribute renewalMode back to AUTOMATIC.
For information on how to change the attribute renewalMode, refer to Configure Renewal Mode of Node Credential.
- Is the alarm cleared?
Yes: Proceed with Step 12.
No: Continue with the next step.
- Perform data collection, refer to Data Collection Guideline.
- Consult the next level of maintenance support. Further actions are outside the scope of this instruction.
- Job is completed.