Contents

1   Alarm Description

The alarm is raised when automatic certificate enrollment or renewal failed to execute because of local misconfiguration or remote enrollment service denial.

Note:  

The alarm is raised only if the renewalMode in a NodeCredential Managed Object (MO) is set to AUTOMATIC.

2   Procedure

2.1   Handle Alarm Certificate Management, Automatic Enrollment Failed

Prerequisites

• This instruction references the following documents:
  • Change Enrollment Server
  • Configure Enrollment Authority
  • Configure Enrollment Server Group Together with Enrollment Servers
  • Configure Renewal Mode of Node Credential
  • Data Collection Guideline
  • Install Node Credential Online
  • Renew Node Credential Online
• No tools are required.
• The following conditions must apply:
  • The alarm is raised.
  • The user has the System Security Administrator role.
  • The user is familiar with the security policy and environment of the organization. The user knows what mechanism is appropriate to use to install and renew node credentials online.
  • For the online renewal of node credentials, the correct configuration information for enrollment server groups and enrollment authorities is obtained from the IT or security administrator.
  • No ongoing maintenance activities are affecting the network or network elements.
  • An Ericsson Command-Line Interface (ECLI) session in Exec mode is in progress.

Steps

1. Navigate to the NodeCredential Managed Object (MO) given in the alarm, for example:

   >ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1

2. Compare if the existing configuration information for the NodeCredential MO matches with the information received from the IT or security administrator.

   The values of attributes enrollmentServerGroup and enrollmentAuthority can be checked in the NodeCredential MO with the following command:

   (NodeCredential=1)>show

3. Change the attribute renewalMode to MANUAL.

   For information on how to change attribute renewalMode, refer to Configure Renewal Mode of Node Credential.

   Note:  

   When renewalMode is set to MANUAL, the alarm is cleared but the problem remains.

   
   
4. Select the appropriate action based on the result in Step 2:
   • There is a mismatch with the NodeCredential MO configuration information – Continue with Step 5.
   • There is no mismatch with the NodeCredential MO configuration information – Continue with Step 6.
5. Select the appropriate action based on the result in Step 2:
   • If the EnrollmentServerGroup MO or the EnrollmentServer MO needs to be reconfigured, follow the instruction Configure Enrollment Server Group Together with Enrollment Servers, then continue with the next step.
   • If the EnrollmentServer MO needs to be changed, follow the instruction Change Enrollment Server, then continue with the next step.
   • If the EnrollmentAuthority MO needs to be changed, follow the instruction Configure Enrollment Authority, then continue with the next step.
   • If some of the NodeCredential MO attribute values are wrong, correct the faulty attribute values using the values in Install Node Credential Online.
6. Renew the certificate.

   For information on how to renew the certificate, refer to Renew Node Credential Online.

7. Was the Renew Node Credential Online procedure successful?

   Yes: Continue with the next step.

   No: Proceed with Step 9.

   Note:  

   The cause of the failure is shown in resultinfo of the attribute nodeCredentialId.

   
   
8. Change the attribute renewalMode back to AUTOMATIC.

   For information on how to change the attribute renewalMode, refer to Configure Renewal Mode of Node Credential.

9. Is the alarm cleared?

   Yes: Proceed with Step 12.

   No: Continue with the next step.

10. Perform data collection, refer to Data Collection Guideline.
11. Consult the next level of maintenance support. Further actions are outside the scope of this instruction.
12. Job is completed.