1 Alarm Description
The alarm is raised when a secured service fails because of an expired, revoked, or non-existing certificate.
| Alarm Cause | Description | Fault Reason | Fault Location | Impact |
|---|---|---|---|---|
| No valid certificate available at secured service invocation | No valid certificate is available when a secured service is invoked | No certificate exists yet | Node credential | A secured service fails, for example, an IP Security (IPsec) connection authenticated by an expired certificate fails |
| | | The certificate has expired | | |
| | | The certificate is revoked | | |

Note: Given the fault impact on secured protocols, more protocol-specific alarms can be raised as a consequence.
2 Procedure
2.1 Handle Alarm Certificate Management, a Valid Certificate Is Not Available
Prerequisites
- This instruction references the following documents:
- No tools are required.
- The following conditions must apply:
  - The alarm is raised.
  - The user has the System Security Administrator role.
  - The user is familiar with the security policy and environment of the organization. The user knows what mechanism is appropriate to use to install and renew node credentials (online, PKCS#12, or CSR).
  - If online renewal of node credentials is used, the correct configuration information for enrollment server groups and enrollment authorities is obtained from the IT or security administrator.
  - No ongoing maintenance activities are affecting the network or network elements.
  - An Ericsson Command-Line Interface (ECLI) session in Exec mode is in progress.
Steps
1. Navigate to the NodeCredential Managed Object (MO) given in the alarm, for example:
   >ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1
2. Check attribute certificateState:
   (NodeCredential=1)>show certificateState
   The following is an example output:
   certificateState=EXPIRED
3. Select the appropriate action based on the result:
   - Attribute 'certificateState' not set – The certificate does not exist. Proceed with Section 2.2 Install a Node Credential.
   - EXPIRED – The certificate has expired based on the validTo date. Continue with the next step.
   - REVOKED – The certificate was revoked by a trusted Certification Authority (CA). Continue with the next step.
4. Check attribute renewalMode:
   (NodeCredential=1)>show renewalMode
   The following is an example output:
   renewalMode=MANUAL
5. Select the appropriate action based on the result:
   - MANUAL – The alarm can be cleared by repeating the installation or renewal for the NodeCredential MO. Proceed with Section 2.3 Renew a Node Credential.
   - AUTOMATIC – Proceed with Section 2.4 Repair Automatic Configuration.
2.2 Install a Node Credential
Steps
1. Based on the security policy, use the appropriate operation among the following to install the node credential:
   - Install Node Credential Online
   - Install or Renew Node Credential by PKCS 12 (follow the instructions for installation)
   - Install or Renew Node Credential by CSR (follow the instructions for installation)
2. Job is completed.
2.3 Renew a Node Credential
Steps
1. Based on the security policy, use the appropriate operation among the following to renew the node credential:
   - Install Node Credential Online
   - Install or Renew Node Credential by PKCS 12 (follow the instructions for renewal)
   - Install or Renew Node Credential by CSR (follow the instructions for renewal)
2. Job is completed.
2.4 Repair Automatic Configuration
Steps
1. Navigate to the CertM Managed Object (MO), for example:
   >dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1
2. View the enrollment authority, enrollment server group, and enrollment server configuration:
   (CertM=1)>show -r
   The following is an example output:
   CertM=1
      [...]
      EnrollmentAuthority=1
         enrollmentAuthorityName="/CN=atrcus3409NECertCA/OU=ericssonOAM/O=Ericsson"
         enrollmentCaCertificate="ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=1"
         userLabel="atrcus3409NECertCA O&M Certificate Authority"
      EnrollmentAuthority=2
         enrollmentAuthorityName="/CN=atrcus3841NECertCA/OU=ericssonOAM/O=Ericsson"
         enrollmentCaCertificate="ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=2"
         userLabel="atrcus3841NECertCA O&M Certificate Authority"
      EnrollmentServerGroup=1
         EnrollmentServer=1
            protocol=CMP
            uri="cmp://192.0.2.10"
      EnrollmentServerGroup=2
         EnrollmentServer=1
            protocol=CMP
            uri="cmp://192.0.2.10"
3. Does the output in Step 2 show that an enrollment authority with the correct CA authority name (enrollmentAuthorityName) and CA certificate (enrollmentCaCertificate) is configured on the Managed Element (ME)? That is, do the attribute values for an EnrollmentAuthority MO match the values obtained from the IT or security administrator?
   Yes: Continue with the next step.
   No: Proceed with Step 5.
4. Does the output in Step 2 show that an enrollment server group contains a correct enrollment server configuration (attributes protocol and uri)?
   Yes: Proceed with Step 8.
   No: Proceed with Step 7.
5. Configure an enrollment authority.
   For information on how to configure an enrollment authority, refer to Configure Enrollment Authority.
6. Proceed with Step 8.
7. Configure an enrollment server group with enrollment servers.
   For information on how to configure an enrollment server group with enrollment servers, refer to Configure Enrollment Server Group Together with Enrollment Servers.
8. Navigate to the NodeCredential MO, for example:
   >dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1,NodeCredential=1
9. Enter Config mode:
   (NodeCredential=1)>configure
10. Change to manual renewal mode:
    (config-NodeCredential=1)>renewalMode=MANUAL
11. Commit the change:
    (config-NodeCredential=1)>commit
12. Install a node credential online using the enrollment authority and enrollment server group configuration checked or added previously.
    For information on how to install a node credential online, refer to Install Node Credential Online (step 3 results in navigating to the existing MO and not in creating an MO).
13. Is the alarm cleared?
    Yes: Continue with the next step.
    No: Proceed with Step 18.
14. Enter Config mode:
    (NodeCredential=1)>configure
15. Change to automatic renewal mode:
    (config-NodeCredential=1)>renewalMode=AUTOMATIC
16. Commit the change:
    (config-NodeCredential=1)>commit
17. Proceed with Step 20.
18. Perform data collection; refer to Data Collection Guideline.
19. Consult the next level of maintenance support. Further actions are outside the scope of this instruction.
20. Job is completed.
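The comparison in Steps 3 and 4 of Section 2.4 can be done offline on a saved copy of the show -r output. The following is an added example, not part of the original instruction or of any Ericsson tool. The function names, the EXPECTED values, and the sample capture are constructed for illustration, and the indented, one-attribute-per-line layout of the capture is an assumption.

```python
import re

# Constructed sample modeled on the Step 2 example output (layout is assumed).
SAMPLE = """\
CertM=1
   EnrollmentAuthority=1
      enrollmentAuthorityName="/CN=atrcus3409NECertCA/OU=ericssonOAM/O=Ericsson"
      enrollmentCaCertificate="ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=1"
   EnrollmentServerGroup=1
      EnrollmentServer=1
         protocol=CMP
         uri="cmp://192.0.2.10"
"""

def parse_show_r(text):
    """Return {MO path: {attribute: value}} from indented 'show -r' output."""
    mos, stack = {}, []  # stack: (indent, "Class=id") of the enclosing MOs
    for m in re.finditer(r"^([ \t]*)(\w+)=(.*)$", text, re.M):
        indent, key, val = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave MOs that are not parents of this line
        if key[0].isupper():  # MO classes are capitalized, attributes are not
            stack.append((indent, f"{key}={val}"))
            mos[",".join(s for _, s in stack)] = {}
        elif stack:
            mos[",".join(s for _, s in stack)][key] = val.strip('"')
    return mos

def next_step(mos, expected):
    """Apply the Step 3 and Step 4 decisions; return the step to continue at."""
    def configured(mo_class, wanted):
        # Exact match only: a near-miss CA name or URI counts as "No".
        return any(all(attrs.get(k) == v for k, v in wanted.items())
                   for path, attrs in mos.items()
                   if re.search(rf"(^|,){mo_class}=\w+$", path))
    if not configured("EnrollmentAuthority", expected["authority"]):
        return 5  # Step 3 "No": configure an enrollment authority
    if not configured("EnrollmentServer", expected["server"]):
        return 7  # Step 4 "No": configure an enrollment server group
    return 8      # Step 4 "Yes": continue with the NodeCredential MO

# Hypothetical values as received from the IT or security administrator.
EXPECTED = {
    "authority": {
        "enrollmentAuthorityName": "/CN=atrcus3409NECertCA/OU=ericssonOAM/O=Ericsson",
        "enrollmentCaCertificate": "ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1,TrustedCertificate=1"},
    "server": {"protocol": "CMP", "uri": "cmp://192.0.2.10"},
}

print("Continue at Step", next_step(parse_show_r(SAMPLE), EXPECTED))
```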
