dswareTool Fails to Be Executed After the Certificate Is Replaced and Then the Upgrade Is Performed

Hi team, here's a new case.

Problem Symptom

1. Log in to the management node using SSH and run dswareTool.sh to perform related operations.

2. The following error message is displayed when you enter the user name and password, as shown in the following figure.

[dsware@localhost bin]$ ./dswareTool.sh --op queryNodeProcessInfo[Tue Jan 21 15:01:41 CST 2020] DswareTool operation start.Enter Password:I0 exception:sun.security.validator.validatorException:PKIX path buliding failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;Login server failed.Login failed, please try again.Failed to send command to web handle.

Problem Diagnosis

1. Use a browser to log in to DeviceManager and choose Settings > Certificate Management.

2. Check whether the expiration time, issuer, and fingerprint of the DeviceManager security certificate are the same as those of the new certificate.

3. If the certificate information is inconsistent with that after the replacement, the certificate is faulty. Otherwise, this section is not applicable.

Causes

1. After the DeviceManager certificate is replaced, a flag indicating that the certificate has been replaced is generated in a DeviceManager directory. Before the upgrade, the flag is read to determine whether to back up the new certificate.

2. After the first upgrade is complete, the backup certificate is used to replace the certificate before the upgrade, but the flag is not reset.

3. During the second upgrade, the flag of the replaced certificate cannot be read before the upgrade. As a result, the certificate is not backed up before the upgrade, and the default certificate in the upgrade package is used after the upgrade.

Solution

1. Use a browser to log in to DeviceManager and choose Settings > Certificate Management.

2. Select the security certificate of DeviceManager, import and activate it, select the new certificate and private key, and perform replacement again.

Check After Recovery

1. Use a browser to log in to DeviceManager and choose Settings > Certificate Management.

2. Check whether the expiration time, issuer, and fingerprint of the DeviceManager security certificate are the same as those of the new certificate.

3. Log in to the management node using SSH and run dswareTool.sh to perform related operations. dswareTool.sh can be used properly.

Suggestion and Summary

None

Applicable Versions

FusionStorage 8.0.0.2; FusionStorage 8.0.1; FusionStorage 8.0.2