ClearPass 6.8版本Cluster集群配置证书信任问题



从ClearPass 6.8开始,建立集群和删除集群时增加了对Publisher和Subscriber HTTPs证书的校验。当Subscriber添加到Publisher时Subscriber会校验Publisher的HTTPs证书是否被信任,当在Publisher上删除Subscriber时,Publisher会校验Subscriber的HTTPs证书是否被信任,当证书校验不通过时会提示WARNING – 10.X.50.41: echo GET failed. 并且无法成功创建集群或者删除集群。



[appadmin@Lab5-CPPM-1]# cluster make-subscriber -V -i 10.X.50.41 

*                                                      *
* WARNING: Executing this command will make the current*
* machine a subscriber to the publisher host specified.*
* Current configuration and application licenses       *
* installed (if any) on this node will be lost when the*
* operation is complete.                               *
*                                                      *
* Configuration changes will be blocked on the         *
* publisher during initial cluster sync as part of     *
* this operation.                                     *
*                                                      *
* Do not close the shell or interrupt this command     *
* execution.                                           *
*                                                      *

Continue? [y|n]: y

Enter Publisher Password: aruba123
Setting up local machine as a subscriber to
INFO - Check publisher connection passed
INFO - Local checks before adding subscriber passed
INFO - - Subscriber node added successfully for host=Lab5-CPPM-1

[appadmin@Lab5-CPPM-1]# cluster make-subscriber  --h
ERROR: Invalid command-line argument

        make-subscriber -i <IP Address> [-l] [-b] [-V]

        -i <IP Address> -- Publisher IP Address
        -l              -- Restore the local log database after this operation
        -b              -- Skip generating a backup before this operation
        -V              -- Do not verify publisher certificate

2、分别在Publisher和Subscriber上创建证书签名请求CSR,通过CA(这里采用ClearPass Onboard)签发HTTPs证书,分别在Publisher和Subscriber上导入HTTPs证书,并在证书信任列表中导入对方的证书链。推荐采用此方式。

通过ClearPass Onboard给Publisher节点签发HTTPs证书具体流程,参考以下文档:

关于Clearpass 6.8 Clustering的官方文档,参考: