Certificate trust problem when configuring a Cluster on ClearPass 6.8 and later

Things to note when enabling a Cluster

Starting with ClearPass 6.8, building a cluster and removing a node from it include a check of the Publisher's and Subscriber's HTTPS certificates. When a Subscriber is added to a Publisher, the Subscriber verifies that the Publisher's HTTPS certificate is trusted; when a Subscriber is deleted on the Publisher, the Publisher verifies that the Subscriber's HTTPS certificate is trusted. ClearPass ships with a self-signed HTTPS certificate, so two nodes left at their factory defaults do not trust each other. When the check fails, the operation reports WARNING – 10.X.50.41: echo GET failed. and the cluster can neither be created nor the node removed.

There are two ways to deal with this:

1. From the ClearPass CLI, convert the node into a Subscriber with the option that skips verification of the Publisher's certificate. This gets the Subscriber joined to the Publisher, but the command that deletes a Subscriber on the Publisher has no corresponding option to skip verification of the Subscriber's certificate, so the deletion fails later. This approach is not recommended.

[appadmin@Lab5-CPPM-1]# cluster make-subscriber -V -i 10.X.50.41 

********************************************************
*                                                      *
* WARNING: Executing this command will make the current*
* machine a subscriber to the publisher host specified.*
* Current configuration and application licenses       *
* installed (if any) on this node will be lost when the*
* operation is complete.                               *
*                                                      *
* Configuration changes will be blocked on the         *
* publisher during initial cluster sync as part of     *
* this operation.                                      *
*                                                      *
* Do not close the shell or interrupt this command     *
* execution.                                           *
*                                                      *
********************************************************

Continue? [y|n]: y

Enter Publisher Password: aruba123
Setting up local machine as a subscriber to 10.1.50.41
INFO - Check publisher connection passed
INFO - Local checks before adding subscriber passed
INFO - 10.1.50.41: - Subscriber node added successfully for host=Lab5-CPPM-1

[appadmin@Lab5-CPPM-1]# cluster make-subscriber  --h
ERROR: Invalid command-line argument

        Usage:
        make-subscriber -i <IP Address> [-l] [-b] [-V]

        -i <IP Address> -- Publisher IP Address
        -l              -- Restore the local log database after this operation
        -b              -- Skip generating a backup before this operation
        -V              -- Do not verify publisher certificate

2. Generate a certificate signing request (CSR) on the Publisher and on the Subscriber, have a CA (here, ClearPass Onboard) issue an HTTPS certificate from each CSR, import each HTTPS certificate on its own node, and import the peer's certificate chain into each node's certificate trust list. This is the recommended approach: certificate verification stays enabled in both directions, so both joining and later removing a Subscriber succeed.
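The trust check behind both options can be reproduced offline with OpenSSL. The script below is an added example, not code from this article or from Aruba. It uses a private OpenSSL CA as a stand-in for the ClearPass Onboard CA, issues HTTPS certificates for a hypothetical Publisher (10.1.50.41) and Subscriber (10.1.50.42), and emulates what each node does when it evaluates the peer's certificate against its own trust list: option 1 (-V) amounts to skipping check_trust, option 2 amounts to making it return trusted on both sides. The IP-address match (-verify_ip) is an assumption stricter than what the article states ClearPass checks; node names, addresses and file names are constructed for the demo. Importing the resulting certificates and the CA chain into ClearPass is still done in the ClearPass administration UI, which this script does not touch.

```shell
#!/bin/sh
# Added example (not from the article or from Aruba): emulate the ClearPass 6.8+
# cluster peer-certificate check with OpenSSL. A private CA stands in for the
# ClearPass Onboard CA; node names, IPs and paths are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Key + CSR, self-signed with the extensions listed in $ext_file. Used for the
# private CA and for a node's factory-style default certificate.
self_sign() {
    name="$1"; ext_file="$2"
    openssl req -new -newkey rsa:2048 -nodes -batch -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 365 \
        -extfile "$ext_file" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Private CA (stand-in for ClearPass Onboard's CA).
make_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        >"$WORK/$1.ext"
    self_sign "$1" "$WORK/$1.ext"
}

# Default self-signed HTTPS certificate: what a node presents before any
# CA-issued certificate has been imported.
self_signed_cert() {
    node="$1"; ip="$2"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$ip" >"$WORK/$node.ext"
    self_sign "$node" "$WORK/$node.ext"
}

# Option 2, CSR and signing: generate the node's key and CSR, sign with the CA.
# The SAN carries the node's IP because the peer reaches it by address.
issue_cert() {
    node="$1"; ip="$2"; ca="$3"
    openssl req -new -newkey rsa:2048 -nodes -batch -subj "/CN=$node" \
        -keyout "$WORK/$node.key" -out "$WORK/$node.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$ip" >"$WORK/$node.ext"
    openssl x509 -req -in "$WORK/$node.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$node.ext" \
        -out "$WORK/$node.crt" >/dev/null 2>&1
}

# The check as seen from the verifying node: the peer's HTTPS certificate must
# chain to something in the verifier's trust list. Only that trust list is
# consulted (-no-CAfile -no-CApath); a node does not fall back to a public root
# store. The IP match (-verify_ip) is an assumption of this example, stricter
# than what the article states. Prints "trusted" or "untrusted".
check_trust() {
    peer="$1"; peer_ip="$2"; trust_list="$3"
    if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$trust_list.crt" \
        -verify_ip "$peer_ip" "$WORK/$peer.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Demo: a default self-signed certificate fails the check (the "echo GET
# failed" situation); CA-issued certificates with the CA chain in the peer's
# trust list pass it in both directions.
make_ca onboard-ca
self_signed_cert publisher-default 10.1.50.41
echo "subscriber checks default publisher cert: $(check_trust publisher-default 10.1.50.41 onboard-ca)"
issue_cert publisher 10.1.50.41 onboard-ca
issue_cert subscriber 10.1.50.42 onboard-ca
echo "subscriber checks publisher: $(check_trust publisher 10.1.50.41 onboard-ca)"
echo "publisher checks subscriber: $(check_trust subscriber 10.1.50.42 onboard-ca)"
```

The important design point is the last function: verification is done against the node's own trust list only, which is why option 2 requires importing the peer's chain on each node and not just installing a CA-signed certificate on one side. The same function also shows why option 1 is fragile: the join succeeds only because the check is skipped, not because anything has become trusted.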

For the full procedure for issuing an HTTPS certificate to the Publisher node with ClearPass Onboard, see the following document:

For the official ClearPass 6.8 Clustering documentation, see:
