Customer Facing Issue While Configuring KM Server in HCP
Issue Description
Customers may encounter issues while configuring the Key Management (KM) server in Hitachi Content Platform (HCP). The following errors were observed in the logs:
02/20 18:56:15.501 00004271 00008958 INFO at com.hds.util.admin.AdminJvmRequestReceiver.received(AdminJvmRequestReceiver.java:216) Completed jvm command: AdminJvmRequest([certificate, list])
02/21 20:54:41.300 00005169 00011817 001 The client certificate supplied does not match any certificate signing request or domain certificate.
02/21 ? at com.hds.ui.cluster.security.KmipOverviewAction.checkConnection(KmipOverviewAction.java:296) Unable to connect to KM server
Resolution Steps
When adding a new KM server, two certificates are used: a root certificate and a client certificate.
- Root Certificate: HCP uses the root certificate to authenticate the identity of the KM server. This certificate belongs to the KM server.
- Client Certificate: The KM server uses the client certificate to authenticate the identity of the HCP cluster. This certificate belongs to the HCP cluster and can be:
  - A CA-generated certificate returned for an HCP-generated Certificate Signing Request (CSR).
  - The Domain Certificate of the HCP.
Important: The same client certificate of the HCP needs to be added to the KM server as well.
Authentication Process
- The KM server sends HCP a server certificate, and HCP uses the root certificate to authenticate the identity the certificate claims to represent.
- HCP sends the KM server a client certificate, and the KM server uses the copy of that client certificate stored on the KM server to authenticate the identity the certificate claims to represent.
Log Analysis
Based on the logs provided:
02/21 20:54:41.300 00005169 00011817 001 The client certificate supplied does not match any certificate signing request or domain certificate.
02/21 ? at com.hds.ui.cluster.security.KmipOverviewAction.checkConnection(KmipOverviewAction.java:296) Unable to connect to KM server
The client certificate being provided does not match any existing CSR or the domain certificate of the HCP.
Recommended Actions
- Use Existing HCP Domain Certificate: Add the existing HCP domain certificate to the KM server.
- Generate New Certificate:
  - Create a new CSR on HCP.
  - Download the CSR and provide it to your internal CA to generate a new certificate.
  - Use the new certificate as the client certificate while adding the KM server.
If the error persists, review the latest logs for further analysis.
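As an added example (not from the original article and not part of HCP or any Hitachi tooling), the following shell script uses openssl to perform the two checks that the error above implies: that the client certificate actually carries the public key of the HCP CSR, and that a certificate chains to the root certificate you intend to trust. All keys, subject names and certificates are throwaway fixtures constructed inside the script.

```shell
#!/bin/sh
# Constructed fixtures: a throwaway internal CA, an HCP key + CSR, the
# CA-issued client certificate for that CSR, and a certificate issued by
# the same CA for an unrelated key (the "wrong client certificate" case).
set -e
WORK=$(mktemp -d)

make_fixtures() {
  cd "$WORK"
  # Stand-in for the customer's internal CA that signs the HCP CSR
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example Internal CA" -days 30 >/dev/null 2>&1
  # HCP side: private key and the CSR an administrator would download
  openssl req -newkey rsa:2048 -nodes -keyout hcp.key -out hcp.csr \
    -subj "/CN=hcp.example.internal" >/dev/null 2>&1
  # CA signs the HCP CSR: this is the correct client certificate
  openssl x509 -req -in hcp.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out hcp-client.crt -days 30 >/dev/null 2>&1
  # Same subject, different key: a certificate that does NOT match the CSR
  openssl req -newkey rsa:2048 -nodes -keyout other.key -out other.csr \
    -subj "/CN=hcp.example.internal" >/dev/null 2>&1
  openssl x509 -req -in other.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out other-client.crt -days 30 >/dev/null 2>&1
}

# Prints "match" when the certificate ($1) carries the public key of the
# CSR ($2); the subject name alone is not enough, the key must be the same.
cert_matches_csr() {
  cert_key=$(openssl x509 -in "$1" -pubkey -noout | openssl md5)
  csr_key=$(openssl req -in "$2" -pubkey -noout | openssl md5)
  [ "$cert_key" = "$csr_key" ] && echo match || echo mismatch
}

# Prints "ok" when the certificate ($1) verifies against the root ($2),
# i.e. the root you configure is the one that actually issued the cert.
cert_chains_to_root() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
}

make_fixtures
echo "client cert vs HCP CSR:   $(cert_matches_csr "$WORK/hcp-client.crt" "$WORK/hcp.csr")"
echo "other cert vs HCP CSR:    $(cert_matches_csr "$WORK/other-client.crt" "$WORK/hcp.csr")"
echo "client cert chains to CA: $(cert_chains_to_root "$WORK/hcp-client.crt" "$WORK/ca.crt")"
```

Run the same two functions against the certificate you are about to upload as the client certificate and against the root certificate you are about to configure; a "mismatch" on the first check is the condition that produces the "does not match any certificate signing request or domain certificate" error.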
Case Example
In a particular situation, the customer was advised to:
- Use the root certificate exported from the CA rather than the root certificate of the KM server.
- Use the certificate generated using the HCP CSR as the client certificate.
By following these steps, the issue was resolved successfully.
------------------------------
Abhishek Saxena
Hitachi Vantara
------------------------------