Hub tunnels lost connection due to certificate expiration and no longer appear in IM

Article ID: 127959

Products

- DX Unified Infrastructure Management (Nimsoft / UIM)
- CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
- CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

Three Hubs/hub tunnels lost connection to the Primary hub due to certificate expiration and no longer appear in IM. 

Environment

- UIM any
- hub 7.80 and later

Cause

  • tunnel certificate expiration

Resolution

If you remember the password you used to generate the original certificate for this tunnel:

 

  1. Select the hub probe on the Tunnel Server 
  2. Delete the expired certificate under "Issued Certificates" 
  3. Click 'New' to generate a new certificate 
  4. When generating the certificate, use the same password that you used before. If you do not remember it, use a new one, then follow the steps below to replace the existing encrypted password string.
  5. View the certificate and save it in Notepad, making sure there are no extra leading or trailing characters
  6. RDP to each of the hubs that are having trouble connecting to the Tunnel server/Primary Hub
  7. Navigate to <install_dir>\hub\cert
  8. Edit 'client1.pem' using Notepad 
  9. Replace the contents of the file with the certificate contents you copied from the Tunnel Server 
  10. Save the file 
  11. Restart the hub robot 
  12. Check that the hub now reappears in the Infrastructure Manager
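
A check for steps 5 and 9 above, as an added example that is not part of the original article or of UIM: it reports any text outside the PEM blocks and reads the certificate's expiry date before the file is saved and the hub restarted. It assumes Python 3 is available and that the certificate text is a standard PEM-encoded X.509 certificate; the function names are hypothetical and the sample certificate is a constructed, unsigned stand-in.

```python
import base64
import re
from datetime import datetime, timezone

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def stray_text(pem_text):
    """Return any non-whitespace text found outside the PEM blocks."""
    return PEM_BLOCK.sub("", pem_text).strip()

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(pem_text):
    """Return the notAfter time (UTC) of the first CERTIFICATE block."""
    m = next((b for b in PEM_BLOCK.finditer(pem_text) if b.group(1) == "CERTIFICATE"), None)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode(m.group(2))
    _, pos, _ = _tlv(der, _tlv(der, 0)[1])     # enter Certificate, then tbsCertificate
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos          # skip the optional explicit version
    for _skip in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, _, pos = _tlv(der, _tlv(der, pos)[1])   # enter validity, skip notBefore
    tag, start, end = _tlv(der, pos)
    text = der[start:end].decode("ascii")
    if tag == 0x17:                            # UTCTime: two-digit year, RFC 5280 pivot at 50
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_pem(pem_text, now):
    """Return a list of problems; an empty list means the text is fit to save."""
    problems = ["text outside PEM blocks"] if stray_text(pem_text) else []
    if not_after(pem_text) <= now:
        problems.append("certificate already expired")
    return problems

def sample_pem():
    """Constructed, unsigned stand-in with a certificate's field layout (not a real cert)."""
    der = lambda tag, *parts: bytes([tag, len(b"".join(parts))]) + b"".join(parts)
    validity = der(0x30, der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(2, b"\x02")), der(2, b"\x01"), der(0x30), der(0x30), validity)
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der(0x30, tbs)).decode()
```

Call `check_pem(open(path).read(), datetime.now(timezone.utc))` on the saved file; any further PEM blocks in the text are tolerated, and only text outside the blocks is reported.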

 

If you do not remember the password you originally used

If you do not remember the original password, the above procedure still applies, but you will also need to do the following to generate a new encrypted password string:

  1. Navigate to an existing hub in the environment that has tunneling enabled - it can be a tunnel server or client
  2. Go to the Client Configuration tab and proceed as though you are creating a new Tunnel Client connection.
  3. For the IP address of the tunnel server to connect to, enter a bogus address, for example 10.10.10.10.
  4. In the "certificate" window, enter any random characters so that the window is not empty
  5. In the password field, enter the same password that you used to generate the new certificate
  6. Click Apply/OK and restart the hub.
  7. Open hub.cfg and locate the <tunnel> section, then <client>
  8. Find the "bogus" client entry you created, e.g. 10.10.10.10
  9. Copy the encrypted password string from here and paste it into hub.cfg on the client whose certificate you are replacing 

 

 

Additional Information

It is also possible to update the cert through the IM console session.

Select Security -> Login -> Advanced -> at the bottom enter the IP address of the secondary hub with the expired cert. 
Then select hub -> configure -> Tunnels -> Client Configuration -> Edit -> and then replace the cert.