Session & SMGR Servers VMware Certificates

(OP)
We are running HA Session Managers and Geo-Redundant SMGR servers on version 7.1.3. For security reasons I need to apply our domain certificates to the SM & SMGR VMware AVP platforms to replace the self-signed certificates, which will require a reboot.

Do I have to shut down the Session Manager application before the AVP reboot or disable the geo-redundancy on the SMGR before either of the VMware AVP reboots? Avaya documentation is not helpful.

iggy1952

RE: Session & SMGR Servers VMware Certificates

VMware requires you be in maintenance mode before rebooting. Going into maintenance mode requires no running VMs, so you'll be shutting down your Session Manager anyway.

I'd test that on one AVP server first - I'm not sure how SMGR brokers the trust relationship when it goes to AVP. Maybe it accepts self-signed certs from the VMware webservice by default, maybe you'll need to add your own domain cert authority to SMGR to make that happen.

I tried this once. Word of warning - learn from my fail: if you reboot and that cert isn't happy in vSphere and you can't get to the web page yourself or something about that cert is goofy it could prevent the VMware management web service from starting up and you'd need to go in by SSH. And you get in by SSH by enabling it thru vSphere or the console and you could be calling people at 2 in the morning begging them to get a console cable and enable SSH so you can run the script in the esxcli that regenerates a self-signed cert to get management access back to your box and turn on your Session Manager again. Fun times!

RE: Session & SMGR Servers VMware Certificates

(OP)
kyle555,

Thank you for your response and words of warning as I have the same concerns after reading some previous posts about the pitfalls of certificates.

Our Business Partner previously applied both root and identity company domain certificates to our Session Manager and SMGR servers leaving only the VMware hypervisors with self-signed certificates. I know from rebooting CM server VMware hypervisors that SSH is automatically disabled so I totally agree with your cautions.

I could reboot the secondary Session Manager hypervisor first after Deny Service to keep call traffic off the server. I will post the result.


iggy1952

RE: Session & SMGR Servers VMware Certificates

SSH disabled in VMware is a VMware thing, not an Avaya thing - it's always that way. There's no way to leave it on persistent thru reboots.

It's perfectly normal to leave the default certs on VMware. See how long they last/when they expire. Avaya knows people aren't going to keep on top of it, so mark your calendar.

2 years after the fact, SMGR won't be able to access it anymore. You'll need to use a PC that you turn back the clock on and access the VMware web interface to enable ssh to either regenerate a valid self-signed certificate or import your new SMGR cert ;)
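
Both warnings in this thread (a bad certificate blocking the hypervisor's management web service after a reboot, and default certificates expiring unnoticed) can be checked with openssl before anything is rebooted. The script below is an added example, not part of the original posts and not Avaya or VMware tooling; the file arguments, port 443 and the day threshold are assumptions, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: pre-flight checks for a replacement management certificate.
# Arguments are placeholders supplied by the operator, not values from the thread.

# Save the certificate a management interface currently presents (needs network).
fetch_host_cert() {   # fetch_host_cert HOST OUTFILE   (port 443 is an assumption)
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# Succeeds if CERT expires within DAYS (an unreadable file also counts as failing).
cert_expires_within() {   # cert_expires_within CERT DAYS
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if the private key belongs to the certificate (public keys are equal).
cert_matches_key() {   # cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if CERT verifies against the CA bundle the management server trusts.
cert_chains_to() {   # cert_chains_to CERT CA_BUNDLE
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check, print one line per failure, return non-zero if any failed.
preflight() {   # preflight CERT KEY CA_BUNDLE MIN_DAYS
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_chains_to "$1" "$3" || { echo "FAIL: certificate does not chain to $3"; rc=1; }
    if cert_expires_within "$1" "$4"; then
        echo "FAIL: certificate expires within $4 days"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $(openssl x509 -in "$1" -noout -enddate)"
    fi
    return "$rc"
}

# Usage: sh preflight.sh new-cert.pem new-key.pem ca-bundle.pem 30
if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```

Running `cert_expires_within` on a schedule against the output of `fetch_host_cert` covers the "mark your calendar" case for hosts left on their default certificates.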
