Hitachi Vantara Knowledge

Sharing SSL server certificates

Before replication can occur on a replication link, the two systems involved in the link each need to have installed at least one valid replication SSL server certificate. Each system also needs to have installed at least one valid replication SSL server certificate from the other system as a trusted replication server certificate.

A valid replication SSL server certificate on any given HCP system is one that:

  • Is associated with the domain that’s associated with the network that’s selected for replication on that system
  • Has already reached its start date
  • Has not expired

To share a certificate, the HCP administrator for the system in which the certificate is installed needs to download the certificate and give it to the administrator for the other system. That administrator then needs to upload the certificate as a trusted replication server certificate on the other system. Because what’s downloaded is only the public portion of each server certificate, you can transfer the certificate unsecured.

For any given replication link, the two systems directly involved must share certificates. In a replication chain, for example, from system A to system B to system C, systems A and B must share certificates, and systems B and C must share certificates, but systems A and C don’t need to do this.

If you take any of these actions on one of the systems in a replication pair, the replication certificate on that system automatically changes:

  • Delete the certificate that’s currently being used for replication
  • Associate a different domain with the network that’s selected for replication
  • Select a different network for replication, where that network is associated with a different domain from the previously selected network
  • Install a new valid certificate for the applicable domain where that certificate has an earlier start date than the certificate that’s currently being used for replication

The replication certificate also automatically changes if:

  • The certificate that’s currently being used for replication expires and the applicable domain has at least one other certificate that’s valid
  • A future certificate for the applicable domain becomes valid and the domain has no other valid certificates

In any of these cases, when the certificate changes, HCP automatically suspends replication or recovery activity on all links in which the system participates. At that point, you need to download the new certificate and upload it to the other system for each link. After you upload the new certificate, activity on the link resumes automatically.
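The change rules above can be modelled to forecast when a system's replication certificate will switch and its links will suspend. This is an added example, not HCP code: the selection rule (the earliest start date among valid certificates wins) is inferred from the bullets above, and all certificate names, domains and dates are constructed.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

class Cert(NamedTuple):
    name: str              # hypothetical label, not an HCP identifier
    domain: str
    not_before: datetime   # certificate start date (UTC)
    not_after: datetime    # last instant the certificate is valid (UTC)

def is_valid(cert, repl_domain, now):
    # The page's three conditions: right domain, start date reached, not expired.
    return cert.domain == repl_domain and cert.not_before <= now <= cert.not_after

def active_cert(certs, repl_domain, now):
    # Assumption inferred from the page: among valid certificates, the one with
    # the earliest start date is the replication certificate.
    valid = [c for c in certs if is_valid(c, repl_domain, now)]
    return min(valid, key=lambda c: c.not_before, default=None)

def forecast_changes(certs, repl_domain, start, end):
    """List (when, old_name, new_name) for every certificate change in (start, end]."""
    one_sec = timedelta(seconds=1)  # X.509 times have one-second resolution
    # The active certificate can only change when one starts or one expires.
    instants = {c.not_before for c in certs} | {c.not_after + one_sec for c in certs}
    current, changes = active_cert(certs, repl_domain, start), []
    for t in sorted(i for i in instants if start < i <= end):
        nxt = active_cert(certs, repl_domain, t)
        if nxt != current:
            changes.append((t, current and current.name, nxt and nxt.name))
            current = nxt
    return changes

# Constructed inventory for one system; domains and dates are made up.
DOMAIN = "repl.example.com"
CERTS = [
    Cert("old", DOMAIN, datetime(2023, 1, 1), datetime(2025, 1, 1)),
    Cert("new", DOMAIN, datetime(2024, 6, 1), datetime(2026, 6, 1)),
    Cert("future", DOMAIN, datetime(2026, 9, 1), datetime(2027, 9, 1)),
    Cert("other", "admin.example.com", datetime(2022, 1, 1), datetime(2027, 1, 1)),
]

if __name__ == "__main__":
    window = (datetime(2024, 1, 1), datetime(2027, 1, 1))
    for when, old, new in forecast_changes(CERTS, DOMAIN, *window):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {old} -> {new}")
```

Each reported instant is a point at which the new certificate has to be downloaded and uploaded to the other system on every link; a change to `None` means the domain has no valid certificate at all until the next one starts.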

 
