Re-establishing SIC Trust with Virtual Devices
In the event you encounter connectivity problems due to the loss of SIC Trust for a specific Virtual Device (Virtual System or Virtual Router), you can use the procedure below to manually re-establish the SIC trust.
To manually re-establish SIC Trust with a Virtual Device (except VS0):
Follow the instructions in the sk34098.
- On the VSX Gateway or each VSX Cluster Member:
- Connect to the command line the VSX Gateway or each VSX Cluster Member.
- Log in to the Expert mode.
- Examine the VSX configuration to determine the ID of the Virtual Device:
vsx stat -v
- Go to the context of the Virtual Device:
vsenv <>
- Reset the SIC with the specified Virtual Device:
vsx sicreset <>
- On the Management Server:
- Connect to the command line the Management Server.
- Log in to the Expert mode.
- On the Multi-Domain Server, change the context to the applicable Target Domain Management Server used to manage the Virtual Device:
# mdsenv <>
- Determine the SIC name of the Virtual Device:
# cpca_client lscert -stat valid -kind SIC | grep -i -A 2 <>
- Revoke the SIC certificate of the Virtual Device:
# cpca_client revoke_cert -n <>
- Connect with SmartConsole to the Security Management Server or Main Domain Management Server used to manage the VSX Cluster.
- From the view or , double-click the Virtual Device object.
- Click (without changing anything).
This action creates a new SIC certificate for the Virtual Device and saves it on the VSX Gateway or each VSX Cluster Member.
Resetting SIC in Security Groups
Resetting SIC on a VSX Gateway (VS0)
Workflow to reset SIC on a VSX Gateway (VS0):
- Initialize SIC on the Security Group.
- Initialize SIC in SmartConsole in the Security Group object.
- Make sure that on the Security Group.
To initialize SIC on the Security Group:
- Use a serial console to connect to the Security Group.
- Log in to the Expert mode.
- Run:
# asg stat –i tasks
This tells you which Security Group Member is the SMO.
- Run:
# g_all cp_conf sic init <>
Note - SIC Reset takes 3 to 5 minutes.
Important - Do the next steps immediately.
To initialize SIC in SmartConsole:
- In the Security Group object, click the > .
- Click .
- Enter the same activation key you used when you initialized SIC on the Security Group.
- Click .
Make sure that .
- Click .
- Install the policy on the Security Group object.
To make sure that Trust is established on the Gateway:
Run:
# g_all cp_conf sic state
|
Example of the expected output:
-*- 6 blades: 1_01 1_02 1_03 2_01 2_02 2_03 -*-
Trust State: Trust established
|
Resetting SIC for Non-VS0 Virtual Systems
To reset SIC on Virtual Systems that are not VS0:
- Log into the SMO over an SSH.
- Log in to the Expert mode.
- Go to the applicable context ID:
# vsenv <>
- Initialize SIC:
# g_all cp_conf sic init <>
- Revoke the Virtual Systems certificate defined in the Management Server.
For the detailed procedure, see Part II of sk34098.
- In SmartConsole, open the Virtual System object and just click without changing anything.
This pushes the VSX configuration and re-establishes SIC trust with the SMO.
- Install a policy on the Virtual System object.
Troubleshooting SIC Reset in Security Groups
Resetting SIC takes 3-5 minutes.
If resetting of the SIC was interrupted (for example, by loss of network connectivity), run the g_all cp_conf sic state
SIC state
|
Do this
|
Trust established
|
Repeat the SIC reset procedure.
|
Initialized, but Trust was not established
|
- Reboot all Security Group Members.
- In SmartConsole, open the Security Group object.
- Go to page > .
- Initialize SIC.
- Install the policy.
|
SIC Cleanup
To resolve other SIC issues, do a SIC cleanup in the Expert mode:
# asg_blade_config reset_sic -reboot_all <>
|
