The PowerHA policy QHA_COMM_STRICT_CERT_CHECK controls the certificate checking settings that govern communication between PowerHA and IBM Copy Services Manager (CSM).
...
Untrusted certificates, such as self-signed certificates
Expired certificates
Note |
---|
Warning: Similar to accepting the security risk for a self-signed certificate in a web browser, specifying a value of *NO can make the environment susceptible to a man-in-the-middle attack. A more secure method of communication can be achieved by importing the certificate into Digital Certificate Manager. |
...
The configuration description for an existing policy cannot be changed. Instead, the policy must be removed and a new policy added. For example, if a policy was added for a specific configuration description and you want it to apply to all configuration descriptions, the following commands are required.
Existing Policy:
...
In this example, an existing QHA_COMM_STRICT_CERT_CHECK policy applies to a configuration description named MYCSM:
Policy Name | Policy Domain | Policy Qualifier | Policy Value |
---|---|---|---|
QHA_COMM_STRICT_CERT_CHECK | *NONE | CFGD(MYCSM) | *NO |
...
To change it so that it applies to all configuration descriptions, add the new policy and remove the existing policy:
Code Block |
---|
ADDHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(*ALL)') VALUE(*NO) |
RMVHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(MYCSM)') |
The above commands first add a policy for all configuration descriptions, and then remove the policy for the specific configuration description, effectively changing the qualifier on the policy from CFGD(MYCSM) to CFGD(*ALL).
Tip |
---|
Tip: In this instance, the new policy is added for *ALL prior to removing the specific policy to ensure that there is no period of time where communication with CSM is interrupted due to certificate errors while changing the policy. |