QHA_COMM_STRICT_CERT_CHECK PowerHA Policy

The PowerHA policy, QHA_COMM_STRICT_CERT_CHECK controls the configuration of certificate checking settings governing communication between PowerHA and IBM Copy Services Manager (CSM).

Adding a QHA_COMM_STRICT_CERT_CHECK Policy

Each QHA_COMM_STRICT_CERT_CHECK policy is uniquely identified by the configuration description name in the qualifier. To add a QHA_COMM_STRICT_CERT_CHECK policy, specify:

Policy Name	QHA_COMM_STRICT_CERT_CHECK
Domain	*NONE
Qualifier	CFGD(*ALL \| name)
Value	INACTDAYS(1-366) [OMITPRF(name1 name2 …)]

Qualifier

The qualifier for this policy consists of a single keyword, CFGD. Possible values include:

*ALL

The value for this policy applies to all configuration descriptions of type *STGCTL, and subtype *CSM.

name

The value for this policy applies to the configuration description specified.

If a policy with a qualifier of CFGD(*ALL) and a policy for a specific configuration description both exist, the value for the specific configuration description is used for communication with the specific configuration description.

Value

The value indicates if communication to the storage will use strict certificate validation or if certain certificate errors will be ignored. Possible values include:

*YES

Specifies that strict certificate validation is enforced. This is the default value if the policy is not specified.

*NO

Specifies that PowerHA will ignore the following certificate errors when communicating with CSM:

Untrusted certificates, such as self-signed certificates
Expired certificates

Warning:

Similar to accepting the security risk for a self-signed certificate in a web browser, specifying a value of *NO can make the environment susceptible to a man-in-the-middle attack. A more secure method of communication can be achieved by importing the certificate into digital certificate manager.

Examples

Example 1 - Ignoring Certificate Errors for All CSM Configuration Descriptions

To add a policy that ignores certificate errors for all CSM configuration descriptions, specify the following command:

ADDHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(*ALL)')) VALUE(*NO)

This specifies that PowerHA will ignore untrusted and expired certificates when communicating with IBM Copy Services Manager.

Example 2 - Ignoring Certificate Errors for a Specific CSM Configuration Description

To add a policy that ignores certificate errors for the CSM configuration description, named MYCSM, specify the following command:

ADDHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(MYCSM)')) VALUE(*NO)

This specifies that PowerHA will ignore untrusted and expired certificates when communicating with IBM Copy Services Manager identified by the HA Configuration Description named MYCSM.

Example 3 - Changing the Policy from a Specific CSM Configuration Description to All Configuration Descriptions

The configuration description for an existing policy cannot be changed. Instead, the policy must be removed and a new policy added.

In this example, if you have an existing QHA_COMM_STRICT_CERT_CHECK policy that applies to a configuration description named MYCSM:

Policy Name	Policy Domain	Policy Qualifier	Policy Value

Policy Name	Policy Domain	Policy Qualifier	Policy Value
QHA_COMM_STRICT_CERT_CHECK	*NONE	CFGD(MYCSM)	*NO

If you want to change it to apply to all configuration descriptions, you need to remove the existing policy and add the new policy:

ADDHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(*ALL)')) VALUE(*NO)
RMVHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(MYCSM)'))

The above commands first add a policy for all configuration descriptions, and then removes the policy for the specific configuration description, effectively changing the qualifier on the policy from CFGD(MYCSM) to CFGD(*ALL).

Tip: In this instance, the new policy is added for *ALL prior to removing the specific policy to ensure that there is no period of time where communication with CSM is interrupted due to certificate errors while changing the policy.