QHA_COMM_STRICT_CERT_CHECK PowerHA Policy
The PowerHA policy QHA_COMM_STRICT_CERT_CHECK controls the certificate checking settings that govern communication between PowerHA and IBM Copy Services Manager (CSM).
Adding a QHA_COMM_STRICT_CERT_CHECK Policy
Each QHA_COMM_STRICT_CERT_CHECK policy is uniquely identified by the configuration description name in the qualifier. To add a QHA_COMM_STRICT_CERT_CHECK policy, specify:
Policy Name | QHA_COMM_STRICT_CERT_CHECK |
---|---|
Domain | *NONE |
Qualifier | CFGD(*ALL | name) |
Value | *YES | *NO |
Qualifier
The qualifier for this policy consists of a single keyword, CFGD. Possible values include:
*ALL
The value for this policy applies to all configuration descriptions of type *STGCTL and subtype *CSM.
name
The value for this policy applies to the configuration description specified.
If a policy with a qualifier of CFGD(*ALL) and a policy for a specific configuration description both exist, the value for the specific configuration description is used for communication with the specific configuration description.
Value
The value indicates if communication to the storage will use strict certificate validation or if certain certificate errors will be ignored. Possible values include:
*YES
Specifies that strict certificate validation is enforced. This is the default value if the policy is not specified.
*NO
Specifies that PowerHA will ignore the following certificate errors when communicating with CSM:
Untrusted certificates, such as self-signed certificates
Expired certificates
Warning:
Similar to accepting the security risk for a self-signed certificate in a web browser, specifying a value of *NO can make the environment susceptible to a man-in-the-middle attack. A more secure method of communication can be achieved by importing the certificate into Digital Certificate Manager.
Examples
Example 1 - Ignoring Certificate Errors for All CSM Configuration Descriptions
To add a policy that ignores certificate errors for all CSM configuration descriptions, specify the following command:
ADDHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(*ALL)') VALUE(*NO)
This specifies that PowerHA will ignore untrusted and expired certificates when communicating with IBM Copy Services Manager.
Example 2 - Ignoring Certificate Errors for a Specific CSM Configuration Description
To add a policy that ignores certificate errors for the CSM configuration description named MYCSM, specify the following command:
ADDHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(MYCSM)') VALUE(*NO)
This specifies that PowerHA will ignore untrusted and expired certificates when communicating with IBM Copy Services Manager identified by the HA Configuration Description named MYCSM.
Example 3 - Changing the Policy from a Specific CSM Configuration Description to All Configuration Descriptions
The configuration description for an existing policy cannot be changed. Instead, the policy must be removed and a new policy added.
In this example, if you have an existing QHA_COMM_STRICT_CERT_CHECK policy that applies to a configuration description named MYCSM:
Policy Name | Policy Domain | Policy Qualifier | Policy Value |
---|---|---|---|
QHA_COMM_STRICT_CERT_CHECK | *NONE | CFGD(MYCSM) | *NO |
If you want to change it to apply to all configuration descriptions, you need to remove the existing policy and add the new policy:
ADDHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(*ALL)') VALUE(*NO)
RMVHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(MYCSM)')
The above commands first add a policy for all configuration descriptions and then remove the policy for the specific configuration description, effectively changing the qualifier on the policy from CFGD(MYCSM) to CFGD(*ALL).
Tip: In this instance, the new policy is added for *ALL prior to removing the specific policy to ensure that there is no period of time where communication with CSM is interrupted due to certificate errors while changing the policy.
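The following is an added example, not part of the PowerHA documentation: a small Python audit that applies the qualifier precedence described above (a specific CFGD(name) overrides CFGD(*ALL), and no policy means *YES) to report which configuration descriptions communicate with CSM without strict certificate validation. The policy rows, the names PRODCSM and DRCSM, and all function names are constructed for illustration; rows are assumed to be transcribed in the table layout used on this page.

```python
import re

POLICY = "QHA_COMM_STRICT_CERT_CHECK"

# Constructed sample rows: Policy Name | Domain | Qualifier | Value
SAMPLE_ROWS = """\
QHA_COMM_STRICT_CERT_CHECK | *NONE | CFGD(*ALL) | *NO |
QHA_COMM_STRICT_CERT_CHECK | *NONE | CFGD(PRODCSM) | *YES |
QHA_COMM_STRICT_CERT_CHECK | *NONE | CFGD(MYCSM) | *NO |
"""

def parse_policies(text):
    """Return {qualifier name: value} for this policy's rows."""
    policies = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if len(cells) != 4 or cells[0] != POLICY:
            continue  # header, separator or another policy
        qual = re.fullmatch(r"CFGD\((\*ALL|[A-Z0-9_#$@]+)\)", cells[2].upper())
        if not qual or cells[3] not in ("*YES", "*NO"):
            raise ValueError(f"malformed policy row: {line!r}")
        if qual.group(1) in policies:
            raise ValueError(f"duplicate qualifier: {cells[2]}")
        policies[qual.group(1)] = cells[3]
    return policies

def effective_value(policies, cfgd):
    """A specific CFGD(name) wins over CFGD(*ALL); no policy means *YES."""
    name = cfgd.upper()
    if name in policies:
        return policies[name], f"CFGD({name})"
    if "*ALL" in policies:
        return policies["*ALL"], "CFGD(*ALL)"
    return "*YES", "default"

def audit(policies, cfgds):
    """Return (cfgd, source) for each description with strict checking off."""
    findings = []
    for cfgd in cfgds:
        value, source = effective_value(policies, cfgd)
        if value == "*NO":
            findings.append((cfgd, source))
    return findings

if __name__ == "__main__":
    # Constructed names of *STGCTL / *CSM configuration descriptions.
    for cfgd, source in audit(parse_policies(SAMPLE_ROWS), ["MYCSM", "PRODCSM", "DRCSM"]):
        print(f"{cfgd}: strict certificate validation disabled by {source}")
```

In the sample data, PRODCSM keeps strict validation even though CFGD(*ALL) is *NO, while DRCSM has no policy of its own and inherits *NO from CFGD(*ALL).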