Wireless Access

The MSM765 controller is reporting these certificates about to expire:

Management Console Dummy Authority HP Management console 2010-05-19 2020-05-16

Management Console Default client certificate Management Console Dummy Authority HP Management console 2010-05-19 2020-05-16

The current listed firmware here is about a year old:

https://h10145.www1.hpe.com/downloads/SoftwareReleases.aspx?ProductNumber=J9370A

Does anyone have some info on the renewal, or where the certs might be downloaded?

Updated info is in the post below from Emil_Gogushev

Hello,
At the moment there is no firmware version which renews this certificates and no new certificates are available for download. The question was brought to the attention of the lab and the support is also waiting for information if this certificates will be renewed until the 16 of May.
According to the documentation this certificates are used when the management tool communicates with the HP PCM/PMM (ProCurve Mobility Manager) software.
PCM/PMM are end of support since December 2015 so there shouldnt be many customers using this tools nowadays. For this reason it is possible that there is no renew.
Going to Controller -->Management ->Management Console will let you see if you are using the certificates. If you don't have an IP address of a Mobility Manager then the controller is not managed by a mobility manager and the expiring certificates are not needed.

We are currently checking if this certificates may be necessary for other types of management platforms like iMC or AirWave.

@Ivan_B This is the not the same certificate, you are referring to.

I will update the post once I have more information.

Thanks for the prompt reply. I'm running IMC and the MSM does indeed talk to IMC through that interface. When enabled it shows the service running. There are a number of items that interface through this, one example down further

data gathered in WLAN client monitor

unchecked no data or host name

Hi @NeilR! the "HPE MSM Controller Series - Certificates for the ‘HP Management console’ are Expiring in May 2020" Support a00099698en_us HPE Communication - Customer Advisory (published today 13-05-2020) should be related to (and provide a fix for) your issue.

Thanks Parnassus, however....

New certs installed as per instructions DO NOT WORK with imc.

I tested on a spare controller and would not connect. to IMC (unfortunately deleted the certs as per instructions - DOH! - you can leave them installed until everything looks good. Also a  password protected configuration backup will inlcude the certs so you can recover)

I tested again on primary controller (w/o deleting) and switching between certs old vs new  has same result. for new

New certs - stuck connecting - see below

Old Certs - connect right away on port 7668

New cert in MSM - stuck like this?

View In IMC

Hello, 

Sorry for the delayed answers, I am currenlty OOO.

The first thing I can think of is - maybe iMC doesnt trust the new CA root certificate and thats why an error is displayed. The advisory provides 2 certificates -   new_mgmt_console_ca.crt which is the CA root certificate and new_mgmt_console_client.pfx which is the client certificate for the MSM controller. Maybe it is necessary to install the CA certificate on iMC as trusted CA. Because they are not signed by any public CA and wont be trusted by default.

It would be good to see what exactly report iMC and MSM in the logs. A wired trace can also be helpful in identifying where the communication is breaking.

This is just a guess. I am not iMC specialist. Maybe it is better to open a separate question in the iMC section and even much better open a support case if you are entitled to support.

Thx. Only just started looking into - this was FYI for anyone else. CA trust could be an issue - yes. Certs on imc are not something I've worked w. Time to learn I guess. i will check the logs and do a capture. I do have IMC support so I can work with them.

UPDATE: Wireshark capture shows unknown CA error so looks like I need to figure out how to install that CA cert

This has been resolved. IMC needs the certs as well. These should be in the next patch to IMC/WSM

I've got a similar issue with IMC. Was it a case of loading them through the OS running the IMC server, or loading them into IMC itself?

Thanks.

Good day

When i upload the cert under certificate and prvate key store i get the following error "Certificate found to have inappropriate starting or ending dates in regard to the product's system time." how can i resolve this,

Good morning, 

What is the current system time of your MSM controller? You can see it in the webUI in the lower left corner. Under Contoller ->Management ->System Time you can check how exactly the system time is configured and from which sources it is taken. 

Keep in mind that the MSM765 and MSM775 use the time settings of the zl switch in which they are installed. If the switch has wrong time the MSM controller will also have wrong time. The time has to be fixed on the switch and not on the System TIme menu of the controller.