SL4000 - Default Certificate Expired. Certificate tab in the GUI is blank. (Doc ID 2820215.1)

Last updated on SEPTEMBER 18, 2023

Applies to:

Symptoms

The original Default Certificate that released with the SL4000 has expired. After the expiration date all users using the Default Certificate with HTTPS or any applications using the SL4000 SCI interface will not be able to connect to the library. The StorageTek Library Control Interface (SCI) is a programmatic Web Services (SOAP) interface provided by the StorageTek SL4000 Modular Library System. Third party applications can use SCI to control the library, but it is not common, and we are not aware of any customers using SCI to control the SL4000. The SCI interface is primarily used by ACSLS and STA as they require a Self-Signed certificate or CA signed certificate during the installation when connecting to the SL4000.
  
During the SL4000 installation and customer “Hand-Off” there is an option for the customer to generate a Self-Signed certificate, if that is not used the Library will use the Default Certificate. All customers must create a Self-Signed certificate or a Third-Party Signed Certificate (CA) to avoid any impact of the expired Default Certificate. Reference the StorageTek SL4000 Library Guide @ “Manage the Library's SSL/TLS Certificate for HTTPS”.
In summary, customers using the SL4000 default certificate will not be able to connect to the library using HTTPS or SCI and the connection will fail as noted in the log entry below. All SL4000 sites must create a Self-Signed certificate or CA signed certificate.

Notes:
The SL4000 GUI does not display the Default Certificate due to some limitations in WebLogic, see the attachment.
Critical: do not attempt to replace the LOC or LOH card with an Expired Certificate. There is a significant exposure the SL4000 will fail the Restart and the LOC and LOHs will need to be re-imaged for the site and the customer will be down for several days. Before any LOC or LOH card replacements, if the customer has as a default certificate create a Self-Signed certificate.
Critical: Do not attempt to upgrade the library firmware with an expired certificate. Create/Install a new certificate, save the library configuration a then proceed with the library firmware upgrade.

Some definitions…

1.    What is a “self-signed certificate?”  
Answer:  A certificate that is not certified by a Certificate Authority.  A self-signed certificate is generated via the SL4000 GUI.
2.    What is a “CA certificate?”
Answer:  A (CA) certificate is a certificate that has been certified by a trusted entity that issues Secure Sockets Layer (SSL/TLS) certificates and validates the user.
3.    What is a “default certificate?”
Answer:  A Default Certificate is a Security Certificate generated by Weblogic by default if a certificate is not previously defined.
  

From the lib1-node1-diagnostic.log

<Nov 2, 2021, 6:21:41 PM UTC> <Error> <Server> <BEA-002606> <The server is
unable to create a server socket for listening on channel
"DefaultSecure[iiops][8]". The address 192.168.6.194 might be incorrect or
another process is using port 7103: java.io.IOException: Identity certificate
has expired: [ 

SCI commands using https took an exception
 HTTPS:javax.xml.ws.WebServiceException: Failed to access the WSDL at:
https://keystone11.us.oracle.com/WebService/1.0.0?wsdl. It failed with:
Connection refused (Connection refused).

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.