April 01, 2016

Error adding DD in Enterprise Manager "Deleting the Local CA Certificate is Not Allowed"


The Data Domain Enterprise Manager has a feature that allows the management of other Data Domain systems from the same interface;
however, this feature requires the Data Domain system to use certificate-based authentication. When the Data Domain system hostname
or DNS record is changed, the certificate that is used for authentication still contains the old hostname, causing authentication to fail.

There are two methods to resolve this issue:

Method 1

1. Return the hostname back to the original hostname.
2. Remove the trust for that hostname.
3. Change the hostname to the desired new name.
4. Add the Data Domain system.


Method 2

The other method requires assistance from Data Domain support. If you need or want to keep the new hostname, please open a case and
support will be happy to assist you.
  1. Connect to the Data Domain system using the Command Line Interface (CLI) 180649.
  2. Enable SE Menu 181582 (Level 40 article = only for employees and partners)
  3. Go to BASH 180719 (Level 50 article)
  4. Move the old certificate directories to a backup folder within BASH. At the BASH prompt, type the following commands in succession:
    cd /root/certs
    mkdir oldcerts
    NOTE: If the mkdir fails, then likely this procedure was done before and you either need to clear the existing oldcerts directory
    or create a newer oldcerts directory.

    mv CA host trustedCA oldcerts/
    NOTE: If the move fails, then the oldcerts directory already had info in it, so create a new oldcerts_ directory and mv the certificate directories to it.
    EXAMPLE:  "mv CA host trustedCA oldcerts_2015_07_15/"

    Confirm that the CA host trustedCA directories are not in /root/certs with an ls -l
    !!! MYHOSTNAME YOUR DATA IS IN DANGER !!!! # ls -l
    total 4
    drwxr-xr-x  4 root root 4096 Jul 15 07:01 oldcerts
  5. Enable the DD OS command line from within BASH.
    ddsh -s
  6. Generate a new Local CA certificate from SE mode 181582 (Level 40 article = only for employees and partners)
    adminaccess certificate generate

    NOTE: In DD OS 5.3 or later, the certificate generate command changed slightly and you have to use the following.
    adminaccess certificate generate self-signed-cert
  7. Verify if the new Local CA certificate has been created with the correct hostname.
    adminaccess certificate show ca
    adminaccess certificate show host
  8. Exit the DD OS command line, returning to the BASH prompt.
    exit
  9. Verify if the new certificate has been created within BASH.
    ls -la
    Look for CA, host, and trusted CA certificate with the current date.
  10. Enable the DD OS command line.
    exit
    priv set admin
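
The backup in step 4 fails in the two ways its NOTEs describe: oldcerts already exists, or it still holds an earlier backup. The function below is an added example, not part of the original article or any Data Domain tooling. It wraps that step so an earlier backup is never overwritten; the name backup_certs and the numbered fallback suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: back up the certificate directories named in step 4
# without overwriting a backup left by an earlier run of the procedure.
CERT_DIRS="CA host trustedCA"

# backup_certs [BASE] [DATE] -> prints the backup directory name on success.
# BASE defaults to /root/certs; DATE (YYYY_MM_DD) defaults to today.
# The body runs in a subshell so the caller's working directory is untouched.
backup_certs() (
    base=${1:-/root/certs}
    stamp=${2:-$(date +%Y_%m_%d)}
    cd "$base" || return 1

    # Require all three directories up front, so a half-finished earlier
    # run is noticed instead of producing a partial backup.
    for d in $CERT_DIRS; do
        [ -d "$d" ] || { echo "missing $base/$d" >&2; return 2; }
    done

    # mkdir without -p fails when the name already exists, which is the
    # case the article's NOTE describes. Fall back to a dated name as in
    # the article's EXAMPLE, then to a numbered one (assumed convention).
    dest=oldcerts
    n=0
    until mkdir "$dest" 2>/dev/null; do
        n=$((n + 1))
        if [ "$n" -eq 1 ]; then
            dest="oldcerts_$stamp"
        else
            dest="oldcerts_${stamp}_$n"
        fi
        [ "$n" -le 20 ] || { echo "cannot create backup dir" >&2; return 3; }
    done

    # CERT_DIRS is left unquoted on purpose so it splits into three names.
    mv $CERT_DIRS "$dest"/ || return 4

    # Same confirmation as the article's ls -l: nothing may be left behind.
    for d in $CERT_DIRS; do
        [ ! -e "$d" ] || { echo "$d still in $base" >&2; return 5; }
    done
    echo "$dest"
)
```

A non-zero return means nothing should be regenerated yet; the printed name is the directory to restore from if the new certificates need to be rolled back.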