Welcome to Dell Technologies PowerProtect series appliance, protection storage Data Domain. In this video, we are going to see how to handle Microsoft Azure storage certificate changes for systems that are configured with Cloud Tier, with reference to article 192537. This is only applicable if you have Data Domain in your environment with Cloud Tier configured and integrated with the Microsoft Azure cloud provider.
This video was created to ensure Data Domain connectivity with the Azure cloud provider isn't interrupted. Starting February 2022, Microsoft Azure has started updating their TLS certificates. Adding these new certificates to Data Domain will allow it to continue to make use of Cloud Tier functionality, having Azure as the endpoint, without disruption.
This video presents the following: how to identify if your system is impacted; downloading the required certificates; renaming and converting them to PEM format; importing the certificates to Data Domain; and lastly, restarting the Data Domain file system to re-establish the connection with the cloud unit and performing final validation.
To verify if Data Domain in your environment is impacted, follow the steps below. Log into protection storage Data Domain. Verify the existing cloud unit and its provider on Data Domain using the commands below: cloud profile show, cloud unit list.
If the cloud provider is Azure, move to the next step. Verify the existing certificates: adminaccess certificate show. Earlier, DD used only the Baltimore CyberTrust Root certificate for connectivity with Azure.
If only that certificate is seen in the above output, then it's time to add the new certificates from Microsoft Azure. Note: there is no need to delete the existing Baltimore CyberTrust Root certificate.
Here we are going to download all the required certificates to your local Windows workstation. For that, first create a folder with any name, for example "MS AZ certificates". Now go to the link to KB article 192537 and go to the Resolution section.
Under Option 1, you will see direct links, the same as seen in the slide. Right-click on those direct links and save them on your local workstation under the newly created folder.
Next, we are going to convert all the downloaded certificates to PEM format. Open Command Prompt on your local workstation. Navigate to the location where the certificates were downloaded. To convert the DigiCert Global Root G2 and G3 certificates to PEM format,
you may just use the rename command as shown here. For the ECC and RSA root certificates, we will need to use the command to convert them to PEM format as shown. As the certificates have been downloaded and converted to PEM format,
you would now be ready to import them to Data Domain. Log into the protection storage Data Domain System Manager. Traverse to Data Management, File System, Cloud Units tab. Under that you will notice the Manage Certificates button. Click on that to start adding the new certificates.
Ensure you are only adding the PEM format certificates. Once all certificates are imported successfully, we need to bounce the DD file system to re-establish the connection with the cloud units.
The file system restart does require a few minutes of downtime, so ensure no backups are running and then proceed to restart using the command filesys restart. Final validation:
we will first ensure that the FS is back, enabled and running, and then verify the cloud unit is active to ensure its connectivity with Azure is intact.
Now, let's see a quick demo for the same. Step one: log into the Data Domain CLI. Now I'm going to check the existing cloud units using the command cloud unit list. Verify the cloud unit state and cloud unit name.
Irrespective of whether it's active or disconnected, do proceed to check the cloud provider using the command cloud profile show. Check the provider and account type.
If the cloud provider is Azure, proceed to check the existing certificates: adminaccess certificate show. We see only the Baltimore CyberTrust Root certificate existing here.
So let's proceed to step two, that is, to download the new required certificates. For that, first open KB article 000192537, titled "How to handle upcoming Microsoft Azure Storage Transport Layer Security (TLS) certificate changes for systems that are configured with Cloud Tier". Scroll down to the Resolution section.
Option 1: as stated, first create a folder with any name on your local machine, for example "MS AZ certificates". Now let's click on the links provided and save them on your local workstation under the newly created folder.
First, I am going to save DigiCertGlobalRootG2.crt, then DigiCertGlobalRootG3.crt. Now let's save the Microsoft RSA root certificate and lastly the Microsoft ECC root certificate. We now have all the required certificates on our local machine.
As the third step, we are going to convert all the downloaded certificates to PEM format. Open Command Prompt and navigate to the location where the certificates were downloaded. Use the dir command to list the certificates. Now, to convert the DigiCert Global Root G2 and G3 certificates to PEM format,
you may just use the rename command: rename DigiCertGlobalRootG2.crt DigiCertGlobalRootG2.pem, then rename DigiCertGlobalRootG3.crt DigiCertGlobalRootG3.pem. Now let's go back to the KB. Here we see we are done with the rename step.
Next we are going to convert the Microsoft ECC and RSA root certificate authority certificates from CRT to PEM format. You may now copy the command from the KB and paste it in the Command Prompt for the ECC and RSA root certificates.
Now we can see all the certificates have been converted to PEM format. Step four: as the certificates have been downloaded and converted to PEM format, we are now ready to import them to Data Domain. Log into the protection storage Data Domain System Manager. Traverse to Data Management, File System, Cloud Units tab. Under that you will notice the Manage Certificates button. Click on that to start adding the new certificates.
Click Add, click on X's file to browse to the location where you had kept the new certificates in PEM format. Starting with DigiCert Global Root G2, click on that. Again, then do the same for the rest of the certificates:
DigiCert Global Root G3 PEM. Then comes the turn of the MS ECC root. Ensure you are only adding the PEM format certificates. And finally the MS RSA root certificate. Verify all the required certificates have been added. Click OK.
We can also verify using the CLI: adminaccess certificate show. Verify all the required certificates have been imported successfully. Ensure each certificate fingerprint matches the one provided in the KB. With that, we are now ready for the final step, that is, to bounce the DD file system to re-establish the connection with the cloud unit.
So ensure no backups are running, as we would require a few minutes of downtime to restart the file system. Once you are ready, you may use the filesys restart command to do the same.
As we can see, the file system has been restarted and it is now up and enabled. Once DDFS is up, let us do the final validation by checking the cloud unit status using the command cloud unit list.
As we can see, the cloud unit is active with all the required certificates imported. This confirms the connectivity with Azure is now intact. Thank you for watching.
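The PEM conversion and fingerprint check described in the video can be done before import with a short script. This is an added example, not part of the video or the Dell KB. It assumes the published fingerprint is SHA-1 or SHA-256 hex, and SAMPLE_DER is constructed placeholder bytes, not a real certificate.

```python
import hashlib
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def is_pem(data: bytes) -> bool:
    """True if the file content is base64 PEM text rather than binary DER."""
    return data.lstrip().startswith(PEM_HEADER)


def load_der(data: bytes) -> bytes:
    """Return the DER bytes whichever encoding the downloaded file uses."""
    if is_pem(data):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return data


def to_pem(data: bytes) -> str:
    """Produce PEM text. Renaming a binary DER file to .pem does not do this."""
    return ssl.DER_cert_to_PEM_cert(load_der(data))


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Hex digest over the DER encoding, so PEM and DER copies agree."""
    return hashlib.new(algo, load_der(data)).hexdigest()


def matches_published(data: bytes, published: str) -> bool:
    """Compare against a published value such as 'AB:CD:...' or 'abcd...'."""
    want = published.replace(":", "").replace(" ", "").lower()
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None:
        raise ValueError("expected a SHA-1 or SHA-256 hex fingerprint")
    return fingerprint(data, algo) == want


# Constructed placeholder bytes standing in for a downloaded .crt file.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-sample"

if __name__ == "__main__":
    pem_text = to_pem(SAMPLE_DER)
    print(pem_text)
    print("sha1  :", fingerprint(pem_text.encode(), "sha1"))
    print("sha256:", fingerprint(pem_text.encode(), "sha256"))
```

Read each downloaded file as bytes, pass it to matches_published with the fingerprint copied from the KB, and import only the files for which it returns True.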