
Certificates for DNS Name (high availability)

blaxucisco
Level 1

Hi all,

We have CAM and CAS in HA mode. We need to generate a CSR, but I have some confusion about the DNS name.

The network setup is like this:

Hostname    IP address
========    ==========
CAM01       192.168.0.8
CAM02       192.168.0.9
            192.168.0.10 (virtual IP address)
CAS01       172.30.1.8
CAS02       172.30.1.9
            172.30.1.10 (virtual IP address)

All hostnames are already registered in local DNS, and all devices are pingable by FQDN, e.g. CAM01.test.com, CAM02.test.com.

Which hostname should I use for the CSR?

Thank you


Faisal Sehbai
Level 7

Hi,

Create a third name, call it CAM, and make it resolvable to the Service IP. Generate your CSR for that.

The same thing for CAS. The name should resolve to the service IP and you should get a certificate for that name.

HTH,

Faisal

Hi Faisal,

Thank you very much for the solution.

We have to implement wireless in in-band virtual gateway mode. If you have any configuration sample for this, please provide it to me.

Thanks again

--Laxman

Laxman,

Wireless IB guides: http://tinyurl.com/2ef2kk Look at chapter 3 for design considerations.

HTH,

Faisal

Hi Faisal,

This question is regarding certificates.

In our scenario the CAS is in HA mode. For the HA configuration I created temp certificates on both CASs with their hostnames and configured HA primary; after configuration, the service IP is pingable. To add the CAS to the CAM I have to create a new certificate using the service IP and put it in the CAM. After generating the new certificate with the service IP address, the old certificate of the CAS will be replaced by the new certificate. At that moment, which certificate will be used for the CAS HA peer?

This question is regarding the license.

We have to implement in-band virtual gateway mode, but when I tried to connect a new CAS server there is no option for in-band virtual gateway. Only these options are available in CAM:

1. virtual gateway
2. real ip gateway
3. out-of-band virtual gateway
4. out-of-band real ip gateway

The license detail is here:

1. Standard Manager License present
2. Manager Failover License present
3. Out-of-Band Server Count                            2

Do we need to have a separate CAS license for in-band mode?

waiting for your reply

Thank you

Hi,

For certs, you need one cert for BOTH your CAS devices if they're in HA. Basically you need a cert for each CAS, and a CAS in HA is counted as one.

So let's say you have one HA OOB CAS, and a single IB CAS, then you need two certs for CASs.

For licensing, where it says Virtual Gateway or Real-IP only, it means in-band.

HTH,

Faisal

Hi Faisal,

Thank you for your answer. Your answers are always valuable to me.

If we have CAS or CAM in HA mode, we don't need separate certificates; only one certificate will be OK. That means if we have 2 CASs, CAS1 and CAS2, in HA mode, I don't need to generate a CSR from each separate CAS server; a CA-signed certificate for the virtual IP/host is enough for both CAS servers?

Thank you

Hi,

That is correct. For CAS1 and CAS2, you should have one cert only which you'll install on both devices.

HTH,

Faisal
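A pre-CSR check for the advice in this thread (one shared name per HA pair that resolves to the service IP, with one certificate installed on both peers), as an added example that is not from the posters or from Cisco. The shared names cam.test.com and cas.test.com are assumed, since the thread only says "a third name", and the DNS answers in the demo are constructed.

```python
import socket

# Constructed inventory using the thread's addressing. The shared names
# cam.test.com / cas.test.com are assumed; the thread only says "a third name".
HA_PAIRS = {
    "cam.test.com": {"service_ip": "192.168.0.10",
                     "nodes": {"cam01.test.com": "192.168.0.8",
                               "cam02.test.com": "192.168.0.9"}},
    "cas.test.com": {"service_ip": "172.30.1.10",
                     "nodes": {"cas01.test.com": "172.30.1.8",
                               "cas02.test.com": "172.30.1.9"}},
}

def dns_lookup(name):
    """Return the set of IPv4 addresses that DNS returns for name."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def check_csr_name(csr_name, pair, resolver=dns_lookup):
    """List the reasons csr_name is unsuitable as the HA pair's CSR name."""
    problems = []
    name = csr_name.lower().rstrip(".")
    if name in pair["nodes"]:
        problems.append(f"{csr_name} is a node hostname, not the shared name")
    addrs = resolver(name)
    if not addrs:
        problems.append(f"{csr_name} does not resolve")
        return problems
    if pair["service_ip"] not in addrs:
        problems.append(f"{csr_name} resolves to {sorted(addrs)}, "
                        f"not the service IP {pair['service_ip']}")
    node_hits = sorted(addrs & set(pair["nodes"].values()))
    if node_hits:
        problems.append(f"{csr_name} resolves to node address(es) {node_hits}")
    return problems

if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline; omit the resolver
    # argument to query real DNS instead.
    zone = {"cam.test.com": {"192.168.0.10"}, "cam01.test.com": {"192.168.0.8"},
            "cas.test.com": {"172.30.1.10", "172.30.1.8"}}
    for candidate, pair_key in [("cam.test.com", "cam.test.com"),
                                ("CAM01.test.com", "cam.test.com"),
                                ("cas.test.com", "cas.test.com")]:
        issues = check_csr_name(candidate, HA_PAIRS[pair_key],
                                lambda n: zone.get(n, set()))
        print(candidate, "->", issues or "OK")
```

An empty list means the name is safe to put in the CSR; the third demo case shows a shared record that also returns a node address.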
