Old kafka, cluster, node certificates are not deleted from SSP After doing certificate replacements on NSX side
Article ID: 390539

Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

When the common-agent, cluster, or node certificate is replaced on the NSX side, the old certificate is not deleted from the SSP environment.

Environment

SSP 5.0

Cause

This issue occurs because the deletion of NSX agent certificates is not automatically propagated to the SSP system. After the cluster/node/common-agent certificate is replaced on the NSX side, the old certificate remains in SSP because no delete operation for it is triggered on the SSP side.

Resolution

Workaround:

For Kafka client certificates, SSP has a job that runs every 10 minutes and cleans up stale Kafka client certificates, so no manual action is required.

For cluster/node certificates, the customer needs to contact GSS, as these can only be removed using an internal API. Removing a certificate without proper verification can lead to catastrophic situations.