ADM-HA DB streaming broken on 13.0-64.35


Article ID: CTX328037


Resolution

Do one of the following steps: 

  • Upgrade ADM to the latest build. 

  • Or follow the steps below: 

1.  Run "cat /var/mps/db_pgsql/data/pg_hba.conf" on the ADM primary node to verify that the following entries are present. 

          hostssl replication masrepuser <ADM Primary IP address>/32 cert clientcert=1 

          hostssl replication masrepuser <ADM Secondary IP address>/32 cert clientcert=1 

2.  If any of these entries are missing, add those missing entries to /var/mps/db_pgsql/data/pg_hba.conf and run "su -l mpspostgres /mps/scripts/pgsql/reloadpgsql.sh". 

3. Check whether the SSL certificate has expired or is valid for fewer than 30 days. You can check the certificate expiry date using: 

    openssl x509 -enddate -noout -in /var/mps/pg_certs/client/masrepuser/pg_masrepuser.crt 
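A read-only pre-check covering steps 1 and 3, as an added example that is not part of the original Citrix article: it lists which of the two pg_hba.conf entries are missing and classifies the certificate as expired, valid for fewer than 30 days, or ok. The file paths are the ones given above; the function names and the two IP address arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only checks, nothing on the node is modified.
# Usage: sh check_adm_repl.sh <ADM Primary IP address> <ADM Secondary IP address>

HBA=/var/mps/db_pgsql/data/pg_hba.conf
CRT=/var/mps/pg_certs/client/masrepuser/pg_masrepuser.crt

# Print every expected replication entry that is absent from the given file.
# Comments are stripped and runs of whitespace collapsed before comparing,
# so a commented-out entry counts as missing.
missing_hba_entries() {  # missing_hba_entries <hba_file> <ip>...
    hba_file=$1; shift
    for ip in "$@"; do
        want="hostssl replication masrepuser $ip/32 cert clientcert=1"
        if ! sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
                 -e 's/^ //' -e 's/ $//' "$hba_file" | grep -Fqx "$want"; then
            printf '%s\n' "$want"
        fi
    done
}

# Print one of: unreadable, expired, expiring (fewer than 30 days left), ok.
cert_status() {  # cert_status <crt_file>
    if ! openssl x509 -noout -in "$1" >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -checkend 0 -noout -in "$1" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -checkend 2592000 -noout -in "$1" >/dev/null 2>&1; then
        echo expiring   # 2592000 seconds = 30 days
    else
        echo ok
    fi
}

# Run the checks only when both node addresses are supplied.
if [ "$#" -eq 2 ]; then
    echo "certificate: $(cert_status "$CRT")"
    missing_hba_entries "$HBA" "$1" "$2" | sed 's/^/missing pg_hba.conf entry: /'
fi
```

No "missing pg_hba.conf entry" lines together with a certificate status of ok means neither condition in steps 1 to 3 applies.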

If the certificate has already expired, log on to the Citrix ADM primary node using an SSH client and perform the following steps: 

1.  printf "[ req ] \n distinguished_name = req_distinguished_name \n prompt = no \n\n [ req_distinguished_name ] \n C = US \n ST = California \n L = San Jose \n O = Citrix ADC SDX \n OU = Internal \n CN = masrepuser \n" > /var/mps/pg_certs/client/masrepuser/pg_masrepuser_csr.config ; 

2.  openssl genrsa -out /var/mps/pg_certs/client/masrepuser/pg_masrepuser.key 2048; 

3.  openssl req -days 1000000 -new -key /var/mps/pg_certs/client/masrepuser/pg_masrepuser.key -out /var/mps/pg_certs/client/masrepuser/pg_masrepuser.csr -config /var/mps/pg_certs/client/masrepuser/pg_masrepuser_csr.config ; 

4.  openssl x509 -req -days 1000000 -in /var/mps/pg_certs/client/masrepuser/pg_masrepuser.csr -CA /var/mps/pg_certs/server/root.crt -CAkey /var/mps/pg_certs/server/pg_server.key -out /var/mps/pg_certs/client/masrepuser/pg_masrepuser.crt -CAcreateserial ; 

5.  rm /var/mps/pg_certs/client/masrepuser/pg_masrepuser.csr; 

6.  rm /var/mps/pg_certs/client/masrepuser/pg_masrepuser_csr.config; 

7.  cp -R /var/mps/pg_certs/client /var/mps/db_pgsql/data/; 

8.  chown -R mpspostgres:nobody /var/mps/db_pgsql/data/client; 

9.  chmod 700 /var/mps/db_pgsql/data/client; 

10.  chmod 600 /var/mps/db_pgsql/data/client/masrepuser/*key; 

11.  chmod 600 /var/mps/db_pgsql/data/client/pg_rewind/*key; 

12.  touch /var/mps/adm_upgrade_pg_generate_certs; 

13.  masd restart 


Problem Cause

Expired DB SSL certificates can cause the database streaming issue between the ADM HA nodes. If the SSL certificate expires, the "join_streaming_replication.sh" command does not restore the streaming. This issue appears in ADM 13.0 64.35.