SA Core recertification

SA provides a Core Recertification Tool that allows you to recertify SA Cores and Agents. The Core Recertification Tool automates and speeds the process of issuing new security certificates.

This tool is separate from and compatible with the existing Agent Recertification tool. For more information, see Agent recertification.

Carrying out a Core Recertification does not require additional SA downtime. SA services will be fully available during the complete procedure. The following service restarts are required, but can be synchronized with internal maintenance windows:

1. Phases 3 and 7: Automatic restarts for mesh-wide SA gateways.

2. Phases 4, 8, and 12: Automatic restarts for mesh-wide SA Agents.

3. Phase 6: Automatic restarts for primary spin components of each SA facility.

4. Phases 6, 9, and 13: Manual mesh restarts.

Major advantages of the Core Recertification Tool are:

  • The ability to regenerate all SA certificates before their expiration, which effectively shortens their life span.
  • The ability to mitigate certificate compromises.

SA is a closed Public Key Infrastructure (PKI) system that uses X.509 v3 certificates to facilitate authentication, authorization, and secure network communications. An X.509 certificate is a form of identification that binds a specified principal with a public key.

A certificate, along with its corresponding private key, constitutes a digital identity. Like many other forms of identification, a certificate is valid for a finite period of time. An X.509 certificate's validity period is specified by its Not Before and Not After dates. A given X.509 certificate is considered valid only if the current date is within its validity period. Conversely, a given X.509 certificate is considered invalid if the current date is outside of its validity period. SA does not accept invalid certificates.

SA CAs are automatically generated during bootstrap and subsequently used to issue the rest of the Core Component certificates. SA Agent certificates are issued by the Agent CA during initial Agent registration.

All SA certificates are valid for 10 years by default. There is no way to change the life span of the SA certificates through configuration. The only way to make changes to the SA certificate policies is through customization.

SA uses class certificates where all the Core components of a class share one certificate. For example, all the Command Engines share one Command Engine certificate. Compromising one Command Engine certificate means all the Command Engine certificates are compromised. Furthermore, SA does not support certificate revocation. The only way to invalidate a compromised Core Component certificate is to recertify the entire Core.

This release of the Core Recertification Tool does not support customized Core installations. Any customization done outside the realm of the SA Installer that requires certain SA certificates and keys to be on a different host or under a different directory is not supported by this tool.

SA will warn administrators about upcoming certificate expiration through System Diagnosis on the Data Access Engine. The warning period is configurable (crypto.expire.warn_days) with the default being 300 days.
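The validity-period rule and the expiration warning period described above can also be checked outside SA. The following is an added example, not SA's own System Diagnosis code: it classifies a certificate from the text printed by `openssl x509 -noout -dates`. The sample dates are constructed, and treating exactly `warn_days` remaining days as a warning is an assumption.

```python
import ssl
from datetime import datetime, timezone

WARN_DAYS = 300  # default of crypto.expire.warn_days, as stated on this page

# Constructed sample: output of `openssl x509 -noout -dates` for a 10-year certificate
SAMPLE = "notBefore=Mar 14 08:00:00 2016 GMT\nnotAfter=Mar 14 08:00:00 2026 GMT\n"


def parse_dates(openssl_output):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # ssl.cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT"
            secs = ssl.cert_time_to_seconds(value.strip())
            fields[key] = datetime.fromtimestamp(secs, tz=timezone.utc)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("both notBefore and notAfter are required")
    if fields["notAfter"] <= fields["notBefore"]:
        raise ValueError("notAfter must be later than notBefore")
    return fields["notBefore"], fields["notAfter"]


def classify(openssl_output, now, warn_days=WARN_DAYS):
    """Return (status, whole days remaining or None if outside the validity period)."""
    not_before, not_after = parse_dates(openssl_output)
    if now < not_before:
        return "invalid: not yet valid", None
    if now > not_after:
        return "invalid: expired", None
    days_left = (not_after - now).days
    # Assumption: the warning starts once remaining days <= warn_days
    if days_left <= warn_days:
        return "warn: recertify soon", days_left
    return "valid", days_left


if __name__ == "__main__":
    print(classify(SAMPLE, datetime.now(timezone.utc)))
```
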

There are two use cases for recertifying a Core: the crypto material is expiring, or a security breach has exposed the crypto material. In the case of a security breach, phases 11 through 13 must be executed.