...
This certificate change causes the cloud unit to go into a disconnected state for Data Domain systems configured with Cloud Tier:

    # alert show current
    Id      Post Time                  Severity   Class   Object                     Message
    -----   ------------------------   --------   -----   ------------------------   ------------------------------------------------------------
    m0-76   Mon Apr 19 15:34:03 2021   CRITICAL   Cloud   CloudUnit=aws-unit         EVT-CLOUD-00001: Unable to access provider for cloud unit aws-unit.
    -----   ------------------------   --------   -----   ------------------------   ------------------------------------------------------------
    There is 1 active alert.

    # cloud unit list
    Name             Profile     Status
    --------------   ---------   ------------
    aws-unit         aws         Disconnected
    --------------   ---------   ------------

For Data Domain Virtual Edition (DDVE) deployed on AWS with Active Tier on Object Storage (ATOS), the file system is disabled with the following alert messages:

    Alert History
    -------------
    Id      Post Time                  Clear Time                 Severity   Class               Object   Message
    -----   ------------------------   ------------------------   --------   -----------------   ------   ----------------------------------------------------------------------
    m0-26   Tue Apr  6 13:58:41 2021   Tue Apr  6 13:59:03 2021   ERROR      Filesystem                   EVT-FILESYS-00008: Filesystem has encountered an error and is restarting.
    m0-27   Tue Apr  6 14:19:59 2021   Tue Apr  6 14:20:03 2021   ALERT      Filesystem                   EVT-FILESYS-00002: Problem is preventing filesystem from
    -----   ------------------------   ------------------------   --------   -----------------   ------   ----------------------------------------------------------------------
AWS is changing its server certificates for S3 to certificates issued by the Amazon Trust Services CA. This is happening starting March 23, 2021. To access S3 buckets, systems require the Amazon Root CA1 certificate instead of the Baltimore CyberTrust Root certificate.

See the following Amazon security blog for detailed information:
https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority
The following steps apply to supporting AWS's own certificate authority on Data Domain systems configured with Cloud Tier, or on DDVE deployed on the AWS cloud platform with ATOS.

Confirm that the Data Domain system has the "Baltimore CyberTrust Root" certificate for the cloud application, as in the following example:

    sysadmin@dd01# adminaccess certificate show
    Subject                     Type            Application   Valid From                 Valid Until                Fingerprint
    -------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
    dd01.example.com            host            https         Tue Mar 26 10:38:34 2019   Wed Jan 31 10:48:38 2024   30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
    dd01.example.com            ca              trusted-ca    Wed Mar 27 17:38:34 2019   Wed Jan 31 10:16:38 2024   CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
    Baltimore CyberTrust Root   imported-ca     cloud         Fri May 12 11:46:00 2000   Mon May 12 16:59:00 2025   D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
    -------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
    Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr

Download the Amazon Root CA1 certificate from the following page: https://www.amazontrust.com/repository/

    Distinguished Name: CN=Amazon Root CA 1,O=Amazon,C=US
    SHA-256 Hash of Subject Public Key Information: fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2
    Self-Signed Certificate: DER, PEM
    Test URLs: Valid, Revoked, Expired

Right-click the word "PEM" on this web page and select "Save as".

Import the AmazonRootCA1.pem certificate file from the folder using the Data Domain System Manager UI.

For a Data Domain system configured with Cloud Tier: Data Management > File System > Cloud Units > Manage Certificates > Add.
For a Data Domain system running on the AWS platform with ATOS: Data Management > File System > Summary > Modify Object Store > CERTIFICATE > Add

Run the following command in an SSH session and confirm that the following highlighted certificates are added to the system:

    sysadmin@dd01# adminaccess certificate show
    Subject                     Type            Application   Valid From                 Valid Until                Fingerprint
    -------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
    dd01.example.com            host            https         Tue Mar 26 10:38:34 2019   Wed Jan 31 10:48:38 2024   30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
    dd01.example.com            ca              trusted-ca    Wed Mar 27 17:38:34 2019   Wed Jan 31 10:16:38 2024   CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
    Baltimore CyberTrust Root   imported-ca     cloud         Fri May 12 11:46:00 2000   Mon May 12 16:59:00 2025   D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
    Amazon Root CA 1            imported-ca     cloud         Mon May 25 17:00:00 2015   Sat Jan 16 16:00:00 2038   8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
    -------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
    Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr

If the certificate was added with a value other than "cloud" in the "Application" field, remove it from the Certification Authority certificates under Access Management in the UI as follows:

Note: Do not remove the old "Baltimore CyberTrust Root" certificate.

For Data Domain systems that are configured with a Cloud Tier file system, a restart may be required to reestablish the connection with Cloud Units. Arrange for downtime and run the following command to restart the file system:

    # filesys restart

For Data Domain systems running on the AWS platform, reboot the DDVE:

    # system reboot
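A check for the confirmation step above, as an added example (not code from this article or from Dell): it parses captured `adminaccess certificate show` output by the column positions of the dashed ruler line, so dates padded with two spaces still parse, and reports whether both roots are trusted for the "cloud" application. The sample table is constructed from the output on this page, and the function names are illustrative.

```python
import re

# Constructed input: the `adminaccess certificate show` table from this page,
# re-aligned by hand into fixed-width columns.
SAMPLE = """\
Subject                     Type            Application   Valid From                 Valid Until                Fingerprint
-------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
dd01.example.com            host            https         Tue Mar 26 10:38:34 2019   Wed Jan 31 10:48:38 2024   30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
dd01.example.com            ca              trusted-ca    Wed Mar 27 17:38:34 2019   Wed Jan 31 10:16:38 2024   CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
Baltimore CyberTrust Root   imported-ca     cloud         Fri May 12 11:46:00 2000   Mon May 12 16:59:00 2025   D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
Amazon Root CA 1            imported-ca     cloud         Mon May 25 17:00:00 2015   Sat Jan 16 16:00:00 2038   8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
-------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr
"""

EXPECTED = {  # subject -> fingerprint, both as shown on this page
    "Amazon Root CA 1": "8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16",
    "Baltimore CyberTrust Root": "D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74",
}

def parse_cert_table(text):
    """Cut each row at the column starts given by the dashed ruler line."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines) if re.fullmatch(r"-+( +-+)+", l.rstrip()))
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    spans = list(zip(starts, starts[1:] + [None]))
    names = [lines[ruler - 1][a:b].strip() for a, b in spans]
    rows = []
    for line in lines[ruler + 1:]:
        if line.startswith("-"):  # the closing ruler ends the table
            break
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, spans)})
    return rows

def check_cloud_trust(text):
    """Return findings; an empty list means both roots are trusted for 'cloud'."""
    findings = []
    rows = [r for r in parse_cert_table(text) if r["Type"] == "imported-ca"]
    for subject, fingerprint in EXPECTED.items():
        mine = [r for r in rows if r["Subject"] == subject]
        if not any(r["Application"] == "cloud" for r in mine):
            findings.append(f"{subject}: no imported-ca entry for application 'cloud'")
        for r in mine:
            if r["Application"] != "cloud":
                findings.append(f"{subject}: imported for '{r['Application']}', not 'cloud'")
            if r["Fingerprint"].upper() != fingerprint:
                findings.append(f"{subject}: fingerprint differs from the one on this page")
    return findings
```

Feed it the text saved from the SSH session; a non-empty result names the entry to re-import or to remove under Access Management.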