Applies To:
All versions
Symptom:
When a local account is used with the iDRAC adaptable driver, renewing an iDRAC certificate takes much longer than with an AD account and may fail with a timeout. The error may look similar to this:
Failed to generate CSR on \VED\Policy\Dell_???\iDRAC. Error: PowerShell Script Invocation Error: DRAC Error code: 1 - Failed on SSL CSR Generation - HTTP Service unavailable for <xxx.xxx.xxx.xxx> - full error: . Additional error data at Venafi.Drivers.Applications.AdaptableBase.callScriptFunction(String function, Hashtable general, Hashtable specific, List`1 validResultList) at Venafi.Drivers.Applications.Adaptable.createCSR(String& status)
Cause:
The iDRAC takes much longer to respond to the renewal request when a local user is used. This is not a problem with the TPP software; it appears to be an issue with the customer-specific environment, which you can work around by increasing the default script timeout. We allow custom timeouts to be specified for the Adaptable scripts to compensate for these delays.
Resolution:
To allow the process to complete without failure, you will need to increase the timeout set on the policy.
To increase the timeout (default is 240 seconds), in TPP go to the Policy Tree and then to the policy folder for that certificate.
1. Make sure the Sample iDRAC adaptable script is placed here on each TPP server
2. In WebAdmin, add the Adaptable Script to the policy folder where the iDRAC application object will be created; you can then make an attribute change. Select Adaptable App -> Support -> +Add.
If the +Add option is unavailable, you will need a code from Venafi support to add the attribute. To enable the Support tab, go to Support -> Attributes -> Authorize Edit, then send the generated code to Venafi (support@venafi.com) with an explanation of what you want to edit or add and why.
Once the Authorization Response is received, enter it in the bottom field and +Add will become available.
Please note that once you log out, another challenge code and response code are needed to edit the Support tab again.
3. Create an Adaptable Application object. After the Adaptable Application object is created, go to the Support tab and select Add Attribute. Choose Script Execution Timeout, set it to 600, and press OK. Testing may show that the value needs to be as high as 600 to 800.
4. Wait patiently for the certificate to renew.