Introduction
This document describes ACI Fault F3081 and its remediation steps.
Background Information
This fault occurs when a SAML X.509 Certificate is going to expire in one month on an APIC.
F3081: fltAaaSamlEncCertSamlEncCertExpiring
Severity: major
Explanation: This fault occurs when the SAML X.509 Certificate is going to expire in one month.
Recommended Action: If you see this fault, take the following actions:
Update SAML X.509 Certificate soon.
Note: This fault can be raised even when SAML is not configured on the APIC. In that case it has no operational impact, since no login flow depends on the certificate.
Intersight Connected ACI Fabrics
This fault is actively monitored as part of Proactive ACI Engagements.
If you have an Intersight-connected ACI fabric, a Service Request is generated on your behalf in order to indicate that instances of this fault were found within your Intersight-connected ACI fabric.
Quick Start to Address Fault
1. Check the SAML X.509 Certificate Expiry status. Fault F3081 is raised when it shows Expiring or Expired.
2. Check whether the certificate issuer is Cisco or a third party.
3. If the issuer is Cisco, regenerate the SAML Encryption Key Pair. If the issuer is a third party, renew the certificate through that CA.
Detailed Steps to Address Fault
Validate SAML X.509 Certificate Expiry Status
Via the APIC GUI
1. Navigate to Admin > AAA > Authentication > SAML > Management.
2. Check the SAML X.509 Certificate Expiry status. Expiring means the certificate expires within one month.
Regenerate and Renew SAML X.509 Certificate
To clear this fault, renew or regenerate the certificate so that its expiration date is extended.
Regenerating the key pair does not disrupt the APIC or the fabric. It does replace the certificate that identifies the APIC to the IdP, so if the IdP holds the APIC's current certificate (for example, to encrypt the assertions it sends to the APIC), load the new certificate into the IdP after regeneration.
Before you proceed, confirm whether the certificate authority (CA) that issued the certificate is Cisco or a third party.
To read the certificate parameters, copy the certificate content from the APIC and decode it with any X.509 decoder; the issuer and the validity dates tell you which path to follow.
If the certificate was issued by a third-party CA, contact that CA to renew the SAML X.509 certificate.
If the issuer is Cisco, proceed with these steps.
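The decode-and-classify step above, as an added example that is not part of the Cisco document or of the APIC software. It uses the openssl command-line tool to reproduce the F3081 expiry check (one month before notAfter) on a PEM certificate copied from the APIC, and to pick the remediation branch from the issuer. The assumption that an APIC-generated certificate carries "Cisco" in its issuer DN is mine, not stated in the document; the self-signed certificates created by make_demo_cert are constructed test data standing in for the exported APIC certificate.

```shell
#!/bin/sh
# Added example, not part of the Cisco document or APIC software.
# Reproduces the F3081 expiry check for a SAML X.509 certificate copied
# from Admin > AAA > Authentication > SAML > Management, and reports
# whether the issuer looks like Cisco (APIC-generated) or a third-party CA.
# Requires the openssl command-line tool.

WINDOW_DAYS=30          # F3081 fires when expiry is within one month

# Print the fields an operator reads off an X.509 decoder: subject, issuer
# and validity window. -nameopt RFC2253 keeps the DN format stable across
# OpenSSL versions.
cert_summary() {        # $1 = PEM file
    openssl x509 -in "$1" -noout -subject -issuer -dates -nameopt RFC2253
}

# Classify like the APIC GUI: Expired, Expiring (within WINDOW_DAYS) or Active.
# "openssl x509 -checkend N" exits non-zero when the certificate expires
# within the next N seconds, so -checkend 0 detects an already-expired cert.
cert_status() {         # $1 = PEM file
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo Expired
    elif ! openssl x509 -in "$1" -noout -checkend $((WINDOW_DAYS * 24 * 3600)) >/dev/null 2>&1; then
        echo Expiring
    else
        echo Active
    fi
}

# Decide which remediation branch applies. Assumption (not stated in the
# document): an APIC-generated certificate carries "Cisco" in its issuer DN;
# anything else is treated as a third-party CA that must renew the certificate.
cert_issuer_kind() {    # $1 = PEM file
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
    case "$issuer" in
        *Cisco*) echo Cisco ;;
        *)       echo Third-Party ;;
    esac
}

# Constructed test data: a self-signed certificate standing in for the one
# exported from the APIC. $1 = output PEM, $2 = days until expiry, $3 = CN.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" \
        -out "$1" -days "$2" -subj "/CN=$3" >/dev/null 2>&1
}

# Usage: sh saml_cert_check.sh /path/to/saml_cert.pem
if [ -n "$1" ]; then
    cert_summary "$1"
    printf 'status=%s issuer=%s\n' "$(cert_status "$1")" "$(cert_issuer_kind "$1")"
fi
```

A certificate that reports Expiring here is the one the fault is pointing at; Third-Party means the APIC's Regenerate SAML Encryption Key Pair action will not help and the CA has to issue a renewed certificate.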
Via APIC GUI
1. Navigate to Admin > AAA > Authentication > SAML > Management > Regenerate SAML Encryption Key Pair.
Note: By renewing the certificate, the expiration date displayed in the Certificate Validity is extended to a date that is three years after the renewal date.
Validate if Expiry Status Changed to Active
Via the APIC GUI
1. Navigate to Admin > AAA > Authentication > SAML > Management.
2. Confirm that the SAML X.509 Certificate Expiry status now shows Active and that fault F3081 has cleared.
Additional Information
SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider. The Service Provider (here, the APIC) relies on assertions issued by the IdP to authenticate a user, so an administrator who has signed in once at the IdP can access the set of Cisco applications federated with it without signing in again.
SAML SSO uses the SAML 2.0 protocol to provide cross-domain and cross-product SSO for Cisco solutions and to federate Cisco applications with an IdP. Administrative users authenticate at the IdP over a secure web session, and the IdP and the Service Provider exchange the resulting authentication and authorization data, so a single set of credentials can be used across applications without each application handling the password itself.