Certificate Troubleshooter
The purpose of this troubleshooter is to help diagnose issues with EMS or OLT certificates:
- Verify that there are no expired certificate alarms within the alarms view. If these alarms exist, you need to get new certificates before the EMS and OLT can communicate. Typical custom certificates have lifetimes of two years or less. (Tellabs self signed certificates are good until 2049)
- Verify that there are no certificate expiring alarms within the events view as a preventative measure. Certificate expiring events are sent once the certificates are down to 90 days and are re-issued weekly until expiry.
- You must have a login to the OLT with the certificate admin rights to view the certificates on the OLT. You can also validate the OLT certificate and validity dates by displaying the certificates at the CLI and verifying their validity:
.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kemY4dnF2MjRlcWhnLmNsb3VkZnJvbnQubmV0L3VzZXJmaWxlcy80MTcwMy81NDk1Mi9ja2ZpbmRlci9pbWFnZXMvcXUvMjAyNS9pbWFnZSgxNzkpLnBuZyIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTc2MjA5MDIyN319fV19&Signature=FaxsF6icmz3gNuPfUAzkZ2BkeRHgho7doN4y8~GyTVPRzuj0R3fKQg1ABgomBDJLJeeUoF4g7DYuhn676F3wzOVMGP6L7eQJBxQc6iukR4GUu5TZsp6LG3eIkiPgp8QqcAaQyS1EVOvkCTBWP-9UN8wmE5S43NhF8NJ~S3iLv7b-4oil2zciCdSufbv7Srq3mOBAe-SvKq~oVi1gz0vZnuPc4VT6Vw~bzee4yShYGB7b3jdp3WqE~4KxTKEFSHG0peLk7~hPVRdKQAJJJVRI3KNJl2NAgwRAVaq3AHQpUZsxlE8z2wnhHu5y58kGeI5KpEjp5Y6FcDA1Q3yRgIqDOA__&Key-Pair-Id=K2TK3EG287XSFC)
- On the EMS you can use the Certificate Mgr to see the EMS certificate and check its validity
First go to the directory \Tellabs\PanoramaPon\bbmgr\server on the server machine and issue the command certificateMgr.bat.
You will be presented with the main menu, select 99, then 1 display certificate detail.
.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kemY4dnF2MjRlcWhnLmNsb3VkZnJvbnQubmV0L3VzZXJmaWxlcy80MTcwMy81NDk1Mi9ja2ZpbmRlci9pbWFnZXMvcXUvMjAyNS9pbWFnZSgxODApLnBuZyIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTc2MjA5MDIyN319fV19&Signature=Py7FqDLv93y~EyuIhDbyGd12ONCL~XrGAChy8lpZM3Q4nZp-wqGOdgpLZzWvPKoB6M~M~0jwT3WuvtqE1NQh9uy0NWTZpMw4~vwRLpMSujUUNmmML-PibMjJDIy5W3e0zUIyaa8RE4b7OHKl52~Genhl2tbIOTspz~naF-3WJNFXrcnGI4tWwNsZAFlT6MqCmFNVgcMpw4X9MlumR4IHC2MQKtT-2KAHwpZcMscvmFEYm2tWutsySXE3Txp5x3S8FG2vxx69xHm2G8Vp4O3sw13zZB~PJlcTgAL3VZ3vqOcmYffnO7ZivuDxIqhQS19FebqvBKJGqKzHGeYmxkJHtw__&Key-Pair-Id=K2TK3EG287XSFC)
- Select 1, then the name of the device certificate, it will be the one that has the u,u,u attributes. For stock certificates, it will be named TellabsDevice. For custom certs, will vary. You can then check the certificate validity dates:
.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kemY4dnF2MjRlcWhnLmNsb3VkZnJvbnQubmV0L3VzZXJmaWxlcy80MTcwMy81NDk1Mi9ja2ZpbmRlci9pbWFnZXMvcXUvMjAyNS9pbWFnZSgxODEpLnBuZyIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTc2MjA5MDIyN319fV19&Signature=pYAnvD4vBfai2Mb2bfOT3oFm7VnJ0fJ8JJ8d2paFQIhNFbxpdlKpcEG4LAH4D0gEOOJCNgZFsfLvsW-1aUszUtfOHypk0a9T~zH-k-iBjl4sgPa82ocO3AHwVQ5CvV1gNdmNLO1JnegpgKV0r0KvcrYFhyQ0iIMqkdM-CmzUI-0Wv5JIk8J0FK~RPNoA-UgCOmMWcVnh3LodcRTFjhT-1YRxXXNuJjFz04aeFu-o8fErNgTnVJaWX3QIvBWWpLI9VunQVzyqlCHFqEjjakg2Un0Vo6i9UqNO2j-iHdHyJTQh6xnrxYEdtbj1Vq~Wm074L~nVU~XSmBom4jb8NH8xzw__&Key-Pair-Id=K2TK3EG287XSFC)
- Both the EMS and OLT will not allow a certificate to be assigned to device if it is not valid. So if the certs are both within their validity dates, one other possible issue is that the trust anchors are incorrect.
- For proper operation the EMS and OLT must have a certificate signed by someone they trust.
The device certificate is what a device offers when it tries to authenticate a connection.
The anchor certificate is what a device uses to authenticate a certificate that is presented to authenticate a connection.
.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kemY4dnF2MjRlcWhnLmNsb3VkZnJvbnQubmV0L3VzZXJmaWxlcy80MTcwMy81NDk1Mi9ja2ZpbmRlci9pbWFnZXMvcXUvMjAyNS9pbWFnZSgxODIpLnBuZyIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTc2MjA5MDIyN319fV19&Signature=ElluNSlTMw-JUjrjWTLQZsKXxt3tq~PPX99hyTZ8eLnhX~Yz9QO96HPzOwdoshAE3v6RI1QDt3iuyz-bKrZRd9GwDgmC2gZXZQbL7fynUsFE8g1LBrDhJXoQvAEgHgYVsZHNWiHJrMs8ulkIrvlgjWtQa7yiIiALJIVzUt1danuuJ1y~9HgPy2cRlZ-5n~dN8wqkw6x~NLO9ItMS-VzBGVZPoTL7qv8iLLVhxEmu~3bs9fJCsMYGuyWiv29FrI8GEFH9zzLUhAzBOvSXripY2qMBT~EGDKbJCXmt-PaVV7pAXonTh0CggKCz234AL-eYsfx7FbVJppraSgVNz2cFig__&Key-Pair-Id=K2TK3EG287XSFC)
- Verify that the certificates are set up properly for operation.
FEEDBACK: Are you happy with this material?
Thank you Your feedback helps us to continually improve our content.