Configuring RADIUS Server Certificates

If the RADIUS service uses a TLS connection, a valid RADIUS server certificate must be used with the service. A RADIUS server's certificate can be CA-signed or self-signed. This section describes how to initially configure certificates and how to manage a new certificate when the previous certificate expires. This section does not apply to the UDP protocol.

Initially Configuring RADIUS Server Certificates

For more information about trusted certificates, see the sections about trusted certificates in Configuring Certificates.

You can supply a list of trusted CA certificates. RADIUS server certificates issued by those trusted CAs and marked as trusted by RADIUS do not require special management.

If a RADIUS server's certificate is not issued by a trusted CA, whether the certificate is issued by a CA or is self-signed, you will be asked to review and approve the certificate. If you accept the certificate, that certificate is added to the list of trusted certificates.

Managing Expired and New RADIUS Server Certificates

If you individually accepted a certificate, either a CA-signed certificate or a self-signed certificate, then when the RADIUS server's certificate expires, you must approve the new certificate. Select the server, test the connection, and examine and approve the new certificate. See Approving a New RADIUS Server Certificate - BUI, CLI.

If you supply CA certificates, changes in the individual server certificates are handled automatically. When your server changes CA certificates, ensure that the new CA certificate is added to the appliance before your RADIUS server starts using it. If the server starts using the new CA certificate before you add it to the appliance, your RADIUS service will be interrupted.
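As an added pre-check for the CA changeover described above (example code written for this page, not part of the appliance or its documentation): it opens a TLS session to a RADIUS server, validates the presented chain against only the CA list you export from the appliance, and reports how much lifetime the certificate has left, so the re-approval step or the CA update can be scheduled before the service is interrupted. It assumes the RFC 6614 default RADIUS/TLS port 2083, a PEM file of the trusted CAs, and a constructed sample certificate record for offline use.

```python
import socket
import ssl
import time

# Assumption: RADIUS/TLS (RadSec) default port from RFC 6614; the page names no port.
RADSEC_PORT = 2083

# Constructed sample in the shape SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "radius1.example.test"),),),
    "issuer": ((("commonName", "Constructed Corp CA"),),),
    "notAfter": "Jun 15 12:00:00 2031 GMT",
}


def _cn(name):
    """Pull the commonName out of a getpeercert()-style distinguished name."""
    return next((v for rdn in name for k, v in rdn if k == "commonName"), None)


def check_peer(cert, now=None, warn_days=30):
    """Summarise a peer certificate dict: issuer, subject and remaining lifetime.
    'expiring' is the cue to plan the test-and-accept step for individually accepted certs."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400
    status = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
    return {
        "subject": _cn(cert.get("subject", ())),
        "issuer": _cn(cert.get("issuer", ())),
        "not_after": not_after,
        "days_left": int(days_left),
        "status": status,
    }


def probe_radius_tls(host, port=RADSEC_PORT, cafile=None, timeout=5.0):
    """Open a TLS session to the RADIUS server and validate its chain against the CAs
    in cafile only (cafile=None falls back to the system trust store). A failed
    validation is the case in which the appliance would ask you to accept the cert by hand."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # assumption: peers are configured by IP, so trust rests on the CA
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"verified": True, "summary": check_peer(tls.getpeercert())}
        except ssl.SSLCertVerificationError as exc:
            return {"verified": False, "error": exc.verify_message}
```

Run probe_radius_tls against each configured server with the current CA file and again with the file that includes the new CA; a server that validates only with the second file has already switched and must be accepted by hand until the CA is added.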

Approving a New RADIUS Server Certificate (BUI)

Use the following procedure to accept a new certificate after the previous certificate has expired.

  1. From the Configuration menu, select Services.
  2. Under Directory Services, select RADIUS.
  3. On the Properties tab, scroll to the RADIUS Servers section of the page.
  4. In the table, click the edit icon for the server that has the new certificate.
  5. Click the Test Connection button in the Edit RADIUS Server dialog box to test the TLS connection.

    A new dialog box reports whether the new certificate is trusted.

  6. Click OK in the trusted certificate dialog box.

    If the trusted certificate dialog box reported that the certificate is not trusted, the Accept RADIUS Server Certificate dialog box opens. This dialog box displays information about the certificate, and has REJECT and ACCEPT buttons.

  7. Review the certificate information, and click ACCEPT.

    The certificate is added to the list of trusted certificates.

Approving a New RADIUS Server Certificate (CLI)

Use the following procedure to accept a new certificate after the previous certificate expired.

  1. Go to configuration services radius.
  2. Enter the list command to show the list of RADIUS servers' ordinal names.
  3. Select a server by its ordinal name.
  4. Enter the test command to test the TLS connection.

    Information about the new certificate is displayed.

  5. Examine and approve the new certificate.

    The certificate is added to the list of trusted certificates. If you enter the test command again, the message Certificate is trusted is displayed.