Subscribe
Accepted Solution

Invoke-NaSSH and FipsAlgorithmPolicy Enabled = .NET error

Running DataONTAP PowerShell v 1.3.0.38 on Windows 2008 SP2 with .NET 3.5

If registry entry "HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled" is set to "1", enabled,

and I run the Invoke-NaSSH command on a controller, I get the following .NET error

Session.connect: System.NullReferenceException:Object reference not set to an instance of an object.
   at Tamir.SharpSsh.jsch.jce.HMACMD5.update(Int32 i)
   at Tamir.SharpSsh.jsch.Session.read(Buffer buf)
   at Tamir.SharpSsh.jsch.UserAuth.start(Session session)
   at Tamir.SharpSsh.jsch.UserAuthNone.start(Session session)
   at Tamir.SharpSsh.jsch.Session.connect(Int32 connectTimeout)]

In our test environment, setting it to "0" yields no such error.

Unfortunately, this registry entry is set by our security group in the 2008 images we deploy out in the field

and disabling it is a no-no.

Is this a problem with Tamir.SharpSsh.jsch package or with how a call is made or something else?

-Jose

Re: Invoke-NaSSH and FipsAlgorithmPolicy Enabled = .NET error

Hello, Jose.  The released build of Toolkit 1.3 was 1.3.0.130.  How did you get such an early build?

The FIPS algorithm issues were reported during internal beta testing of Toolkit 1.3, and I fixed them before release.  In any case, with FIPS enabled on my development system (Windows Server 2008 R2), Invoke-NaSsh in Toolkit 1.3 and later works.  Would you please download Toolkit 1.4 and report whether that works for you?

Re: Invoke-NaSSH and FipsAlgorithmPolicy Enabled = .NET error

v1.4 took care of it!

Thanks!

(that build was given to us as part of custom built installation script)

Re: Invoke-NaSSH and FipsAlgorithmPolicy Enabled = .NET error

Looks like going to v1.4 broke my storage configuration script.

That early build toolkit given to us also included a "Invoke-NaSystemCli" cmdlet which I used extensively throughout my configuration script.

Any chance of putting that cmdlet back?

If not, I'll have to go back to the toolkit I was using.  I'm thinking I can just disable then enable that registry entry

$RegKey ="HKLM:\System\CurrentControlSet\Control\Lsa"
Set-ItemProperty -path $RegKey -name FIPSAlgorithmPolicy  -value 0 (or 1)

-Jose

Re: Invoke-NaSSH and FipsAlgorithmPolicy Enabled = .NET error

The system-cli API is unsupported, so I'm afraid we can't ship that cmdlet.  But all is not lost.  v1.4 adds a more generic cmdlet, Invoke-NaSystemApi, from which you could roll your own script cmdlet fairly easily.  Just be careful using unsupported APIs!