Subscribe

Be aware that upgrading to OnCommand 6.2P1 might bring major issues

Hi,

 

I was using 6.2 and because of the announced security issues in java and mysql I upgraded to 6.2P1.

So now when I try to open the website with Chrome of FF I get this nice error:

 

"

Server has a weak ephemeral Diffie-Hellman public key

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
Hide details
This error can occur when connecting to a secure (HTTPS) server. It means that the server is trying to set up a secure connection but, due to a disastrous misconfiguration, the connection wouldn't be secure at all!

In this case the server needs to be fixed. Google Chrome won't use insecure connections in order to protect your privacy."

 

When I try to open it with IE the page get`s displayed but my password won't get accepted.

 

User+PW work fine when using the shell directly.

 

So great update! (At least for me) a total desaster!

 

 

Re: Be aware that upgrading to OnCommand 6.2P1 might bring major issues

[ Edited ]

Thanks for reporting the issue and sorry for any inconvenience caused. Please read through on the Issue, Cause and Solution.

 

Issue:

1. You mentioned that the issue is occurred while upgrading from 6.2 to 6.2P1.

2. Observation was that your web browser shows that SSL/TLS handshake attempts to use a public key smaller than 1024 bits, for ephemeral Diffie-Hellman key agreement. Error: ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY.

 

Cause:

1. 6.2P1 build was generated on 06,May,2015.

2. The issue you are observing is caused by: https://access.redhat.com/security/cve/CVE-2015-4000  Reported on 2015-05-20. The CVE was observed much after the 6.2P1 was published.

3. You would have used latest browser with security updates that would have notified about ths CVE.

 

Solution:

While we work towards addressing new set of Vulnerabilities, below is the solution to bring Unified Manager up and running. As we donot have the exact web browser/client system versions that you are using, we request you to confirm if the below solution works.

 

Login to the System as ROOT and Execute the below commands in the specified order. The steps backs-up /opt/netapp/essentials/jboss/server/onaro/deploy/jbossweb.sar/server.xml.backup and removes weaker cipher from server.xml

 

service ocie stop


cp /opt/netapp/essentials/jboss/server/onaro/deploy/jbossweb.sar/server.xml /opt/netapp/essentials/jboss/server/onaro/deploy/jbossweb.sar/server.xml.backup


sed 's/TLS_DHE_RSA_WITH_AES_128_CBC_SHA,//' /opt/netapp/essentials/jboss/server/onaro/deploy/jbossweb.sar/server.xml > tmp && mv -f tmp /opt/netapp/essentials/jboss/server/onaro/deploy/jbossweb.sar/server.xml


sed 's/TLS_DHE_DSS_WITH_AES_128_CBC_SHA,//' /opt/netapp/essentials/jboss/server/onaro/deploy/jbossweb.sar/server.xml > tmp && mv -f tmp /opt/netapp/essentials/jboss/server/onaro/deploy/jbossweb.sar/server.xml


service ocieau start


service ocie start

 

Need More Information:

1. Please provide the version of web browser you are using.

2. Did you make any modification to web browser in terms of security settting and installing any security add-ons. if Yes please specify the details.

 

 

 

 

   

Re: Be aware that upgrading to OnCommand 6.2P1 might bring major issues

You are right, it`s caused by an up to date browser - which everybody should have.

 

And yes 6.2 P1 was released before, but 6.2 P2 is also available for download. And this was released on 10th of June 2015, so...

 

login with the root account is not working for me. I set the username to admin when installing it.

Is there a default pw for the root account? How can I reset the pw?

 

When logged in with the admin account I can't go to directly to the shell just use a few network/systems options.

 

Thanks!

Re: Be aware that upgrading to OnCommand 6.2P1 might bring major issues

Thanks for the information and confirmation. Looks like you are using Unified Manager Virtual Appliance (vApp). For getting to root shell you can need contact NetApp Customer Support.

 

Mean while, could you please provide below information. This would help engineering in recreating the issue locally.

 

1. What is browser version you were using before update?

 

2. What is browser version after update?

 

3. Did you enable/disble/install any security addons or Configured any browser settings?

 

4. What is Client Operating System on which Browser was Opened?

 

5. Does the communication from  Browser  to Unified Manager Server goes via Firewall/VPN (Virtual Private Network)/IPSec?

Re: Be aware that upgrading to OnCommand 6.2P1 might bring major issues

Could you please provide more information on the queries that I've put in. This would help engineering in providing the right set of solution and cipher settings required. Awaiting your reply.

Re: Be aware that upgrading to OnCommand 6.2P1 might bring major issues

Hello,

 

I hook up in this thread, because I have the same problem with Unified Manager.

Our installed version of Unified Manager was 6.1 (vApp).

My browser (Opera) updated from version 29 to 30. Since then this error occurs.

I updated Unified Manager to 6.2p1 but the error stayed.

 

We have solved this issue on another system by editing the server.xml of tomcat and catalina to use only specific cipher entries. 

How can we do that at the vApp?

 

br

Re: Be aware that upgrading to OnCommand 6.2P1 might bring major issues

Thanks for reporting the issue and also providing more information. As mentioned in my 2nd reply, for vApp You need to contact NetApp Customer Support to gain the root access to the Virtual Appliance. The reason is vApp is locked down system and hence Customer Support Engineer will help you in making necessary changes. Please raise support ticket.

Re: Be aware that upgrading to OnCommand 6.2P1 might bring major issues

[ Edited ]

While Opera is NOT supported browser to be used with Unified Manager product. Supported Browsers include : IE, FireFox, Chrome and Safari. Please follow below to access Unified Manager and Update your finding accordingly.

 

1. Firefox Latest Version.

2. In case you are using Google Chrome 45.0.2414.0 dev-m or other which is showing the error. You must first uninstall Chrome and use Google Chrome latest version 45.0.2431.0 or higher.

 

Re: Be aware that upgrading to OnCommand 6.2P1 might bring major issues

how do i access the Cli?  i'm running v6.1R1

when i connect via SSH or open the console to the VM, and login with "admin" it takes me to this menu with no option to access CLI to enter the commands you've listed

 


Main Menu:
--------------------------
1 ) Upgrade (Disabled. Must be run on virtual machine console.)
2 ) Network Configuration
3 ) System Configuration
4 ) Support/Diagnostics

x ) Exit

Enter your choice:

Re: Be aware that upgrading to OnCommand 6.2P1 might bring major issues

As VApp is closed system, Please contact NetApp Customer Support to get further assistance.