Active IQ Unified Manager Discussions

OnCommand System Manager recieves error 500

atinivelli
130,101 Views

Good day, i am running OnCommand System Manager ver 3.1.1 on Windows.

 

Today, for the very first time, i have seen this issue: i can connect to my 3210 running DataONTAP 8.0.3P2 7-mode, but when i try to reach my new 2240 running DataONTAP 8.1.3P3 7-mode i recieve an error 500 "connection refused".

 

I have found this workaround: on the 2240s i have issued the command >options httpd.admin.enable on ;

after this the OnCommand System Manager probably still tries a secure connection, on the console i see errors like 

[hostname: HTTPPool03:warning]: HTTP XML Authentication failed from MyClientIP . 

 

But now i guess OnCommand System Manager falls back to a non secure connection, i see the question "do you want to set up a secure connection or continue without...", i answer "continue without" and i'm able to manage my filers again.

 

What's happened? Maybe something java updates related? Thanks in advance.

Alessandro

 

 

95 REPLIES 95

AOXBOROUGH
27,284 Views

That's odd--I am running it just fine with 8u31.  I only needed to have 7 present to get through the System Manager installation, which will stop if you do not have 7 installed.  After installation, I removed 7 completely and it is still running.

 

The steps to turn off unsecure http admin, reset the certificate setup, and enable TLS made the difference for us.

SRay
27,221 Views

/!\ Security Hole /!\

 

You must modify the file "C:\Program Files\Java\jre1.8.0_31\lib\security\java.security" and disable the last line "jdk.tls.disabledAlgorithms=SSLv3" with #.

 

The last Java disable SSLv3, you must reactivate him.

richardtully
27,065 Views

@SRay wrote:

/!\ Security Hole /!\

 

You must modify the file "C:\Program Files\Java\jre1.8.0_31\lib\security\java.security" and disable the last line "jdk.tls.disabledAlgorithms=SSLv3" with #.

 

The last Java disable SSLv3, you must reactivate him.


This worked for me thanks SRay.   I'll have to make do with toggling it on and off when required until a fix is released. 

 

gkoufoud
18,520 Views

Worked for me too thanks SRay.

LeonidB
13,853 Views

THANK YOU!
That works for me.

I'm ruunig Java 8 update 45 

 

The files is change his location to:

C:\Program Files\Java\jre1.8.0_45\lib\security

 

Smiley Wink

Hilmar
27,126 Views

 

OK, what do we have learned the last days ?

 

With Java 8 there came a new security structure.

Regarding the flaws in SSL  (Heartbleed, Poodle) Java completely disabled SSL in the usable protocols list with version 8

 

Thats why elder versions (like my preferred 7u25) work with OCSM, but newer doesnt.

 

We found a workaround to run OCSM with Java 8  (Thanks to my Java Admin Josua):

- open a DOS Box

- jump to the OCSM-directory:

    cd "\Program Files\NetApp\OnCommand System Manager"

- start OCSM with parameter "i am sure what i do and i will run my OCSM with unsafe protocols" :

    java -Dsun.security.ssl.allowUnsafeRenegotiation=true -Djdk.tls.client.protocols="TLSv1, SSLv3" –jar SystemManager.jar

 

and everything is fine

 

hope that works for you as well

  Hilmar

SR
27,010 Views

I think what the industry should have learned a long time ago is that Java on the client side is an absolute mess for many of the reasons already stated here. It is not a system to be able to allow any device any software to be able to work. I would have to have 5-10 vm's just for the different software that requires different versions. Netapp and others please upgrade to other tech. One that comes to mind would be HTML 5 .net or just pick something beside the proven to fail java! Don't care if this is what you call "political". It's not its a call for using tech that works. 

greizt
19,418 Views

Thanks,

i also had a

500 connection has been shutdown: javax.net.ssl.SSLException:Received fatal alert: bad_record_mac

an this solved my problem

great job.

greetings greizt

greizt
18,889 Views

sorry,

 
solution was the one which worked for me

greizt

dsulli29
13,925 Views

simply enabling tls fixed the http 500 error for me

thollingworth
13,097 Views

8.1.4P3 7-Mode

 

OnCommand System Manager 3.1.2

 

Both controllers had TLS disabled. One allowed me to connect and the other returned "500 Connection Refused." 

 

I enabled TLS on the controller and it worked.

 

 

 

-Tim-

FV
533 Views

This worked for me but with :

options httpd.admin.enable off

    secureadmin disable all
    secureadmin setup ssl
    secureadmin enable ssl
    secureadmin enable ssh2

    options tls.enable on

options httpd.admin.enable on

 

And when creating the new SSL certificate, putting 2048 lenght

CHUCK_SAUNDERS
53,609 Views

Uninstalling a current version of Java and re-installing and older more vulnerable version is not an option.

What is the real fix for this?

Our internal polices will simply remove the older version of Java and update again each night during inventory and version checks.

atinivelli
53,540 Views

it is really impossible to guess why NetApp (but EMC, Equallogic also...) continues writing software to manage enteprise solutions -such as storage systems- using Java.

Java is not a reliable platform! You simply patch up your Java runtime environment (because of security issues) and voilà: nothing works any longer!

 

And, as anyone knows, every software based on JRE requires a specific, different version of JRE. Changing even the third subversion number of JRE breaks anything.

 

I think we, customers, should stop buying any product requiring JRE on admin's computer to be managed!

CHUCK_SAUNDERS
53,243 Views

I found the solution for this.  And, it does not require removing java, the OCSM and re-installing older versions

 

Make sure the httpd.admin is off (on is not secured)

options httpd.admin.enable off

 

Re-Run the setup for Secure Admin
secureadmin disable all
secureadmin setup ssl
secureadmin enable ssl
secureadmin enable ssh2

 

Enable TLS (in older version of ONTAP, this off by default)
options tls.enable on

 

Close any open OCSM Session and try again.

 

THis resolved the 500 Connection Refused erros for me and I am running Java 8x

AOXBOROUGH
50,935 Views

You, sir, are a genius!  This resolved the problem I was having!

rphelan
17,888 Views

The SSL-setup re-run helped me out.  Here's my situation:

 

Installed JRE8

Couldn't connect anymore.

Uninstalled OCSM

Uninstalled JRE8

Installed JRE7

Installed OCSM 3.1.2RC

Still couldn't connect.

Ran through the SSL settings on ONE filer of HA pair.

Still couldn't connect

Ran through the SSL setttings on the other filer of the HA pair.

SUCCESS! Was able to connect again.

 

 

 

nzmarkc
13,863 Views

Fantastic - thank you Chuck! This solution cut through all the problems. My system details: OCSM 3.1.2RC2 on Win8.1 with Java 8 U45, connecting to FAS2240 Data ONTAP 8.1.3.

LITTLEREDCAR
11,992 Views

the fix to this is to turn ON the following

 

httpd.admin.enable                 off
httpd.admin.hostsequiv.enable off

 

and try to login again.

AllenJohnson
10,110 Views

Thanks this worked

AlexanderSH
9,677 Views

INDEED. THANKS!

Public