<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Harvest Unable to set tls.enable on in Active IQ Unified Manager Discussions</title>
    <link>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Harvest-Unable-to-set-tls-enable-on/m-p/117894#M20945</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/45993"&gt;@mattbowden﻿&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;From the&amp;nbsp;SDK 5.3.1 release notes:&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;Default disablement of SSLv3 protocol for HTTPS transport, because of the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;More on the vulnerability is here: &lt;A href="https://www.us-cert.gov/ncas/alerts/TA14-290A" target="_self"&gt;https://www.us-cert.gov/ncas/alerts/TA14-290A&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Since the vulnerability is in the design of SSLv3 itself you should not assume your communications using it are secure. &amp;nbsp;Updating Data ONTAP to a release with TLS support is the answer. &amp;nbsp;If it isn't possible then you could take steps to reduce the risk such as (a) using RBAC so that the user login details&amp;nbsp;that could be compromised is capable of only read-only actions, (b) modify options httpd.admin.access&amp;nbsp; so that a small set of hosts are allowed to manage the system.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you have an environment with a mix of systems, some supporting TLS and some not, you could still use the 5.3 SDK and just make sure that SSLv3 is disabled on the systems that support TLS. &amp;nbsp;In this way you are vulnerable only on the systems where there is no alternative.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers,&lt;BR /&gt;Chris Madden&lt;/P&gt;&lt;P&gt;Storage Architect, NetApp EMEA (and author of Harvest)&lt;/P&gt;&lt;P&gt;Blog:&amp;nbsp;&lt;A href="http://blog.pkiwi.com/" target="_blank"&gt;It all begins with data&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;If this post resolved your issue, please help others by selecting&amp;nbsp;&lt;STRONG&gt;ACCEPT AS SOLUTION&lt;/STRONG&gt;&amp;nbsp;or adding a&amp;nbsp;&lt;STRONG&gt;KUDO&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 04 Apr 2016 09:33:28 GMT</pubDate>
    <dc:creator>madden</dc:creator>
    <dc:date>2016-04-04T09:33:28Z</dc:date>
    <item>
      <title>Harvest Unable to set tls.enable on</title>
      <link>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Harvest-Unable-to-set-tls-enable-on/m-p/117215#M20853</link>
      <description>&lt;P&gt;Harvest requires TLS to be enabled, however when running&amp;nbsp;tls.enable on on a 7-mode 8.02P6 I receive the following error:&lt;/P&gt;&lt;P&gt;Setting invalid option tls.enable failed.&lt;/P&gt;&lt;P&gt;is TLS not supported in this version of ONTAP? according to the harvest install/admin guide ONTAP 8.0 is supported by harvest.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 18 Mar 2016 22:26:29 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Harvest-Unable-to-set-tls-enable-on/m-p/117215#M20853</guid>
      <dc:creator>shem</dc:creator>
      <dc:date>2016-03-18T22:26:29Z</dc:date>
    </item>
    <item>
      <title>Re: Harvest Unable to set tls.enable on</title>
      <link>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Harvest-Unable-to-set-tls-enable-on/m-p/117220#M20857</link>
      <description>&lt;P&gt;Hi, &lt;a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/5356"&gt;@shem﻿&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Because vulnerabilities were discovered in SSL v3 you can no longer guarantee&amp;nbsp;communications using it are secure. &amp;nbsp;As a result&amp;nbsp;the SDK was also adapted to require TLS and I added the instructions to enable TLS in Data ONTAP. &amp;nbsp;If you have controllers that don't support TLS and you can't or don't want to upgrade them to a release that does, as a workaround you could use an older version of the SDK, such as v&amp;nbsp;5.3, that still allows non TLS connections.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here are the steps:&lt;/P&gt;&lt;P&gt;1) Download &lt;A href="http://mysupport.netapp.com/NOW/download/software/nmsdk/5.3/" target="_self"&gt;http://mysupport.netapp.com/NOW/download/software/nmsdk/5.3/&lt;/A&gt;&amp;nbsp;from the support site and copy to your poller host in&amp;nbsp;/tmp.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2) Extract it:&lt;/P&gt;&lt;P&gt;cd /tmp&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;unzip netapp-manageability-sdk-5.3.zip netapp-manageability-sdk-5.3/lib/perl/NetApp/*&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;3) Stop the poller:&lt;/P&gt;&lt;P&gt;/opt/netapp-harvest/netapp-manager -stop&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;4) Rename current lib and create new empty one:&lt;/P&gt;&lt;P&gt;mv /opt/netapp-harvest/lib /opt/netapp-harvest/lib-old&lt;/P&gt;&lt;P&gt;mkdir &lt;SPAN&gt;/opt/netapp-harvest/lib&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;5) Copy 5.3&amp;nbsp;lib in place:&lt;/P&gt;&lt;P&gt;mv netapp-manageability-sdk-5.3/lib/perl/NetApp/* /opt/netapp-harvest/lib&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;6)&amp;nbsp;Start poller:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;/opt/netapp-harvest/netapp-manager -start&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Please post if this allows collection or not, and kudos if it is indeed a solution for you.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers,&lt;BR /&gt;Chris Madden&lt;/P&gt;&lt;P&gt;Storage Architect, NetApp EMEA (and author of Harvest)&lt;/P&gt;&lt;P&gt;Blog:&amp;nbsp;&lt;A href="http://blog.pkiwi.com/" target="_blank" rel="nofollow"&gt;It all begins with data&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;If this post resolved your issue, please help others by selecting&amp;nbsp;&lt;STRONG&gt;ACCEPT AS SOLUTION&lt;/STRONG&gt;&amp;nbsp;or adding a&amp;nbsp;&lt;STRONG&gt;KUDO&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 20 Mar 2016 08:42:55 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Harvest-Unable-to-set-tls-enable-on/m-p/117220#M20857</guid>
      <dc:creator>madden</dc:creator>
      <dc:date>2016-03-20T08:42:55Z</dc:date>
    </item>
    <item>
      <title>Re: Harvest Unable to set tls.enable on</title>
      <link>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Harvest-Unable-to-set-tls-enable-on/m-p/117528#M20902</link>
      <description>&lt;P&gt;With regards to the option of reverting back to 5.3 to allow non-TLS connectivity. &amp;nbsp;Would this library make the poller vulnerable to any SSL vulnerability?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="http://mysupport.netapp.com/documentation/productlibrary/index.html?productID=60427" target="_blank"&gt;http://mysupport.netapp.com/documentation/productlibrary/index.html?productID=60427&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 24 Mar 2016 21:29:51 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Harvest-Unable-to-set-tls-enable-on/m-p/117528#M20902</guid>
      <dc:creator>mattbowden</dc:creator>
      <dc:date>2016-03-24T21:29:51Z</dc:date>
    </item>
    <item>
      <title>Re: Harvest Unable to set tls.enable on</title>
      <link>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Harvest-Unable-to-set-tls-enable-on/m-p/117894#M20945</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/45993"&gt;@mattbowden﻿&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;From the&amp;nbsp;SDK 5.3.1 release notes:&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;Default disablement of SSLv3 protocol for HTTPS transport, because of the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;More on the vulnerability is here: &lt;A href="https://www.us-cert.gov/ncas/alerts/TA14-290A" target="_self"&gt;https://www.us-cert.gov/ncas/alerts/TA14-290A&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Since the vulnerability is in the design of SSLv3 itself you should not assume your communications using it are secure. &amp;nbsp;Updating Data ONTAP to a release with TLS support is the answer. &amp;nbsp;If it isn't possible then you could take steps to reduce the risk such as (a) using RBAC so that the user login details&amp;nbsp;that could be compromised is capable of only read-only actions, (b) modify options httpd.admin.access&amp;nbsp; so that a small set of hosts are allowed to manage the system.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you have an environment with a mix of systems, some supporting TLS and some not, you could still use the 5.3 SDK and just make sure that SSLv3 is disabled on the systems that support TLS. &amp;nbsp;In this way you are vulnerable only on the systems where there is no alternative.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers,&lt;BR /&gt;Chris Madden&lt;/P&gt;&lt;P&gt;Storage Architect, NetApp EMEA (and author of Harvest)&lt;/P&gt;&lt;P&gt;Blog:&amp;nbsp;&lt;A href="http://blog.pkiwi.com/" target="_blank"&gt;It all begins with data&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;If this post resolved your issue, please help others by selecting&amp;nbsp;&lt;STRONG&gt;ACCEPT AS SOLUTION&lt;/STRONG&gt;&amp;nbsp;or adding a&amp;nbsp;&lt;STRONG&gt;KUDO&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 04 Apr 2016 09:33:28 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Harvest-Unable-to-set-tls-enable-on/m-p/117894#M20945</guid>
      <dc:creator>madden</dc:creator>
      <dc:date>2016-04-04T09:33:28Z</dc:date>
    </item>
    <item>
      <title>Re: Harvest Unable to set tls.enable on</title>
      <link>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Harvest-Unable-to-set-tls-enable-on/m-p/135825#M24617</link>
      <description>&lt;P&gt;Hi Chris&lt;/P&gt;&lt;P&gt;I had follow your steps (on 7-Mode 8.0.2P4 TLS dosen't exist) and it still doesn't work&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Error message :&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;"&lt;/P&gt;&lt;P&gt;[WARNING] [sysinfo] Update of system-info cache DOT Version failed with reason: No response received from server; Recommend to verify TLS is enabled (7-mode: options tls.enable) and/or setup ssl again (7-mode: secureadmin setup ssl)&lt;/P&gt;&lt;P&gt;[WARNING] [main] system-info update failed; will try again in 10 seconds.&lt;/P&gt;&lt;P&gt;"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Upgrade DataOntap is not possible.&lt;/P&gt;&lt;P&gt;Do you have an alternate solution ?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 07 Nov 2017 14:39:30 GMT</pubDate>
      <guid>https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Harvest-Unable-to-set-tls-enable-on/m-p/135825#M24617</guid>
      <dc:creator>DaV</dc:creator>
      <dc:date>2017-11-07T14:39:30Z</dc:date>
    </item>
  </channel>
</rss>

