Active IQ Unified Manager Discussions

Harvest Unable to set tls.enable on

shem
5,147 Views

Harvest requires TLS to be enabled, however when running tls.enable on on a 7-mode 8.02P6 I receive the following error:

Setting invalid option tls.enable failed.

is TLS not supported in this version of ONTAP? according to the harvest install/admin guide ONTAP 8.0 is supported by harvest. 

4 REPLIES 4

madden
5,105 Views

Hi, @shem,

 

Because vulnerabilities were discovered in SSL v3 you can no longer guarantee communications using it are secure.  As a result the SDK was also adapted to require TLS and I added the instructions to enable TLS in Data ONTAP.  If you have controllers that don't support TLS and you can't or don't want to upgrade them to a release that does, as a workaround you could use an older version of the SDK, such as v 5.3, that still allows non TLS connections.

 

Here are the steps:

1) Download http://mysupport.netapp.com/NOW/download/software/nmsdk/5.3/ from the support site and copy to your poller host in /tmp.

 

2) Extract it:

cd /tmp

unzip netapp-manageability-sdk-5.3.zip netapp-manageability-sdk-5.3/lib/perl/NetApp/*

 

3) Stop the poller:

/opt/netapp-harvest/netapp-manager -stop

 

4) Rename current lib and create new empty one:

mv /opt/netapp-harvest/lib /opt/netapp-harvest/lib-old

mkdir /opt/netapp-harvest/lib 

 

5) Copy 5.3 lib in place:

mv netapp-manageability-sdk-5.3/lib/perl/NetApp/* /opt/netapp-harvest/lib

 

6) Start poller:

/opt/netapp-harvest/netapp-manager -start

 

Please post if this allows collection or not, and kudos if it is indeed a solution for you.

 

Cheers,
Chris Madden

Storage Architect, NetApp EMEA (and author of Harvest)

Blog: It all begins with data

 

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO

mattbowden
5,050 Views

With regards to the option of reverting back to 5.3 to allow non-TLS connectivity.  Would this library make the poller vulnerable to any SSL vulnerability?

 

http://mysupport.netapp.com/documentation/productlibrary/index.html?productID=60427

madden
4,986 Views

Hi @mattbowden

 

From the SDK 5.3.1 release notes:

Default disablement of SSLv3 protocol for HTTPS transport, because of the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability

 

More on the vulnerability is here: https://www.us-cert.gov/ncas/alerts/TA14-290A

 

Since the vulnerability is in the design of SSLv3 itself you should not assume your communications using it are secure.  Updating Data ONTAP to a release with TLS support is the answer.  If it isn't possible then you could take steps to reduce the risk such as (a) using RBAC so that the user login details that could be compromised is capable of only read-only actions, (b) modify options httpd.admin.access  so that a small set of hosts are allowed to manage the system.

 

If you have an environment with a mix of systems, some supporting TLS and some not, you could still use the 5.3 SDK and just make sure that SSLv3 is disabled on the systems that support TLS.  In this way you are vulnerable only on the systems where there is no alternative.

 

Cheers,
Chris Madden

Storage Architect, NetApp EMEA (and author of Harvest)

Blog: It all begins with data

 

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO

 

 

DaV
4,241 Views

Hi Chris

I had follow your steps (on 7-Mode 8.0.2P4 TLS dosen't exist) and it still doesn't work

 

Error message :

 

"

[WARNING] [sysinfo] Update of system-info cache DOT Version failed with reason: No response received from server; Recommend to verify TLS is enabled (7-mode: options tls.enable) and/or setup ssl again (7-mode: secureadmin setup ssl)

[WARNING] [main] system-info update failed; will try again in 10 seconds.

"

 

Upgrade DataOntap is not possible.

Do you have an alternate solution ?

 

Best regards

 

Public