Active IQ Unified Manager Discussions

Host Services 1.1

drewmoganias
12,231 Views

I am troubleshooting the new Host Service 1.1 on vSphere5 and
having trouble registering it.

Just says “Failed to configure DataFabric Manager server IP
address: 172.16.3.32 and port: 8488 on the Host Service”

  

When I look on the vCenter server (where host services is
installed) I see it trying on the log...says
Communication failure between
HostAgent and DFM server: Could not establish trust relationship for the
SSL/TLS secure channel with authority 'dfm-32:8488'.  Please make sure DFM
server is up running.

DFM server is up and running with no problems.

Windows Firewalls are turned off on both servers.

DNS is working both forward/reverse on both hosts.

I have re-installed Host Services on vcenter server, but no change and installer completes with no errors on both initial and reinstall.

Any ideas?

Thanks,

drew

34 REPLIES 34

malcolmpenn
5,461 Views

Hi Arun,

Thanks for all your assistance with this issue.

I have tried the above but we are still seeing the same issues, we have an open case with NetApp support to investigate the issue - it seems whatever we try and results are the same

12/13/2011 12:03:18:716 PM : ProcessID= 1996 ThreadID= 8

StateChangeEventProcessor::ProcessEventMessages-Exit

12/13/2011 12:03:18:716

PM : ProcessID= 1996 ThreadID= 8 EventManager::ProcessEvents-Exit

12/13/2011

12:03:19:904 PM : ProcessID= 1996 ThreadID= 6 CheckHostServiceCertificate:

Certificate [E=support@NetApp.com, CN=CSONETAPPMGR01.uk.xxx.net, OU=Storage

Management, O=NetApp, L=San Jose, S=California, C=US] received. Errors

[RemoteCertificateChainErrors]

12/13/2011 12:03:19:904 PM : ProcessID= 1996

ThreadID= 6 CheckHostServiceCertificate: Certificate validation failed.

Denied

12/13/2011 12:03:19:920 PM : ProcessID= 1996 ThreadID= 6 invoke has

CommunicationException, details: Could not establish trust relationship for the

SSL/TLS secure channel with authority '10.11.8.31:8488'.

12/13/2011

12:03:19:920 PM : ProcessID= 1996 ThreadID= 6 ApiDispatcher failed to call dfm

with DfmSoapProxyException exception : Could not establish trust relationship

for the SSL/TLS secure chan

We are also seeing this error from protection manager:

"Error 403 fault: SOAP-ENV:Server[no subcode]

"HTTP Error"

Detail: HTTP/1.1 403 Forbidden

I belive that it's burt 507569 but this was fixed in 1.1 and we are using 1.1

When we have a fix I will post how this problem was resolved.

Cheers

Malcolm

svijay
5,221 Views

Malcolm,

Also, If you are running a Server Core version, The configuration is not a supported one.

regards,

Vijay

malcolmpenn
5,221 Views

Vijay,

We passed our configuration through the IMT (OnCommand Core Package) and everything we are using says it's supported.

On-Command Core Package 5.0 with On-Command Host Package 1.1, Core server Windows 2008 R2 and Host (vCenter) Windows 2003 R2.

Cheers

Malcolm

pmalar
5,221 Views

Hi,

Please check if https is disabled before generating the ssl ceritificate.

1. dfm option list | findstr http

2. If https is enabled, please disable https

3. Then re-generate ssl cerificate using command "dfm ssl service setup -f"

4. After generating the certifcate enable https back on dfm server.

Regards,

Malar.

kjag
5,221 Views

Hi,

Please try regenerating the certificate on the HS by running the below command.

1. Unregister the HS from dfm using "dfm hs unregister -f "

2. From HS powershell run "New-HSCertificate" and create a new certificate.

3. Run "Get-HSConfiguration -certificateinfo" to see the certificate is generated properly.

4. Register the Host Service in DFM by accepting the new certificate.

Also ensure that the Host Service and DFM time are not having more than 5mins difference.

Thanks,

KJag

pattar
5,221 Views

Hi Malcom,

We faced a similar issue with HS on Win 2003. Are you using HS on Win 2003?

If so there are issues with certificate decoding and is fixed through  hot fix reported through KB 968730.

If its not yet applied please apply that hot fix and let us know if it works fine,

Thanks and regards,

Vishwanath Pattar!!

pattar
5,221 Views

Hi Malcom,

We faced a similar issue with HS on Win 2003. Are you using HS on Win 2003?

If so there are issues with certificate decoding and is fixed through  hot fix reported through KB 968730.

If its not yet applied please apply that hot fix and let us know if it works fine,

Thanks and regards,

Vishwanath Pattar!!

malcolmpenn
5,221 Views

Hi Vishwanath,

Yes our HS is using Windows 2003 - i had an email from support on Frirday that the following hotfix should be applied:

http://support.microsoft.com/kb/968730/en

and then:

1.       Apply This hotfix to the HS server http://support.microsoft.com/kb/968730/en

2.       dfm ssl service setup -f (To create new certificate in dfm)

3.       dfm ssl service reload (To use this new certificate on DFM)

4.       On the HS server Open the HS powershell and run “Configure-HostService –options authorize::false”

5.       Dfm hs unregister –f <host>

6.       Dfm hs register <hosts>

We are planning to test in the coming days but this certainly makes sense to the errors we are seeing in the logfiles.

Cheers

Malcolm

sanderbreur
5,221 Views

Thanks, this really helped me out, hotfix resolved the problem.

JANDREWARTHA
5,460 Views

Hi Malcom,

Did you find a fix to the

"Error 403 fault: SOAP-ENV:Server[no subcode]

"HTTP Error"

Detail: HTTP/1.1 403 Forbidden

problem?

Thanks

DOMINIC_WYSS
6,242 Views

had the same issue after updating to OnCommand Core 5.2 and HostPackage 1.3

the solution was unregister, recreate the HS cert (not the dfm cert) and reregister.

on dfm server:

dfm hs list

dfm hs unregister -f <hs-id>

on hs server in powershell:

Configure-HostService -options authorize::false

New-HSCertificate

on dfm server:

dfm hs register -i <dfm-IP> <hs-IP>

dfm hs list (hs should still have the same id)

dfm hs authorize <hs-id>

dfm hs discover <hs-id>

dfm hs diag <hs-id>

zmizmizmi
6,242 Views

ocum 5.2, hostpackage 1.3, same problem. But I can't get it working. Even re-installed hostpackage now. Diag says this:

Network Connectivity
IP Address                    <hidden>, but OK
FQDN                         <hidden>, but OK
Admin Port                    8699
HTTPS                         Failed
Plugin Reachable              Unknown

DataFabric Manager server configuration
Port                          Unknown
IP Address/DNS                Unknown
DFM Reachable                 Unknown

Acording to:                  DataFabric Manager server              Host Service
Management Port               8799                                   Unknown

Host Service version          1.3.0.1537                             Unknown

Plugin Information
Plugin version                1.1.0.0                                Unknown
Plugin Type                   OnCommand Host Service VMware Plug-in  Unknown

Why is HTTPS=failed? What does it mean? Also, "dfm hs list" says Status=down, and the TZ should be GMT+2 (where to fix?):

Id         Host Name                                Host Address         Version    Status                 Timezone
---------- ---------------------------------------- -------------------- ---------- ---------------------- ----------------------------------------
184       <hidden>                           <hidden>                  1.3.0.1537     down                   GMT-2:00(2 hours East of UTC).

# dfm hs configure -i <hidden> 184

Error: Failed to configure Host Service. Reason: Host Service status is down. Please check if Host Service is running.

There's something wrong - I originaly came here because in the web interface of oncommand, I cannot edit a dataset:

Error:     The task: Push dataset xxx (1450) configuration to host service VCENTER (184) cannot be done at this time.

Action:   Push dataset xxx (1450) configuration to host service VCENTER (184).

Reason:  The Host Service is down at this time.

Suggestion: Resolve the problem with the Host Service.

The service is running - what is the problem?

zmizmizmi
5,174 Views

I think the problem is with the certificate. I created it new as suggested above, still always get this in the oncommandhostsvc.log:

10.17.2013 06:00:48:442  :  ProcessID= 10024 ThreadID= 6 CheckHostServiceCertificate: Certificate [E=hostmaster@zmi.at, CN=vCenter.hosting.zmi.at, OU=Storage Management, O=Proteger, L=Korneuburg, S=Korneuburg, C=AT] received. Errors [RemoteCertificateChainErrors]

10.17.2013 06:00:48:445  :  ProcessID= 10024 ThreadID= 6 CheckHostServiceCertificate: Certificate validation failed. Denied

10.17.2013 06:00:48:451  :  ProcessID= 10024 ThreadID= 6 invoke has CommunicationException, details: Es konnte keine Vertrauensstellung für den sicheren SSL/TLS-Kanal mit Autorität 10.127.4.10:8488 eingerichtet werden.

(the last line means "couldn't create trust relationship for secure SSL/TLS"

Any ideas how to fix?

JANDREWARTHA
5,174 Views

So by default the DFM certificate is valid for two years, which means for me it just expired. Fortunately I found this thread again and the following worked:

dfm ssl service setup -f (setting the expiry to 3650 days this time)

dfm ssl service reload

And it was all good. I did run Configure-HostService -options authorize::false but I don't think it was needed or had any effect.

Public