Active IQ Unified Manager Discussions
Active IQ Unified Manager Discussions
After installing NetApp-Harvest 1.3 using ssl_cert I sitll get "Update of system-info cache DOT Version failed with reason: Authorization failed".
Used with user
::> security login create -user-or-group-name netapp-harvest -application ontapi -role netapp-harvest-role -authmethod password
And only SSL
::> security login create -user-or-group-name netapp-harvest -application ontapi -role netapp-harvest-role -authmethod cert
How can I see where it goes wrong?
And how to fix?
KR, Maarten de Boer
Solved! See The Solution
Hello Chris,
The advise of "Common Name (eg, your name or your server's hostname) " at creation the cer-files (`openssl ...`) seems to be crucial.
Indeed when the "Common Name" is the same as the username (in this case "netapp-harvest") it works.
Sounds logis, because the crations of the user is:
::> security login create -user-or-group-name netapp-harvest -application ontapi -role netapp-harvest-role -auth cert
What makes the "connection" with the cert authentiaction.
I see now you've writen this down into the userguide (Note: The ‘Common Name’ must match the username you create on the cDOT cluster later.)
As many time when having issue, you've overlooked something.
Thanks for your help.
KR, Maarten de Boer
Hi,
The Harvest v1.3 documentation on page 18 has steps to create ssl certs and install to the Harvest host and the cluster. Did you use these?
In the poller entry you also need something like to tell harvest to use cert (not the default password) auth and provide the files (that are in the ./cert subdir):
auth_type = ssl_cert ssl_cert = 10yr.pem ssl_key = 10yr.key
Cheers,
Chris Madden
Solution Architect - 3rd Platform - Systems Engineering NetApp EMEA (and author of Harvest)
Blog: It all begins with data
If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO or both!
Hello Chris,
Thanks for the quick response.
I followewd the ssl_cert part in the manual
So created 2 files in cert/
-rw-r--r--. 1 root root 916 Sep 27 12:10 netapp-harvest.key
-rw-r--r--. 1 root root 1078 Sep 27 12:10 netapp-harvest.pem
And the part in netapp-harvest.conf is:
## If using ssl_cert (and not password auth)
## uncomment and populate next three lines
auth_type = ssl_cert
# ssl_cert = INSERT_PEM_FILE_NAME_HERE
# ssl_key = INSERT_KEY_FILE_NAME_HERE
ssl_cert = netapp-harvest.pem
ssl_key = netapp-harvest.key
[nlnaf100]
hostname = nlnaf100
group = nl
Still getting:
[2017-09-27 18:51:55] [WARNING] [sysinfo] Update of system-info cache DOT Version failed with reason: Authorization failed
[2017-09-27 18:51:55] [WARNING] [main] system-info update failed; will try again in 10 seconds.
Your config syntax looks ok. I would start try the instructions fresh with new cert files, and use a new username. I suspect either re-using the username is causing an issue or somewhere in the steps there was a small mistake. Retrying from scratch is my suggestion.
Cheers,
Chris Madden
Solution Architect - 3rd Platform - Systems Engineering NetApp EMEA (and author of Harvest)
Blog: It all begins with data
If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO or both!
Hello Chris,
I followed the steps from page 18 from the NH Admin Guide.
- Emptied netapp-harvest/cert/
- Created new CERT-files : # openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout 10yr.key -out 10yr.pem
- In the CERT-dir:
ls -l
total 12
-rw-r--r--. 1 root root 916 Sep 28 11:17 10yr.key
-rw-r--r--. 1 root root 1078 Sep 28 11:17 10yr.pem
-rw-r--r--. 1 root root 184 Nov 10 2016 README.txt
- Entered ALL the info (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) from 10yr.pem
::> security certificate install -type client-ca -vserver <clustername>
Answer: You should keep a copy of the CA-signed digital certificate for future reference.
- Enabling:
::> security ssl modify -client-enabled true -vserver <clustername>
- Creating (new) user:
::> security login create -user-or-group-name netapp-harvest-2 -application ontapi -role netapp-harvest-role -authmethod cert
Modify config-file:
# vi netapp-harvest.conf
username = netapp-harvest-2
auth_type = ssl_cert
ssl_cert = 10yr.pem
ssl_key = 10yr.key
Resulting in log-file:
[2017-09-28 11:26:39] [NORMAL ] WORKER STARTED [Version: 1.3] [Conf: netapp-harvest.conf] [Poller: <cluster>]
[2017-09-28 11:26:39] [NORMAL ] [main] Poller will monitor a [FILER] at [<cluster>:443]
[2017-09-28 11:26:39] [NORMAL ] [main] Poller will use [ssl_cert] authentication with ssl_cert [10yr.pem] and ssl_key [10yr.key]
[2017-09-28 11:26:39] [WARNING] [sysinfo] Update of system-info cache DOT Version failed with reason: Authorization failed
[2017-09-28 11:26:39] [WARNING] [main] system-info update failed; will try again in 10 seconds.
Comes my question.
How does netapp-harvest connects to the cluster?
I've configured in conf-file:
username = netapp-harvest-2
And created at the cluster the user "netapp-harvest-2"
But I thought it would NOT use username (& password)
Or should I still create a user WITH password like:
security login create -user-or-group-name netapp-harvest-2 -application ontapi -role netapp-harvest-role -authmethod password
This is NOT clear to me.
I've made a process-trace (strace) of it. But thats not usefull to add it to this community.
Hope yoiu can help me how to solve "Authorization failed".
Kind Regards, Maarten de Boer
Trying more;
Switched to username + password (at cDOT).
Do I get in the log-file:
[2017-09-28 13:38:00] [NORMAL ] WORKER STARTED [Version: 1.3] [Conf: netapp-harvest.conf] [Poller: <clustername>]
[2017-09-28 13:38:00] [NORMAL ] [main] Poller will monitor a [FILER] at [nlnaf107:443]
[2017-09-28 13:38:00] [NORMAL ] [main] Poller will use [password] authentication with username [netapp-harvest-2] and password [**********]
[2017-09-28 13:38:00] [WARNING] [sysinfo] Update of system-info cache DOT Version failed with reason: in Zapi::invoke failed to connect SSL ; Recommend to verify TLS is enabled (7-mode: options tls.enable) and/or setup ssl again (7-mode: secureadmin setup ssl)
[2017-09-28 13:38:00] [WARNING] [main] system-info update failed; will try again in 10 seconds.
Does Netapp-Harvest NOT recognize cDOT?
Because its complaining about TLS (at 7-mode)
KR, Maarten de Boer
Did you set the common name on the certificate to netapp-harvest-2 when you created it?
When using ssl_cert auth your config file would be something like:
auth_type = ssl_cert ssl_cert = 10yr.pem ssl_key = 10yr.key
No username = value is needed in the harvest conf file.
On the cluster you do not need to configure an -authmethod password either.
I just verified by creating a netapp-harvest-2 user on my cluster with the instructions from the install and admin guide and it worked. Cluster is running 9.1 (but I have another running 8.2 with the same config).
Cheers,
Chris
Hello Chris,
No I did not.
I used the nonFQHN servername of the netapp-harvest-server
Common Name (eg, your name or your server's hostname) []:<nh-servername>
But now I, might, understand how the "connection" with CERT & username is made.
Keep you posted.
KR, Maarten de Boer
Hello Chris,
The advise of "Common Name (eg, your name or your server's hostname) " at creation the cer-files (`openssl ...`) seems to be crucial.
Indeed when the "Common Name" is the same as the username (in this case "netapp-harvest") it works.
Sounds logis, because the crations of the user is:
::> security login create -user-or-group-name netapp-harvest -application ontapi -role netapp-harvest-role -auth cert
What makes the "connection" with the cert authentiaction.
I see now you've writen this down into the userguide (Note: The ‘Common Name’ must match the username you create on the cDOT cluster later.)
As many time when having issue, you've overlooked something.
Thanks for your help.
KR, Maarten de Boer