Active IQ Unified Manager Discussions

NetApp-Harvest: Update of system-info cache DOT Version failed with reason: Authorization failed

maartendeboer

After installing NetApp-Harvest 1.3 using ssl_cert I still get "Update of system-info cache DOT Version failed with reason: Authorization failed".

Used with user 

::> security login create -user-or-group-name netapp-harvest -application ontapi -role netapp-harvest-role -authmethod password

And only SSL

::> security login create -user-or-group-name netapp-harvest -application ontapi -role netapp-harvest-role -authmethod cert

 

How can I see where it goes wrong?

And how to fix?

 

KR, Maarten de Boer

 


madden

Hi,

 

The Harvest v1.3 documentation on page 18 has steps to create ssl certs and install to the Harvest host and the cluster.  Did you use these?

 

In the poller entry you also need something like the following to tell Harvest to use cert (not the default password) auth and provide the files (that are in the ./cert subdir):

 

 

auth_type      = ssl_cert
ssl_cert = 10yr.pem
ssl_key = 10yr.key

 

 

Cheers,

Chris Madden

Solution Architect - 3rd Platform - Systems Engineering NetApp EMEA (and author of Harvest)

Blog: It all begins with data

 


 

 

maartendeboer

Hello Chris,

Thanks for the quick response.

I followed the ssl_cert part in the manual.

So created 2 files in cert/

-rw-r--r--. 1 root root 916 Sep 27 12:10 netapp-harvest.key
-rw-r--r--. 1 root root 1078 Sep 27 12:10 netapp-harvest.pem

 

 

And the part in netapp-harvest.conf is:

 

## If using ssl_cert (and not password auth)
## uncomment and populate next three lines
auth_type = ssl_cert
# ssl_cert = INSERT_PEM_FILE_NAME_HERE
# ssl_key = INSERT_KEY_FILE_NAME_HERE
ssl_cert = netapp-harvest.pem
ssl_key = netapp-harvest.key

 

[nlnaf100]
hostname = nlnaf100
group = nl

 

 

Still getting:

[2017-09-27 18:51:55] [WARNING] [sysinfo] Update of system-info cache DOT Version failed with reason: Authorization failed
[2017-09-27 18:51:55] [WARNING] [main] system-info update failed; will try again in 10 seconds.

 

 

 

madden

Hi @maartendeboer

 

Your config syntax looks ok. I would start by trying the instructions fresh with new cert files, and use a new username. I suspect either re-using the username is causing an issue or somewhere in the steps there was a small mistake. Retrying from scratch is my suggestion.

 

Cheers,

Chris Madden

Solution Architect - 3rd Platform - Systems Engineering NetApp EMEA (and author of Harvest)


 

 

maartendeboer

Hello Chris,

 

I followed the steps from page 18 from the NH Admin Guide.

 

- Emptied netapp-harvest/cert/

 

- Created new CERT-files : # openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout 10yr.key -out 10yr.pem

 

- In the CERT-dir:

ls -l
total 12
-rw-r--r--. 1 root root 916 Sep 28 11:17 10yr.key
-rw-r--r--. 1 root root 1078 Sep 28 11:17 10yr.pem
-rw-r--r--. 1 root root 184 Nov 10 2016 README.txt

 

- Entered ALL the info (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) from 10yr.pem

::> security certificate install -type client-ca -vserver <clustername>

Answer: You should keep a copy of the CA-signed digital certificate for future reference.

 

- Enabling:

::> security ssl modify -client-enabled true -vserver <clustername>

 

- Creating (new) user:

::> security login create -user-or-group-name netapp-harvest-2 -application ontapi -role netapp-harvest-role -authmethod cert

 

Modify config-file:

# vi netapp-harvest.conf

username = netapp-harvest-2
auth_type = ssl_cert
ssl_cert = 10yr.pem
ssl_key = 10yr.key

 

Resulting in log-file:

[2017-09-28 11:26:39] [NORMAL ] WORKER STARTED [Version: 1.3] [Conf: netapp-harvest.conf] [Poller: <cluster>]
[2017-09-28 11:26:39] [NORMAL ] [main] Poller will monitor a [FILER] at [<cluster>:443]
[2017-09-28 11:26:39] [NORMAL ] [main] Poller will use [ssl_cert] authentication with ssl_cert [10yr.pem] and ssl_key [10yr.key]
[2017-09-28 11:26:39] [WARNING] [sysinfo] Update of system-info cache DOT Version failed with reason: Authorization failed
[2017-09-28 11:26:39] [WARNING] [main] system-info update failed; will try again in 10 seconds.

 

Here comes my question.

How does netapp-harvest connect to the cluster?

I've configured in conf-file:

username = netapp-harvest-2

 

And created at the cluster the user "netapp-harvest-2"

 

But I thought it would NOT use username (& password)

 

Or should I still create a user WITH password like:

security login create -user-or-group-name netapp-harvest-2 -application ontapi -role netapp-harvest-role -authmethod password

 

This is NOT clear to me.

 

I've made a process-trace (strace) of it. But that's not useful to add to this community.

Hope you can help me solve "Authorization failed".

 

Kind Regards, Maarten de Boer

 

 

 

maartendeboer

Trying more;

Switched to username + password (at cDOT).

I then get in the log-file:

 

[2017-09-28 13:38:00] [NORMAL ] WORKER STARTED [Version: 1.3] [Conf: netapp-harvest.conf] [Poller: <clustername>]
[2017-09-28 13:38:00] [NORMAL ] [main] Poller will monitor a [FILER] at [nlnaf107:443]
[2017-09-28 13:38:00] [NORMAL ] [main] Poller will use [password] authentication with username [netapp-harvest-2] and password [**********]
[2017-09-28 13:38:00] [WARNING] [sysinfo] Update of system-info cache DOT Version failed with reason: in Zapi::invoke failed to connect SSL ; Recommend to verify TLS is enabled (7-mode: options tls.enable) and/or setup ssl again (7-mode: secureadmin setup ssl)
[2017-09-28 13:38:00] [WARNING] [main] system-info update failed; will try again in 10 seconds.

 

Does Netapp-Harvest NOT recognize cDOT?

Because it's complaining about TLS (at 7-mode)

 

KR, Maarten de Boer

 

madden

Hi @maartendeboer

 

Did you set the common name on the certificate to netapp-harvest-2 when you created it?

 

When using ssl_cert auth your config file would be something like:

 

auth_type = ssl_cert
ssl_cert = 10yr.pem
ssl_key = 10yr.key

No username = value is needed in the harvest conf file.

 

On the cluster you do not need to configure an -authmethod password either.

 

I just verified by creating a netapp-harvest-2 user on my cluster with the instructions from the install and admin guide and it worked.  Cluster is running 9.1 (but I have another running 8.2 with the same config).

 

Cheers,

Chris

 

 

maartendeboer

Hello Chris,

No I did not.

 

I used the nonFQHN servername of the netapp-harvest-server

 

Common Name (eg, your name or your server's hostname) []:<nh-servername>

 

But now I, might, understand how the "connection" with CERT & username is made.

 

Keep you posted.

 

KR, Maarten de Boer

 

maartendeboer

Hello Chris,

 

The advice on "Common Name (eg, your name or your server's hostname)" when creating the cert-files (`openssl ...`) seems to be crucial.

Indeed when the "Common Name" is the same as the username (in this case "netapp-harvest") it works.

Sounds logical, because the creation of the user is:

::> security login create -user-or-group-name netapp-harvest -application ontapi -role netapp-harvest-role -auth cert

What makes the "connection" with the cert authentication.

I see now you've written this down into the userguide (Note: The ‘Common Name’ must match the username you create on the cDOT cluster later.)

As many times when having an issue, you've overlooked something.

 

Thanks for your help.

 

KR, Maarten de Boer
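
The check that resolves this thread, as an added example (not code from the thread or from the Harvest guide): the certificate's Common Name has to equal the ONTAP login name, so compare the two before running `security certificate install`. The function names, the 2048-bit key size and the `umask 077` on the key file are choices made for this example.

```sh
#!/bin/sh
# Added example: function names, key size and umask are assumptions made here.

# Pull the CN out of an `openssl x509 -noout -subject` line. Handles the
# older "/C=NL/CN=name" layout and the newer "C = NL, CN = name" layout.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's|^.*CN *= *\([^,/]*\).*$|\1|p' | sed 's/ *$//'
}

# Succeeds only when the CN equals the ONTAP login name exactly.
cn_matches_user() {   # $1 = subject line, $2 = ONTAP username
    [ "$(cn_from_subject "$1")" = "$2" ]
}

# Check a PEM file on disk against the login name (needs openssl).
check_cert() {        # $1 = PEM path, $2 = ONTAP username
    subject=$(openssl x509 -in "$1" -noout -subject) || return 2
    if cn_matches_user "$subject" "$2"; then
        echo "OK: CN matches login '$2'"
    else
        echo "MISMATCH: CN '$(cn_from_subject "$subject")' != login '$2'" >&2
        return 1
    fi
}

# Create key and self-signed cert with the CN preset, so the interactive
# "Common Name" prompt cannot be answered with a hostname by mistake.
# umask 077 keeps the private key readable by its owner only.
make_cert() {         # $1 = ONTAP username, $2 = output basename
    ( umask 077
      openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
          -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null )
}

# Typical use, from the Harvest cert directory:
#   make_cert netapp-harvest-2 10yr
#   check_cert 10yr.pem netapp-harvest-2
```

`check_cert` returns 1 on a mismatch, which is the situation in this thread where the CN was the Harvest server's hostname while the cluster login was `netapp-harvest-2`.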

 
