Active IQ Unified Manager Discussions

OnCommand System Manager recieves error 500

atinivelli

Good day, i am running OnCommand System Manager ver 3.1.1 on Windows.

 

Today, for the very first time, i have seen this issue: i can connect to my 3210 running DataONTAP 8.0.3P2 7-mode, but when i try to reach my new 2240 running DataONTAP 8.1.3P3 7-mode i recieve an error 500 "connection refused".

 

I have found this workaround: on the 2240s i have issued the command >options httpd.admin.enable on ;

after this the OnCommand System Manager probably still tries a secure connection, on the console i see errors like 

[hostname: HTTPPool03:warning]: HTTP XML Authentication failed from MyClientIP . 

 

But now i guess OnCommand System Manager falls back to a non secure connection, i see the question "do you want to set up a secure connection or continue without...", i answer "continue without" and i'm able to manage my filers again.

 

What's happened? Maybe something java updates related? Thanks in advance.

Alessandro

 

 

94 REPLIES 94

EricLotgerink

In our case we had to run:

 

secureadmin setup ssl

 

And we had to change the key length from 512 to 2048.

All other options were already activated (see the KB article named in this thread) and tried.

This solved it.

Quelqu 'un a trouve la solution a ce problème. Merci pour votre aide

namil7869

For System Manager 3.1.2 to manage storage systems running Data ONTAP 7.3.x , 8.1.x and 8.2.x operating in 7-Mode ,TLS protocol must be enabled

If TLS protocol is not setup , System Manager 3.1.2 will display an error while adding to home page that TLS is not setup

TLS protocol is enabled by default for storage systems running Data ONTAP in Cluster mode.

Refer to https://kb.netapp.com/support/index?page=content&id=9010008/WebForPC

 

The next version of 3.1.2, targeted for end of March or early April, will officially support Java 8

LPrice

I have a related issue. I am applying STIGs and hardening my filers. Here is an overview of the equipment.

 

FAS2050 running 7.3.5.1 7-Mode

V3240 running 8.2.3P3 7-Mode

FAS2240-4 running 8.2.3P3  7-Mode

 

I thought I had everything running perfect on my V3240 filers but security scans (HBSS with NetApp Plugin) still find several SSL findings. I was hoping switching to TLS would eliminate them but it seems not.

 

Question is, how can I check to ensure that TLS is being used and SSL is being refused?

 

I am not talking about just checking "options tls" and seeing what it is set to. I mean how can I verify that TLS is in fact working, and SSL connections are being refused?

 

For Cluster DataOnTap I saw something about a command like "Services Web Show" I think there is a 4th word to the command. I do not know how to perform this similarly in 7-Mode.

 

 

 

edwardmou

So after being trying to fix this for a few hours I thought I would share. My version of java had updated to the 8u73 when it stopped working.

OCSM version 3.1.2 on Windows 10 (obiously 64bit)

Getting 500 error when trying to connect to all filers.

Solution, uniinstall all versions of java and install version jre-8u51-windows-x64.exe. Java must recognise this as the system version for it to work. This seems to be the highest version of Java that works.

Also ensure TLS is enabled on filers as per previous posts.

Ed

SLC_TAYLOR

@edwardmou wrote:

So after being trying to fix this for a few hours I thought I would share. My version of java had updated to the 8u73 when it stopped working.

OCSM version 3.1.2 on Windows 10 (obiously 64bit)

Getting 500 error when trying to connect to all filers.

Solution, uniinstall all versions of java and install version jre-8u51-windows-x64.exe. Java must recognise this as the system version for it to work. This seems to be the highest version of Java that works.

Also ensure TLS is enabled on filers as per previous posts.

Ed


The reason you need the old version is that they started forcing a larger minimum key size after that.  If you edit Java.security to allow a 512 Key size as a I mentioned above, it should work on the newer versions. 

fedaynnetapp

The options from this reddit post worked for me:

 

 

options TLS

 

For TLS to take effect on HTTPS, ensure that the httpd.admin.ssl.enable option is also set to ON. options tls.enable on options httpd.admin.ssl.enable on

 

Regards.

abailly

This is how I resolv 500 connection refused with lastest version of java-8  on Debian :

 

Latest java version refuse small RSA key size (<1024)

 

To get arround, edit /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/java.security

 

and change

 

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

 

to

 

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 128

 

No very safe but OnCommand is working

SLC_TAYLOR

@abailly wrote:

This is how I resolv 500 connection refused with lastest version of java-8  on Debian :

 

Latest java version refuse small RSA key size (<1024)

 

To get arround, edit /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/java.security

 

and change

 

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

 

to

 

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 128

 

No very safe but OnCommand is working


 

I did the same on Windows, but used 512 instead of 128 since I think that is the old key size.  512 should be a bit more secure than 128!  

 

Works now.   Thanks for the tip.  I spent 2 hours monkeying with Java and I already had all the TLS settings, etc,  enabled

 

 

 

 

 

BLAINE

Java 8u66 brings back the 500 error.

 

I am running 3.1.2 and it was working fine with older versions of Java but as soon as Java updated to 8u66 that brought back the 500 error.    I had to remove Java and install an older version to get it working again.

 

 

PeterSun

I  have the same problem, after upgrading to java 8u65 or java 8u66, I get a error 500 message.

yuvaraju

Refer to KB 2025623 and public report on BURT 960004

 

Details:

If you are running System Manager and if you upgrade the Java version to JRE 8u65, you might no longer be able to log into the storage system using System Manager. The connection to the storage system is refused because JRE 8u65 version requires a certificate with a key length of at least 1024.

 

Perform the following steps:

  1. If TLS is not enabled, Run the following command to enable TLS on the storage system: option tls.enable on
  1. Regenerate the SSL certificate on the storage system running the secureadmin setup ssl command and specifying a key length of at least 1024. (Advanced mode)  secureadmin setup -f -q ssl t <country> <state> <locality> <organization> <unit> <fqdn> <email> 1024
  1. After updating the certificates on the storage systems, ensure that there is no java processes related to System Manager running and then relaunch System Manager.

PeterSun

I regenerate new SSL cert. by using OnCommand System Manager, but it was failed.

 

I try to regenerate SSL cert. from CLI, and it works!

 

Thank you, yuvaraju.

 

mzaragoza

I have to day. the error

Error : 500 NetApp-Error.PNG

CHUCK_SAUNDERS

Here are the orignal steps I used.

Make sure the httpd.admin is off (on is not secured)

options httpd.admin.enable off

 

Re-Run the setup for Secure Admin
secureadmin disable all
secureadmin setup ssl
secureadmin enable ssl
secureadmin enable ssh2

 

Enable TLS (in older version of ONTAP, this off by default)
options tls.enable on

 

Close any open OCSM Session and try again.

 

This resolved the 500 Connection Refused erros for me and I am running Java 8x (Currently 8u51 and working great)

CHUCK_SAUNDERS

Make sure to run this command on the controller(s)

options tls.enable on

 

Tow other things that may need to happen to make this work as well

1.)   In addition, you may need to run through the secure admin setup again as well on your filers

2.)  In the Java Control panel on the security tab, the controllers should be added as trusted hosts/sites or Java may reject the certificate and block the connection.

 

I have had this working very well for me through all of the 8uX updates.

seilogramp

Went thru all sorts of combinations of java versions. Reinstalling system commander multiple times. No version of java made this work without the "connection refused" error.

 

Then tried this...

 

       options tls.enable on

 

I'm back in business. Thanks!

TedGordon

Thank you seilogramp, that worked for me!

 

Set the following on each node to resolve the issue:

 

options tls.enable on

aborzenkov
It was mentioned recently that the latest Java requires larger key size (at least 1024 bits). Try to reconfigure SSL on filet specifying larger size.

cbdallas79

Thank you aborzenkov for that info, that fixed my problem. I had to run through the secureadmin setup ssl process again on both my filers and specify a key size of at least 1024 bits as you mentioned, was able to connect with OCSM just fine after that.

 

For other's having the same problem, here's the info from the KB ID: 2025623

 

OnCommand System Manager displays error message: The storage system is not configured for secure management with TLS after upgrading to Java 8u65 and later

KB ID: 2025623 Version: 6.0 Published date: 11/03/2015 Views: 219
 
Environment

OnCommand System Manager (OCSM) 3.1.2
Java 8u65+

Symptoms

While attempting to manage a storage system through HTTPS using System Manager while on Java 8u65 or later version, the following error message is displayed:
The storage system is not configured for secure management with TLS.
When selecting No at the prompt, another error message is displayed: TLS is not set up.

The storage system configuration has TLS enabled (both partners for Data ONTAP 7-Mode).
The Java configuration has TLS 1.0, 1.1, and 1.2 enabled.
The browser being used has TLS 1.0, 1.1, and 1.2 enabled.

Attempts to connect to the same storage system succeed on earlier versions of Java (less than 8u65).

Cause

Starting with version 8u65, Java requires certificates with a key length of at least 1024.

Solution

To resolve the issue, regenerate the SSL certificate on the storage system running the secureadmin setup ssl command and specifying a key length of at least 1024.

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner
Public