Active IQ Unified Manager Discussions
Good day, I am running OnCommand System Manager ver 3.1.1 on Windows.
Today, for the very first time, I have seen this issue: I can connect to my 3210 running DataONTAP 8.0.3P2 7-mode, but when I try to reach my new 2240 running DataONTAP 8.1.3P3 7-mode I receive an error 500 "connection refused".
I have found this workaround: on the 2240s I have issued the command >options httpd.admin.enable on ;
after this the OnCommand System Manager probably still tries a secure connection; on the console I see errors like
[hostname: HTTPPool03:warning]: HTTP XML Authentication failed from MyClientIP .
But now I guess OnCommand System Manager falls back to a non-secure connection: I see the question "do you want to set up a secure connection or continue without...", I answer "continue without" and I'm able to manage my filers again.
What happened? Maybe something related to Java updates? Thanks in advance.
Alessandro
That's odd--I am running it just fine with 8u31. I only needed to have 7 present to get through the System Manager installation, which will stop if you do not have 7 installed. After installation, I removed 7 completely and it is still running.
The steps to turn off unsecure http admin, reset the certificate setup, and enable TLS made the difference for us.
/!\ Security Hole /!\
You must modify the file "C:\Program Files\Java\jre1.8.0_31\lib\security\java.security" and disable the last line "jdk.tls.disabledAlgorithms=SSLv3" with #.
The latest Java disables SSLv3; you must reactivate it.
@SRay wrote:
/!\ Security Hole /!\
You must modify the file "C:\Program Files\Java\jre1.8.0_31\lib\security\java.security" and disable the last line "jdk.tls.disabledAlgorithms=SSLv3" with #.
The latest Java disables SSLv3; you must reactivate it.
This worked for me thanks SRay. I'll have to make do with toggling it on and off when required until a fix is released.
Worked for me too thanks SRay.
THANK YOU!
That works for me.
I'm running Java 8 update 45.
The file has changed its location to:
C:\Program Files\Java\jre1.8.0_45\lib\security
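An added example, not part of any post in this thread: a small check that reports whether a JRE's java.security file still lists SSLv3 in jdk.tls.disabledAlgorithms, for confirming the setting was restored after the edit described above. The sample file contents are constructed and the function names are this example's own.

```python
import re
import sys

# Constructed sample: java.security after the edit described in this thread
# (the property is commented out, so this property no longer blocks SSLv3).
WEAKENED = """\
# Algorithm restrictions for SSL/TLS processing
#jdk.tls.disabledAlgorithms=SSLv3
"""

# Constructed sample: property present, value split with a line continuation.
HARDENED = """\
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms = SSLv3, \\
    RC4, DH keySize < 768
"""


def load_properties(text):
    """Parse Properties-style text: comments, continuations, '=' or ':' separators."""
    props, pending = {}, ""
    # The trailing "" flushes a file that ends in the middle of a continuation.
    for raw in text.splitlines() + [""]:
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment
        # An odd number of trailing backslashes continues the logical line.
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        key, _, value = re.match(r"([^=:\s]*)\s*([=:]?)\s*(.*)", logical).groups()
        props[key] = value.strip()
    return props


def sslv3_disabled(java_security_text):
    """True only if SSLv3 is an entry of jdk.tls.disabledAlgorithms."""
    value = load_properties(java_security_text).get("jdk.tls.disabledAlgorithms", "")
    # Entries are comma separated; compared case-insensitively in this check.
    return "sslv3" in [entry.strip().lower() for entry in value.split(",")]


if __name__ == "__main__":
    for path in sys.argv[1:]:  # pass one or more java.security paths
        with open(path, encoding="iso-8859-1") as fh:
            state = "disabled" if sslv3_disabled(fh.read()) else "ALLOWED"
        print(f"{path}: SSLv3 {state}")
```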
OK, what have we learned over the last few days?
With Java 8 there came a new security structure.
Regarding the flaws in SSL (Heartbleed, Poodle), Java completely disabled SSL in the usable protocols list with version 8.
That's why older versions (like my preferred 7u25) work with OCSM, but newer ones don't.
We found a workaround to run OCSM with Java 8 (Thanks to my Java Admin Josua):
- open a DOS Box
- jump to the OCSM-directory:
cd "\Program Files\NetApp\OnCommand System Manager"
- start OCSM with parameter "i am sure what i do and i will run my OCSM with unsafe protocols" :
java -Dsun.security.ssl.allowUnsafeRenegotiation=true -Djdk.tls.client.protocols="TLSv1, SSLv3" -jar SystemManager.jar
and everything is fine
hope that works for you as well
Hilmar
I think what the industry should have learned a long time ago is that Java on the client side is an absolute mess for many of the reasons already stated here. It is not a system to be able to allow any device any software to be able to work. I would have to have 5-10 VMs just for the different software that requires different versions. NetApp and others, please upgrade to other tech. One that comes to mind would be HTML 5, .NET, or just pick something besides the proven-to-fail Java! Don't care if this is what you call "political". It's not; it's a call for using tech that works.
Thanks,
i also had a
500 connection has been shutdown: javax.net.ssl.SSLException:Received fatal alert: bad_record_mac
and this solved my problem
great job.
greetings greizt
Simply enabling TLS fixed the HTTP 500 error for me.
8.1.4P3 7-Mode
OnCommand System Manager 3.1.2
Both controllers had TLS disabled. One allowed me to connect and the other returned "500 Connection Refused."
I enabled TLS on the controller and it worked.
-Tim-
This worked for me, but with:
options httpd.admin.enable off
secureadmin disable all
secureadmin setup ssl
secureadmin enable ssl
secureadmin enable ssh2
options tls.enable on
options httpd.admin.enable on
And when creating the new SSL certificate, putting 2048 length
Uninstalling a current version of Java and re-installing an older, more vulnerable version is not an option.
What is the real fix for this?
Our internal policies will simply remove the older version of Java and update again each night during inventory and version checks.
It is really impossible to guess why NetApp (but EMC, Equallogic also...) continues writing software to manage enterprise solutions -such as storage systems- using Java.
Java is not a reliable platform! You simply patch up your Java runtime environment (because of security issues) and voilà: nothing works any longer!
And, as anyone knows, every software based on JRE requires a specific, different version of JRE. Changing even the third subversion number of JRE breaks anything.
I think we, customers, should stop buying any product requiring JRE on admin's computer to be managed!
I found the solution for this. And it does not require removing Java or the OCSM and re-installing older versions.
Make sure the httpd.admin is off (on is not secured)
options httpd.admin.enable off
Re-Run the setup for Secure Admin
secureadmin disable all
secureadmin setup ssl
secureadmin enable ssl
secureadmin enable ssh2
Enable TLS (in older versions of ONTAP, this is off by default)
options tls.enable on
Close any open OCSM Session and try again.
This resolved the 500 Connection Refused errors for me and I am running Java 8x
You, sir, are a genius! This resolved the problem I was having!
The SSL-setup re-run helped me out. Here's my situation:
Installed JRE8
Couldn't connect anymore.
Uninstalled OCSM
Uninstalled JRE8
Installed JRE7
Installed OCSM 3.1.2RC
Still couldn't connect.
Ran through the SSL settings on ONE filer of HA pair.
Still couldn't connect.
Ran through the SSL settings on the other filer of the HA pair.
SUCCESS! Was able to connect again.
Fantastic - thank you Chuck! This solution cut through all the problems. My system details: OCSM 3.1.2RC2 on Win8.1 with Java 8 U45, connecting to FAS2240 Data ONTAP 8.1.3.
the fix to this is to turn ON the following
httpd.admin.enable off
httpd.admin.hostsequiv.enable off
and try to login again.
Thanks this worked
INDEED. THANKS!