Active IQ Unified Manager Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Active IQ Unified Manager Discussions

Ask a Question

Powershell error : The server committed a protocol violation

StockageUGA
‎2020-11-24 08:11 AM
4,225 Views

Hello all,

Since 5.1 upgrade and switch to sectigo certificates, we have problems with all of our workflows.

They all fail with :

 

Cannot get credentials for cluster XXXXX

Cause : The server committed a protocol violation

 

Since we did WFA & Cluster certificates upgrades at the same time, we cannot say whether the problem comes from one or another.

 

I tried removing and adding back cluster credentials in WFA configuration, all successfully.

 

WFA is running on Windows Server 2012 Standard (upgrade from WFA previous..... previous... versions)

 

Any ideas ?

Thanks,

GS.

0 Kudos
View By:
3 REPLIES 3

ttran
Community Manager
‎2020-11-24 06:48 PM
4,187 Views

Hi StockageUSA,

 

You are receiving the "protocol violation" error because the header in the negotiation request is considered "unsafe," resulting in the rejection. Please check the certificates on the WFA host and the NetApp Cluster were installed correctly. In addition, you must stop the WFA Database and WFA Server services prior to replacing the certificates and restarting the services afterward.

 

Here is a reference document walking you through how to update the WFA certificates:

Replacing WFA Certificate 

Managing digital certificates for server or client authentication 

 

 

Regards,

 

Team NetApp

Team NetApp
0 Kudos

StockageUGA
‎2020-11-24 11:46 PM
In response to ttran
4,175 Views

Hello, thank you for your answer.

The clusters certificates (we have 5 clusters here) are OK in my web browser (System Manager Web Access), and OK in openssl command :

 

> openssl s_client --connect cluster.fqdn:443 

> ... Verify return code: 0 (ok)

 

the WFA certificate is expired (more than 1 year), but since WFA acts as a client here, why is it involved ?

 

WFA was restarted mutiple times since certificates were renewed. Also, credentials were deleted and added back to WFA successfully (I guess a HTTPS connections is made at this time)

 

Is there any logfile we could check ?

 

Thanks,
GS

 

0 Kudos

StockageUGA
‎2020-11-25 11:18 PM
In response to StockageUGA
4,139 Views

Hi all,

 

Accessing the log through the web interface, in wfa.log show recurring Java error :

 

2020-11-26 05:56:45,751 WARN  [com.netapp.wfa.common.io.ExecutionUtils] (Thread-157 (ActiveMQ-client-global-threads)) Exception while getting password from Vault:: org.jboss.security.vault.SecurityVaultException: java.lang.IllegalArgumentException: Null input buffer

I won't paste the full stack but some interesting lines (IMO) :

 

Caused by: java.lang.IllegalArgumentException: Null input buffer
	at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2198)
	at org.picketbox//org.picketbox.util.EncryptionUtil.decrypt(EncryptionUtil.java:134)
	at org.picketbox//org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:293)

 If it can help...

Announcements
All Community Forums
Public