Active IQ Unified Manager Discussions

SSL/TLS connection breaking while invoking REST post AIQUM upgrade to 9.9P2

harshitmarwah
2,814 Views

Hi All,

 

We have created an in-house monitoring dashboard for all our storage systems. We are using the AIQUM REST API to pull the NetApp information.

But recently we upgraded our AIQUM from 9.7 to 9.9P2 due to the Log4j vulnerability. Post the upgrade our data collector script is here few snippets from my script and the error I'm getting.

 

## Set environment up for previous support for encryption
[Net.ServicePointManager]::SecurityProtocol = "Tls12, Tls11, Tls, Ssl3"
## Set environment up to ignore certificate issues.
## The callback registered below returns true for every certificate,
## so server certificate validation is disabled for the whole session.
if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type)
{
    $certCallback = @"
    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    public class ServerCertificateValidationCallback
    {
        public static void Ignore()
        {
            if (ServicePointManager.ServerCertificateValidationCallback == null)
            {
                ServicePointManager.ServerCertificateValidationCallback +=
                    delegate
                    (
                        Object obj,
                        X509Certificate certificate,
                        X509Chain chain,
                        SslPolicyErrors errors
                    )
                    {
                        return true;
                    };
            }
        }
    }
"@
    Add-Type $certCallback
}
[ServerCertificateValidationCallback]::Ignore()

PS C:\Users>
$volumeresponses = @()
function get-aiqumpaginateddata {

    param(
        [string]$aiqumuri,
        $Restheaders
    )

    [int]$offsetnumber = 0
    $response = @()
    $responserecords = @()
    # Testing variables
    #$pagesize = 1
    #$aiqumuri = "https://xx.xxx.xx.xx/api/datacenter/storage/volumes"

    # Use the headers passed in as a parameter rather than a variable from the caller's scope
    $response_total_records = (Invoke-RestMethod $aiqumuri -Method 'GET' -Headers $Restheaders -UseBasicParsing).total_records

    # Page through the records 1000 at a time
    for ([int]$i = $response_total_records; $i -gt 0; $i = $i - 1000)
    {
        $response = Invoke-RestMethod "$($aiqumuri)?offset=$($offsetnumber)&limit=1000" -Method 'GET' -Headers $Restheaders
        $responserecords += $response.records
        $offsetnumber += 1000
        # Progress goes to the console so it does not end up in the function's return value
        Write-Host "$i $offsetnumber $($responserecords.Count)"
    }

    $responserecords

}
# Pass the URI as shown in the AIQUM tutorial
$aiqumaggruri = "https://xx.xxx.xx.xx/api/datacenter/storage/aggregates"
$aiqumVolumeuri = "https://xx.xxx.xx.xx/api/datacenter/storage/volumes"
$aggrresponses = @{}
$volumeresponses = @{}
$aggrresponses_formatted = @{}
$volumeresponses_formatted = @{}
$aggrresponses = get-aiqumpaginateddata -aiqumuri $aiqumaggruri -Restheaders $headers
$volumeresponses = get-aiqumpaginateddata -aiqumuri $aiqumVolumeuri -Restheaders $headers

 

Invoke-RestMethod : The request was aborted: Could not create SSL/TLS secure channel.
At line:18 char:32
+ ... _records = (Invoke-RestMethod $aiqumuri -Method 'GET' -Headers $heade ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

Invoke-RestMethod : The request was aborted: Could not create SSL/TLS secure channel.
At line:18 char:32
+ ... _records = (Invoke-RestMethod $aiqumuri -Method 'GET' -Headers $heade ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

3 REPLIES

mbeattie
2,759 Views

Hi,

 

I tested it on an AIQUM 9.10. Not sure what the issue is but my code still works against the latest version: https://github.com/matthew-beattie/AIQUM . Try the GetUMClusters.ps1 in the repo and see if that works. I noticed the .NET Certificate code I used is different from your code. Hope this example helps?

 

/Matt

 

 

 


harshitmarwah
2,664 Views

Hi Matt, 

 

Thanks for sharing your repository code, but unfortunately I am getting the same error, where it says

Invoke-RestMethod : The request was aborted: Could not create SSL/TLS secure channel........

 

Two things I have noticed: my code works when using the 9.7 version of AIQUM, and Postman is also able to get the details for me.

 

So I'm not sure how to proceed; the only way out is to update the whole code or use the same script as Postman.

mbeattie
1,961 Views

Hi,

 

What client OS are you running? I recently encountered a similar issue for a customer running a legacy OS (Windows Server 2012 R2) resulting in the error "Error The request was aborted: Could not create SSL/TLS secure channel."

 

I took a packet trace using Wireshark and compared the client OS supported ciphers used to negotiate with AIQUM and found that the ciphers configured in AIQUM did not support the client OS (hence the authentication failure). I enabled TLS 1.2 on the client and configured the AIQUM ciphers to append "TLS_RSA_WITH_AES_256_GCM_SHA384" to the "tls.ciphersuites.selected.v12" configuration and rebooted both the client OS and AIQUM. I was then able to successfully authenticate to the REST API from the client OS.

 

The following KB articles might be helpful to enable the diag user in AIQUM so you can SSH to it and update the cipher configuration.

 

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Infrastructure_Management/Active_IQ_Unified_Manager/How_to_access_Active_IQ_Unified_Manager_Virt... 

https://kb.netapp.com/Advice_and_Troubleshooting%2FData_Infrastructure_Management%2FActive_IQ_Unified_Manager%2FHow_to_disable_TLS_cipher_suites_in_Ac... 

 

Hope that helps

 

/Matt

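
The comparison described in the last reply (cipher suites the client OS can offer against the suites configured on the server) can also be made from PowerShell on the client. This is an added example, not code from the thread or from NetApp; the function names Get-ClientCipherSuite and Compare-CipherSuite and the sample suite lists are constructed for illustration.

```powershell
function Get-ClientCipherSuite {
    # Windows 10 / Server 2016 and later ship the Get-TlsCipherSuite cmdlet.
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        return (Get-TlsCipherSuite).Name
    }
    # Older systems: read the Schannel cipher order from the registry.
    # A Group Policy list, when present, overrides the local default list.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
            'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
        if ($value) { return @($value) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } }
    }
    return @()
}

function Compare-CipherSuite {
    param([string[]]$ClientSuites, [string[]]$ServerSuites)
    # Older Schannel names carry a curve suffix such as _P256 that the IANA names
    # used in server configuration do not have; strip it before comparing.
    $normalize = { param($n) ($n.Trim().ToUpperInvariant()) -replace '_P(256|384|521)$', '' }
    $client = $ClientSuites | ForEach-Object { & $normalize $_ } | Select-Object -Unique
    $server = $ServerSuites | ForEach-Object { & $normalize $_ } | Select-Object -Unique
    [pscustomobject]@{
        Common     = @($server | Where-Object { $client -contains $_ })     # usable by both sides
        ServerOnly = @($server | Where-Object { $client -notcontains $_ })  # client cannot offer these
    }
}

# Constructed sample lists (assumptions, not read from a real client or AIQUM host).
$clientSuites = 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
                'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
                'TLS_RSA_WITH_AES_256_GCM_SHA384',
                'TLS_RSA_WITH_AES_128_GCM_SHA256'
$serverSuites = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
                'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'

# No suite in common: the handshake has nothing to agree on.
$before = Compare-CipherSuite -ClientSuites $clientSuites -ServerSuites $serverSuites
# Same comparison after appending the suite named in the reply to the server list.
$after  = Compare-CipherSuite -ClientSuites $clientSuites `
                              -ServerSuites ($serverSuites + 'TLS_RSA_WITH_AES_256_GCM_SHA384')

"Common before: $($before.Common.Count)"
"Common after : $($after.Common -join ', ')"
# On the real client, pass (Get-ClientCipherSuite) and the server's configured list instead.
```

TLS_RSA_* suites use RSA key exchange and provide no forward secrecy, so a suite added to the server list for a legacy client is worth removing again once that client is upgraded.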