I found two options in OCUM to enforce validation of data sources.
# um option list
Name Default Value Value Requires Restart
-------------- -------------- -------------- --------------
ssl.host.verifyCertificates false false false
ssl.host.verifyHostNames false false false
If I activate these options, the discovery of the data sources fails. I found the following in the log (/var/log/ocum/ocum-error.log):
ERROR [oncommand] [collection-completion-0] [c.n.d.o.o.service.OntapEmsService] EMS Configuration Check failed with error Connection error to Storage System foo.bar: com.netapp.dfm.core.security.TrustStoreEmptyException: Client truststore is empty. Please add trusted certificates to the client truststore.
Does anybody know where that client truststore is located?
There are a lot of things I need to understand in this thread, so let me get started by answering your question first.
1. The error you pointed out from the "ocum-error.log" file is related to the "ems subscription" setup in UM. You may need to look up what name is set up in the cluster (e.g. ::> event notification destination show) and what name you have on your UM server, either by looking at the UM certificate or by using a couple of other ways to check the UM hostname:
> mysql -e "select * from ocum.managementstation;"
> um cli login -u <maintenance_user>
> um option list custom.hostname
2. The "um option list" output you mention shows the "ssl.host.verifyCertificates" and "ssl.host.verifyHostNames" options as false, and that is the default configuration after installation. These options were used in HA and local UM hostname configuration settings, but we have not tweaked them when configuring/installing CA certificates.
A) Are you having problems installing a CA certificate in UM 9.4? Does the CA certificate hold "intermediate/root" certs, and if yes, is the order correct? Maybe this KB will help you: "https://kb.netapp.com/app/answers/answer_view/a_id/1071340".
B) Which platform is UM 9.4 installed on: "vApp/RHEL/Windows"?
C) If you have no issue installing the CA certificate in UM: after the certificate installation is done, are you running into a cluster acquisition issue, an issue adding a new cluster, or does UM not seem to recognize your new CA certificate?
D) If you don't mind, could you share your CA certificate and the steps you are taking to install it?
I will stop here; maybe I am going in a completely wrong direction, so let's hear from you and then we will try to help.
OK, so let's take a step back. Maybe I have a misunderstanding about these options. My interpretation was that these options are there to secure the data acquisition from the ONTAP clusters, so OCUM would check that only valid, CA-signed certificates are used on the acquired clusters.
Is that wrong? What are these options actually for?
ssl.host.verifyCertificates - boolean - enable/disable trust verification of certificates presented by managed hosts when OCUM initiates a connection.
ssl.host.verifyHostNames - boolean - enable/disable hostname verification of certificates presented by managed hosts when OCUM initiates a connection. (only effective if ssl.host.verifyCertificates is enabled)
Verification is off by default because OCUM does not verify certificates, and we want to ensure backwards compatibility.
Hostname verification will only be enforced if both certificate verification and hostname verification are enabled.
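As an added illustration, not code from this thread or from OCUM itself, here is a small Python model of the two options' semantics as described above: hostname verification only takes effect when certificate verification is on, and turning certificate verification on with nothing in the client truststore fails, which is the TrustStoreEmptyException from the first post. The class and function names are my own.

```python
"""Model of ssl.host.verifyCertificates / ssl.host.verifyHostNames semantics
using Python's ssl module. Constructed example; names are hypothetical."""
import ssl


class TrustStoreEmptyError(Exception):
    """Analogue of OCUM's TrustStoreEmptyException: verification was requested
    but no trust anchors are loaded, so every server certificate would fail."""


def build_client_context(verify_certificates, verify_host_names, ca_pem=None):
    """Map the two OCUM options onto an ssl.SSLContext for an outbound
    connection to a managed host. ca_pem is the trusted CA chain in PEM form."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT defaults to hostname checking + CERT_REQUIRED;
    # relax both so that only the two flags decide. check_hostname must be
    # cleared before verify_mode may be set to CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if not verify_certificates:
        # verifyHostNames is ignored here, as the thread states.
        return ctx
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem)
    # An enabled verifier with an empty truststore can never succeed; fail
    # loudly at configuration time instead of on every acquisition attempt.
    if ctx.cert_store_stats()["x509"] == 0:
        raise TrustStoreEmptyError(
            "client truststore is empty; add trusted CA certificates")
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = verify_host_names
    return ctx


def probe_policy(verify_certificates, verify_host_names, ca_pem=None):
    """Return the effective (verify_certificate, verify_hostname) pair, or the
    string 'truststore-empty' when enabling verification would fail."""
    try:
        ctx = build_client_context(verify_certificates, verify_host_names, ca_pem)
    except TrustStoreEmptyError:
        return "truststore-empty"
    return (ctx.verify_mode != ssl.CERT_NONE, ctx.check_hostname)


if __name__ == "__main__":
    for flags in [(False, False), (False, True), (True, False), (True, True)]:
        print(flags, "->", probe_policy(*flags))
```

Passing the real CA chain as ca_pem turns the last two cases into (True, False) and (True, True); with no anchors loaded they reproduce the empty-truststore failure.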
OK, so the options do what I assumed.
I tried to put the root CA certificate in the server.keystore and client.keystore. As soon as I activate the options the discovery fails and I see the mentioned errors.
Are you using a self-signed certificate or a CA-signed certificate? Can you provide the output for the below path?
If you are using a CA-signed certificate, you need to add the trusted certificate again. If it doesn't work, I request you to open a support case.
I am using CA-signed certificates.
The folder looks like this:
[~]$ ll /opt/netapp/essentials/jboss/server/onaro/cert
total 20
drwxrw----. 2 jboss jboss   29 Jun 29 09:40 originator
-rw-------. 1 jboss jboss 9721 Jul 25 13:34 server.keystore
Should the CA certificate be in that server.keystore or do I need to create a client.keystore file?
As you have mentioned that you are using a CA-signed certificate, it should be present in the server.keystore.
Use the below command to read the keystore file: