OCUM 9.4 Verify certificates

moep · ‎2018-08-21

I found two options in OCUM to enforce validation of data sources.

# um option list

Name                          Default Value    Value            Requires Restart
--------------                --------------   --------------   --------------

...

ssl.host.verifyCertificates   false            false            false
ssl.host.verifyHostNames      false            false            false

If I activate these options the discovery of the data sources fails. I found the following in the log (/var/log/ocum/ocum-error.log)

ERROR [oncommand] [collection-completion-0] [c.n.d.o.o.service.OntapEmsService] EMS Configuration Check failed with error Connection error to Storage System foo.bar: com.netapp.dfm.core.security.TrustStoreEmptyException: Client truststore is empty. Please add trusted certificates to the client truststore.

Does anybody know where that client truststore is located?

RajeshPanda · ‎2018-09-24

@moep

The OnCommand Ask The Expert session is live from today and we have posted this question for our Experts. You will receive a response shortly.

Follow our ATE forum for our Expert’s response.

aattar · ‎2018-09-24

@moep

Are you using the self signed certificate or a CA signed certificate? Can you provide the output for the below path

/opt/netapp/essentials/jboss/server/onaro/cert

If you are using a CA signed certificate, you need to add the trusted ceritifcate again. If it doesn't work, I request you to open a support case.

moep · ‎2018-09-24

I am using CA signed certificates.

The folder looks like this:

[~]$ ll /opt/netapp/essentials/jboss/server/onaro/cert
total 20
drwxrw----. 2 jboss jboss   29 Jun 29 09:40 originator
-rw-------. 1 jboss jboss 9721 Jul 25 13:34 server.keystore

Should the CA certificate be in that server.keystore or do I need to create a client.keystore file?

aattar · ‎2018-09-25

As you have mentioned that you are using a CA signed certificate, it should be present in the server.keystore.

Use the below command to read the keystore file,

keytool -list -v -keystore path_to_keystore_file

The path for client.keystore is below,

/opt/netapp/essentials/au/conf/cert

moep · ‎2018-09-27

I added the CA certificate to the server.keystore. The were already present in the client keystore. I still get the same error in the log.

hamdani · ‎2018-09-28

There are lot of things i need to understand in this thread, so let me get started answering your question first

1. The error you pointed out from "ocum-error.log" file. This is related to "ems subscription" setup in UM. You may need to look up what name is setup in cluster (e.g: ::> event notification destination show) and what is the name you have on your UM server, either by looking at the UM certificate or you can use couple of other ways to check the UM hostname

> mysql -e "select * from ocum.managementstation;"

> um cli login -u <maintenance_user>

> um option list custom.hostname

2. The "um option list" output you mention that is showing "ssl.host.verifyCertificates" and "ssl.host.verifyHostNames" option as false and that is true in default configuration after the installation. These option was used in HA and local UM host name configuration settings but we have not tweaked these option when configuring/installing CA certificates.

Clarification:

A) Are you having problem installing CA certificate in UM 9.4? Is the CA certificate hold "intermediate/root" certs and if Yes, is the order correct? May be this KB will help you "https://kb.netapp.com/app/answers/answer_view/a_id/1071340".

B) Which Platform UM 9.4 is installed on "vApp/RHEL/Windows"?

c) If you have no issue installing the CA certificate in UM, After the certificate installation done, are you running into a cluster acquisition issue or adding new cluster or UM do not seems to recognize your new CA certificate?

d) If you dont mind sharing your CA certificate and steps you are talking to install?

I will stop here, may be i am going into complete wrong direction, so lets hear from you and then we will try to help.

moep · ‎2018-09-28

OK, so let's take a step back. Maybe I have a misunderstanding about these options. My interpretation was these options are to secure the data acquistion of the ONTAP clusters. So OCUM would check only valid and CA signed certificates would be used on the acquired clusters.

Is that wrong? What are these options actually for?

aattar · ‎2018-10-02

ssl.host.verifyCertificates - boolean - enable/disable trust verification of certificates presented by managed hosts when OCUM initiates a connection.
ssl.host.verifyHostNames - boolean - enable/disable hostname verification of certificates presented by managed hosts when OCUM initiates a connection. (only effective if ssl.host.verifyCertificates is enabled)

Verification is off by default because OCUM does not verify certificates, and we want to ensure backwards compatibility.

Hostname verification will only be enforced if both certificate verification and hostname verification are enabled.

moep · ‎2018-10-02

What are "managed hosts"? Are we talking about ONTAP clusters here?

Sultana · ‎2018-10-03

Hi @moep,

Yes we are refrerring to ONTAP clusters here.

moep · ‎2018-10-05

Ok so the options do what I assumed.

I tried to put the root CA certificate in the server.keystore and client.keystore. As soon as I activate the options the discovery fails and I see the mentioned errors.

OCUM 9.4 Verify certificates

Portfolio Updates | NetApp ONAIR