If I activate these options, the discovery of the data sources fails. I found the following in the log (/var/log/ocum/ocum-error.log):
ERROR [oncommand] [collection-completion-0] [c.n.d.o.o.service.OntapEmsService] EMS Configuration Check failed with error Connection error to Storage System foo.bar: com.netapp.dfm.core.security.TrustStoreEmptyException: Client truststore is empty. Please add trusted certificates to the client truststore.
Does anybody know where that client truststore is located?
There are a lot of things I need to understand in this thread, so let me get started by answering your question first.
1. The error you pointed out from the "ocum-error.log" file. This is related to the "ems subscription" setup in UM. You may need to look up what name is set up in the cluster (e.g.: ::> event notification destination show) and what name you have on your UM server, either by looking at the UM certificate or by using a couple of other ways to check the UM hostname:
> mysql -e "select * from ocum.managementstation;"
> um cli login -u <maintenance_user>
> um option list custom.hostname
2. The "um option list" output you mention shows the "ssl.host.verifyCertificates" and "ssl.host.verifyHostNames" options as false, and that is true in the default configuration after the installation. These options were used in HA and local UM host name configuration settings, but we have not tweaked these options when configuring/installing CA certificates.
b) Which platform is UM 9.4 installed on: vApp/RHEL/Windows?
c) If you have no issue installing the CA certificate in UM, after the certificate installation is done, are you running into a cluster acquisition issue or an issue adding a new cluster, or does UM not seem to recognize your new CA certificate?
d) If you don't mind sharing your CA certificate and the steps you are taking to install it?
I will stop here; maybe I am going in a completely wrong direction, so let's hear from you and then we will try to help.
OK, so let's take a step back. Maybe I have a misunderstanding about these options. My interpretation was that these options are to secure the data acquisition of the ONTAP clusters, so OCUM would check that only valid and CA-signed certificates are used on the acquired clusters.
Is that wrong? What are these options actually for?
ssl.host.verifyCertificates - boolean - enable/disable trust verification of certificates presented by managed hosts when OCUM initiates a connection.
ssl.host.verifyHostNames - boolean - enable/disable hostname verification of certificates presented by managed hosts when OCUM initiates a connection. (only effective if ssl.host.verifyCertificates is enabled)
Verification is off by default because OCUM does not verify certificates, and we want to ensure backwards compatibility.
Hostname verification will only be enforced if both certificate verification and hostname verification are enabled.
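The gating rule described in the reply above, together with the empty-truststore condition from the logged error, shown with Python's standard `ssl` module as a stand-in. This is an added example, not OCUM code and not part of the original posts; the function names are hypothetical.

```python
import ssl


def build_client_context(verify_certificates: bool, verify_hostnames: bool) -> ssl.SSLContext:
    """Map the two booleans onto a TLS client context (hypothetical stand-in for a connector)."""
    # A bare PROTOCOL_TLS_CLIENT context starts with no trusted CAs loaded.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Turn hostname checking off first: Python rejects CERT_NONE while it is on.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED if verify_certificates else ssl.CERT_NONE
    # Hostname verification is only effective when trust verification is enabled.
    ctx.check_hostname = verify_certificates and verify_hostnames
    return ctx


def effective_policy(ctx: ssl.SSLContext) -> dict:
    """Report what the context will actually enforce on an outgoing connection."""
    return {
        "trust_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_verified": ctx.check_hostname,
        "truststore_empty": ctx.cert_store_stats()["x509_ca"] == 0,
    }


def preflight(ctx: ssl.SSLContext):
    """Return a problem description if every handshake is bound to fail, else None."""
    policy = effective_policy(ctx)
    if policy["trust_verified"] and policy["truststore_empty"]:
        # Same situation as the logged error: verification on, nothing to verify against.
        return "trust verification is enabled but the client truststore is empty"
    return None


if __name__ == "__main__":
    # Walk all four combinations of the two options.
    for certs in (False, True):
        for names in (False, True):
            ctx = build_client_context(certs, names)
            print(certs, names, effective_policy(ctx), preflight(ctx))
```

Loading the issuing CA into the context with `ctx.load_verify_locations(cafile=...)` before connecting is what clears the preflight problem.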