Microsoft Virtualization Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Microsoft Virtualization Discussions

Ask a Question

Could not create SSL/TLS secure channel

ahmada
NetApp
‎2017-01-01 04:04 AM
14,607 Views

Happy New Year Smiley Happy

 

7-Mode 8.2.4

Windows server 2012 R2

 

I am trying to run my powershell script over https but I got the below error:-

Connect-NaController : Connection to FILERNAME using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.
The error may be resolved by generating a new certificate on the storage controller, with a longer key length.
At D:\NetApp\Scripts\7-Mode\7Snap1.ps1:35 char:6
+      Connect-NaController $netapp -Credential $cred -HTTPS
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (FILERNAME:NaController) [Connect-NaController], NaConnectionSSLException
    + FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController

 

 

I have increased the key length to more than 2000 (secureadmin setup ssl)but still it is not working. Below are my filer options which I believe should be enough to get it to run over HTTPS.

 

httpd.access                 none       
httpd.admin.access           host=myhost1,myhost2,myhost3
httpd.admin.enable           off        
httpd.admin.hostsequiv.enable off        
httpd.admin.max_connections  512        
httpd.admin.ssl.enable       on         
httpd.admin.top-page.authentication on         
httpd.autoindex.enable       off        
httpd.bypass_traverse_checking off        
httpd.enable                 off        
httpd.ipv6.enable            off        
httpd.log.format             common     (value might be overwritten in takeover)
httpd.method.trace.enable    off        
httpd.rootdir                /vol/vol0/home/http 
httpd.timeout                300        (value might be overwritten in takeover)
httpd.timewait.enable        off      
tls.enable                   on
ldap.ssl.enable              off
ssl.enable                   on         
ssl.v2.enable                off        (same value required in local+partner)
ssl.v3.enable                on         (same value required in local+partner)

 

If I enable http and run the script over http it works fine. Moreover, I have the same exact configuration on my demo lab and it is working fine even with HTTPS.

I am not sure why it is not working on the production environment. Could it be a server related issue/policy ?

 

Your help is appriciated.

 

Thanks,

0 Kudos
View By:
7 REPLIES 7

MForster
‎2017-01-03 12:03 AM
14,427 Views

Hello ahmada,

 

happy new year!

 

Can you access the webfrontend by browser over https ?

Does it produce a warning ?

 

I guess that the powershell Toolkit uses .net Components for HTTPS Communication.

 

so you could try out the .NET Foundation to test the connection.

Please see

https://blogs.technet.microsoft.com/parallel_universe_-_ms_tech_blog/2014/06/26/reading-a-certificate-off-a-remote-ssl-server-for-troubleshooting-with...

 

And try if you can get more information out of it.

To help in Troubleshooting.

 

Kind Regards

 

 

0 Kudos

ahmada
NetApp
‎2017-01-03 09:42 PM
In response to MForster
14,386 Views

 Thanks for your replay

 

Can you access the webfrontend by browser over https ?

Does it produce a warning ?

I got the below error:-

 TLS.jpg

 

 

I have checked TLS1.1 and TLS 1.2 and both are enabled.

 

As for the code in the link provided, I got the below error:

ssl.jpg

 

However, in the test lab both tests works fine.

 

Could it be that some group policy is forced via AD that's causing the issue seen on the production environment ?

 

0 Kudos

tmac
NetApp Alumni
‎2017-01-05 07:33 AM
14,327 Views

make sure TLS 1.2 is actually enabled on your windows boxes

 

There were eveidently some "patches" that turned of TLS.

 

Verify these registry keys:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

 

you can also check out htis link: https://portal.chicagonettech.com/kb/a187/maximizing-ssl-security-for-windows-server-2012-ssl-tls.aspx

 

0 Kudos

Minser
‎2018-01-29 10:28 AM
11,851 Views

On 8.3 I had the same issue attempting to connect to system manager. I used three seperate browsers. Double checked TLS and SSL settings and certificates.

Finally figured it out.

Make sure the Server side is enabled.

wrote:

Happy New Year Smiley Happy

 

7-Mode 8.2.4

Windows server 2012 R2

 

I am trying to run my powershell script over https but I got the below error:-

Connect-NaController : Connection to FILERNAME using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.
The error may be resolved by generating a new certificate on the storage controller, with a longer key length.
At D:\NetApp\Scripts\7-Mode\7Snap1.ps1:35 char:6
+      Connect-NaController $netapp -Credential $cred -HTTPS
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (FILERNAME:NaController) [Connect-NaController], NaConnectionSSLException
    + FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController

 

 

I have increased the key length to more than 2000 (secureadmin setup ssl)but still it is not working. Below are my filer options which I believe should be enough to get it to run over HTTPS.

 

httpd.access                 none       
httpd.admin.access           host=myhost1,myhost2,myhost3
httpd.admin.enable           off        
httpd.admin.hostsequiv.enable off        
httpd.admin.max_connections  512        
httpd.admin.ssl.enable       on         
httpd.admin.top-page.authentication on         
httpd.autoindex.enable       off        
httpd.bypass_traverse_checking off        
httpd.enable                 off        
httpd.ipv6.enable            off        
httpd.log.format             common     (value might be overwritten in takeover)
httpd.method.trace.enable    off        
httpd.rootdir                /vol/vol0/home/http 
httpd.timeout                300        (value might be overwritten in takeover)
httpd.timewait.enable        off      
tls.enable                   on
ldap.ssl.enable              off
ssl.enable                   on         
ssl.v2.enable                off        (same value required in local+partner)
ssl.v3.enable                on         (same value required in local+partner)

 

If I enable http and run the script over http it works fine. Moreover, I have the same exact configuration on my demo lab and it is working fine even with HTTPS.

I am not sure why it is not working on the production environment. Could it be a server related issue/policy ?

 

Your help is appriciated.

 

Thanks,

 

security SSL show

          Serial                                         Server  Client
Vserver   Number Common Name                             Enabled Enabled
--------- ------ --------------------------------------- ------- -------
uspdop6lus 561E4629E0E3E uspdop6lus            true    false
 Certificate Authority: uspdop6lus

0 Kudos

Minser
‎2018-01-29 01:39 PM
In response to Minser
11,828 Views

sorry,

I was using a clustered OnTap responce to a 7-mode issue.

0 Kudos

dvindika
‎2018-02-28 10:03 PM
11,300 Views

DId you resolve this issue? I'm having exact issue with Powershell.

Thanks!

0 Kudos

ahmada
NetApp
‎2018-02-28 10:34 PM
In response to dvindika
11,289 Views

I forced powershell to connect over RPC - that's for 7-mode systems-, the connection command will be something like : -

 

Connect-NaController storageName -RPC

0 Kudos
All Community Forums
Public