Microsoft Virtualization Discussions

cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Microsoft Virtualization Discussions

Ask a Question

Windows 2016 can't connect using PowerShell

CGulde
‎2020-03-18 12:39 PM
4,893 Views

I have a OnTAP 8.2.5 (7-mode) system and have been using PowerShell scripts to generate reports from a windows 2012 server.  I upgraded the Server to Windows 2016 and the scripts now fail performing the connect-nacontroller command.

    Connect-NaController <..> -Credential $Creds -HTTPS

    Connect-NaController : API invoke failed.

 

Windows 2016 disabled SSLv3 by default.

If enabled, I get a different error.

    Connection to <..> using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.

    The error may be resolved by generating a new certificate on the storage controller, with a longer key length.

 

The server has PSTK 9.7.1 installed.

Suggestions?

 

0 Kudos
View By:
5 REPLIES 5

cole
NetApp
‎2020-03-19 07:44 AM
4,811 Views

You just need to generate a new certificate on the 7-mode nodes using the 'secureadmin setup ssl' command (using a key length of at least 1024). After that the connection should succeed.

 

Jason

0 Kudos

CGulde
‎2020-03-27 07:11 PM
In response to cole
4,729 Views

I generated a new Cert but there was no change.

 
********
node1> secureadmin setup -f ssl
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (city, town, etc.) [Santa Clara]:
Organization Name (company) [Your Company]:
Organization Unit Name (division):
Common Name (fully qualified domain name) [node1.xxx.com]:
Administrator email:
Days until expires [5475] :
Key Type (RSA or ECDSA) [RSA]:
Key length (bits) [2048] :2048
Fri Mar 27 18:06:14 CDT [node1:secureadmin.ssl.setup.success:info]: Restarting SSL with new certificate.
node1>
PS C:\Users\admin\Desktop> Connect-NaController node1 -HTTPS -Credential (get-credential)
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Connect-NaController : Connection to node1 using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.
The error may be resolved by generating a new certificate on the storage controller, with a longer key length.
At line:1 char:1
+ Connect-NaController node1 -HTTPS -Credential (get-credential)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (node1:NaController) [Connect-NaController], NaConnectionSSLException
    + FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController
 ********
I enabled SSL3 on the Windows 2016 server first.  It is disabled by default.
 
0 Kudos

CGulde
‎2020-03-28 05:36 PM
In response to CGulde
4,697 Views

I was able to get it working partly by enabling TLS 1.0 client in the Windows 2016 server registry.

I left SSL 2 & 3 Disabled and just enabled TLS 1.0 Client (not server).

 

I could connect to OnTAP 8.2.5P1 systems but not OnTAP 8.1.4P8 systems even after increasing the SSL Key length.

 

Any suggestions there?

 

Thanks

 

0 Kudos

cole
NetApp
‎2020-03-30 03:44 PM
In response to CGulde
4,653 Views

What is the value of 'options tls.enable'?

 

If that is off, set it to on and try again.

0 Kudos

CGulde
‎2020-03-31 10:01 AM
In response to cole
4,610 Views

node1> options httpd
httpd.access legacy
httpd.admin.access legacy
httpd.admin.enable on
httpd.admin.hostsequiv.enable off
httpd.admin.max_connections 512
httpd.admin.ssl.enable on
httpd.admin.top-page.authentication on
httpd.autoindex.enable off
httpd.bypass_traverse_checking off
httpd.enable off
httpd.ipv6.enable off
httpd.log.format common
httpd.method.trace.enable off
httpd.rootdir /vol/vol0_NA_root/home/http
httpd.timeout 300
httpd.timewait.enable off


node1> options ssl
ssl.enable on
ssl.v2.enable off
ssl.v3.enable off


node1> options tls
tls.enable on

0 Kudos
Announcements
All Community Forums
Public