Microsoft Virtualization Discussions

Windows 2016 can't connect using PowerShell

CGulde
4,553 Views

I have a OnTAP 8.2.5 (7-mode) system and have been using PowerShell scripts to generate reports from a windows 2012 server.  I upgraded the Server to Windows 2016 and the scripts now fail performing the connect-nacontroller command.

    Connect-NaController <..> -Credential $Creds -HTTPS

    Connect-NaController : API invoke failed.

 

Windows 2016 disabled SSLv3 by default.

If enabled, I get a different error.

    Connection to <..> using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.

    The error may be resolved by generating a new certificate on the storage controller, with a longer key length.

 

The server has PSTK 9.7.1 installed.

Suggestions?

 

5 REPLIES 5

cole
4,471 Views

You just need to generate a new certificate on the 7-mode nodes using the 'secureadmin setup ssl' command (using a key length of at least 1024). After that the connection should succeed.

 

Jason

CGulde
4,389 Views

I generated a new Cert but there was no change.

 
********
node1> secureadmin setup -f ssl
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (city, town, etc.) [Santa Clara]:
Organization Name (company) [Your Company]:
Organization Unit Name (division):
Common Name (fully qualified domain name) [node1.xxx.com]:
Administrator email:
Days until expires [5475] :
Key Type (RSA or ECDSA) [RSA]:
Key length (bits) [2048] :2048
Fri Mar 27 18:06:14 CDT [node1:secureadmin.ssl.setup.success:info]: Restarting SSL with new certificate.
node1>
PS C:\Users\admin\Desktop> Connect-NaController node1 -HTTPS -Credential (get-credential)
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Connect-NaController : Connection to node1 using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.
The error may be resolved by generating a new certificate on the storage controller, with a longer key length.
At line:1 char:1
+ Connect-NaController node1 -HTTPS -Credential (get-credential)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (node1:NaController) [Connect-NaController], NaConnectionSSLException
    + FullyQualifiedErrorId : HttpConnectionFailed,DataONTAP.PowerShell.SDK.ConnectNaController
 ********
I enabled SSL3 on the Windows 2016 server first.  It is disabled by default.
 

CGulde
4,357 Views

I was able to get it working partly by enabling TLS 1.0 client in the Windows 2016 server registry.

I left SSL 2 & 3 Disabled and just enabled TLS 1.0 Client (not server).

 

I could connect to OnTAP 8.2.5P1 systems but not OnTAP 8.1.4P8 systems even after increasing the SSL Key length.

 

Any suggestions there?

 

Thanks

 

cole
4,313 Views

What is the value of 'options tls.enable'?

 

If that is off, set it to on and try again.

CGulde
4,270 Views

node1> options httpd
httpd.access legacy
httpd.admin.access legacy
httpd.admin.enable on
httpd.admin.hostsequiv.enable off
httpd.admin.max_connections 512
httpd.admin.ssl.enable on
httpd.admin.top-page.authentication on
httpd.autoindex.enable off
httpd.bypass_traverse_checking off
httpd.enable off
httpd.ipv6.enable off
httpd.log.format common
httpd.method.trace.enable off
httpd.rootdir /vol/vol0_NA_root/home/http
httpd.timeout 300
httpd.timewait.enable off


node1> options ssl
ssl.enable on
ssl.v2.enable off
ssl.v3.enable off


node1> options tls
tls.enable on

Public