Software Development Kit (SDK) and API Discussions

FPolicy server-auth mode failing when using third party CA signed certificates.

Anshul
3,523 Views

For Cluster Mode NetApp
FPolicy server-auth mode failing when using third party CA signed certificates.

 

Fpolicy server is getting "tlsv1 alert unknown ca" error while doing SSL handshaking with FPolicy client.

 

We have installed public certificate of certificate authority (CA) that is used to sign the FPolicy server certificate on SVM using following command:
> security certificate install -type client-ca -vserver <vserver name>

Configured external-engine in FPolicy to enable server-auth mode:

> vserver fpolicy policy external-engine show -vserver <vserver name> -engine-name <engine name>

Vserver: <vserver name>
Engine: <engine name>
Primary FPolicy Servers: <server ip>
Port Number of FPolicy Service: <server port number>
Secondary FPolicy Servers: -
External Engine Type: asynchronous
SSL Option for External Communication: server-auth
FQDN or Custom Common Name: -
Serial Number of Certificate: -
Certificate Authority: -
Is Resiliency Feature Enabled: false
Maximum Notification Retention Duration: 3m
Directory for Notification Storage: -


In FPolicy server we are using certificate file to initialize SSL server in following format:

                   The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.
We are also using certificate's key file for initialize SSL server.


Now when we got FPolicy client connection in FPolicy server we are trying to do SSL handshaking and getting following error and SSL handshake failed:
"
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca".

Note: we are using OpenSSL library API for SSL handshaking.

 

Also, same issue produces when we use OpenSSL server tool as FPolicy Server.

Our Fpolicy Server can handshake and have the cert chain validated with the OpenSSL client tool. NetApp SVM doesn't work with an OpenSSL server tool using the same certs.

Does anybody let us know where we are going wrong, what are the correct steps for FPolicy SSL communication using third party CA signed certificate. How to resolve this error/issue?

1 ACCEPTED SOLUTION

Anshul
2,786 Views

NetApp does not support intermediate certificates chain in this case.

View solution in original post

5 REPLIES 5

GidonMarcus
3,449 Views

Hi

 

is it not server-ca you need to install it for?

"server-ca - includes the public key certificate for the root CA of the SSL server to which Data ONTAP is a client"

http://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-991/security__certificate__install.html

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

Anshul
3,439 Views

The "vserver fpolicy policy external-engine create" doc mentioned below says to use "client-ca".
Although, We have tried it with "server-ca" and it is failing with same error.

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-980%2Fvserver__fpolicy__policy__external-engine__create.html

server-auth : When set to server-auth, only the FPolicy server is authenticated by the Vserver. With this option, before creating the FPolicy external engine, the administrator must install the public certificate of the certificate authority (CA) that signed the FPolicy server certificate.

The public certificate of certificate authority (CA) that is used to sign the FPolicy server certificate is installed using the security certificate install command with -type set to client_ca.

Anshul
3,423 Views

These are the error on NetApp for Fpolicy SSL handshake failure, if it can help understand this issue:

Anshul_1-1623418145029.png

These error log are from command
> event log show



And for more detail on this issue:-

Same SSL certs are working when
     SSL Server : our Fpolicy Server
      SSL Client : openssl s_client tool

and same SSL certs NOT working when

1> SSL Server : our Fpolicy Server
     SSL Client : NetApp FPolicy

 

2> SSL Server : openssl s_server tool
     SSL Client : NetApp FPolicy

Jared1
3,026 Views

Did you ever get this working?  we are experiencing the exact same problem with the exact outcome as your testing. 

Anshul
2,787 Views

NetApp does not support intermediate certificates chain in this case.

Public