Software Development Kit (SDK) and API Discussions

FPolicy server-auth mode failing when using third party CA signed certificates.


For Cluster Mode NetApp
FPolicy server-auth mode failing when using third party CA signed certificates.


Fpolicy server is getting "tlsv1 alert unknown ca" error while doing SSL handshaking with FPolicy client.


We have installed public certificate of certificate authority (CA) that is used to sign the FPolicy server certificate on SVM using following command:
> security certificate install -type client-ca -vserver <vserver name>

Configured external-engine in FPolicy to enable server-auth mode:

> vserver fpolicy policy external-engine show -vserver <vserver name> -engine-name <engine name>

Vserver: <vserver name>
Engine: <engine name>
Primary FPolicy Servers: <server ip>
Port Number of FPolicy Service: <server port number>
Secondary FPolicy Servers: -
External Engine Type: asynchronous
SSL Option for External Communication: server-auth
FQDN or Custom Common Name: -
Serial Number of Certificate: -
Certificate Authority: -
Is Resiliency Feature Enabled: false
Maximum Notification Retention Duration: 3m
Directory for Notification Storage: -

In FPolicy server we are using certificate file to initialize SSL server in following format:

                   The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.
We are also using certificate's key file for initialize SSL server.

Now when we got FPolicy client connection in FPolicy server we are trying to do SSL handshaking and getting following error and SSL handshake failed:
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca".

Note: we are using OpenSSL library API for SSL handshaking.


Also, same issue produces when we use OpenSSL server tool as FPolicy Server.

Our Fpolicy Server can handshake and have the cert chain validated with the OpenSSL client tool. NetApp SVM doesn't work with an OpenSSL server tool using the same certs.

Does anybody let us know where we are going wrong, what are the correct steps for FPolicy SSL communication using third party CA signed certificate. How to resolve this error/issue?





is it not server-ca you need to install it for?

"server-ca - includes the public key certificate for the root CA of the SSL server to which Data ONTAP is a client"


Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK


The "vserver fpolicy policy external-engine create" doc mentioned below says to use "client-ca".
Although, We have tried it with "server-ca" and it is failing with same error.

server-auth : When set to server-auth, only the FPolicy server is authenticated by the Vserver. With this option, before creating the FPolicy external engine, the administrator must install the public certificate of the certificate authority (CA) that signed the FPolicy server certificate.

The public certificate of certificate authority (CA) that is used to sign the FPolicy server certificate is installed using the security certificate install command with -type set to client_ca.


These are the error on NetApp for Fpolicy SSL handshake failure, if it can help understand this issue:


These error log are from command
> event log show

And for more detail on this issue:-

Same SSL certs are working when
     SSL Server : our Fpolicy Server
      SSL Client : openssl s_client tool

and same SSL certs NOT working when

1> SSL Server : our Fpolicy Server
     SSL Client : NetApp FPolicy


2> SSL Server : openssl s_server tool
     SSL Client : NetApp FPolicy

NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner