For Cluster Mode NetApp
FPolicy server-auth mode failing when using third party CA signed certificates.
Fpolicy server is getting "tlsv1 alert unknown ca" error while doing SSL handshaking with FPolicy client.
We have installed public certificate of certificate authority (CA) that is used to sign the FPolicy server certificate on SVM using following command:
> security certificate install -type client-ca -vserver <vserver name>
Configured external-engine in FPolicy to enable server-auth mode:
> vserver fpolicy policy external-engine show -vserver <vserver name> -engine-name <engine name>
Vserver: <vserver name>
Engine: <engine name>
Primary FPolicy Servers: <server ip>
Port Number of FPolicy Service: <server port number>
Secondary FPolicy Servers: -
External Engine Type: asynchronous
SSL Option for External Communication: server-auth
FQDN or Custom Common Name: -
Serial Number of Certificate: -
Certificate Authority: -
Is Resiliency Feature Enabled: false
Maximum Notification Retention Duration: 3m
Directory for Notification Storage: -
In FPolicy server we are using certificate file to initialize SSL server in following format:
Now when we got FPolicy client connection in FPolicy server we are trying to do SSL handshaking and getting following error and SSL handshake failed:
"error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca".
Note: we are using OpenSSL library API for SSL handshaking.
Also, same issue produces when we use OpenSSL server tool as FPolicy Server.
Does anybody let us know where we are going wrong, what are the correct steps for FPolicy SSL communication using third party CA signed certificate. How to resolve this error/issue?
Solved! See The Solution
is it not server-ca you need to install it for?
"server-ca - includes the public key certificate for the root CA of the SSL server to which Data ONTAP is a client"
The "vserver fpolicy policy external-engine create" doc mentioned below says to use "client-ca".
Although, We have tried it with "server-ca" and it is failing with same error.
server-auth : When set to server-auth, only the FPolicy server is authenticated by the Vserver. With this option, before creating the FPolicy external engine, the administrator must install the public certificate of the certificate authority (CA) that signed the FPolicy server certificate.
The public certificate of certificate authority (CA) that is used to sign the FPolicy server certificate is installed using the security certificate install command with -type set to client_ca.
These are the error on NetApp for Fpolicy SSL handshake failure, if it can help understand this issue:
These error log are from command
> event log show
And for more detail on this issue:-
Same SSL certs are working when
SSL Server : our Fpolicy Server
SSL Client : openssl s_client tool
and same SSL certs NOT working when
1> SSL Server : our Fpolicy Server
SSL Client : NetApp FPolicy
2> SSL Server : openssl s_server tool
SSL Client : NetApp FPolicy