Virtual Storage Console 2.1 and SSL

avbohemen
Hi all,

We have 2 filers, both serving some NFS volumes to an ESX farm, both running Ontap 8.0.1P1. One filer was set up using SSL from the start. The other one was upgraded from Ontap 7.3.x, and SSL was enabled later. Now, the first filer has no problems when I add it in VSC. The second one (the upgraded one) can only be added to VSC if I disable SSL on the filer. If I enable SSL, I get the error "the hostname cannot be resolved" when I try to add it in VSC. DNS resolving is working fine, so that is not a problem. And, like I said, if I don't use SSL, I can also add the filer without problems.

The same goes for the SMVI setup within VSC. With SSL, I get the error "could not login to the storage system with the provided credentials". The Windows event log gives this error: "ERROR com.netapp.common.flow.TaskInstanceTemplate - FLOW-11019: Failure in CredStorageSystemAddAction: ZEPHYR-10004: ZAPI call "system-get-version" to "netapp01" threw exception: Remote host closed connection during handshake". With SSL disabled on the filer, there is no problem except for a warning that SSL is not enabled.

I tried creating a new certificate (multiple times), but it did not help. Does anyone know what's happening?

1 ACCEPTED SOLUTION

avbohemen
Found the answer myself: for some reason, VSC 2.1 requires SSL v2 to be enabled on the storage system. Although v2 has been deprecated since 1996 because of security issues, NetApp still requires it...

It appeared that "options ssl.v2.enable on" was set on one filer, but not on the other. After enabling this really old protocol, the filer could be added to VSC without problems. I opened a case with NetApp Global Support for this security issue. Let's see what happens.
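Added example (not part of the original post, and not NetApp code): a Python check of whether a controller's HTTPS port still answers an SSLv2 handshake, which is what `options ssl.v2.enable` controls. The function names, the default port 443 and the sample reply bytes are assumptions constructed for illustration.

```python
import socket
import struct
import sys

# SSLv2 cipher kinds (3 bytes each): RC4-128-MD5, RC2-128-CBC-MD5, DES-192-EDE3-CBC-MD5
SSL2_CIPHERS = bytes.fromhex("010080" "030080" "0700c0")

def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Return an SSLv2 CLIENT-HELLO record (2-byte header with the MSB set)."""
    # msg type 1, version 0x0002, cipher-spec length, session-id length, challenge length
    body = struct.pack(">BHHHH", 1, 0x0002, len(SSL2_CIPHERS), 0, len(challenge))
    body += SSL2_CIPHERS + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back after the CLIENT-HELLO."""
    if not data:
        return "closed"          # connection dropped: SSLv2 refused
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 4:
        return "sslv2-accepted"  # SSLv2 SERVER-HELLO (message type 4)
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0:
        return "sslv2-error"     # SSLv2 ERROR message: server speaks SSLv2 but rejected the hello
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"       # SSLv3/TLS alert record: SSLv2 refused
    return "unknown"

def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send one CLIENT-HELLO to host:port and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sslv2_client_hello())
            return classify_reply(s.recv(64))
    except ConnectionResetError:
        return "closed"

# Constructed sample replies (truncated, not captured from a real filer).
SAMPLE_SERVER_HELLO = bytes.fromhex("801a" "04" "00" "01" "0002" "0000" "0003" "0010")
SAMPLE_TLS_ALERT = bytes.fromhex("15030100020228")  # fatal handshake_failure

if __name__ == "__main__":
    if len(sys.argv) > 1:        # hostname supplied by the operator
        print(sys.argv[1], probe_sslv2(sys.argv[1]))
    else:
        print(classify_reply(SAMPLE_SERVER_HELLO), classify_reply(SAMPLE_TLS_ALERT))
```

A result of `closed` or `tls-alert` means the controller refused the SSLv2 hello; `sslv2-accepted` means the deprecated protocol is still enabled on that port.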

6 REPLIES

chris_hague
Hi there, we are having the same issue. Did you receive an answer from NetApp Global Support?

avbohemen
Yes, it turned out to be a bug/RFE, under this BOL id: http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=526771

I cannot view the details, it's probably NetApp internal only.

rubinsed1
Is any of this fixed in VSC 2.1.2 or VSC 4.0 (i.e., is SSLv3.0/3.1/TLS1.0, etc. supported now)?

mital_shah
Thank you all, this post helped me resolve the following error in NetApp VSC4.1: "the hostname:port# cannot be resolved", when getting controller details from Monitoring & Host Configuration -> Overview.

Strangely, I did have SSL v1,2,3 all enabled too but still got the error. I ran "secureadmin setup ssl" just to check it out and the controller got detected immediately thereafter.

ritchi641
Got the same problem with System Manager 3.1 RC1. I ran "secureadmin setup ssl" and it regenerated the SSL certificate. It works fine after this!

Thanks Mital for your input! Greatly appreciated.
