Yesterday, while working on a customer’s NetApp array, I hit an issue that at first looked like an SSL misconfiguration.
I needed to run Network Configuration Checker to check for any inconsistencies between the active and persistent network configuration settings in the /etc/rc file. I used NetApp OnCommand System Manager 3.1.2 with Java 8. When I tried to run a network configuration check I got this error:
‘netapp.domain.local’ is not configured for secure management with TLS
When browsing to controllers management I also got this:
‘netapp.domain.local’ is not configured for secure management with TLS. Sensitive information you supply including passwords will be visible to other computers on the network.
Do you want to continue with non-secure connection ?
The second issue you can ignore by just skipping the warning, but the Network Configuration Checker error you can’t.
Potential Resolution
I googled it and NetApp KB article 2021507 “OnCommand System Manager Java Compatibility issues” came up, which suggested that all you need to do is enable TLS on the 7-Mode controller (on Cluster Mode it is enabled by default):
options tls.enable on
This did not work for me, though.
Alternative Solution
The reason System Manager no longer works with SSL and requires TLS instead is that Java 7u75 (and later) implemented a change that disabled SSLv3 due to the POODLE security vulnerability.
So you either have to enable TLS for Java 7u75 and later (which didn’t work in my case) or downgrade to Java 7u72, the release preceding 7u75.
Once that is done, you should no longer get the error either in Network Configuration Checker or when logging in to controllers in System Manager.
April 19, 2016 at 3:13 pm
Thanks for the post, ran into the same issue.
April 19, 2016 at 10:50 pm
Thanks for stopping by, Peter.
September 27, 2017 at 11:12 am
Suddenly ran into the same problem. What fixed it for me was:
secureadmin disable ssl
secureadmin setup ssl
yes if asked
Take all the defaults but not for the keylength, there fill in 2048. With the default 512 the problem persists.
After this ssl should get enabled automatically. Check with
secureadmin status
If ssl is not enabled do
secureadmin enable ssl
October 31, 2017 at 4:04 am
Hi, Christoph. Lots must have changed since I posted this. So thanks for an updated fix to this issue.
February 12, 2018 at 8:18 am
Nikitp and Chris,
Love you both from the core, buds. I was facing the same issue as Nikitp explained in the blog. Gone through each and every NetApp KB and nothing worked for me. Finally, Chris's idea was on point. One point though, I had already created an SSL with keylength as 2048 will and all the settings were perfect on NetApp side.
This is what I have done on my side,
> Removed all the existing Java and NetApp packages
> Downloaded the Data OnTap 3.1.2
> Downloaded and installed Java SE Development Kit 7 Update (Ver 1.7.0.710)
>>>>>> Download link http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html
> On the NetApp side, below are my current NetApp options
>>>>>> options ssl
ssl.enable on
ssl.v2.enable off
ssl.v3.enable
options tls
tls.enable on
httpd.access legacy
httpd.admin.access legacy
httpd.admin.enable on
httpd.admin.hostsequiv.enable off
> As Chris suggested, I did the exact same on both NetApp controllers, and voilà, it worked !!! [as said earlier, I already had an SSL, still overwritten it with newest one on both controllers]
>>>>>> secureadmin status
ssh2 – active
ssh1 – inactive
ssl – active
> In addition, I made the java control panel settings like below. (saw this somewhere in NetApp community not sure whether it was effective or not)
>>>>>> Java Control Panel, select Advanced -> Security -> General and uncheck TLS 1.0
Cheers,
Sabi
June 29, 2018 at 9:25 am
Hi Sabi, thanks for confirming it worked for you. Kudos to Chris.
June 20, 2018 at 10:29 pm
tried the 2048 thing.. didn’t work for me
June 29, 2018 at 9:12 am
Hi Kent, sorry to hear that. I can suggest NetApp forums or alternatively submit a service ticket with NetApp technical support.
July 2, 2018 at 11:16 pm
What worked for me was uninstalling java newer than 7u72 and reinstalling java 7u72
November 17, 2018 at 5:08 am
Thanks for sharing your solution! Hope it will help others who run into the same problem.
January 9, 2019 at 7:40 pm
+1 on uninstalling new Java version and going back to 7u72. Tried all the other settings changes to no avail, and once Java was replaced, it lit up. Running system manager 3.1.3
April 21, 2019 at 1:44 am
Looks like 7u72 is the answer.
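
An added example, not from the post or from any commenter: a small Python audit that reads pasted output of options ssl, options tls and secureadmin status and reports where the controller differs from the settings discussed in this thread. The expected values (TLS on, SSLv2 and SSLv3 off, ssl service active) are a policy assumed for this example, and the sample output is constructed.

```python
import re

# Policy assumed for this example; option names are the ones shown in the thread.
EXPECTED = {
    "tls.enable": "on",
    "ssl.enable": "on",
    "ssl.v2.enable": "off",
    "ssl.v3.enable": "off",   # SSLv3 is the protocol affected by POODLE
    "ssl": "active",          # service state from `secureadmin status`
}

# "ssl.v3.enable off" (value may be absent in a paste) and "ssl - active"
OPTION_RE = re.compile(r"^((?:ssl|tls)\.[\w.]+)(?:\s+(\S+))?\s*$")
STATUS_RE = re.compile(r"^(ssl|ssh1|ssh2)\s*[-\u2013]\s*(\w+)\s*$")

def parse_console(text):
    """Return {setting: value or None} from pasted console output."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()
        m = OPTION_RE.match(line) or STATUS_RE.match(line)
        if m:
            seen[m.group(1)] = m.group(2).lower() if m.group(2) else None
    return seen

def audit(text):
    """Return sorted (setting, problem) pairs; an empty list means no deviation."""
    seen = parse_console(text)
    findings = []
    for name, want in EXPECTED.items():
        if name not in seen:
            findings.append((name, "not shown in output"))
        elif seen[name] is None:
            findings.append((name, "value missing"))
        elif seen[name] != want:
            findings.append((name, f"is {seen[name]}, expected {want}"))
    return sorted(findings)

# Constructed sample, shaped like the output pasted in the comments above.
SAMPLE = """\
ssl.enable on
ssl.v2.enable off
ssl.v3.enable
tls.enable off
ssh2 - active
ssl - inactive
"""

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

The certificate key length chosen in secureadmin setup ssl does not appear in this output, so it is not covered by the audit.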