NetApp System Manager TLS Issue

Yesterday, while working on one of the customers’ NetApp arrays, I hit an issue which looked like an SSL misconfiguration at first.

I needed to run Network Configuration Checker to check for any inconsistencies between the active and persistent network configuration settings in the /etc/rc file. I used NetApp OnCommand System Manager 3.1.2 with Java 8. When I tried to run a network configuration check I got this error:

‘netapp.domain.local’ is not configured for secure management with TLS

When browsing to controllers management I also got this:

‘netapp.domain.local’ is not configured for secure management with TLS. Sensitive information you supply including passwords will be visible to other computers on the network.

Do you want to continue with non-secure connection ?

The second issue you can ignore by just skipping the warning, but the Network Configuration Checker error you can’t.

Potential Resolution

I googled it up and NetApp KB article 2021507 “OnCommand System Manager Java Compatibility issues” came up, which suggested that all you need to do is enable TLS on the 7-Mode controller (on Cluster Mode it is enabled by default):

options tls.enable on

This did not work for me, though.

Alternative Solution

System Manager no longer works with SSL and requires TLS instead because Java 7u75 (and later) disabled SSLv3 in response to the POODLE security vulnerability.

So you either have to enable TLS for Java 7u75 and later (which didn’t work in my case) or downgrade to Java 7u72, the release before 7u75, in which SSLv3 is still enabled.

Once that is done, you should no longer get the error either in Network Configuration Checker or when logging in to controllers in System Manager.
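
The protocol mismatch described above, as an added example that is not part of the original post: a small Python model that takes the client Java version and pasted "options ssl" / "options tls" output and reports which protocols both sides share. It covers only the protocol-version cause. The function names, the 8u31 threshold for Java 8, and the mapping of tls.enable to TLSv1 are assumptions not found in the post.

```python
import re

# First update of each Java line that ships with SSLv3 disabled. 7u75 is from
# the post; 8u31 is the matching Java 8 release and is not stated in the post.
SSLV3_OFF_SINCE = {7: 75, 8: 31}

# Constructed sample in the "options ssl" / "options tls" layout, not a real capture.
SAMPLE = "ssl.enable on\nssl.v2.enable off\nssl.v3.enable on\ntls.enable off\n"


def java_protocols(version):
    """Protocols a default client offers; accepts '7u72' or '1.7.0_72' style strings."""
    m = re.fullmatch(r"(?:1\.)?(\d+)(?:u|\.0_)(\d+)", version.strip())
    if not m or int(m.group(1)) not in SSLV3_OFF_SINCE:
        raise ValueError("unsupported Java version string: %r" % version)
    major, update = int(m.group(1)), int(m.group(2))
    # Assumption: tls.enable on the controller corresponds to TLSv1.
    return {"TLSv1"} if update >= SSLV3_OFF_SINCE[major] else {"TLSv1", "SSLv3"}


def controller_protocols(console_text):
    """Parse pasted option lines; return (accepted protocols, parsed options)."""
    opts = {}
    for line in console_text.splitlines():
        parts = line.split()
        if parts and re.fullmatch(r"(ssl|tls)\.[\w.]+", parts[0]):
            # A line with no value is recorded as unknown rather than guessed.
            opts[parts[0]] = parts[1].lower() if len(parts) > 1 else None
    names = {"ssl.v2.enable": "SSLv2", "ssl.v3.enable": "SSLv3", "tls.enable": "TLSv1"}
    # Assumption: with ssl.enable off the controller serves no HTTPS at all.
    if opts.get("ssl.enable") != "on":
        return set(), opts
    return {name for key, name in names.items() if opts.get(key) == "on"}, opts


def diagnose(java_version, console_text):
    """Return (shared protocols, findings) for one client/controller pair."""
    server, opts = controller_protocols(console_text)
    shared = java_protocols(java_version) & server
    findings = []
    if not shared:
        findings.append("no common protocol: System Manager cannot connect securely")
    elif shared == {"SSLv3"}:
        findings.append("SSLv3 is the only common protocol (affected by POODLE)")
    findings += ["value not shown for " + k for k, v in opts.items() if v is None]
    return shared, findings


if __name__ == "__main__":
    for java in ("7u72", "7u75"):
        print(java, diagnose(java, SAMPLE))
```

A result with SSLv3 as the only shared protocol means the downgrade works only because the client is willing to speak SSLv3 again.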

12 Responses to “NetApp System Manager TLS Issue”

  1. Peter Wood Says:

    Thanks for the post, ran into the same issue.

  2. Christoph Says:

    Suddenly ran into the same problem. What fixed it for me was:
    secureadmin disable ssl
    secureadmin setup ssl
    yes if asked
    Take all the defaults but not for the keylength, there fill in 2048. With the default 512 the problem persists.
    After this ssl should get enabled automatically. Check with
    secureadmin status
    If ssl is not enabled do
    secureadmin enable ssl

  3. Sabi Says:

    Nikitp and Chris,

    Love you both from the core, buds. I was facing the same issue as Nikitp explained in the blog. Gone through each and every NetApp KB and nothing worked for me. Finally, Chris's idea was on point. One point though, I had already created an SSL with keylength as 2048 will and all the settings were perfect on NetApp side.

    This is what I have done on my side,

    > Removed all the existing Java and NetApp packages
    > Downloaded the Data OnTap 3.1.2
    > Downloaded and installed Java SE Development Kit 7 Update (Ver 1.7.0.710)
    >>>>>> Download link http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html
    > On the NetApp side, below are my current NetApp options
    >>>>>> options ssl
    ssl.enable on
    ssl.v2.enable off
    ssl.v3.enable

    options tls
    tls.enable on

    httpd.access legacy
    httpd.admin.access legacy
    httpd.admin.enable on
    httpd.admin.hostsequiv.enable off

    > As Chris suggested, I did the exact same on both NetApp controllers, and voilà, it worked !!! [as said earlier, I already had an SSL, still overwrote it with the newest one on both controllers]

    >>>>>> secureadmin status
    ssh2 – active
    ssh1 – inactive
    ssl – active

    > In addition, I made the java control panel settings like below. (saw this somewhere in NetApp community not sure whether it was effective or not)

    >>>>>> Java Control Panel, select Advanced -> Security -> General and uncheck TLS 1.0

    Cheers,
    Sabi

  4. Kent Dannehl Says:

    tried the 2048 thing.. didn’t work for me

  5. Kent Dannehl Says:

    What worked for me was uninstalling java newer than 7u72 and reinstalling java 7u72

  6. Dustin B Says:

    +1 on uninstalling new Java version and going back to 7u72. Tried all the other settings changes to no avail, and once Java was replaced, it lit up. Running system manager 3.1.3
