NetApp System Manager TLS Issue

Yesterday while working on one of the customers’ NetApp array I hit an issue which looked like an SSL misconfiguration at first.

I needed to run Network Configuration Checker to check for any inconsistencies between the active and persistent network configuration settings in the /etc/rc file. I used NetApp OnCommand System Manager 3.1.2 with Java 8. When I tried to run a network configuration check I got this error:

‘netapp.domain.local’ is not configured for secure management with TLS

net_checker

When browsing to controllers management I also got this:

‘netapp.domain.local’ is not configured for secure management with TLS. Sensitive information you supply including passwords will be visible to other computers on the network.

Do you want to continue with non-secure connection ?

The second issue you can ignore by just skipping the warning, but the Network Configuration Checker error you can’t.

Potential Resolution

I googled it up and NetApp KB article 2021507 “OnCommand System Manager Java Compatibility issues” came up, which suggested that all you need to do is enable TLS on the 7-Mode controller (on Cluster Mode it is enabled by default):

options tls.enable on

This did not work for me, though.

Alternative Solution

The reason why System Manager no longer works with SSL and requires TLS instead, is because Java 7u75 (and later) implemented a change that disabled SSLv3 due to the POODLE security vulnerability.

So you either have to enable TLS for Java 7u75 and later (which didn’t work in my case) or downgrade to Java 7u72, which is the previous release from 7u75.

Once that done you should no longer get the error neither in Network Configuration Checker, nor when logging in to controllers in System Manager.

Tags: java, NetApp, Network Configuration Checker, OnCommand, POODLE, security, ssl, SSLv3, System Manager, TLS

This entry was posted on February 29, 2016 at 9:35 am and is filed under Storage, Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

12 Responses to “NetApp System Manager TLS Issue”

Peter Wood Says:
April 19, 2016 at 3:13 pm | Reply
Thanks for the post, ran in to the same issue.
- niktips Says:
  April 19, 2016 at 10:50 pm | Reply
  Thanks for stopping by, Peter.
Christoph Says:
September 27, 2017 at 11:12 am | Reply
Suddenly ran into the same problem. What fixed it for me was:
secureadmin disable ssl
secureadmin setup ssl
yes if asked
Take all the defaults but not for the keylength, there fill in 2048. With the default 512 the problem persists.
After this ssl should get enabled automatically. Check with
secureadmin status
If ssl is not enabled do
secureadmin enable ssl
- niktips Says:
  October 31, 2017 at 4:04 am | Reply
  Hi, Christoph. Lots must have changed since I posted this. So thanks for an updated fix to this issue.
Sabi Says:
February 12, 2018 at 8:18 am | Reply
Nikitp and Chris,

Love you both from the core, buds. I was facing the same issue as Nikitp explained in the blog. Gone through each and every NetApp KB and nothing worked for me. Finally, Chris idea was on point. One point though, I had already created a SSL with keylength as 2048 will and all the settings were perfect on NetApp side.

This is what I have done on my side,

> Removed all the existing Java and NetApp packages
> Downloaded the Data OnTap 3.1.2
> Downloaded and installed Java SE Development Kit 7 Update (Ver 1.7.0.710)
>>>>>> Dowload link http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html
> On the NetApp side, below are my current NetApp options
>>>>>> options ssl
ssl.enable on
ssl.v2.enable off
ssl.v3.enable

options tls
tls.enable on

httpd.access legacy
httpd.admin.access legacy
httpd.admin.enable on
httpd.admin.hostsequiv.enable off

> As Chris suggested, I did the exact same on by both NetApp controllers, and viola, it worked !!! [as said earlier, I already had a SSl, still overwritten it with newest one on both controllers]

>>>>>> secureadmin status
ssh2 – active
ssh1 – inactive
ssl – active

> In addition, I made the java control panel settings like below. (saw this somewhere in NetApp community not sure whether it was effective or not)

>>>>>> Java Control Panel, select Advanced -> Security -> General and uncheck TLS 1.0

Cheers,
Sabi
- niktips Says:
  June 29, 2018 at 9:25 am | Reply
  Hi Sabi, thanks for confirming it worked for you. Kudos to Chris.
Kent Dannehl Says:
June 20, 2018 at 10:29 pm | Reply
tried the 2048 thing.. didn’t work for me
- niktips Says:
  June 29, 2018 at 9:12 am | Reply
  Hi Kent, sorry to hear that. I can suggest NetApp forums or alternatively submit a service ticket with NetApp technical support.
Kent Dannehl Says:
July 2, 2018 at 11:16 pm | Reply
What worked for me was uninstalling java newer than 7u72 and reinstalling java 7u72
- niktips Says:
  November 17, 2018 at 5:08 am | Reply
  Thanks for sharing your solution! Hope it will help others who run into the same problem.
Dustin B Says:
January 9, 2019 at 7:40 pm | Reply
+1 on uninstalling new Java version and going back to 7u72. Tried all the other settings changes to no avail, and once Java was replaced, it lit up. Running system manager 3.1.3
- niktips Says:
  April 21, 2019 at 1:44 am | Reply
  Looks like 7u72 us the answer.

Niktips's Blog