Unable to start Data Aggregator after enabled FIPS on Data Repository database

Article ID: 207238

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

The DX NetOps Performance Management Data Repository cluster, running the Vertica database, is enabled for FIPS.

Attempts to start the dadaemon fail. In the Data Aggregator shutdown.log file, found by default under /opt/IMDataAggregator/apache-karaf-<version>, we see the following error:

Vertica VJDBC 6429 Error: The sending password for dauser, encryption algorithm NONE does not match the effective server configured encryption algorithm NONE

Cause

The Data Repository cluster was migrated from old hosts to new hosts.

The old cluster hosts were not enabled for FIPS. Their database backup was loaded via restore onto the new cluster hosts, where FIPS was enabled.

As a result, the database entry for dauser was not configured to use the SHA512 security algorithm, which FIPS requires. Instead it was still using MD5, which FIPS does not support.

The error is the result of FIPS rejecting the connection attempt because the database user is configured with MD5 instead of the supported SHA512.

We can see the problem by running the following command in a vsql prompt on the Data Repository Vertica database. In the output, note that dauser is listed with MD5 rather than SHA512.

Run this command to obtain that output:

select * from password_auditor;

Environment

All supported DX NetOps Performance Management releases.

Resolution

The key problem here is transferring a database from a cluster without FIPS enabled to a cluster with FIPS enabled. When migrating a Vertica cluster, ensure the source and destination clusters are configured the same way for FIPS before the migration. If the source cluster is not FIPS enabled, ensure the destination cluster is also not enabled for FIPS. After the migration, the new destination cluster can then be FIPS enabled.

To resolve this take the following steps:

  1. Disable FIPS on the new cluster hosts at the OS level.
  2. Run the following command in a vsql prompt on the Data Repository Vertica database, replacing <dapass> with the dauser password. This sample shows the successful command run when the default 'dapass' password is used.

       alter user dauser security_algorithm 'SHA512' identified by '<dapass>';

     Sample output would be:
  3. If successful, a new run of the command "select * from password_auditor;" should now show dauser using SHA512 instead of MD5.

After making this change the dadaemon service should start and successfully connect to the Data Repository Vertica database cluster.
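Because the root cause is a user left on MD5 when the cluster is switched to FIPS, it is worth checking every database user's security algorithm before enabling FIPS on the destination cluster, not just dauser. The following shell snippet is an added example, not part of this article or of the DX NetOps product: it filters "user|algorithm" lines and reports any user not on SHA512. The vsql invocation in the comment, the column names in the query and the "|"-delimited output shape are assumptions; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the KB article): report database users whose
# security algorithm is not SHA512, so they can be fixed before FIPS is
# enabled on the Data Repository cluster.
# Assumptions: vsql is on PATH; the query below returns one row per user as
# "user_name|algorithm" (column names and the -A/-t/-c flags are assumed).

# Reads "user|algorithm" lines on stdin and prints the users whose
# algorithm is not SHA512 (for example MD5), one per line.
non_sha512_users() {
  awk -F'|' 'NF >= 2 && toupper($2) != "SHA512" { print $1 }'
}

# Takes a block of "user|algorithm" lines; returns 0 when every user is on
# SHA512 and 1 otherwise, listing the offenders.
check_users() {
  offenders=$(printf '%s\n' "$1" | non_sha512_users)
  if [ -n "$offenders" ]; then
    printf 'users not using SHA512:\n%s\n' "$offenders"
    return 1
  fi
  echo 'all users use SHA512'
  return 0
}

# Constructed sample output, standing in for a real vsql run.
SAMPLE='dbadmin|SHA512
dauser|MD5
reportuser|MD5'

# Live check on a Data Repository node (assumed command line):
#   vsql -U dbadmin -At \
#     -c "select user_name, security_algorithm from password_auditor;" \
#     | non_sha512_users

check_users "$SAMPLE" || true
```

Run the live check on the source cluster before the migration and again on the destination cluster after the restore; any user it lists needs the same "alter user ... security_algorithm 'SHA512' identified by ..." treatment as dauser before FIPS is turned on.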
