Netapp_ontap fails to connect - com.netapp.nmsdk.client.ApiProtocolException: Connection error to Storage System

Article ID: 8191

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

The following error appears when trying to connect to a NetApp appliance:

[attach_socket, netapp_ontap] netapp_ontapNetAppSessionValidating connection for host 

[attach_socket, netapp_ontap] cbVerifyCtdResource failed 

[attach_socket, netapp_ontap] com.netapp.nmsdk.client.ApiProtocolException: Connection error to Storage System <systemname>: Remote host closed connection during handshake

Environment

Version: UIM 8.5.1
Component: netapp v1.40 or higher, NetApp ONTAP (8.2.2P2)

Cause

Cluster security / protocol parameters (the SSL/TLS protocol versions enabled on the cluster's web services).

Resolution

1. Via Raw Configuration on the probe, change the options line under startup to:

options = -Xms32m -Xmx1024m -Dfile.encoding=UTF-8 -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1,SSLv3

2. If that doesn't resolve the error, consider the following on the NetApp side:

The connection to a different cluster may be working because the SSLv3 protocol is DISABLED and ONLY TLSv1 is ENABLED.

Working cluster connection (cluster-mode output showing the SSL/TLS configuration):

<cluster_hostname>::> system services web show 
External Web Services: true 
Status: online 
HTTP Protocol Port: 80 
HTTPs Protocol Port: 443 
TLSv1 Enabled: true 
SSLv3 Enabled: false 
SSLv2 Enabled: false 
SSL FIPS 140-2 Enabled: false 

Both clusters were running the same version of ONTAP (8.2.2P2).

With the cluster above, the customer was NOT getting the connection error when trying to add a profile to the netapp_ontap probe.

The other cluster was getting the connection error:

Profile failed verification due to error com.netapp.nmsdk.client.ApiProtocolException: Connection error to Storage Systemmhss-<cluster_hostname>: Remote host closed connection during handshake

This is how it is configured; the ONLY difference is that SSLv3 is ENABLED in addition to TLSv1:

<cluster_hostname>::> system services web show 
External Web Services: true 
Status: online 
HTTP Protocol Port: 80 
HTTPs Protocol Port: 443 
TLSv1 Enabled: true 
SSLv3 Enabled: true 
SSLv2 Enabled: false 
SSL FIPS 140-2 Enabled: false 
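
The side-by-side comparison of the two "system services web show" listings above can be scripted when more than a couple of clusters are involved. The following is an added example, not part of the original article or of any NetApp or Broadcom tool; the function names are hypothetical and the embedded sample output is constructed from the two listings above.

```python
import re

# Constructed sample output, modeled on the two listings in this article.
WORKING = """\
<cluster_hostname>::> system services web show
External Web Services: true
Status: online
HTTP Protocol Port: 80
HTTPs Protocol Port: 443
TLSv1 Enabled: true
SSLv3 Enabled: false
SSLv2 Enabled: false
SSL FIPS 140-2 Enabled: false
"""
FAILING = WORKING.replace("SSLv3 Enabled: false", "SSLv3 Enabled: true")

def parse_web_show(text):
    """Return {field: value} for each 'Name: value' line, skipping the CLI prompt."""
    settings = {}
    for line in text.splitlines():
        if "::>" in line:  # prompt line, e.g. 'cluster1::> system services web show'
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            settings[key.strip()] = value.strip()
    return settings

def enabled_protocols(settings):
    """Protocol versions whose '<proto> Enabled' field is true, e.g. ['SSLv3', 'TLSv1']."""
    found = []
    for key, value in settings.items():
        match = re.fullmatch(r"((?:TLS|SSL)v[\d.]+) Enabled", key)
        if match and value.lower() == "true":
            found.append(match.group(1))
    return sorted(found)

def diff_settings(a, b):
    """Fields whose values differ between two clusters: {field: (a_value, b_value)}."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    ok, bad = parse_web_show(WORKING), parse_web_show(FAILING)
    for field, (good_val, bad_val) in diff_settings(ok, bad).items():
        print(f"{field}: working={good_val} failing={bad_val}")
    print("Enabled on failing cluster:", ", ".join(enabled_protocols(bad)))
```
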

====================================== 

TLSv1 is more secure than SSLv3 in any case. 

https://library.netapp.com/ecmdocs/ECMP1368862/html/GUID-3E07D3F8-6A05-49C0-BF92-9C88BA252E1F.html 

There is helpful information here on managing the web protocol engine/SSL for Clustered Data ONTAP 8.2. 

https://library.netapp.com/ecm/ecm_download_file/ECMP1636068 

In the PDF, see the section "Managing the web protocol engine".

You may need to discuss with the customer whether or not it's feasible to disable SSLv3 on the non-working cluster.