Netapp_ontap fails to connect - com.netapp.nmsdk.client.ApiProtocolException: Connection error to Storage System
search cancel

Netapp_ontap fails to connect - com.netapp.nmsdk.client.ApiProtocolException: Connection error to Storage System

book

Article ID: 8191

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM) CA Unified Infrastructure Management On-Premise (Nimsoft / UIM) CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

Seeing the following error when trying to connect to a netapp appliance:

[attach_socket, netapp_ontap] netapp_ontapNetAppSessionValidating connection for host 

[attach_socket, netapp_ontap] cbVerifyCtdResource failed 

[attach_socket, netapp_ontap] com.netapp.nmsdk.client.ApiProtocolException: Connection error to Storage System <systemname>: Remote host closed connection during handshake

Environment

Version: UIM 8.5.1 or higher
Component: netapp v1.40 or higher, netapp ONTAP (8.2.2P2)

Cause

  • cluster security / protocol parameters

Resolution

1. Via Raw Configuration on the probe please change the options line under startup to:

options = -Xms32m -Xmx1024m -Dfile.encoding=UTF-8 -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1,SSLv3


2. If that doesn't resolve the error/issue consider the following in netapp:

...The connection to a different cluster may be working because SSLv3 protocol is DISABLED, AND ONLY TLSv1 is ENABLED

Working cluster connection... (cluster mode configuration showing SSL/TLS configuration) 

<cluster_hostname>::> system services web show 
External Web Services: true 
Status: online 
HTTP Protocol Port: 80 
HTTPs Protocol Port: 443 
TLSv1 Enabled: true 
SSLv3 Enabled: false 
SSLv2 Enabled: false 
SSL FIPS 140-2 Enabled: false 

Both clusters were running the same version of ONTAP (8.2.2P2).

Customer was NOT getting the same connection error when trying to add a profile to the netapp_ontap probe

The other cluster, was getting the connection error:

Profile failed verification due to error com.netapp.nmsdk.client.ApiProtocolException: Connection error to Storage Systemmhss-<cluster_hostname>: Remote host closed connection during handshake

And this is how it is configured, showing the ONLY difference being that both SSLv3 is ENABLED and so is TLSv1

<cluster_hostname>::> system services web show 
External Web Services: true 
Status: online 
HTTP Protocol Port: 80 
HTTPs Protocol Port: 443 
TLSv1 Enabled: true 
SSLv3 Enabled: true 
SSLv2 Enabled: false 
SSL FIPS 140-2 Enabled: false 

====================================== 

TLSv1 is more secure than SSLv3 in any case. 

https://library.netapp.com/ecmdocs/ECMP1368862/html/GUID-3E07D3F8-6A05-49C0-BF92-9C88BA252E1F.html 

There is helpful information on managing the web protocol engine/SSL for Clustered Data ONTAP 8.2. 

In the pdf check out "Managing the web protocol engine" 


Additional Information

You may need to discuss with the customer whether or not its feasible to disable SSLv3 on the non-working cluster.