Storage Essentials Practitioners Forum
cancel

HP Storage Essentials discovery Problem

Highlighted
Ayman Tony
Super Contributor.

HP Storage Essentials discovery Problem

Hello Gents,

 

We have HP SE6.3.0 installed in windows environment. We are trying to discover EMC Symmetrics thru the EMC solution enabler. When we started the discovery test we got the below error. Our EMC Solution enabler version is 7.1,

==========================================================================

FAILED as EmcProvider for:

   Can't connect

   SymInitialize() failed with error code 512 (The remote client/server handshake failed.

Please consult symapi and storsrvd log files)

=========================================================================

 

Points will be awarded,,,

 

Thanks,

Ayman Tony

1 REPLY
WileyThrasher
Super Contributor.

Re: HP Storage Essentials discovery Problem

Note that SE 6.3.0 was EOS on 5/31/2012. SE 9.5.1 is the current release.

 

This error message and resolution is detailed in the SE User Guide, pg. 109-112. be sure to use the documentation published as web release to the HP SSO portal.

 

Latest documentation is posted to selfsolve (http://support.openview.hp.com/selfsolve/manuals)

 

User Guide:

http://support.openview.hp.com/selfsolve/document/KM1354083

 

 

EMC Symmetrix SSL Certificate Verification

EMC Solutions Enabler APIs began enforcing SSL (Secure Sockets Layer) certificate verification

starting with version 6.4. Previous versions of HP Storage Essentials used a pre-6.4 version of the

EMC Symmetrix client APIs that was not subject to SSL certificate verification by the Solutions

Enabler server (not even with newer versions of Solutions Enabler, for example, 7.0). HP Storage

Essentials has updated its EMC Symmetrix client APIs to version 7.1 to enable new features such

as thin provisioning and disk tiering. This version of the APIs is subject to SSL certificate

verification by the Solutions Enabler server. HP Storage Essentials and EMC administrators need

to be aware of the new security features and how to update the default configuration if necessary so

that secure communication between HP Storage Essentials and the EMC Solutions Enabler server

can be successfully established.

 

By default, EMC Solutions Enabler 7.0 (and newer) enforces SSL certificate verification during an

SSL handshake between the Solutions Enabler server and a Solutions Enabler client (HP Storage

Essentials). For HP Storage Essentials (the client) to successfully communicate with an EMC

Solutions Enabler server (the server), an SSL handshake must be successfully completed. See the

"Client/server Security" section of the EMC Solutions Enabler Installation Guide for information on

configuring SSL and resolving common issues.

 

EMC SSL Certificates

EMC SSL certificates are required on both the Solutions Enabler server and the HP Storage

Essentialsclient machines. The EMC Solutions Enabler server automatically creates its SSL

certificates during installation. HP Storage Essentials automatically creates the required client side

EMC SSL certificates during installation. On both the Solutions Enabler and HP Storage Essentials

machines, these EMC SSL certificates are located in the following directory:

l

Windows:

\Program Files\EMC\SYMAPI\config\cert

l

Linux:

/var/symapi/config/cert

This location is a requirement of the EMC APIs and is not configurable on the HP Storage

Essentialsmachine. For HP Storage Essentials installed on a 64-bit Windows OS, a directory link is

created from

\Program Files (x86)\EMC\SYMAPI\config\cert to \Program

Files\EMC\SYMAPI\config\cert

.

By default, the SSL certificates contain the fully qualified host name of the machine they were

created on. The EMC certificate verification process is sensitive to DNS name resolution. The

most common reason for SSL handshake errors between HP Storage Essentials and Solutions

Enabler is due to DNS lookup errors on the host name and corresponding IP address of the host

name stored in the certificate; for example:

 

The EMC SSL certificate of the HP Storage Essentials host contains

mgmtsvrHouston01.datacenterAbc.hp.com

. The IP address is 192.168.0.20.

 

The EMC SSL certificate of the Solutions Enabler host contains

EmcHouston09.datatcenterAbc.hp.com

. The IP address is 192.168.0.130.

 

During the SSL handshake between the HP Storage Essentials client and the Solutions Enabler

server, the Solutions Enabler server receives the HP Storage Essentials SSL client certificate,

pulls out the host name, and then tries to verify the certificate by:

 

nslookup mgmtsvrHouston01.datacenterAbc.hp.com, which returns 192.168.0.20 as expected

 

nslookup 192.168.0.20, which returns internalHost.datacenterAbc.hp.com, which does

not match what was in the certificate (mgmtsvrHouston01.datacenterAbc.hp.com)

The handshake, therefore, fails because nslookup on 192.168.0.20 fails to return the host name

specified in the certificate.

 

The same type of verification occurs on the HP Storage Essentials host, where it attempts to verify

the certificate sent by the Solutions Enabler server. In the event of a SSL handshake error, an error

is logged in the HP Storage Essentials cimom log. The error message in the HP Storage Essentials

cimom log looks similar to the following:

 

SymInitialize() failed with error code 512 (The remote client/server handshake failed. Please consult symapi and storsrvd log files.

 

On the Solutions Enabler server, a log entry is made in the current storsrvd log that contains

additional details about the reason for the SSL handshake failure.

 

If HP Storage Essentials encounters an SSL handshake failure, an event is posted with text similar

to the following:

ERROR: EMC Provider SSL handshake error with EMC Solution Enabler

server at 192.168.0.130. HP Storage Essentials is not able to

communicate with the EMC Solutions Enabler server. The most common

reason for this error is DNS issues between the EMC Solutions Enabler

host and HP Storage Essentials host. Each host must be able to (A)

successfully get the IP of the other via nslookup, AND (B) be able to

get back the correct fully qualified host name via a reverse nslookup

on the IP returned from (A). Refer to the HP Storage Essentials User's

Guide for information on EMC security features, common issues, and

workarounds. More details about this SSL handshake error can be found

in the storsrvd log on the Solutions Enabler server at 192.168.0.130.

 

Other common configuration considerations can result in an SSL handshake error when using the

default certificates, such as the Solutions Enabler or HP Storage Essentials host being multihomed

or belonging to a cluster. To resolve or work around the SSL handshake issues due to DNS

errors or special configurations (multi-homed, clustered, and so forth), there are two basic

approaches.

 

Resolution/Workaround 1: Update the SSL Certificate Using the manage_server_cert Script

The manage_server_cert script resides in the same directory as the certificates on the HP Storage

Essentialshost and in the \Program Files\EMC\SYMCLI\bin directory on the Solutions Enabler

host. To use the manage_server_cert script on the Solutions Enabler host, you must be in the

certificate directory and specify the fully qualified name of the script because the script and the

certificates are different directories; for example:

C:\Program Files\EMC\SYMAPI\config\cert> "C:\Program

Files\EMC\SYMCLI\bin\manage_server_cert.bat" list

 

In the previous example where the SSL handshake failed due to na nslookup error, the issue could

be resolved by updating the SSL certificate on the HP Storage Essentials host by issuing the

following command:

manage_server_cert.bat create mgmtsvrHouston01.datacenterAbc.hp.com

*.datacenterAbc.hp.com

 

This puts two host entries in the certificate. When the Solutions Enabler server receives this

certificate from the HP Storage Essentials client, it does an nslookup on

mgmtsvrHouston01.datacenterAbc.hp.com, which returns 192.168.0.20. It then does an nslookup

on 192.168.0.20, which returns internalHost.datacenterAbc.hp.com. This matches on the second

entry in the certificate and allows the reverse lookup verification to succeed.

 

If your HP Storage Essentials host cannot successfully resolve the Solutions Enabler server IP or

host name using nslookup but can ping it, you must add the Solutions Enabler IP and hostname to

the /etc/hosts file. You might also be able to fix the name resolution by adding the Solutions Enabler

domain suffix to the /etc/resolv.conf file.

 

The Client/server Security section of the EMC Solutions Enabler Installation Guide provides details

on SSL certificates and how to use the manage_server_cert script to manage the certificates for

various configurations/scenarios.

Resolution/Workaround 2: Disable Client Certificate Verification on the Solutions Enabler Server

1. Set the storsrvd:security_clt_secure_lvl = NOVERIFY property in the

EMC\SYMAPI\config\daemon_options file.

2. Restart the storsrvd daemon by rebooting the Solutions Enabler server or executing the

following commands:

stordaemon shutdown -immediate storsrvd

stordaemon start storsrvd

 

The Solutions Enabler host will accept the HP Storage Essentials SSL certificate without executing

the verification step that attempts to verify the host name in the certificate by nslookup and reverse

lookup.

 

Wiley Thrasher
Storage Management Expert
HP Storage TCE and Quality Tiger Team
WW L3 Pre-sales Support
Hewlett-Packard Company