Summary

When trying to restore files from a SnapVault backup, the instance cannot be expanded, or IA mapping fails with error rc=20014 and/or an SSLHandshakeException in the Java Debug Console. All Agentless jobs to NetApp 7-mode storage fail with an IO exception or SSLHandshakeException error.

Symptoms

  • An error displays when expanding a backup for restore or when mapping an IA drive.
  • An IA map may produce the following error: RC=20014.Cannot find. $
  • Failed to browse from node " on node "xxxxx". rc=20014 Cannot find: "xxxxxxx" Node name
  • The Java console log may also contain an SSLHandshakeException error.
  • Agentless Job reports show messages similar to the following:
X.X.X.X. SNBSVH_658E Task 2 encountered error. Error message There has been some problem while running VM Restore task, reason (java.lang.Exception: IO exception)
X.X.X.X SNBSVH_940W There was a problem running volume deduplication. Exception:IO exception

or


x.x.x.x 6/2/2014 7:58:17 pm SNBSVH_941E Other error, caused by Failed to get the Job Definition Selection from Catalogic DPX Catalog, caused by
There has been a problem in obtaining vmware connection for addr (x.x.x.x) with user name (aaa\bbb), reason (com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints)

 

Resolution

Different NetApp ONTAP versions may have different SSL keySizes. Java, which is used by DPX, also depends on the SSL keySize, and it must match the SSL keySize used by NetApp.

SSL uses public key cryptography to provide authentication. The key size and the encryption algorithm determine the strength of protection against unauthorized access. A larger key size is more resistant to decryption and is considered more secure. Starting with Java 7 update 40, use of X.509 certificates with RSA keys less than 1024 bits in length is restricted. (https://www.java.com/en/download/faq/release_changes.xml)

There are two possible solutions to resolve this issue:

  • Modify keySize on NetApp to match DPX/Java Client
  • Modify keySize on DPX/Java Client to match NetApp

Normally, you must adjust the SSL keySize to the highest value to strengthen security.

Modify the keySize to use 2048-bit SSL on the NetApp

On the NetApp OnCommand System Manager, navigate to Configuration > Security > SSH/SSL > SSL certificate > Generate SSL certificate. Change the Key length in bits to 2048, then click Setup.

Change the keySize minimum limit to 512-bit SSL in DPX/Java

If using the client system Java (Java Web Start method using http://MasterServerName:6122/dpx.jnlp), locate the following file on the client machine used to launch the GUI: <java-home>/lib/security/java.security.

  1. Locate the line: jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
  2. Edit it to: jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 512
  3. Remove the 3DES_EDE_CBC entry on the jdk.tls.disabledAlgorithms line. (This is required on 7-mode systems as the Triple DES cipher is deprecated by Java/OpenJDK 8).
  4. Save the file.
  5. On the master server and the client node that is involved in the IA mapping or backup, edit ssprodir\tools\jre\lib\security\java.security on Windows or ssprodir/misc/jre/lib/security/java.security on Linux, and perform steps 1-4.
  6. Ensure no jobs are running.
  7. Restart CMAGENT on the Master Server, or reboot it, and restart the management console GUI.
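
To help decide which of the two resolutions applies, the audit below (an added example, not Catalogic or NetApp code) parses a java.security file and reports whether a server certificate of a given RSA key size would be rejected by the certpath constraint and whether 3DES_EDE_CBC is still disabled. The sample file content, the function names and the 512-bit and 2048-bit certificate sizes are constructed for illustration.

```python
import re

# Constructed sample in java.security syntax (not copied from a real install).
SAMPLE = r"""
# Constraints applied during certification path validation
jdk.certpath.disabledAlgorithms=MD2, \
    RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, 3DES_EDE_CBC, \
    DH keySize < 768
"""


def load_properties(text):
    """Parse java.security text, joining lines continued with a backslash."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, sep, value = (pending + line).partition("=")
        pending = ""
        if sep:
            props[key.strip()] = value.strip()
    return props


def entries(props, name):
    """Return the comma-separated entries of one property, trimmed."""
    return [e.strip() for e in props.get(name, "").split(",") if e.strip()]


def audit(text, server_rsa_bits):
    """Report how this file treats a server certificate of the given RSA size."""
    props = load_properties(text)
    min_bits = None
    for entry in entries(props, "jdk.certpath.disabledAlgorithms"):
        # Only the "RSA keySize < N" form shown in the steps above is handled.
        m = re.fullmatch(r"RSA\s+keySize\s*<\s*(\d+)", entry)
        if m:
            min_bits = int(m.group(1))
    return {
        "rsa_min_bits": min_bits,
        "cert_rejected": min_bits is not None and server_rsa_bits < min_bits,
        "3des_disabled": "3DES_EDE_CBC" in entries(props, "jdk.tls.disabledAlgorithms"),
    }


if __name__ == "__main__":
    print(audit(SAMPLE, server_rsa_bits=512))    # constructed 512-bit filer certificate
    print(audit(SAMPLE, server_rsa_bits=2048))   # after regenerating at 2048 bits
```

Running it against each java.security copy named in steps 1-5, before and after editing, confirms that every copy carries the same constraints. A 2048-bit NetApp certificate passes the unmodified RSA keySize < 1024 constraint.
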
The above steps will usually resolve the issue. If the issue still occurs, check your NetApp configuration by performing the steps below:
For all DPX backup and restore operations using DPX 4.4 and later versions, TLS must be enabled on the NetApp Storage device if it is not already.
Data ONTAP supports TLSv1, SSLv3, and SSLv2. TLSv1 is a protocol version higher than SSLv3, and SSLv3 is a protocol version higher than SSLv2. A negotiation process is built into the TLS and the SSL protocols to use the highest protocol version that is supported by both the client and the server for communication. For TLS to be used for communication, both the client requesting connection and the storage system must support TLS.
Steps:
To enable or disable TLS, enter the following command:
options tls.enable on
Use on to enable TLS.
For TLS to take effect on HTTPS, ensure that the httpd.admin.ssl.enable option is also set to on.
For more information about these options, see the na_options(1) man page.
For more information about FTPS and LDAP, see the Data ONTAP File Access and Protocols Management Guide for 7-Mode.
Use off (the default) to disable TLS.
When TLS is disabled, SSL is used for communication if SSL has previously been set up and enabled.

Generate a new SSL certificate and enable it. Please check the following KB from NetApp for more detail: