Summary
When trying to restore files from a SnapVault backup, the instance cannot be expanded or IA mapping fails with error rc=20014 and/or an SSLHandshakeException in the Java Debug Console. All Agentless jobs to NetApp 7-mode storage fail with an IO exception or SSLHandshakeException error.
Symptoms
- Error Displays When Expanding Backup for Restore or IA Mapping drive
- An IA map may produce the following error: RC=20014.Cannot find. $
- Failed to browse from node " on node "xxxxx". rc=20014 Cannot find: "xxxxxxx" Node name
- Agentless Job reports show messages similar to the following:
or
x.x.x.x 6/2/2014 7:58:17 pm SNBSVH_941E Other error, caused by Failed to get the Job Definition Selection from Catalogic DPX Catalog, caused by
There has been a problem in obtaining vmware connection for addr (x.x.x.x) with user name (aaa\bbb), reason (com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints)
Resolution
Different NetApp ONTAP versions may have different SSL keySizes. Java, which is used by DPX, also depends on the SSL keySize, and it must match the SSL keySize used by NetApp.
SSL uses public key cryptography to provide authentication. The key size and the encryption algorithm determine the strength of protection against unauthorized access. A larger key size is more resistant to decryption and is considered more secure. Starting with Java 7 update 40, use of X.509 certificates with RSA keys less than 1024 bits in length is restricted. (https://www.java.com/en/download/faq/release_changes.xml)
There are two possible solutions to resolve this issue:
- Modify keySize on NetApp to match DPX/Java Client
- Modify keySize on DPX/Java Client to match NetApp
Normally, you must adjust the SSL keySize to the highest value to strengthen security.
Modify the keySize to use 2048-bit SSL on the NetApp
On the NetApp OnCommand System Manager, navigate to Configuration > Security > SSH/SSL > SSL certificate > Generate SSL certificate. Change the Key length in bits to 2048, then click Setup.
Change the keySize minimum limit to 512-bit SSL in DPX/Java
If using the client system Java (Java Webstart method using http://MasterServerName:6122/dpx.jnlp), locate the following file on the client machine used to launch the GUI: <java-home>/lib/security/java.security.
1. Locate the line:
   jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
2. Edit it to:
   jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 512
3. Remove the 3DES_EDE_CBC entry on the jdk.tls.disabledAlgorithms line. (This is required on 7-mode systems as the Triple DES cipher is deprecated by Java/OpenJDK 8).
4. Save the file.
5. On the master server and the client node that is involved in the IA mapping or backup, edit ssprodir\tools\jre\lib\security\java.security on Windows and ssprodir/misc/jre/lib/security/java.security on Linux and perform steps 1-4.
6. Ensure no jobs are running.
7. Restart CMAGENT on the Master Server or reboot it and restart the management console GUI.
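To record which hosts carry the relaxed settings after the java.security edits above, the following added example (not part of the original article or of DPX) parses a java.security file and reports the RSA keySize floor and whether 3DES_EDE_CBC is still disabled. The function names, the sample text and the 1024-bit default floor (taken from the original line quoted in the steps) are assumptions made for illustration.

```python
import re
import sys

# Constructed sample: a java.security excerpt after the edits described above.
SAMPLE = """\
# constructed sample, not from a real installation
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 512
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224
"""

def load_properties(text):
    """Parse key=value properties, joining backslash-continued lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue                        # blank line or comment
        if line.endswith("\\"):
            pending += line[:-1]            # value continues on the next line
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()  # a later duplicate key wins
        pending = ""
    return props

def audit(text, rsa_floor=1024):
    """Report where the two properties edited above are weaker than rsa_floor."""
    props = load_properties(text)
    findings = []
    certpath = props.get("jdk.certpath.disabledAlgorithms", "")
    match = re.search(r"RSA\s+keySize\s*<\s*(\d+)", certpath)
    if match is None:
        findings.append("certpath: no RSA keySize restriction")
    elif int(match.group(1)) < rsa_floor:
        findings.append(f"certpath: RSA keySize floor is {match.group(1)}, below {rsa_floor}")
    tls = re.split(r"\s*,\s*", props.get("jdk.tls.disabledAlgorithms", "").strip())
    if "3DES_EDE_CBC" not in tls:
        findings.append("tls: 3DES_EDE_CBC is not disabled")
    return findings

if __name__ == "__main__":  # optional argument: path to a java.security file
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(audit(text)) or "no findings")
```

Run it against each copy of java.security named in the steps (the client JRE and the JRE under ssprodir) so the list of relaxed hosts can be revisited once the filer certificate is regenerated with a 2048-bit key.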
Steps:
options tls.enable on
Use on to enable TLS.
For TLS to take effect on HTTPS, ensure that the httpd.admin.ssl.enable option is also set to on.
For more information about these options, see the na_options(1) man page.
For more information about FTPS and LDAP, see the Data ONTAP File Access and Protocols Management Guide for 7-Mode.
Use off (the default) to disable TLS.
When TLS is disabled, SSL is used for communication if SSL has previously been set up and enabled.