My company and I recently (2 days ago) set up two PS6000s. Through the Group Manager Java applet, I altered the administration settings to only allow secure connections to be established, and this was going fine for about a day or so.
As of today however, I'm unable to establish an encrypted connection to either of the PS6000's and I'm unsure as to why. The only error display is "Connection to the server could not be established".
One of the PS6000's I haven't configured to only allow secure connections, and can still access it just fine. However the second PS6000 for which I did mark secure connections only I'm unable to connect to.
I can however connect to the iSCSI volume hosted on the problem PS6000 from my Ubuntu server, and write to the volume just fine. The only issue is that I can't establish a secure connection.
We have a Cisco 2960s 24-port switch to which our PS6000s are connected, and I'm wondering if that could somehow be causing part of the problem.
edit 1: I consoled into the PS6000, and enabled insecure web access, and I can access the group manager console. While looking through the logs I couldn't find anything indicating a secure connection failure. Very strange.....
edit 2: Not sure what help this will be for diagnosing the issue, but ssh access works so I would assume that means cryptographic based operations are functional.
Hello all,
I have found the issue. In the change list for Java 8 build 201 is the following:
Java 8 release changes
** Edited the how to fix this issue to be easier to follow.
To resolve this issue, you have to edit the 'Java.Security' file and re-enable the TLS anonymous feature. Do this for both the 32bit and 64bit Java.Security file(s) if they have both java runtimes installed.

The location is installation dependent but typically the file(s) are found at:
C:\Program Files (x86)\Java\jre1.8.0_201\lib\security\Java.Security
C:\Program Files\Java\jre1.8.0_201\lib\security\Java.Security

Use notepad++ or any other text editor that allows proper formatting.
Edit the Java.Security file.
The line to be edited starts with: jdk.tls.disabledAlgorithms
You have to remove the keyword 'anon' from the line.

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

The line should then look like this:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, NULL
Regards,
Don
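Added example, not part of the original post: a Python check that parses a java.security file, joins the backslash-continued line shown above, and reports whether 'anon' is still listed in jdk.tls.disabledAlgorithms, so you can track which JREs carry this workaround. The sample text is constructed from the line quoted in the post; the function names and status strings are assumptions of this example.

```python
PROP = "jdk.tls.disabledAlgorithms"

def logical_lines(text):
    """Yield property entries, joining backslash continuations (simplified
    version of the java.util.Properties line rules)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()  # leading whitespace is dropped, also on continuations
        if not buf and (not line or line[0] in "#!"):
            continue  # blank line or comment
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd number of trailing backslashes: entry continues
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def disabled_algorithms(text):
    """Return the entries of jdk.tls.disabledAlgorithms, or None if absent.
    Only the key=value form is handled; the last definition wins."""
    entries = None
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROP:
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def anon_status(text):
    entries = disabled_algorithms(text)
    if entries is None:
        return "property-missing"
    # compare case-insensitively so 'ANON' or 'Anon' is not missed
    blocked = any(e.lower() == "anon" for e in entries)
    return "anon-disabled" if blocked else "anon-allowed"

# Constructed sample: the stock line from the post, then the edited form.
STOCK = """# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""
EDITED = STOCK.replace(" anon,", "")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # pass one or more java.security paths
        with open(path, encoding="latin-1") as fh:
            print(path, anon_status(fh.read()))
```

A JRE reported as "anon-allowed" will negotiate anonymous (unauthenticated) TLS cipher suites with any server, not only the EqualLogic group.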
Hello,
My guess would be there is a firewall on the host blocking the ports the Java app is using. It does not use the SSH port.
Network ports used by the Dell EqualLogic (EQL) PS Series Group
Web-Based Management Protocols: To use the Web-based management feature of the group, you must allow the following protocols. Depending on your security needs, note that you can disable Web access to the group.
Web-Based Management Protocols:
Regards,
Don
Hello,
Also the 2960 is a pretty entry level GbE switch for iSCSI use. With only two arrays and likely not too many servers attached it will likely do the job. The 2960 has limited port buffering compared to newer more SAN focused switches.
You need to make sure flowcontrol is enabled, set to "desired" vs. "on". Enable Jumbo frames and enable portfast on all the server and array ports. Also, if you have two 2960s, make sure you have at least FOUR ports configured as a trunk between the switches. Five or six would be better, especially if the switches are dedicated for iSCSI use. Which hopefully they are not shared with LAN traffic.
This is the closest guide I could find. The basic IOS commands haven't changed. I'm not sure the 2960 supports some of the QoS commands it uses to better support Jumbo Frames.
Regards,
Don
Ok, I'll do some testing and report back. As I use Linux for day-to-day activities, I've been administering iDRAC and the EQL Group Manager using a Windows VM. Yesterday I didn't have this issue, so I wasn't expecting the firewall to play into this; however, I'll do some further investigation.
As another side note, would upgrading the java version have anything to do with this? Before I attempted accessing the GUI based admin app today I did a java update.
edit: Okay, definitely not a firewall issue. I attempted telnet from the Windows VM to port 3003, and was able to do it successfully.
Hello,
What version of Java are you using? Oracle added additional security for self-signed Java Applets over time. But you can modify the Java settings to allow that. However, the MOST current version of Java isn't compatible with older EQL firmware. It requires the most current versions of EQL firmware v9.1.x and v10.0.x.
Regards,
Don
I'm using Java Version 8 Update 201 (build 1.8.0_201-b09)
Ok I'll poke around with the switch settings now to see if that might help
Hello,
You will most likely have to set an exception in Java to make that work. Especially if you are using old EQL firmware.
re: Switches. Those changes won't affect the Java issue but possibly
Regards,
Don
Thanks for all the help so far, based on our conversation, it would seem like the problem is the java version I updated to. Any idea what kind of exception I would need to set?
Hello,
Yes, it sounds like a Java issue, definitely not a network issue.
https://www.java.com/en/download/help/jcp_security.xml
What is the FW revision on the EQL array?
Regards,
Don
We can confirm the issue.
With the latest Java 8 version, that is update 201, we cannot connect with encryption to our group running firmware version 9.1.8 anymore.
The previous Java 8 version, that is update 191, works fine.
Does anyone have a workaround?
Is Dell working on a firmware update?
Thanks.