Solved: PS6000 Encrypted Connection Could Not Be Established

postables · ‎01-16-2019

My company and I recently (2 days ago) setup two PS6000's. Through the Group Manager java applet, I altered the administration settings to only allow secure connections to be established, and this was going fine for about a day or so.

As of today however, I'm unable to establish an encrypted connection to either of the PS6000's and I'm unsure as to why. The only error display is "Connection to the server could not be established".

One of the PS6000's I haven't configured to only allow secure connections, and can still access it just fine. However the second PS6000 for which I did mark secure connections only I'm unable to connect to.

I can however connect to the iSCSI volume hosted on the problem PS6000 from my ubuntu server, and write to the volume just fine. The only issue is that I can't establish a secure connection.

We have a Cisco 2960s 24port switch to which our PS6000s are connected to, and I'm wondering if that could somehow be causing part of the problem.

edit 1: I consoled into the PS6000, and enabled insecure web access, and I can access the group manager console. While looking through the logs I couldn't find anything indicating a secure connection failure. Very strange.....

edit 2: Not sure what help this will be for diagnosing the issue, but ssh access works so I would assume that means cryptographic based operations are functional.

dwilliam62 · ‎01-18-2019

Hello all,

I have found the issue. In the change list for Java 8 build 201 is the following:

Java 8 release changes

Change: TLS anon and NULL Cipher Suites are Disabled
The TLS anon (anonymous) and NULL cipher suites have been added to the jdk.tls.disabledAlgorithms security property and are now disabled by default.

** Edited the how to fix this issue to be easier to follow.

To resolve this issue, you have to edit the 'Java.Security' file and re-enable the TLS anonymous feature

Do this for both the 32bit and 64bit Java.Security file(s) if they have both java runtimes installed.

The location is installation dependent by typically the file(s) are found at:

C:\Program Files (x86)\Java\jre1.8.0_201\lib\security\Java.Security

C:\Program Files\Java\jre1.8.0_201\lib\security\Java.Security<c:\program files=""></c:\program>

Use notepad++ or any other text editor that allows proper formatting

Edit the Java.Security file

The line to be edited starts with: jdk.tls.disabledAlgorithms

You have to remove the keyword 'anon' from the line.

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \

EC keySize < 224, 3DES_EDE_CBC, anon, NULL

The line should then look like this:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \

EC keySize < 224, 3DES_EDE_CBC, NULL

Regards,

Don

View solution in original post

dwilliam62 · ‎01-16-2019

Hello,

My guess would be there is a firewall on the host blocking the ports the Java app is using. It does not use the SSH port.

Network ports used by the Dell EqualLogic (EQL) PS Series Group

Web-Based Management Protocols: To use the Web-based management feature of the group, you must allow the following protocols. Depending on your security needs, note that you can disable Web access to the group.

Web-Based Management Protocols:

Protocol Type	Port	Usage
TCP	80	HTTP to Group IP address
TCP	3002	GUI communication to Group IP address
TCP	3003	GUI communication (encrypted) to Group IP address

Regards,

Don

dwilliam62 · ‎01-16-2019

Hello,

Also the 2960 is a pretty entry level GbE switch for iSCSI use. With only two arrays and likely not too many servers attached it will likely do the job. The 2960 has limited port buffering compared to newer more SAN focused switches.

You need to make sure flowcontrol is enabled, set to "desired" vs. "on" Enable Jumbo frames and enable portfast on all the server and array ports. Also if you have two 2960s make sure you have at least FOUR ports configured as a trunk between the switches. Five or six would be better, especially if the switches are dedicated for iSCSI use. Which hopefully they are not shared with LAN traffic.

https://downloads.dell.com/solutions/storage-solution-resources/Cisco-3850-SCG-Dell-SC-Series-(SCG33...

This is the closet guide I could find. The basic IOS commands haven't changed. I'm not sure the 2960 supports some of the QoS commands it uses to better support Jumbo Frames.

Regards,

Don

postables · ‎01-16-2019

Ok i'll do some testing and report back. As I use Linux for day-to-day activities I've been accomplishing administering of iDRAC and the EQL Group Manager using a Windows VM. Yesterday I didn't have this issue so I wasn't expecting firewall to play into this however I'll do some further investigation.

As another side note, would upgrading the java version have anything to do with this? Before I attempted accessing the GUI based admin app today I did a java update.

edit: Okay definitely not a firewall issue. I attempted telnet from the windows VM to port 3003, and was able to do it successfully.

dwilliam62 · ‎01-17-2019

Hello,

What version of Java are you using? Oracle added additional security for self-signed Java Applets over time. But you can modify the Java settings to allow that. However, the MOST current version of Java isn't compatible with older EQL firmware. It requires the most current versions of EQL firmware v9.1.x and v10.0.x.

Regards,

Don

postables · ‎01-17-2019

I'm using Java Version 8 Update 201 (build 1.8.0_201-b09)

Ok I'll poke around with the switch settings now to see if that might help

dwilliam62 · ‎01-17-2019

Hello,

You will most likely have to set an exception in Java to make that work. Especially if you are using old EQL firmware.

re: Switches. Those changes won't affect the Java issue but possibly

Regards,

Don

postables · ‎01-18-2019

Thanks for all the help so far, based on our conversation, it would seem like the problem is the java version I updated to. Any idea what kind of exception I would need to set?

dwilliam62 · ‎01-18-2019

Hello,

Yes, it sounds like Java issue, definitely not a network issue.

https://www.java.com/en/download/help/jcp_security.xml

What is the FW revision on the EQL array?

Regards,

Don

pzero · ‎01-18-2019

We can confirm the issue.

With the latest Java 8 version, that is update 201, we cannot connect with encryption to our group running firmware version 9.1.8 anymore.

The previous Java 8 version, that is update 191, works fine.

Does anyone have a workaround?

Is Dell working on a firmware update?

Thanks.

PS6000 Encrypted Connection Could Not Be Established

encryption

Management

PS6000

WebUI

Re: PS6000 Encrypted Connection Could Not Be Established

Re: PS6000 Encrypted Connection Could Not Be Established

Re: PS6000 Encrypted Connection Could Not Be Established

Re: PS6000 Encrypted Connection Could Not Be Established

Re: PS6000 Encrypted Connection Could Not Be Established

Re: PS6000 Encrypted Connection Could Not Be Established

Re: PS6000 Encrypted Connection Could Not Be Established

Re: PS6000 Encrypted Connection Could Not Be Established

Re: PS6000 Encrypted Connection Could Not Be Established

Re: PS6000 Encrypted Connection Could Not Be Established

Couldn't find what you're looking for? Log in / Sign up to ask a question now