
January 16th, 2019 19:00

PS6000 Encrypted Connection Could Not Be Established

My company and I recently (2 days ago) set up two PS6000s. Through the Group Manager Java applet, I altered the administration settings to only allow secure connections to be established, and this was going fine for about a day or so.

As of today however, I'm unable to establish an encrypted connection to either of the PS6000s and I'm unsure as to why. The only error displayed is "Connection to the server could not be established".

One of the PS6000s I haven't configured to only allow secure connections, and I can still access it just fine. However, the second PS6000, for which I did mark secure connections only, I'm unable to connect to.

I can however connect to the iSCSI volume hosted on the problem PS6000 from my Ubuntu server, and write to the volume just fine. The only issue is that I can't establish a secure connection.

We have a Cisco 2960s 24-port switch to which our PS6000s are connected, and I'm wondering if that could somehow be causing part of the problem.

 

edit 1: I consoled into the PS6000, and enabled insecure web access, and I can access the group manager console. While looking through the logs I couldn't find anything indicating a secure connection failure. Very strange.....

 

edit 2: Not sure what help this will be for diagnosing the issue, but ssh access works so I would assume that means cryptographic based operations are functional.

1 Rookie • 1.5K Posts

January 18th, 2019 05:00

Hello all, 

 I have found the issue.  In the change list for Java 8 build 201 is the following: 

Java 8 release changes

  • Change: TLS anon and NULL Cipher Suites are Disabled
    The TLS anon (anonymous) and NULL cipher suites have been added to the jdk.tls.disabledAlgorithms security property and are now disabled by default.

** Edited the how to fix this issue to be easier to follow. 

To resolve this issue, you have to edit the 'Java.Security' file and re-enable the TLS anonymous feature.

Do this for both the 32-bit and 64-bit Java.Security file(s) if they have both Java runtimes installed.

The location is installation dependent, but typically the file(s) are found at:

 C:\Program Files (x86)\Java\jre1.8.0_201\lib\security\Java.Security

 C:\Program Files\Java\jre1.8.0_201\lib\security\Java.Security

Use notepad++ or any other text editor that allows proper formatting

Edit the Java.Security file 

 The line to be edited starts with:  jdk.tls.disabledAlgorithms

You have to remove the keyword 'anon' from the line. 

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

 
The line should then look like this: 

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, NULL
 

 

 Regards, 

Don
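Added example, not part of the post above or of any Dell or Oracle tooling: a Python check that parses a java.security file, joins the backslash-continued `jdk.tls.disabledAlgorithms` line, and reports whether `anon` and `NULL` are still disabled. Anonymous suites carry no server authentication, so it helps to know which JREs carry this edit; the function names and sample strings are constructed for illustration.

```python
import sys

PROP = "jdk.tls.disabledAlgorithms"

def logical_lines(text):
    """Yield java.security entries with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):
            buf += line[:-1]              # value continues on the next line
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def disabled_tls_algorithms(text):
    """Return the entries of jdk.tls.disabledAlgorithms, or None if unset."""
    found = None
    for entry in logical_lines(text):
        key, sep, value = entry.partition("=")
        if sep and key.strip() == PROP:   # a later definition replaces an earlier one
            found = [v.strip() for v in value.split(",") if v.strip()]
    return found

def audit(text):
    """Report whether the anon and NULL suites are still disabled."""
    names = {a.lower() for a in (disabled_tls_algorithms(text) or [])}
    return {"anon_disabled": "anon" in names, "null_disabled": "null" in names}

# Constructed samples: the two forms of the line shown in the post above.
STOCK = ("jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\\n"
         "    EC keySize < 224, 3DES_EDE_CBC, anon, NULL\n")
EDITED = STOCK.replace(" anon,", "")

if __name__ == "__main__":
    # Usage (hypothetical script name): python audit_java_security.py <path> [...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, audit(fh.read()))
```

Run it against each installed runtime's file, for example the 32-bit and 64-bit paths listed in the post.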

 

 

 

1 Rookie • 1.5K Posts

January 16th, 2019 22:00

Hello, 

Also the 2960 is a pretty entry level GbE switch for iSCSI use.  With only two arrays and likely not too many servers attached it will likely do the job.  The 2960 has limited port buffering compared to newer more SAN focused switches. 

You need to make sure flowcontrol is enabled, set to "desired" vs. "on". Enable Jumbo frames and enable portfast on all the server and array ports. Also if you have two 2960s make sure you have at least FOUR ports configured as a trunk between the switches. Five or six would be better, especially if the switches are dedicated for iSCSI use. Which hopefully they are not shared with LAN traffic.

https://downloads.dell.com/solutions/storage-solution-resources/Cisco-3850-SCG-Dell-SC-Series-(SCG3300).pdf

This is the closest guide I could find. The basic IOS commands haven't changed. I'm not sure the 2960 supports some of the QoS commands it uses to better support Jumbo Frames.

  Regards, 

Don 

1 Rookie • 1.5K Posts

January 16th, 2019 22:00

Hello, 

My guess would be there is a firewall on the host blocking the ports the Java app is using. It does not use the SSH port. 

 Network ports used by the Dell EqualLogic (EQL) PS Series Group

Web-Based Management Protocols:   To use the Web-based management feature of the group, you must allow the following protocols.  Depending on your security needs, note that you can disable Web access to the group.

 

Web-Based Management Protocols:

Protocol Type   Port   Usage
TCP             80     HTTP to Group IP address
TCP             3002   GUI communication to Group IP address
TCP             3003   GUI communication (encrypted) to Group IP address

 

Regards, 

Don

5 Posts

January 16th, 2019 22:00

OK, I'll do some testing and report back. As I use Linux for day-to-day activities I've been accomplishing administering of iDRAC and the EQL Group Manager using a Windows VM. Yesterday I didn't have this issue so I wasn't expecting firewall to play into this; however, I'll do some further investigation.

As another side note, would upgrading the Java version have anything to do with this? Before I attempted accessing the GUI-based admin app today I did a Java update.

 

edit: Okay, definitely not a firewall issue. I attempted telnet from the Windows VM to port 3003, and was able to do it successfully.

1 Rookie • 1.5K Posts

January 17th, 2019 07:00

Hello, 

 What version of Java are you using?   Oracle added additional security for self-signed Java Applets over time. But you can modify the Java settings to allow that.  However, the MOST current version of Java isn't compatible with older EQL firmware.  It requires the most current versions of EQL firmware v9.1.x and v10.0.x. 

 Regards, 

Don 

5 Posts

January 17th, 2019 15:00

I'm using Java Version 8 Update 201 (build 1.8.0_201-b09)

Ok I'll poke around with the switch settings now to see if that might help

1 Rookie • 1.5K Posts

January 17th, 2019 18:00

 Hello, 

 You will most likely have to set an exception in Java to make that work.  Especially if you are using old EQL firmware. 

 re: Switches.  Those changes won't affect the Java issue but possibly 

Regards, 

Don 

5 Posts

January 18th, 2019 00:00

Thanks for all the help so far. Based on our conversation, it would seem like the problem is the Java version I updated to. Any idea what kind of exception I would need to set?

1 Rookie • 1.5K Posts

January 18th, 2019 01:00

Hello, 

 Yes, it sounds like Java issue, definitely not a network issue. 

 https://www.java.com/en/download/help/jcp_security.xml

What is the FW revision on the EQL array? 

 Regards, 

Don 

 

108 Posts

January 18th, 2019 02:00

We can confirm the issue.

With the latest Java 8 version, that is update 201, we cannot connect with encryption to our group running firmware version 9.1.8 anymore.

The previous Java 8 version, that is update 191, works fine.

Does anyone have a workaround?

Is Dell working on a firmware update?

Thanks.

1 Rookie • 1.5K Posts

January 18th, 2019 04:00

Hello, 

 Do you have a support contract still in place for your arrays?   If so, please open a support case on this issue. 

This way it can be properly tracked, logs gathered and hopefully a resolution found. 

 Regards,

Don

1 Rookie • 1.5K Posts

January 18th, 2019 05:00

Hello, 

Also, those that can might want to upgrade to EQL FW v10.0.2. There were some changes to support Java 9 and 10 that also might resolve this issue.

Or downgrade to build 191 for the time being. 

Regards, 

Don  

5 Posts

January 21st, 2019 16:00

V10.0.2

 

I will try altering the settings before reporting back.

update: re-enabling the ANON cipher worked, thank you very much!

1 Rookie • 1.5K Posts

January 21st, 2019 20:00

Hello, 

Thanks for the confirmation!   

 Regards, 

Don 

1 Message

January 28th, 2019 11:00

I have a customer with 4 members in a group and was not able to sign in. I called Dell support and they were not aware. During the call, I found this thread and you saved me a bunch of time. Thanks everyone!
