Start a Conversation

Unsolved

A

1 Rookie

 • 

8 Posts

374

December 14th, 2023 21:58

3.10.2 to 4.0 migration issue (Unable to decrypt the backup file)

Running through all the steps in the migration but fails to decrypt the backup file after it being transferred to the receiving appliance. I'm using the same, valid passphrase on both sides. 
Stream Operation

Source Appliance
osl01ome.svg.openit.local

        
Start Time
2023-12-14 21:52:02.432

        
End Time
2023-12-14 21:52:06.138

        
Status
Failed

Running import process.
Pre-check completed.
Check if there are jobs in running state.
No jobs were found in running state or previous running jobs have been stopped.
Completed the validation of running jobs.
Initiated streaming the backup file from the source OME.
Successfully completed streaming the backup file from the source OME.
Backup file extraction started.
Unable to decrypt the backup file. Please check the provided encryption passphrase.
Failed to perform import task.

Task Failed. Completed with errors.

1 Rookie

 • 

8 Posts

December 14th, 2023 23:22

I enabled debug logging and afaict the backup file encryption produced by 3.10.2 is incompatible with 4.0, possibly due to differences in OpenSSL versions used on both sides.

[DEBUG] 2023-12-14 22:08:13.648 [pool-3-thread-1] IssueCommands - ++++++++ Got the output stream +++++++++
[DEBUG] 2023-12-14 22:08:14.117 [BackupRestore-Task-Pool-2] IssueCommands - Reading from Process completed.
[ERROR] 2023-12-14 22:08:14.117 [BackupRestore-Task-Pool-2] CommandUtil - executeBashScriptCommand() - Command did not run successfully, Response  : *** WARNING : deprecated key derivation used.Using -iter or -pbkdf2 would be better.error writing output file*** WARNING : deprecated key derivation used.Using -iter or -pbkdf2 would be better. 
[ERROR] 2023-12-14 22:08:14.119 [BackupRestore-Task-Pool-2] CommandUtil - decrypt: Failed to decrypt backup archive: 
[ERROR] 2023-12-14 22:08:14.222 [BackupRestore-Task-Pool-2] OmeApplianceImportWorkflow - The Import operation is failed.

(edited)

Moderator

 • 

3.5K Posts

December 15th, 2023 03:34

Hi,

 

I'm pretty sure you have already used the required for the encryption passphrase, else you won't be stating you have entered on both sides. When you have finished the steps to migrate in 3.10.2 and proceed to 4.0 appliance to start the process, was the 3.10.2 in maintenance mode?

1 Rookie

 • 

8 Posts

December 15th, 2023 08:24

@DELL-Joey C​ 

The target polls and waits until the source has completed the MAINTENANCE_PENDING state (where it compiles and encrypts the backup) and enters MAINTENANCE before it allows you to continue, so yes it would not get to the point where it streams the backup file unless the source was ready. The GUI checks that the passphrase is valid.

Allow me to speculate: 
When the restore script executes openssl to decrypt the backup file, it chokes on the unexpected warning from openssl ("deprecated key derivation used. Using -iter or -pbkdf2 would be better") and simply fails the operation.

Afaict, that warning message was added to openssl 1.1.1, https://unix.stackexchange.com/questions/507131. In the bootloader I can see that OME 4.0 is based on SUSE 15 SP4. SUSE 15 shipped with openssl 1.1.0. So maybe the OME team initially based OME 4 on SUSE 15 or 15 SP1 but later decided to upgrade to SUSE 15 SP4, which includes openssl 1.1.1, according to https://www.suse.com/support/kb/doc/?id=000019582 . At least that could explain why it may have worked during previous release testing but now fails. 

So either fix the parameters that the script passes to openssl or make it ignore the warnings. (Or even better, drop the script altogether and rewrite the encrypt/decrypt logic in java, like the rest of the backuprestore module)

HTH, Ådne

(edited)

Moderator

 • 

3.5K Posts

December 15th, 2023 09:49

Hi,

 

Understood. You know more that I do, now. I'd probably would recommend making a call to the OME support line to get case up, let the engineering investigate if that's the root cause. 

1 Rookie

 • 

1 Message

December 19th, 2023 07:28

Hi,

I'm having the same issues and errors.

After working around the proxy issues and creating a local NFS repository this is the new error that blocked the migration to 4.0

2023.12.13-20:13:29 ome_backup_encryption - Decrypting the backup file
2023.12.13-20:13:29 ome_backup_encryption - Current version decrypt failed, trying lower version decrypt using md5
2023.12.13-20:13:30 ome_backup_encryption - Decryption command result -> 0
2023.12.13-20:13:30 ome_backup_encryption - Hash comparison done.
2023.12.13-20:13:30 ome_backup_encryption - error: Hash comparison failed

[ERROR] 2023-12-13 21:13:30.865 [BackupRestore-Task-Pool-2] CommandUtil - executeBashScriptCommand() - Command did not run successfully, Response  : *** WARNING : deprecated key derivation used.Using -iter or -pbkdf2 would be better.error writing output file*** WARNING : deprecated key derivation used.Using -iter or -pbkdf2 would be better. 
[ERROR] 2023-12-13 21:13:30.866 [BackupRestore-Task-Pool-2] CommandUtil - decrypt: Failed to decrypt backup archive: 
[ERROR] 2023-12-13 21:13:30.870 [BackupRestore-Task-Pool-2] OmeApplianceImportWorkflow - The Import operation is failed.

Moderator

 • 

3.6K Posts

December 19th, 2023 09:49

Hello,

as per Joey suggestion please contact the OME expert as this is a complex issue and they will support it on that.

1 Message

January 9th, 2024 09:47

Hello

How to contact the OME Support please ?

(edited)

Moderator

 • 

3.6K Posts

January 9th, 2024 15:42

You can call Dell's technical support line. The phone number varies by country, so please check the Dell website or your product documentation for the specific number for your region.

1 Rookie

 • 

15 Posts

January 25th, 2024 11:16

Same problem here...

Encryption password is correct, but job on target appliance shows error:

Backup file extraction started.
Unable to decrypt the backup file. Please check the provided encryption passphrase.
Failed to perform import task.
Task Failed. Completed with errors
Its no go for me now...

Moderator

 • 

3.6K Posts

January 25th, 2024 15:11

Here are the recommended steps:

Verify OpenSSL Versions: Check the OpenSSL versions on both the source and target appliances, as there might be differences affecting the encryption process.

Examine Scripts: Review the backup and restore scripts for any outdated encryption parameters and consider updating them.

Contact OME Support: For a detailed resolution, please contact OME support. You can find the contact number for your region on the Dell Support website under 'Contact Support'.

We appreciate your patience and are committed to resolving your issue promptly.

1 Rookie

 • 

15 Posts

January 25th, 2024 16:08

I have latest OME v3 (3.10.2.13). I downloaded latest OME v4 and I want to migrace to v4, but I ended on decryption error. I have no ssh access to OME to compare openssl version nor modify scripts...

Moderator

 • 

3.8K Posts

January 25th, 2024 19:04

Hello VlPs,

 

Could you review this short video that demonstrates how to migrate OpenManage Enterprise from 3.10.x to 4.0.

Let us know how far you get and where you encounter the issue:

https://dell.to/47Jnxes

 

 

You may try download new OME 4 and deploy new to see maybe something was corrupt in the first download.

1 Rookie

 • 

15 Posts

January 26th, 2024 08:38

I downloaded OME again and imported to Hyper-V. Run migration and migration was successfull. No more decyption error. Maybe corrupted first download...

Thank you...

1 Message

February 22nd, 2024 19:22

I saw this thread show up in a Google search, so I'll post my resolution to the problem here:

Dell has released a new version of OME v4 (4.0.1.29) that has addressed this issue.
Start by upgrading the v3 OME appliance to the latest version. To do this:
- Make an offline copy of the Dell Repository located at https://dl.dell.com/openmanage_enterprise/ . You can use any tool of your choice to mirror the site to your own server.
- Use any web server to temporarily host the content locally. (e.g. IIS) You don't need HTTPS for this to work.
- Rename the "LexingtonUpdates.xml" files with an .old extension and copy the LexingtonUpdates.xml* files from the 3.10.2 directory to the root directory.
- Point your v3 appliance at the offline repo. It should find the latest version and allow you to update.

Once you have updated your v3 appliance to 3.10.2, upgrade your v4 appliance to the latest version or replace it with a new appliance from the Dell Support website before you migrate out. Make sure that all post-migration jobs have finished on the v3 appliance before you migrate out. If the appliance is in a VM, take a snapshot first.

Once your v3 and v4 appliances are at the latest versions, you should be able to migrate out. Good luck!

No Events found!

Top