Start a Conversation

Solved!

Go to Solution

1 Rookie

 • 

63 Posts

4952

March 2nd, 2021 05:00

Virtual Storage Integrator (VSI) v8.6 Install "VSI services are not all up and running yet..."

I am trying to deploy a fresh VSI v8.6 installation and I cannot get past the login screen as the "VSI services are not all up and running yet".

VSI 8.6 Login.JPG

I have tried several installations and waited 20+ minutes for each to boot, but they never come ready to login.

The OVA download is good; SHA256 checksum matches.

Any pointers?

Thanks,

M

123 Posts

March 12th, 2021 03:00

They are considering it a bug. I expect it will addressed in an upcoming VSI release.

1 Rookie

 • 

63 Posts

March 2nd, 2021 07:00

@DELL-Cares Please can you advise why the image I attached to my post has been rejected? It was a screen snip of the logon prompt with the error message I am getting.

Thanks.

M

1 Rookie

 • 

63 Posts

March 3rd, 2021 01:00

@itzikr I just found and left a comment on your blog ref VSI 8.6. Could you give any pointers on getting Enterprise TLS/SSL certificates working with it? Thx. M

1 Rookie

 • 

63 Posts

March 3rd, 2021 01:00

Any update for anyone who stumbles across this post:

I left the freshly deployed v8.6 VM running for over 1 hour after it's first boot and I was then able to access the webpage to install the plugin into vCenter. No idea what it was doing in all that time, but it is working now.

I tried a v8.5 install too, which was 'ready' much faster than the v8.6 install. I noticed that v8.5 asks for the vCenter settings at the OVA deployment stage.

I also tried updating the v8.5 install to v8.6 - what a nightmare! You need to untar the update file - except the tar package is NOT included in the base OS, so you need to install it with tdnf. The upgrade did not work and the plug-in was failed in vCenter - bad URL or similar. The upgrade instructions are poorly written IMHO. 

Overall, I am quite impressed with VSI now it is working. I cannot yet get my Enterprise root & intermediate and/or vCenter VMCA CA certificates properly recognised by VSI for secure SSL/TLS access yet; but that is next on my list.

M

25 Posts

March 4th, 2021 07:00

Hi @mc1903,

If you haven't done so already, can you please check out chapter 10 of the VSI 8.6 Product Guide? This section covers SSL configuration.  

1 Rookie

 • 

63 Posts

March 4th, 2021 14:00

Hello @0VE2580jrt1238375603846 

Thank you, I have seen that section of the Product Guide and I have tried, with no luck. Here are some screenshots of the initial configuration wizard and the error.

https://github.com/mc1903/zz_filerepo/raw/635476ae6894e33251f6738bf0b2943ce5d05490/Dell%20Virtual%20Storage%20Integrator%20(VSI)%20v8.6%20Initial%20Setup%20with%20TLS-SSL%20Certificate%20Import%20Fails.pdf 

Have you got v8.6 working using TLS/SSL with a vCenter Server v7.0U1 that has had it's self-signed certificate replaced by one issued from the the inbuilt VMCA which is subordinate to an Enterprise CA hierarchy (Offline Root, Online Enterprise Intermediate)?

Cheers

M

 

1 Rookie

 • 

63 Posts

March 6th, 2021 07:00

Hi @WorldPolice 

Thank you. I would love to open an SR, but I don't think I have any entitlement to do so.

I work for a Dell Partner and I am just testing/evaluating VSI at the moment, to understand it's value and whether to recommend its use to clients in the future.

I don't have a support contract or even any physical Dell Storage kit with support/etc.

If you think there is a way for me to open an SR, then I would be grateful to know how. Feel free to private message me on here if you don't want the details/process made public

Cheers

M

 

123 Posts

March 6th, 2021 07:00

I recommend opening an SR for your certificate issue so it can be routed to the correct development group.

123 Posts

March 6th, 2021 08:00

Hmm not sure that is possible but I'll check next week.

1 Rookie

 • 

63 Posts

March 7th, 2021 13:00

Hi @WorldPolice 

I have done a bit more investigating into the certificate import issues I am seeing and I am reasonably convinced it is NOT specific to my environment.

I am also unable to import CA certificates from Amazon or even some EMC CA certificates that exist within the VSI IAPI container's own file system (the /etc/pki/trust/anchors/ directory), via the VSI GUI (Plugin Management web site).

Are you able to ask the concerned dev team some questions around the GUI import logic - specifically the alias generation ? I believe if a FQDN is not present in the certificate SANs (or if an FQDN is present, but it cannot be resolved to an IP address), the import will fail to generate an alias; which is required to store the certificate in the VSI keystore.

Some more notes: Dell Virtual Storage Integrator (VSI) v8.6 GUI Certificate Import Issues.pdf 

Cheers,

M

 

123 Posts

March 8th, 2021 03:00

Can you turn on VSI debug mode then re-try the operation and upload the logs here please as we can't use the support system.

123 Posts

March 8th, 2021 06:00

After consulting internally, here should be your resolution:

 

You need to combine your certificates into a .pem file. If there is a mulit-part certificate chain then import that 1 .pem file, instead of each certificate individually.

Based on the pdf you would do the following:

leaf Cert (first) -> intermediate Cert(s) (in order of chain) -> root cert (if self signed last root cert, if it is not self signed you do not need to do add in certificate chain).

Using values from your PDF:

Command example: cat mc-vcsa-v-201a.momusconsulting.pem mc-vcsa-v-201a-VMCA.pem MomusInterCA.pem MomusRootCA.pem > certificate-chain.pem

Then you could upload the certicate-chain.pem and that will resolve the vCenter (or any server/array certificate)

As to your questions -

  1. While technically you are correct about the Subject alternative names in question 1, the leaf or server certificate will have a valid SAN with either an IP address, an FQDN or both as part of the SSL validation that is needed (this is part of creating a certificate signing request for your server certificate).
  2. We do not support the import of the multiple individual certificates of a certificate chain (this is part of the logic on VSI side to find associated certificates by alias). This is why we support the .pem format for importing a certificate chain with multiple intermediate certificates. This .pem file format with multiple certificates is commonly used RFC: TLS RFC (search for certificate_list and you will find the corresponding info).

1 Rookie

 • 

63 Posts

March 8th, 2021 08:00

Hello @WorldPolice 

Thank you for your help with this. It is really appreciated.

I have just tried uploading the certificate-chain.pem as suggested, but it errors. Out of the 4 certificates in that chain, only the leaf certificate is saved into the java keystore. The 3 CA certificates are not.

I have included some screen shots, the exported iapi log bundle and the certificates I tested this with.

Dell Virtual Storage Integrator (VSI) v8.6 – Import certificate-chain.pem.pdf 

Dell Virtual Storage Integrator (VSI) v8.6 - iapi-log-bundle & my certs.zip 

If you can see where I am going wrong, please let me know.

Cheers,

M

123 Posts

March 8th, 2021 11:00

Development thinks there is a UI issue preventing it, so you can you try the CLI:

 

Step 1. Copy the certificates over to the VSI VM in the /opt/files directory.

 

Step 2 Use the java `keytool` cli tool to import the certificates, make sure the leaf certificate has the ip address as the alias and the user can select a different alias for the other intermediate certificate /root certificates

 

  • 1. docker exec -it iapi bash (log into the iapi docker container)
  • 2. $JAVA_HOME/bin/keytool -import -alias -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts -file /opt/files/certificate-file.cer

1 Rookie

 • 

63 Posts

March 9th, 2021 03:00

Morning @WorldPolice 

Apologies for delay in responding. 

I have now tried importing the certificates via the CLI with keytool. 

Unfortunately, I am still unable to switch SSL on for vCenter connections. It errors with the usual "HTTP transport error: javax.net.ssl.SSLException: java.lang.IllegalArgumentException: Bad certificate chain: no root CA." message.

Here are the latest screenshots & iapi-logs for this test.

Dell Virtual Storage Integrator (VSI) v8.6 – Import Certificates with Keytool.pdf 

Dell Virtual Storage Integrator (VSI) v8.6 - iapi-log-bundle - keytool test.zip 

I completely forgot to note down the times for log correlation - I will re-run if you need me to

Side question. Have the development team tested this with 3 CA's + the vCenter Server machine/leaf certificate in a chain? Specifically, with a vCenter VMCA being the last/third CA in the chain?

I will look to setup a new MS Windows PKI infrastructure with just an enterprise signing root CA and no intermediate CA, to see if a VMCA is accepted if it is the second CA in the chain.

Thank you again for your help.

M

 

No Events found!

Top