VNX: The LDAP settings were not successfully installed from the FILE side. (User Correctable)
Summary: The LDAP settings were not successfully installed on the File side of the VNX.
Symptoms
The customer configured LDAPS for Unisphere login on a VNX array. After that, the customer can log in to Unisphere via LDAPS (the LDAPS server is Windows AD), but an error message appears on the Unisphere alarm page:
[nasadmin@XXX-VNX5400-CS0 log]$ nas_logviewer sys_log|grep -i 748f
Aug 18 10:31:39 2016:CS_PLATFORM:NaviEventMonitor:ERROR:3:::::VNX Storage Array event number 0x748f Host XXX-VNX5400-SPA Storage Array N/A SP N/A SoftwareRev 7.33.8 (3.7) BaseRev 05.33.008.5.119 Description The LDAP settings were not successfully installed on the File side of the VNX.
The certificates cannot be decoded with openssl on the Control Station:
[root@5700CS139 ldap]# openssl x509 -in /nas/http/domain/ldap/apacheDomain.primary_ldap_certificate.crt -text
unable to load certificate
2550:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:756:
[root@5700CS139 ldap]# openssl x509 -in /nas/http/domain/ldap/apacheDomain.backup_ldap_certificate.crt -text
unable to load certificate
2668:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:756:
Cause
After the customer configures two LDAPS servers on the VNX array, two certificates are pushed from the SP to the Control Station:
/nas/http/domain/ldap/apacheDomain.backup_ldap_certificate.crt
/nas/http/domain/ldap/apacheDomain.primary_ldap_certificate.crt
On the Control Station, openssl cannot decode them: the certificate files are not valid Base-64 encoded X.509 certificates.
Resolution
To resolve this issue:
1) Confirm the certificate is valid.
1. Verify the certificate (or certificate chain) for the LDAP server.
2. An easy way to verify it is to open the certificate file in a text editor. If it displays text between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, the format is correct. If the file shows binary characters, the certificate is in a binary encoding rather than Base-64 text, which is why the Control Station could not process it.
3. The certificate chain (usually in .p7b format) can be opened on Windows by copying it to a Windows folder, then right-clicking it and choosing Open. Under the "Details" tab, "Copy to File" exports the certificate in "Base-64 encoded X.509 (.CER)" format, which is a valid format.
4. If the file contains several certificates, each one must be exported with the step above, for example as cert1.cer, cert2.cer, etc.
5. Log in to Unisphere and re-import these certificates:
Log in to Unisphere as any global administrator (for example sysadmin, global scope).
Go to Domain -> Manage LDAP settings > Primary > Modify > Change certificate -> "Copy as Text".
Open the previously converted certificates in Notepad and copy/paste everything, including the BEGIN and END CERTIFICATE lines. Every certificate in the chain must be pasted directly below the previous certificate's END CERTIFICATE line.
Press OK after all the copy/pastes. If the chain is complete, Unisphere accepts it without error. If not, make sure the conversion was done correctly and that every certificate in the chain has been obtained. Involve your Windows/certificate administrators if required.
Repeat the same for the backup LDAP server if one is configured.
2) Verify from the Control Station:
1. Run "/nas/http/webui/bin/update_domain_directory.pl" to refresh the domain directory.
2. Run "openssl x509 -in /nas/http/domain/ldap/apacheDomain.primary_ldap_certificate.crt -text" and "openssl x509 -in /nas/http/domain/ldap/apacheDomain.backup_ldap_certificate.crt -text" to make sure the certificates can be decoded by openssl. The output should begin like this:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1c:03:b6:a7:e9:3f:9e:ac:4e:88:39:91:b9:f8:4e:2d
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=com, DC=vnx, CN=vnx-DC0-CA
3. Run "/nas/sbin/cstadmin validate-config LDAP 'LDAP PRIMARY' -cstdir=/nas/site/cst -passphrase=$(/nas/sbin/cst_setup -getKey cst)" and ensure there are no errors.
4. If the above command reports no error, LDAP login should work successfully in Unisphere.
5. If an error such as "LDAP Server is down" is reported, ensure that the server name matches what is in the certificate. If the LDAP setting uses an IP address but the certificate carries a host name, update the LDAP setting to the host name, not the IP address. This also means that DNS must be configured via "nas_cs -set" so that the Control Station resolves the host name correctly.
6. Also ensure the domain user is a direct member of the group defined in the Role Mapping.
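An added example, not part of the Dell/EMC article, that performs the checks the steps above describe on a .crt file: it reports whether the file is PEM text or a binary DER blob, validates the base64 body of every block in a chain (the condition behind openssl's "bad base64 decode" error), and re-wraps a DER blob as PEM text suitable for "Copy as Text". The two sample blobs are constructed stand-ins, not real certificates, and the script name is hypothetical.

```python
import base64
import binascii
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-ins, not real certificates: a DER-style blob that starts with
# the ASN.1 SEQUENCE header (0x30 0x82) and a PEM block whose body is not base64.
DER_SAMPLE = b"\x30\x82\x00\x08\x02\x01\x03\x02\x01\x07\x05\x00"
BROKEN_PEM = (b"-----BEGIN CERTIFICATE-----\nMIIB!!not-base64!!\n"
              b"-----END CERTIFICATE-----\n")

def classify(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a .crt/.cer file."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    # DER starts with the SEQUENCE tag 0x30 followed by a long-form length octet.
    if len(data) > 4 and data[0] == 0x30 and data[1] in (0x81, 0x82, 0x83):
        return "der"
    return "unknown"

def check_pem_chain(data: bytes) -> list:
    """Check each PEM block as openssl's PEM reader does: the body must be clean
    base64 and must decode to an ASN.1 SEQUENCE. Returns one status per block."""
    results = []
    for body in PEM_BLOCK.findall(data.decode("ascii", errors="replace")):
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            results.append("bad base64 decode")
            continue
        results.append("ok" if raw[:1] == b"\x30" else "not an ASN.1 SEQUENCE")
    return results

def der_to_pem(data: bytes) -> str:
    """Wrap a DER blob as one PEM block with 64-column base64, the same text form
    that a 'Base-64 encoded X.509 (.CER)' export produces."""
    b64 = base64.b64encode(data).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Usage: python check_ldap_cert.py /nas/http/domain/ldap/*.crt
    for path in sys.argv[1:]:
        blob = open(path, "rb").read()
        kind = classify(blob)
        print(path, kind, check_pem_chain(blob) if kind == "pem" else "")
```

A file that classifies as "der" can be converted with der_to_pem() and pasted into Unisphere; a "bad base64 decode" result on a PEM file points at a corrupted paste rather than a missing chain member.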
Additional Information
To escalate this issue (if required), provide the following information:
1. LDAP settings details (bind user login name and password).
2. The certificate to be used for LDAPS.
3. A Windows user login and password to test with.
This information is required by EMC Technical Support for troubleshooting (via WebEx); please quote this article.
Affected Products
VNX2 Series
Products
VNX1 Series, VNX2 Series
Article Properties
Article Number: 000056595
Article Type: Solution
Last Modified: 11 Oct 2024
Version: 3