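PowerFlex Presentation Server Web UI Does Not Load
Summary: The Presentation Server Web UI fails to load because the certificate contains multiple Subject Alternative Name (SAN) extension entries.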
Symptoms
Affected versions
- PowerFlex 3.5.x
- PowerFlex 3.6.0.x
The Presentation Server service starts, but the web page fails to load the initial login screen.
[root@host1 .config]# systemctl status mgmt-server.service
● mgmt-server.service - Scaleio MGMT Server
Loaded: loaded (/etc/systemd/system/mgmt-server.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2023-1-09 05:30:03 EST; 11s ago
Main PID: 29700 (java)
CGroup: /system.slice/mgmt-server.service
└─29700 /bin/java -Xmx4g -Dlog4j2.formatMsgNoLookups=true -Djna.tmpdir=/opt/emc/scaleio/mgmt-server/tmp -Djava.io.tmpdir=/opt/emc/scaleio/mg...
Dec 09 05:30:08 host1 java[29700]: at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
...
Dec 09 05:30:08 host1 java[29700]: at java.lang.Thread.run(Thread.java:750)
The Presentation Server log /opt/emc/scaleio/mgmt-server/logs/scaleio.log shows the following error:
Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: HttpdService [FAILED]
Caused by: java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1288)
at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1270)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:372)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
at org.eclipse.jetty.server.Server.doStart(Server.java:401)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
at com.emc.vxflexos.webui.backend.httpd.HttpdService.startUp(HttpdService.java:31)
at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62)
at com.google.common.util.concurrent.Callables$4.run(Callables.java:119)
at java.lang.Thread.run(Thread.java:750)
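Run the following command to confirm whether the Presentation Server is using multiple SAN entries. Do this when the customer has renewed or replaced the certificate with one that has multiple SAN extension entries.
[root@host1 /]# openssl x509 -noout -text -in <certificate_file> | grep -A1 -i 'Subject Alternative Name'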
X509v3 Subject Alternative Name:
DNS:host1, DNS:host1.cn
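The SAN check above, wrapped as a reusable test that can be run on a certificate before it is installed on an affected version. This is an added example, not Dell code; the function names are hypothetical, and it assumes the `openssl x509 -noout -text` layout shown above (entry list on the line after the extension header).

```shell
#!/bin/sh
# Added example (not Dell code): count SAN entries in a certificate.

# count_san_entries: reads `openssl x509 -noout -text` output on stdin and
# prints how many entries (DNS:, IP Address:, ...) the SAN extension holds.
count_san_entries() {
    awk '
        tolower($0) ~ /x509v3 subject alternative name/ {
            # openssl prints the whole entry list on the line after the header.
            if ((getline entries) > 0) {
                gsub(/^[ \t]+|[ \t]+$/, "", entries)
                if (entries != "") n = split(entries, parts, /,[ \t]*/)
            }
            exit
        }
        END { print n + 0 }
    '
}

# san_verdict: classify a count against the limitation described in this article.
san_verdict() {
    case "$1" in
        0) echo "NO_SAN" ;;       # case not covered by the article
        1) echo "SINGLE_SAN" ;;   # matches the documented workaround
        *) echo "MULTI_SAN" ;;    # fails on PowerFlex 3.5.x / 3.6.0.x
    esac
}

# check_cert_file: exit status 0 unless the PEM file has more than one SAN entry.
check_cert_file() (
    text=$(openssl x509 -noout -text -in "$1") || exit 2
    n=$(printf '%s\n' "$text" | count_san_entries)
    echo "$1: $n SAN entries -> $(san_verdict "$n")"
    [ "$n" -le 1 ]
)

# Constructed sample mirroring the command output shown above.
SAMPLE_TEXT='            X509v3 Subject Alternative Name:
                DNS:host1, DNS:host1.cn'

# When a certificate path is given as the first argument, check that file.
[ "$#" -eq 0 ] || check_cert_file "$1"
```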
Cause
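The Presentation Server (also known as mgmt-server) does not support handling multiple Subject Alternative Name (SAN) extension entries. This issue can occur when an mgmt-server certificate that contains several SAN extension entries is renewed or replaced on an affected version.
Impact
The Web UI of the management server cannot load, so the PowerFlex cluster cannot be managed through the user interface (UI). This makes the PowerFlex system difficult to manage.
Root cause
This issue occurs when the Jetty framework's base class org.eclipse.jetty.util.ssl.SslContextFactory attempts to handle multiple certificates in a KeyStore. This is an operation it is not designed to handle.
Affected Presentation Server versions cannot manage certificates that contain multiple Subject Alternative Name (SAN) extension entries.
This results in a failure when such a certificate is encountered.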
Resolution
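This behavior is fixed in PowerFlex 3.6.1 and later.
Workaround
- Use a certificate that contains a single Subject Alternative Name (SAN) extension entry. This is consistent with the current limitation of mgmt-server and should allow normal operation.
- Upgrade mgmt-server to version 3.6.1. This version includes improved support for multiple SAN extension entries, so the certificate does not need to be adjusted.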
Article Properties
Article Number: 000215758
Article Type: Solution
Last Modified: 14 Sep 2023
Version: 4