IDPA: Deployment fails with error "Failed to enable authorization policy on Protection Storage"

Summary: IDPA 2.6 or 2.6.1 Fresh install: DD Security Officer (SO) user creation fails due to username and password criteria not being met. This causes the error "Failed to enable authorization policy on Protection Storage." ...

This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

Data Domain deployment fails on Protection Storage.

The following errors may be seen in the Diagnostic report:
  • Failed to enable authorization policy on Protection Storage
  • Failed to mark configuration setup complete flag
On the ACM CLI, the log file /usr/local/dataprotection/var/configmgr/server_data/logs/server.log shows the following error messages:
2021-02-19 17:00:14,819 ERROR [pool-10-thread-10]-ddadapter.DataDomainUtil: toggelAuthorizationPolicy --> Exception occcured while executing command : authorization policy set security-officer enabled Authentication failed.
2021-02-19 17:00:05,916 INFO [pool-10-thread-10]-ddadapter.ConfigDataDomainTask: Successfully executed command : reg set config_master.setup.complete=TRUE
2021-02-19 17:00:14,819 ERROR [pool-10-thread-10]-ddadapter.ConfigDataDomainTask: ApplianceException occurred while executing Datadomain config task.
2021-02-19 17:00:05,916 INFO [pool-10-thread-10]-util.SSHUtil: Successfully executed remote command using SSH.
com.emc.vcedpa.common.exception.ApplianceException: Failed to enable authorization policy on Protection Storage.

Cause

The username and password criteria that DD enforces for the SO user do not match the criteria that ACM imposes on the Change Appliance Password page of the fresh-installation UI.

Resolution

The following are the additional DD SO username and password criteria that DD imposes and that ACM does not screen in IDPA 2.6 or 2.6.1.
  1. It cannot be "admin" or any of the following (not case-sensitive):
  • Administrators
  • Guests
  • Users
  2. It cannot be the same as any of the built-in users (not case-sensitive):
  • root
  • bin
  • daemon
  • adm
  • lp
  • sync
  • mail
  • operator
  • nobody
  • sshd
  • apache
  • ldap
  • rpc
  • vcsa
  • pcap
  • tcpdump
  • dbus
  • ntp
  • rpcuser
  • cifsuser
  • sys-internal
  • nfsnobody
  • chrony
  • svcuser
  • sysadmin
  • __security_internal__
  • dd_scpuser
  • password (hidden keyword)
  • min-days-between-change
  • max-days-between-change
  • warn-days-before-expire
  • disable-days-after-expire
  • disable-date
  • force-password-change
  3. Characters that are allowed as part of the username: a-zA-Z0-9_.-
  4. Checking the simplicity of the password:
    1. The password MUST have at least "3" distinct characters. For example,
      • If the password being set is "aaaa11," it is rejected as a weak password with the error "Weak password: Not enough different characters or classes."
      • Similarly, "aaaaa" is rejected, but "abbb11" is accepted because it has at least three distinct characters: 'a', 'b' and '1'.
  5. DDOS also remembers the last "6" passwords that were set for a user. If the user tries to reuse any of these "6" passwords, DDOS errors out.
  6. If the password and the username have a common substring of length more than "4," the common substring is removed from the password and the remaining characters of the password are subjected to the password strength checks. The match for the common substring is case-insensitive. For example,
    • If the username is "security_officer" and the password being set is "Security_12345," then "12345" is subject to the password strength check. Since its length is less than "6," the password change fails with the reason "common substring" in password.
    • If the username is "news" and the password being set is "news_12345," the password succeeds. This is because DDOS removes the common substring "news" and runs the password strength check on the remaining characters, "_12345." Since these adhere to the default password strength parameters, the password change succeeds.
  7. Similarly, if the reverse of the password and the username have a common substring of length more than "4," the common substring is removed from the password and the remaining characters are subject to the password strength check. The match for the common substring is case-insensitive. For example, setting the password "swen_1234": the reverse of the password has the common substring "news," and the remaining password "_1234" does not adhere to the minimum length requirement for a password, which is "6." This returns an error.
sysadmin@time# user change password news
Enter new password: (Provided "swen_1234" here)
Reenter new password:
Passwords matched.
** Password for user "news" not set because of the following reasons:
Weak password: based on personal login information.

Setting the password "swen_12345": the reverse of the password has the common substring "news," and the remaining password "_12345" adheres to the minimum length requirement and contains at least "3" distinct characters. So, the password change is successful.
sysadmin@time# user change password news
Enter new password: (Provided "swen_12345" here)
Reenter new password:
Passwords matched.
Password changed for user "news."
  8. The minimum length required is "6," and DDOS does NOT enforce that the password has:
  • at least one lowercase character
  • at least one uppercase character
  • at least one digit
  • at least one special character, that is, !@#$%^&*()_+-=<>?,./:";'{}[]|\ ~`
  • at most three consecutive repeated characters.
Scenarios:

Due to these additional restrictions, if the user provides the DD SO username "idpa_admin" and password "Idpa_12345," the deployment fails because the common string "idpa_" is removed and the minimum length check is performed on the string "12345," which does not satisfy the rule.

The DD SO username "idpaadmin" and password "Idpa_12345" work because the password length is evaluated on "_12345," which succeeds.
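The rules above and the two scenarios can be checked before the deployment is started, so that a Security Officer username or password that DD would reject is caught up front instead of failing the ACM install. The following Python script is an added example written for this article; it is not Dell code and is not part of ACM or DDOS. It implements only the DD-side rules listed here (ACM's own, unlisted criteria are not covered). The article states the shared-substring threshold as "more than 4", but its own worked examples with the 4-character username "news" only hold if a 4-character match is also stripped, so the threshold is a parameter here and is set to 4 to reproduce every example on the page.

```python
import re

# Added example (not Dell's code): pre-flight validator for the DD Security
# Officer username/password rules listed in this article.

# Names the article lists as not allowed (compared case-insensitively).
RESERVED_NAMES = {
    "admin", "administrators", "guests", "users",
    "root", "bin", "daemon", "adm", "lp", "sync", "mail", "operator", "nobody",
    "sshd", "apache", "ldap", "rpc", "vcsa", "pcap", "tcpdump", "dbus", "ntp",
    "rpcuser", "cifsuser", "sys-internal", "nfsnobody", "chrony", "svcuser",
    "sysadmin", "__security_internal__", "dd_scpuser", "password",
    "min-days-between-change", "max-days-between-change",
    "warn-days-before-expire", "disable-days-after-expire", "disable-date",
    "force-password-change",
}
USERNAME_RE = re.compile(r"[a-zA-Z0-9_.\-]+")   # allowed username characters
MIN_LENGTH = 6        # minimum password length after substring removal
MIN_DISTINCT = 3      # distinct characters the password must contain
HISTORY_DEPTH = 6     # DDOS remembers the last 6 passwords
# Assumption: 4 reproduces the article's examples (see lead-in).
DEFAULT_SUBSTRING_THRESHOLD = 4


def longest_common_substring(a, b):
    """Longest case-insensitive substring shared by a and b (returned lowercased)."""
    a, b = a.lower(), b.lower()
    best = ""
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > len(best):
                    best = a[i - cur[j]:i]
        prev = cur
    return best


def strip_username_match(username, password, threshold=DEFAULT_SUBSTRING_THRESHOLD):
    """Remove the part of the password shared with the username (rules 6 and 7).

    The password as typed is checked first, then its reverse; the first match
    of at least `threshold` characters is removed and the rest is returned.
    """
    for is_reversed, candidate in ((False, password), (True, password[::-1])):
        common = longest_common_substring(username, candidate)
        if len(common) >= threshold:
            start = candidate.lower().find(common)
            stripped = candidate[:start] + candidate[start + len(common):]
            # undo the reversal so the remaining characters read as typed
            return stripped[::-1] if is_reversed else stripped
    return password


def check_username(username):
    """Return the list of rule violations for the SO username (empty = OK)."""
    problems = []
    if not USERNAME_RE.fullmatch(username):
        problems.append("username may contain only a-z, A-Z, 0-9, '_', '.' and '-'")
    if username.lower() in RESERVED_NAMES:
        problems.append('"%s" is "admin", a group name or a built-in user' % username)
    return problems


def check_password(username, password, history=(), threshold=DEFAULT_SUBSTRING_THRESHOLD):
    """Return the list of rule violations for the SO password (empty = OK).

    history: previously set passwords, oldest first; only the last 6 count.
    """
    problems = []
    if password in list(history)[-HISTORY_DEPTH:]:
        problems.append("password matches one of the last %d passwords" % HISTORY_DEPTH)
    remaining = strip_username_match(username, password, threshold)
    if len(remaining) < MIN_LENGTH:
        if remaining != password:
            problems.append('Weak password: based on personal login information '
                            '(only "%s" is left for the strength check)' % remaining)
        else:
            problems.append("password is shorter than %d characters" % MIN_LENGTH)
    if len(set(remaining)) < MIN_DISTINCT:
        problems.append("Weak password: Not enough different characters or classes.")
    return problems


if __name__ == "__main__":
    # The two scenarios from the article plus the "news" examples.
    for user, pw in (("idpa_admin", "Idpa_12345"), ("idpaadmin", "Idpa_12345"),
                     ("news", "swen_1234"), ("news", "swen_12345")):
        issues = check_username(user) + check_password(user, pw)
        print("%-12s %-12s %s" % (user, pw, "OK" if not issues else "; ".join(issues)))
```

Run it with the intended SO username and password before starting the fresh install; an empty result from both checks means the values clear every DD-side rule the article lists.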

Solution:
For DP4400 appliances, contact Support or Professional Services to run the RESET Utility, and then choose the Data Domain > Protection Storage Security Officer username and password according to the above requirements.

For PowerProtect DP Series Appliance or IDPA models DP5800, 5900, 8300, 8400, 8800, and 8900, the RESET Utility does not work because it does not clean up the DD Security Officer user. Contact Dell EMC Support referencing this article.

Additional Information

Important Notes:
  • This issue is addressed in IDPA release 2.7, which includes appropriate restrictions on the ACM input field for the Data Domain and Protection Storage Security Officer user.
  • This issue applies only to IDPA versions 2.6.x.
  • This KB applies only to the deployment or install failure scenario.

Products

PowerProtect Data Protection Software, Integrated Data Protection Appliance Family
Article Properties
Article Number: 000184067
Article Type: Solution
Last Modified: 24 Aug 2023
Version:  7