PowerProtect: Data Domain discovery fails with ADS0005 indicating SSL handshake errors

Summary: The PowerProtect Interface shows Alert ADS0005 for the Data Domain discovery.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

The PowerProtect Interface Shows the Data Domain certificate is missing under "Administration -> Certificates."  The PowerProtect Data Manager Tool command-line utility can also be used to validate the available certificates: ppdmtool -listcert

The /var/log/brs/discovery-service/discovery-service.log shows the ADS0005 Alert:

2025-08-21T16:56:55.995Z ERROR [] [b8675052-a49e-4ff4-9463-5f1028e3a96a-akka.actor.default-dispatcher-12] [][ALERT:ADS0005][][][] [c.e.d.e.c.s.m.DefaultMessageResourceModifier.printAlertLog(143)] - Date: Aug 22, 2025 00:56:55 AM; Summary: Unable to discover protection storage PowerProtect DD System with address 192.0.0.1 because of com.emc.brs.common.exceptions.DiscoveryActorException: Unauthorized: Unable to process the authentication request for PowerProtect DD Management Console DD-3. Error: Received fatal alert: handshake_failure..; Details: Discovery of the protection storage system was unsuccessful.; Recommended Action: Check the connection between PowerProtect Data Manager and the protection storage system. Verify that the provided credentials are valid. Start a manual discovery to discover the protection storage system, or wait for PowerProtect Data Manager to perform the next scheduled discovery. If the issue persists, contact Dell Customer Support.; Detail Summaries: null; Status: UNACKNOWLEDGED

The /var/log/brs/secretsmgr/secret-mgr.log shows an 'SSL Exceptions':

025-08-20T08:15:37.263Z ERROR [] [https-jsse-nio-9092-exec-2] [][][][TRACE_ID:85d2bd7ff466e267][] [c.e.b.s.u.CertificateUtils.handshakeWithException(272)] - SSLException: SSL handshake failed Received fatal alert: handshake_failure

The OpenSSL connection to the Data Domain shows an SSL handshake error:

admin@my-ppdm:/> openssl s_client -connect my-datadomain.my-domain.com:3009 -showcerts
CONNECTED(00000003)
...
---
SSL handshake has read 2408 bytes and written 463 bytes
Verification error: self signed certificate in certificate chain
---
...

The Data Domain adminaccess command-line utility shows that the certificates are still valid:

sysadmin@DataDomain# adminaccess cert show
Subject                Type   Application   Valid From                 Valid Until                Fingerprint
--------------------   ----   -----------   ------------------------   ------------------------   -----------------------------------------------------------
DataDomain.domain.com   host   https         Sat Aug 30 13:10:39 2025   Wed Sep 30 13:10:39 2026   69:68:64:72:E3:87:6B:87:CD:DF:85:DE:A4:A2:DF:58:80:6A:A3:DB
DataDomain.domain.com   ca     trusted-ca    Mon Sep 30 13:10:38 2024   Sun Sep 29 13:10:38 2030   4C:E4:C2:2C:FD:2A:BE:2B:FC:CE:8B:E5:BF:6A:CC:24:8F:1B:62:CF
--------------------   ----   -----------   ------------------------   ------------------------   -----------------------------------------------------------

The Data Domain /ddr/var/log/debug/sm/sms.info log shows "no shared cipher" errors:

09/04 10:42:13.454844 [14bafa20] _sms_soap_handle_new_connection: soap_ssl_accept failed on connection ::ffff:172.16.10.94:40598. Error: 30, msg_buf: SSL_ERROR_SSL error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

Cause

The Data Domain and PowerProtect Appliance do not have a shared cipher to complete the SSL handshake successfully. 
 
The adminaccess command-line utility can be used to validate the Data Domain ciphers:

sysadmin@datadomain# adminaccess option show cipher-list
Adminaccess option "cipher-list" set to "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256".

The /usr/local/brs/lib/secretsmgr/config/application.yml file may be used to validate the PowerProtect ciphers:

admin@ppdm:~> cat /usr/local/brs/lib/secretsmgr/config/application.yml
myserver:
  ssl:
    enabled-protocols: TLSv1.2,TLSv1.3
    ciphers: |
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    key-alias: secretsmgr
    key-store: "${sm.ssl.keystore-path}/secretsmgr.keystore"
    key-store-provider: SUN
    key-store-type: JKS
    protocol: TLS
    trust-store: "${sm.ssl.keystore-path}/secretsmgr.truststore"
    trust-store-provider: SUN
    trust-store-type: JKS
    client-auth: want
    enabled: true

Resolution

Add the DHE suites to the Data Domain cipher-list. Example:

adminaccess option set cipher-list DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
Article Properties
Article Number: 000425813
Article Type: Solution
Last Modified: 11 Feb 2026
Version:  1
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.