PowerProtect: El descubrimiento de Data Domain falla con ADS0005 que indica errores de protocolo de enlace SSL

La interfaz de PowerProtect muestra que falta el certificado de Data Domain en "Administración ->Certificados".  La utilidad de línea de comandos de la herramienta PowerProtect Data Manager también se puede utilizar para validar los certificados disponibles: ppdmtool -listcert

La variable /var/log/brs/discovery-service/discovery-service.log muestra el ADS0005 Alerta:

2025-08-21T16:56:55.995Z ERROR [] [b8675052-a49e-4ff4-9463-5f1028e3a96a-akka.actor.default-dispatcher-12] [][ALERT:ADS0005][][][] [c.e.d.e.c.s.m.DefaultMessageResourceModifier.printAlertLog(143)] - Date: Aug 22, 2025 00:56:55 AM; Summary: Unable to discover protection storage PowerProtect DD System with address 192.0.0.1 because of com.emc.brs.common.exceptions.DiscoveryActorException: Unauthorized: Unable to process the authentication request for PowerProtect DD Management Console DD-3. Error: Received fatal alert: handshake_failure..; Details: Discovery of the protection storage system was unsuccessful.; Recommended Action: Check the connection between PowerProtect Data Manager and the protection storage system. Verify that the provided credentials are valid. Start a manual discovery to discover the protection storage system, or wait for PowerProtect Data Manager to perform the next scheduled discovery. If the issue persists, contact Dell Customer Support.; Detail Summaries: null; Status: UNACKNOWLEDGED

La variable /var/log/brs/secretsmgr/secret-mgr.log muestra una 'Excepciones SSL':

025-08-20T08:15:37.263Z ERROR [] [https-jsse-nio-9092-exec-2] [][][][TRACE_ID:85d2bd7ff466e267][] [c.e.b.s.u.CertificateUtils.handshakeWithException(272)] - SSLException: SSL handshake failed Received fatal alert: handshake_failure

La conexión OpenSSL a Data Domain muestra un SSL handshake correspondiente:

admin@my-ppdm:/> openssl s_client -connect my-datadomain.my-domain.com:3009 -showcerts
CONNECTED(00000003)
...
---
SSL handshake has read 2408 bytes and written 463 bytes
Verification error: self signed certificate in certificate chain
---
...

The Data Domain adminaccess La utilidad de línea de comandos muestra que los certificados siguen siendo válidos:

sysadmin@DataDomain# adminaccess cert show
Subject                Type   Application   Valid From                 Valid Until                Fingerprint
--------------------   ----   -----------   ------------------------   ------------------------   -----------------------------------------------------------
DataDomain.domain.com   host   https         Sat Aug 30 13:10:39 2025   Wed Sep 30 13:10:39 2026   69:68:64:72:E3:87:6B:87:CD:DF:85:DE:A4:A2:DF:58:80:6A:A3:DB
DataDomain.domain.com   ca     trusted-ca    Mon Sep 30 13:10:38 2024   Sun Sep 29 13:10:38 2030   4C:E4:C2:2C:FD:2A:BE:2B:FC:CE:8B:E5:BF:6A:CC:24:8F:1B:62:CF
--------------------   ----   -----------   ------------------------   ------------------------   -----------------------------------------------------------

The Data Domain /ddr/var/log/debug/sm/sms.info log muestra "no shared cipher" Errores:

09/04 10:42:13.454844 [14bafa20] _sms_soap_handle_new_connection: soap_ssl_accept failed on connection ::ffff:172.16.10.94:40598. Error: 30, msg_buf: SSL_ERROR_SSL error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

Data Domain y el dispositivo PowerProtect no tienen un cifrado compartido para completar la SSL handshake con éxito. 
 
La variable adminaccess La utilidad de línea de comandos se puede utilizar para validar los cifrados de Data Domain:

sysadmin@datadomain# adminaccess option show cipher-list
Adminaccess option "cipher-list" set to "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256".

La variable /usr/local/brs/lib/secretsmgr/config/application.yml se puede utilizar para validar los cifrados de PowerProtect:

admin@ppdm:~> cat /usr/local/brs/lib/secretsmgr/config/application.yml
myserver:
  ssl:
    enabled-protocols: TLSv1.2,TLSv1.3
    ciphers: |
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    key-alias: secretsmgr
    key-store: "${sm.ssl.keystore-path}/secretsmgr.keystore"
    key-store-provider: SUN
    key-store-type: JKS
    protocol: TLS
    trust-store: "${sm.ssl.keystore-path}/secretsmgr.truststore"
    trust-store-provider: SUN
    trust-store-type: JKS
    client-auth: want
    enabled: true

Agregue los conjuntos de DHE a la lista de cifrados de Data Domain. Ejemplo:

adminaccess option set cipher-list DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256