PowerProtect : Échec de la découverte Data Domain avec ADS0005 indiquant des erreurs d’établissement de liaison SSL

L’interface PowerProtect affiche le certificat Data Domain manquant sous « Administration ->Certificates ».  L’utilitaire de ligne de commande de PowerProtect Data Manager Tool peut également être utilisé pour valider les certificats disponibles : ppdmtool -listcert

La commande /var/log/brs/discovery-service/discovery-service.log montre le ADS0005 Alerte :

2025-08-21T16:56:55.995Z ERROR [] [b8675052-a49e-4ff4-9463-5f1028e3a96a-akka.actor.default-dispatcher-12] [][ALERT:ADS0005][][][] [c.e.d.e.c.s.m.DefaultMessageResourceModifier.printAlertLog(143)] - Date: Aug 22, 2025 00:56:55 AM; Summary: Unable to discover protection storage PowerProtect DD System with address 192.0.0.1 because of com.emc.brs.common.exceptions.DiscoveryActorException: Unauthorized: Unable to process the authentication request for PowerProtect DD Management Console DD-3. Error: Received fatal alert: handshake_failure..; Details: Discovery of the protection storage system was unsuccessful.; Recommended Action: Check the connection between PowerProtect Data Manager and the protection storage system. Verify that the provided credentials are valid. Start a manual discovery to discover the protection storage system, or wait for PowerProtect Data Manager to perform the next scheduled discovery. If the issue persists, contact Dell Customer Support.; Detail Summaries: null; Status: UNACKNOWLEDGED

La commande /var/log/brs/secretsmgr/secret-mgr.log affiche une « Exceptions SSL » :

025-08-20T08:15:37.263Z ERROR [] [https-jsse-nio-9092-exec-2] [][][][TRACE_ID:85d2bd7ff466e267][] [c.e.b.s.u.CertificateUtils.handshakeWithException(272)] - SSLException: SSL handshake failed Received fatal alert: handshake_failure

La connexion OpenSSL au système Data Domain affiche un SSL handshake correspondante :

admin@my-ppdm:/> openssl s_client -connect my-datadomain.my-domain.com:3009 -showcerts
CONNECTED(00000003)
...
---
SSL handshake has read 2408 bytes and written 463 bytes
Verification error: self signed certificate in certificate chain
---
...

Le Data Domain adminaccess L’utilitaire de ligne de commande indique que les certificats sont toujours valides :

sysadmin@DataDomain# adminaccess cert show
Subject                Type   Application   Valid From                 Valid Until                Fingerprint
--------------------   ----   -----------   ------------------------   ------------------------   -----------------------------------------------------------
DataDomain.domain.com   host   https         Sat Aug 30 13:10:39 2025   Wed Sep 30 13:10:39 2026   69:68:64:72:E3:87:6B:87:CD:DF:85:DE:A4:A2:DF:58:80:6A:A3:DB
DataDomain.domain.com   ca     trusted-ca    Mon Sep 30 13:10:38 2024   Sun Sep 29 13:10:38 2030   4C:E4:C2:2C:FD:2A:BE:2B:FC:CE:8B:E5:BF:6A:CC:24:8F:1B:62:CF
--------------------   ----   -----------   ------------------------   ------------------------   -----------------------------------------------------------

Le Data Domain /ddr/var/log/debug/sm/sms.info log indique "no shared cipher" Erreurs:

09/04 10:42:13.454844 [14bafa20] _sms_soap_handle_new_connection: soap_ssl_accept failed on connection ::ffff:172.16.10.94:40598. Error: 30, msg_buf: SSL_ERROR_SSL error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

Data Domain et PowerProtect Appliance ne disposent pas d’un chiffrement partagé pour terminer l' SSL handshake Réussi. 
 
La commande adminaccess L’utilitaire de ligne de commande peut être utilisé pour valider les chiffrements Data Domain :

sysadmin@datadomain# adminaccess option show cipher-list
Adminaccess option "cipher-list" set to "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256".

La commande /usr/local/brs/lib/secretsmgr/config/application.yml peut être utilisé pour valider les chiffrements PowerProtect :

admin@ppdm:~> cat /usr/local/brs/lib/secretsmgr/config/application.yml
myserver:
  ssl:
    enabled-protocols: TLSv1.2,TLSv1.3
    ciphers: |
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    key-alias: secretsmgr
    key-store: "${sm.ssl.keystore-path}/secretsmgr.keystore"
    key-store-provider: SUN
    key-store-type: JKS
    protocol: TLS
    trust-store: "${sm.ssl.keystore-path}/secretsmgr.truststore"
    trust-store-provider: SUN
    trust-store-type: JKS
    client-auth: want
    enabled: true

Ajoutez les suites DHE à la liste de chiffrement Data Domain. Exemple :

adminaccess option set cipher-list DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256