PowerProtect：Data Domain 探索失敗，ADS0005表示 SSL 交握錯誤

PowerProtect 介面顯示「管理 ->憑證」下的 Data Domain 憑證遺失。  PowerProtect Data Manager 工具命令列公用程式也可用來驗證可用的憑證： ppdmtool -listcert

可使用 /var/log/brs/discovery-service/discovery-service.log 顯示 ADS0005 警示：

2025-08-21T16:56:55.995Z ERROR [] [b8675052-a49e-4ff4-9463-5f1028e3a96a-akka.actor.default-dispatcher-12] [][ALERT:ADS0005][][][] [c.e.d.e.c.s.m.DefaultMessageResourceModifier.printAlertLog(143)] - Date: Aug 22, 2025 00:56:55 AM; Summary: Unable to discover protection storage PowerProtect DD System with address 192.0.0.1 because of com.emc.brs.common.exceptions.DiscoveryActorException: Unauthorized: Unable to process the authentication request for PowerProtect DD Management Console DD-3. Error: Received fatal alert: handshake_failure..; Details: Discovery of the protection storage system was unsuccessful.; Recommended Action: Check the connection between PowerProtect Data Manager and the protection storage system. Verify that the provided credentials are valid. Start a manual discovery to discover the protection storage system, or wait for PowerProtect Data Manager to perform the next scheduled discovery. If the issue persists, contact Dell Customer Support.; Detail Summaries: null; Status: UNACKNOWLEDGED

可使用 /var/log/brs/secretsmgr/secret-mgr.log 顯示 「SSL 例外」：

025-08-20T08:15:37.263Z ERROR [] [https-jsse-nio-9092-exec-2] [][][][TRACE_ID:85d2bd7ff466e267][] [c.e.b.s.u.CertificateUtils.handshakeWithException(272)] - SSLException: SSL handshake failed Received fatal alert: handshake_failure

與 Data Domain 的 OpenSSL 連線會顯示 SSL handshake 錯誤：

admin@my-ppdm:/> openssl s_client -connect my-datadomain.my-domain.com:3009 -showcerts
CONNECTED(00000003)
...
---
SSL handshake has read 2408 bytes and written 463 bytes
Verification error: self signed certificate in certificate chain
---
...

The Data Domain adminaccess 命令列公用程式顯示憑證仍然有效：

sysadmin@DataDomain# adminaccess cert show
Subject                Type   Application   Valid From                 Valid Until                Fingerprint
--------------------   ----   -----------   ------------------------   ------------------------   -----------------------------------------------------------
DataDomain.domain.com   host   https         Sat Aug 30 13:10:39 2025   Wed Sep 30 13:10:39 2026   69:68:64:72:E3:87:6B:87:CD:DF:85:DE:A4:A2:DF:58:80:6A:A3:DB
DataDomain.domain.com   ca     trusted-ca    Mon Sep 30 13:10:38 2024   Sun Sep 29 13:10:38 2030   4C:E4:C2:2C:FD:2A:BE:2B:FC:CE:8B:E5:BF:6A:CC:24:8F:1B:62:CF
--------------------   ----   -----------   ------------------------   ------------------------   -----------------------------------------------------------

The Data Domain /ddr/var/log/debug/sm/sms.info log 顯示 "no shared cipher" 錯誤：

09/04 10:42:13.454844 [14bafa20] _sms_soap_handle_new_connection: soap_ssl_accept failed on connection ::ffff:172.16.10.94:40598. Error: 30, msg_buf: SSL_ERROR_SSL error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

Data Domain 和 PowerProtect 裝置沒有共用密碼，無法完成 SSL handshake 成功。 
 
可使用 adminaccess 命令列公用程式可用來驗證 Data Domain 加密：

sysadmin@datadomain# adminaccess option show cipher-list
Adminaccess option "cipher-list" set to "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256".

可使用 /usr/local/brs/lib/secretsmgr/config/application.yml 檔案可用於驗證 PowerProtect 加密：

admin@ppdm:~> cat /usr/local/brs/lib/secretsmgr/config/application.yml
myserver:
  ssl:
    enabled-protocols: TLSv1.2,TLSv1.3
    ciphers: |
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    key-alias: secretsmgr
    key-store: "${sm.ssl.keystore-path}/secretsmgr.keystore"
    key-store-provider: SUN
    key-store-type: JKS
    protocol: TLS
    trust-store: "${sm.ssl.keystore-path}/secretsmgr.truststore"
    trust-store-provider: SUN
    trust-store-type: JKS
    client-auth: want
    enabled: true

將 DHE 套件新增至 Data Domain 密碼清單。範例：

adminaccess option set cipher-list DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256