PowerScale: Encrypted SyncIQ policies fail with "sslv3 alert unsupported certificate"

Summary: Encrypted SyncIQ policies fail immediately with the SSL error "sslv3 alert unsupported certificate".

Symptoms

SyncIQ policies fail with the error message "sslv3 alert unsupported certificate". This occurs after correctly configuring SyncIQ policies to use SSL certificates, and after importing the correct signing chain of certificates on the source and target clusters.

Cause

SyncIQ encryption uses both client and server authentication.

The end-of-chain certificate imported in the server/peer store of SyncIQ is configured for only one type of authentication. Typically, it is server authentication only.

To confirm and check the cluster:

# isi_for_array -sQ ' grep "An SSL handshake failure occurred while establishing" /var/log/isi_migrate.log | grep coord ' | sort | tail -5


Expected error:

TTTTTTTTTTTTTTT <3.3> xxxxxxxxxx-4(id8) isi_migrate[57638]: coord[xxxxxxxxxx:TTTTTTTTTTTT]: siq_create_alert_internal: type: 22 (policy name: xxxxxxxxxx target: xxxxxxxxxx) SyncIQ policy failed to establish an encrypted connection with target. An SSL handshake failure occurred while establishing an encrypted connection to the target cluster. Please view the logs on the source and target for further details. SSL error string: error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate [ISI_TLS_ERROR_HANDSHAKE], Target: xxxxxxxxxx

 

From the server and peer certificate store on the cluster:

# openssl x509 -text -noout -in /ifs/.ifsvar/modules/isi_certs/synciq/peer/zone_1/certs/<ID>.crt | grep -A1 "X509v3 Extended Key Usage"

# openssl x509 -text -noout -in /ifs/.ifsvar/modules/isi_certs/synciq/server/zone_1/certs/<ID>.crt | grep -A1 "X509v3 Extended Key Usage"


On an affected cluster, the output of the above commands shows TLS Web Server Authentication only or TLS Web Client Authentication only.

The correct output shows both TLS Web Server Authentication and TLS Web Client Authentication.

Resolution

Regenerate the end-of-chain certificate imported in the server/peer store of SyncIQ to include both types of authentication.

Follow your internal process for generating the Certificate Signing Request (CSR). Ensure that the conf file used to generate the CSR contains the following:

extendedKeyUsage = serverAuth,clientAuth


Sign this CSR file according to your security requirements (self-signed or CA-signed).
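
The following added example (not part of the Dell article or any internal CSR process) builds a throwaway self-signed certificate from a conf file containing the extendedKeyUsage line above and checks the result with the same openssl x509 query used in the Cause section. The file names, CN, key size, and validity period are assumptions. Because openssl x509 -req does not copy CSR extensions by default, the extension section is passed again at signing time.

```shell
#!/bin/sh
# Added example: siq.conf, siq.key, siq.csr, siq.crt and the CN are
# constructed names, not values from the article.
# Usage: make_cert /tmp/work serverAuth,clientAuth && check_eku /tmp/work/siq.crt

# Write a CSR config carrying the extendedKeyUsage line from the article.
write_conf() {  # $1 = output path, $2 = extendedKeyUsage value
    cat > "$1" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = siq-source.example.com

[ v3_req ]
extendedKeyUsage = $2
EOF
}

# Generate key + CSR, then self-sign. "openssl x509 -req" drops the CSR's
# requested extensions unless told otherwise, so -extfile/-extensions
# re-apply the same section to the signed certificate.
make_cert() {  # $1 = existing work dir, $2 = extendedKeyUsage value
    write_conf "$1/siq.conf" "$2" &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/siq.conf" \
        -keyout "$1/siq.key" -out "$1/siq.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/siq.csr" -signkey "$1/siq.key" -days 30 \
        -extfile "$1/siq.conf" -extensions v3_req \
        -out "$1/siq.crt" 2>/dev/null
}

# Return 0 only if the certificate lists both EKU purposes SyncIQ needs;
# otherwise name each missing purpose on stderr and return 1.
check_eku() {  # $1 = certificate path
    eku=$(openssl x509 -text -noout -in "$1" |
          grep -A1 "X509v3 Extended Key Usage" | tail -n 1)
    rc=0
    for purpose in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        case "$eku" in
            *"$purpose"*) ;;
            *) echo "missing EKU: $purpose" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```

Run check_eku against the signed certificate, not only the CSR, before importing it into the SyncIQ server/peer store.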

Affected Products

Isilon, PowerScale OneFS, Isilon SyncIQ

Article Properties
Article Number: 000186531
Article Type: Solution
Last Modified: 11 Dec 2025
Version: 5