SSL Connection Failure

If an error is received in the Permissions Collector or Activity Monitor about an SSL connection which can’t be established:

  • The certificate key length on the NetApp should be verified. In older NetApp versions, the default certificate is created with a 512-bit key. Use this command to create a certificate with a key of at least 1024 bits:

    secureadmin setup ssl
  • Data ONTAP up to version 8.2.3 operating in 7-mode only supports security protocols up to TLSv1.0, with the following cipher suites supported when using TLSv1.0:

    • TLS_RSA_WITH_RC4_128_MD5
    • TLS_RSA_WITH_RC4_128_SHA
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • Removing support for cipher suites that use RC4 or 3DES as their encryption algorithm (the cipher used to encrypt the data) means that the filer has no available cipher suites to use for secure communications.
  • Any server trying to communicate securely with the filer must support one of the above cipher suites (preferably 3DES, because it was deprecated most recently and is still allowed for use). If you know that these ciphers or TLSv1.0 are blocked in your organization, you must unblock them on the servers running Permission Collection and Activity Monitoring. If you don't know how to unblock them, talk to your organization's security department/team, because those settings are not configured that way by default. For further information, check the links below:

  • According to a NetApp security advisory, Data ONTAP 8.2.5 operating in 7-mode has the option to turn off TLSv1.0 entirely, and it supports TLSv1.1 and TLSv1.2, plus extra cipher suites that are supported by them, so this version should not be affected by removing support for cipher suites using RC4 or 3DES. The advisory is linked here:

    https://security.netapp.com/advisory/ntap-20160915-0001/

  • If no events are collected, see What to do if Events are not Collected.
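The following script is an added example, not part of this page or of the Permissions Collector / Activity Monitor product. It separates the two sides of the problem described above: first it checks whether the collector host's own TLS stack can still offer a TLSv1.0 handshake with any of the three cipher suites the 7-mode filer supports (a local refusal means the block is on the collector server, which is the case the text says must be fixed there), and then, when a hostname is given on the command line, it attempts a handshake against the filer with each suite and reports the outcome. The hostname `filer.example.internal` is a placeholder; the mapping from the IANA suite names on this page to the OpenSSL names used by Python's `ssl` module is standard (RC4-MD5, RC4-SHA, DES-CBC3-SHA).

```python
import socket
import ssl
import sys

# The TLSv1.0 cipher suites listed on this page for Data ONTAP 7-mode up to 8.2.3,
# keyed by IANA name, with the OpenSSL name that Python's ssl module understands.
FILER_CIPHER_SUITES = {
    "TLS_RSA_WITH_RC4_128_MD5": "RC4-MD5",
    "TLS_RSA_WITH_RC4_128_SHA": "RC4-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
}


def _tls10_context(openssl_cipher: str) -> ssl.SSLContext:
    """Build a client context pinned to TLSv1.0 and a single cipher suite.

    Raises ssl.SSLError or ValueError when the local OpenSSL build refuses
    either the protocol version or the cipher, which is exactly the
    "blocked on the collector server" condition the page describes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Diagnostics only: we want to see whether the handshake itself works,
    # not whether the filer's certificate chains to a trusted CA.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers(openssl_cipher)  # raises if no matching cipher exists
    return ctx


def local_cipher_support() -> dict:
    """Report which filer cipher suites this host can still offer over TLSv1.0.

    get_ciphers() returns only the suites actually usable under the current
    protocol limits and OpenSSL security level, so a False here means the
    collector host itself cannot complete the handshake with the filer.
    """
    support = {}
    for iana_name, ossl_name in FILER_CIPHER_SUITES.items():
        try:
            ctx = _tls10_context(ossl_name)
            support[iana_name] = any(c["name"] == ossl_name for c in ctx.get_ciphers())
        except (ssl.SSLError, ValueError):
            support[iana_name] = False
    return support


def probe_filer(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt a TLSv1.0 handshake with the filer using each suite in turn.

    Returns a human-readable outcome per suite: negotiated, refused by the
    remote side, or never attempted because the local stack cannot offer it.
    """
    results = {}
    for iana_name, ossl_name in FILER_CIPHER_SUITES.items():
        try:
            ctx = _tls10_context(ossl_name)
        except (ssl.SSLError, ValueError) as exc:
            results[iana_name] = f"not offered locally: {exc}"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    version, (cipher, _, _) = tls.version(), tls.cipher()
                    results[iana_name] = f"negotiated {version} with {cipher}"
        except (ssl.SSLError, OSError) as exc:
            results[iana_name] = f"handshake failed: {exc}"
    return results


if __name__ == "__main__":
    # Placeholder hostname; pass the filer's real name or address as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "filer.example.internal"
    print("Local TLSv1.0 cipher support on this host:")
    for name, ok in local_cipher_support().items():
        print(f"  {name}: {'offered' if ok else 'NOT offered (blocked locally)'}")
    if len(sys.argv) > 1:
        print(f"\nHandshake results against {host}:")
        for name, outcome in probe_filer(host).items():
            print(f"  {name}: {outcome}")
```

Run it first with no arguments on the Permission Collection or Activity Monitoring server: if every suite reports "NOT offered", the block is local and no filer setting will help. Only once at least one suite is offered locally does the remote probe tell you anything about the filer. The certificate key length from the first bullet is not visible through the `ssl` module; after a successful handshake it can be read with `openssl s_client -connect HOST:443 </dev/null | openssl x509 -noout -text`, which prints the "Public-Key" size in bits.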