ESRS VE Provisioning - Unable to login to emc support

During the initial configuration of ESRS VE I am able to proceed from Registration to Provisioning.  We do not use a proxy server, the Network Check passes for all sites, however when I go to the next step, Provision I am unable to login using my support credentials.  I receive an immediate "User Login Process Failed" error.

SnipImage.JPG.jpg

What I would like to do is login to the console and examine the logs so I can confirm communications and/or work with my networking team to get any missing destinations allowed.  Anyone have any idea where these logs are kept?

 

Checkout https://support.emc.com/kb/202306 for the logfile location and a possible solution for this issue

 

I had found that article and verified the time/time zone are correct.  However I am seeing some anomalies.  In YAST time and timezone are set properly, however using ssh or winscp , if I look at the provisioning log in /var/log/esrs/provisioning the time the logged times appear to be UTC time.

 

The log shows the following errors -

Caused by: ! sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target ! at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[na:1.7.0_91] ! at java.security.cert.CertPathBuilder.build(Unknown Source) ~[na:1.7.0_91] !... 68 common frames omitted ERROR [2016-02-12 13:27:42,109] com.emc.esrs.provisioning.ProvisioningResource: ProvisioningServiceException :com.emc.esrs.provisioning.exception.ProvisioningServiceException: User Login Process Failed

 

Hi Rob,

 

    do you know if there are some of these checking? (as per KB 000013285)

 

no SSL checking, Certificate verification or Certificate Proxying is permitted

 

Just in case you can follow the Knowledge Base Article: 000210985 "ESRS VE: User log on process failed when provisioning ESRS VE, How to troubleshoot SSL checking / Filtering"

 

You also could issue this comand from ESRS VE SSH

 

/usr/bin/openssl s_client -showcerts -connect esrs-core.emc.com:443

 

Regards

      Marco

 

I am unable to find those KB articles, however I did issue the command via SSH and see the following error:

Verify return code: 21 (unable to verify the first certificate

So I am pretty sure I need to disable SSL checking, Certificate Verification.. however I would assume that as a virtual appliance this should already be set in the appliance?  I also have a question on this submitted to my network/firewall team.

 

Try to search the KB removing the 0 before. (13285 and 210985). With your return code 21 there is the possibility that some router or firewall in the network is doing some SSL checking certificate verification etc...As you mention before the ESRS VE is a preconfigured VM and we don't enable this kind of check because is not supported so I think that you have done well opening a ticket to your network group for a verification.

 

Regards

      Marco

 

The issue was on my side, we did indeed do ssl inspection.  The network team created some bypass rules for the ESRS destinations and everything started working normally.  Thanks for the assistance.

 

You need to import your Businesses SSL Certificate into the cacert keystore.

 

wget http://yourcompanysslcert.pem

wget http://yourcompanysslcert2.pem  (there might be more then one for unchained certs)

 

you will need to convert the certificate from pem to der format because java cert store doesn't understand pem format.

 

openssl x509 -outform der -in myCert1.pem -out myCert1.der

openssl x509 -outform der -in myCert2.pem -out myCert2.der    (there might be more then one for unchained certs)

 

/usr/java/default/bin/keytool -alias myCert1 -keystore /usr/java/jre1.8.0_74/lib/security/cacerts -file mycert1.der

password = changeit

Trust this certificate? [no]:  yes

Certificate was added to keystore

 

/usr/java/default/bin/keytool -alias myCert2 -keystore /usr/java/jre1.8.0_74/lib/security/cacerts -file mycert2.der

password = changeit

Trust this certificate? [no]:  yes

Certificate was added to keystore

 

reboot the appliance and go though the setup process though the webgui.

 

This document was generated from the following discussion: ESRS VE Provisioning - Unable to login to emc support