8 Replies Latest reply: May 24, 2012 11:45 PM by ivyyang RSS

Navisphere Secure CLI: Certificate Verification Error

ivyyang

hi, I am a newbie of VNX storages. I installed Navisphere Secure CLI NaviCLI-Linux-64-x86-en_US-7.31.32.0.42-1.x86_64.rpm on a linux system so as to access EMC VNX 7500 and got the following messages.       [root@lx0034nbumast bin]# ./naviseccli -User iyang -Password XXX  -Scope 0 -Address 10.119.9.121
Error occurred while trying to connect: '10.119.9.122'.
Message : Certificate Verification Error: validation of the certificate chain found an expired certificate.                                                                                         
anybody who can help?thanks in adance!

  • 1. Re: Navisphere Secure CLI: Certificate Verification Error
    ivyyang

    anybody who can help?

  • 2. Re: Navisphere Secure CLI: Certificate Verification Error
    Christopher Imes

    You have configured your installation to use medium certificate verification which is the default on HP-UX (for comparison sake, on Windows low is the default).  Apparently the certificate on the array being validated is expired and you should work with support to review (and possibly regenerate) the certificate if you want to maintain that level of security.  You can confirm the verifying level by running:

     

         /opt/Navisphere/bin/naviseccli security -certificate -getlevel

     

     

    If you want to get up and running, at least for now, another option you could consider is to forgo the certificate verification by uninstalling and reinstalling but pass the following parameter upon installation (there isn't a way to change an existing installation):

     

         -x ask=true \*

     

     

    When prompted for "verifying level", select: low or l.

     

         Please enter the verifying level(low|medium|l|m) to set?

     

     

    Review the Unisphere Host Agent /CLI and Utilities Release Notes document available on Powerlink via the following breadcrumb trail:

     

         Home > Support > Technical Documentation and Advisories > Software ~ T-Z ~ Documentation > Unisphere > Release Notes

  • 3. Re: Navisphere Secure CLI: Certificate Verification Error
    Christopher Imes

    Ooops, was thinking HP-UX but you noted Linux.  Steps are also in the same release notes and you'd want to skip to the section for Linux instead:

     

    [...]

    Linux
    a. Run command

    rpm -ivh <full path to SecureCLI .rpm package>

     

    b. Run command
    /opt/emc/uemcli-<VERSION>/bin/setlevel.sh
    low|medium|l|m to set the security level before you proceed.

     

    c. In case of any failure while setting security level, error log will be stored at
    /opt/emc/uemcli-VERSION/bin/setlevel.log

    [...]

     

    You will have to uninstall and then reinstall as noted above as you need to run the setlevel.sh command immediately after the install.  Again, this is assuming this level of verification is acceptable for you.  If you need to maintain the medium verifying level, then review with support as mentioned in my previous post.

  • 4. Re: Navisphere Secure CLI: Certificate Verification Error
    ivyyang

    hi, Christopher

    thanks for your reply. it's helpful

    but i have a question.

    "reinstalling but pass the following parameter upon installation " ==========>here you mean reinstall "Navisphere agent" or Navisphere Secure CLI RPM package? I suppose you mean the former since I didn't see any interactive question during the installation of Navisphere Secure CLI RPM package  when I ran "rpm -ivh NaviCLI-Linux-64-x86-en_US-7.31.32.0.42-1.x86_64.rpm".

     

    [root@lx0034nbumast bin]# /opt/Navisphere/bin/naviseccli security -certificate -getlevel
    low

    [root@lx0034nbumast bin]#  ./naviseccli -User XX -Password XXX -Scope 0 -Address 10.119.9.121
    Error occurred during HTTP request/response from the target: '10.119.9.121'.
    Message : End of data stream

    after I changed the security level from medium to low, I came across new error...still can;t login via CLI......

  • 5. Re: Navisphere Secure CLI: Certificate Verification Error
    Christopher Imes

    The portion about passing at the command line during (re)installation was for HP-UX when I mistakenly was thinking of and not Linux.

     

    For Linux, it is uninstall -> reinstall -> and then immediately run the command as noted above (also mentioned in the release notes).

     

     

    Sorry for asking, but I'd like to rule it out, is 10.119.9.121 by chance your control station IP (and not SP A or SP B)?  Otherwise, at this point it seems to be a network connectivity related error.  By default, it uses -port 443 for communication.

     

    Could you try but with a simple command as follows:

     

    naviseccli -h <SPA or SPB and not CS> -User xxx -Password xxx -Scope 0 getagent

     

     

    Also, if you want to store (encrypted) the credentials so you don't have to keep typing -User, -Password, and -Scope, you may want to look into the command

     

    -AddUserSecurity

  • 6. Re: Navisphere Secure CLI: Certificate Verification Error
    ivyyang

    10.119.9.121  is the IP of SPA.  thanks very much for your help ,Christopher !

    I will try "AddUserSecurity" later.

  • 7. Re: Navisphere Secure CLI: Certificate Verification Error
    Christopher Imes

    Since it is one of your SP's, my only thought then is a network connectivity issue using default port 443, but the previous error (made progress lowering verifying level) suggests this is not the issue.

     

    Another thought may be to grab the Windows version of the utility, install it on a Windows server, and try the same.  I'm not expecting different results, but might help troubleshoot by comparing.

     

    I'd open up a ticket for support to review, but in the meantime let's see if anyone else has any thoughts.

  • 8. Re: Navisphere Secure CLI: Certificate Verification Error
    ivyyang

    ok I will download CLI for windows and try again!thanks!!