Netapp_ontap fails to connect - com.netapp.nmsdk.client.ApiProtocolException: Connection error to Storage System

Document ID : KB000008191
Last Modified Date : 04/02/2019
Issue:

The following error is seen when trying to connect to a NetApp appliance:

[attach_socket, netapp_ontap] netapp_ontapNetAppSessionValidating connection for host 

[attach_socket, netapp_ontap] cbVerifyCtdResource failed 

[attach_socket, netapp_ontap] com.netapp.nmsdk.client.ApiProtocolException: Connection error to Storage System xxxxxxx: Remote host closed connection during handshake 

Environment:
- UIM 8.5.1
- netapp v1.40
- netapp ONTAP (8.2.2P2)
Cause:
- cluster security / protocol parameters
Resolution:

Via Raw Configuration on the probe, change the options line under startup to:

options = -Xms32m -Xmx1024m -Dfile.encoding=UTF-8 -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1,SSLv3

If that doesn't resolve the error/issue, consider the following:

...The connection to the other cluster may be working because the SSLv3 protocol is DISABLED and ONLY TLSv1 is ENABLED.

Working cluster connection... (cluster mode configuration showing SSL/TLS configuration) 

<cluster_hostname>::> system services web show 
External Web Services: true 
Status: online 
HTTP Protocol Port: 80 
HTTPs Protocol Port: 443 
TLSv1 Enabled: true 
SSLv3 Enabled: false 
SSLv2 Enabled: false 
SSL FIPS 140-2 Enabled: false 

Both clusters are running the same version of ONTAP (8.2.2P2).

The customer was NOT getting the connection error when trying to add a profile for this cluster to the netapp_ontap probe.

The other cluster was getting the connection error:

Profile failed verification due to error com.netapp.nmsdk.client.ApiProtocolException: Connection error to Storage Systemmhss-<cluster_hostname>: Remote host closed connection during handshake 

And this is how it is configured; the ONLY difference is that SSLv3 is ENABLED in addition to TLSv1:

<cluster_hostname>::> system services web show 
External Web Services: true 
Status: online 
HTTP Protocol Port: 80 
HTTPs Protocol Port: 443 
TLSv1 Enabled: true 
SSLv3 Enabled: true 
SSLv2 Enabled: false 
SSL FIPS 140-2 Enabled: false 
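
The comparison above can be automated. The following Python is an added example, not part of the original article or the probe: it parses two `system services web show` outputs, reports the settings that differ, and lists enabled legacy protocols. The function names and the choice of SSLv2/SSLv3 as "legacy" are assumptions of this example; the sample text is constructed from the two outputs shown above.

```python
"""Compare two `system services web show` outputs and flag legacy protocols."""

# Constructed sample: the working cluster's output as shown in the article.
WORKING = """\
<cluster_hostname>::> system services web show
External Web Services: true
Status: online
HTTP Protocol Port: 80
HTTPs Protocol Port: 443
TLSv1 Enabled: true
SSLv3 Enabled: false
SSLv2 Enabled: false
SSL FIPS 140-2 Enabled: false
"""
# The failing cluster's output differs in a single line.
FAILING = WORKING.replace("SSLv3 Enabled: false", "SSLv3 Enabled: true")
# Settings this example treats as legacy protocols (an assumption of the example).
LEGACY = ("SSLv2 Enabled", "SSLv3 Enabled")

def parse_web_show(text):
    """Parse 'Key: value' lines into a dict, skipping the prompt and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "::>" in line:
            continue
        key, sep, value = line.rpartition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def diff_settings(a, b):
    """Return {key: (value_in_a, value_in_b)} for every setting that differs."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def legacy_enabled(settings):
    """Return the legacy protocol settings that are switched on."""
    return [k for k in LEGACY if settings.get(k, "").lower() == "true"]

if __name__ == "__main__":
    working, failing = parse_web_show(WORKING), parse_web_show(FAILING)
    for key, (w, f) in diff_settings(working, failing).items():
        print(f"{key}: working={w} failing={f}")
    print("legacy protocols enabled on failing cluster:", legacy_enabled(failing))
```

To use it on real clusters, paste each cluster's captured CLI output in place of the two sample strings.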

====================================== 

TLSv1 is more secure than SSLv3 in any case. 

https://library.netapp.com/ecmdocs/ECMP1368862/html/GUID-3E07D3F8-6A05-49C0-BF92-9C88BA252E1F.html 

There is helpful information here on managing the web protocol engine/SSL for Clustered Data ONTAP 8.2. 

https://library.netapp.com/ecm/ecm_download_file/ECMP1636068 

In the PDF, see "Managing the web protocol engine".

You may need to discuss with the customer whether or not it's feasible to disable SSLv3 on the non-working cluster.