Unity OE 5.5.x enforces stricter TLS and certificate validation requirements. KMIP configurations that use IP addresses, or KMIP server certificates without the required FQDN in the Subject Alternative Name (SAN) extension, fail the pre-upgrade health check (PUHC). PUHC reports the following failure:

check_KMIP_servers: (Fail)

Example error:

Platform: Check KMIP servers
KMIP is enabled and that is not recommended to upgrade.
Action : Since Unity 5.5 uses the newer TLS 1.3, for security safety, please disable KMIP before upgrading, then retry the upgrading.
ERROR_CODE=platform::check_KMIP_servers_8|Error|

Or:

Platform: Check KMIP servers
KMIP server certificate does not have the corresponding field as "DNS:<kmip-server-fqdn>" in Subject Alternative Name
Action : Replace the configured KMIP server's certificate with one which can find its corresponding FQDN in SAN extension of server certificate, then try again.
ERROR_CODE=platform::check_KMIP_servers_4|Error|

Sample logs are written to the following files (the timestamp in the file name varies):
/nas/log/.check_health.260220-015136.debug.log
/nas/log/check_health.260220-015136.log
The BSAFE library, which is responsible for certificate validation, was upgraded in 5.5.0 and applies stricter validation rules. This is why a certificate without a SAN fails on 5.5.1. RFC 6125 recommends the SAN extension as the preferred carrier of a server's DNS identity: when a certificate contains a dNSName SAN entry, conforming clients match the host name against the SAN and ignore the Common Name. The SAN extension also allows several names per certificate and is what modern TLS clients and browsers check. Further, the Dell certificate service requires a SAN in every Certificate Signing Request (CSR).

Unity OE 5.5.x and later enforce stricter TLS and certificate validation requirements for KMIP communication. The PUHC failure may occur for one or more of the following reasons:
KMIP server certificates do not contain the required FQDN in the SAN extension.
KMIP servers are configured using IP addresses instead of FQDNs.
KMIP server certificates do not meet the Unity 5.5.x TLS validation requirements.

Example of a valid certificate. List the installed KMIP server certificates:
ls -al /EMC/CBE/KMIPCer
Then verify that the output of
openssl x509 -in <KMIPservercertificate> -text -noout
contains a SAN entry with the server FQDN:
X509v3 Subject Alternative Name:
    DNS:kmipserver.company.com

Example of an invalid certificate (no SAN extension present):
X509v3 extensions:
    Basic Constraints
    Netscape Cert Type

Starting with Unity OE 5.5.x:
KMIP servers must be configured using FQDNs; KMIP servers configured by IP address are not supported.
The configured FQDN must match the certificate identity and be present in the SAN extension.
Resolution:
1. Disable KMIP prior to the upgrade.
2. Run the PUHC.
3. Reenable the KMIP configuration after the upgrade.

The following requirements should be met before reenabling KMIP: the KMIP server is specified as an FQDN, and the server certificate contains that FQDN in both the CN and the SAN.
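As an added example (not part of this Dell KB) of the pre-check described above: the script below uses openssl to verify, for a given KMIP server entry and its certificate file, that the entry is an FQDN rather than an IP literal and that the same FQDN appears as a DNS entry in the certificate's SAN, which is the condition PUHC's check_KMIP_servers_4 enforces. The FQDN kmipserver.company.com and the two throwaway self-signed certificates it generates (one with a SAN, one without) are constructed for the demo; on a Unity system you would point check_kmip_cert at the configured server name and the certificate under /EMC/CBE/KMIPCer instead. The exact-match rule (no wildcard handling) is a deliberate, conservative choice made here, not something the KB states.

```shell
#!/bin/sh
# Added example, not Dell code: pre-check a KMIP server entry against the
# Unity OE 5.5.x FQDN-in-SAN requirement using only the openssl CLI.

# Print the DNS names from the certificate's SAN extension, one per line.
# Empty output means the certificate has no SAN or no DNS entries in it.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
      | awk '/X509v3 Subject Alternative Name:/ { getline; print; exit }' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# True if the configured server name is an IPv4 or IPv6 literal.
is_ip_literal() {
    case "$1" in
        *:*) return 0 ;;   # IPv6 literal
    esac
    printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'
}

# check_kmip_cert <configured-server-name> <certificate.pem>
# Returns 0 when the entry would pass the check, 1 otherwise.
check_kmip_cert() {
    host="$1"
    cert="$2"
    if is_ip_literal "$host"; then
        echo "FAIL: KMIP server '$host' is an IP address; Unity OE 5.5.x requires an FQDN" >&2
        return 1
    fi
    names=$(san_dns_names "$cert")
    if [ -z "$names" ]; then
        echo "FAIL: $cert has no DNS entries in its Subject Alternative Name extension" >&2
        return 1
    fi
    # Exact match only: the PUHC error text asks for DNS:<kmip-server-fqdn>.
    if printf '%s\n' "$names" | grep -Fxq "$host"; then
        echo "PASS: $cert lists DNS:$host in its SAN"
        return 0
    fi
    echo "FAIL: SAN of $cert ($(printf '%s' "$names" | tr '\n' ' ')) does not contain DNS:$host" >&2
    return 1
}

# Constructed demo input: two throwaway self-signed certificates, one with the
# FQDN in the SAN and one with no SAN at all (CN only), so the check can be
# exercised offline. -addext needs OpenSSL 1.1.1 or later.
FQDN=kmipserver.company.com
WORK=$(mktemp -d)
GOOD_CERT="$WORK/good.pem"
NOSAN_CERT="$WORK/nosan.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN" \
    -keyout "$WORK/good.key" -out "$GOOD_CERT" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$FQDN" \
    -keyout "$WORK/nosan.key" -out "$NOSAN_CERT" 2>/dev/null

check_kmip_cert "$FQDN" "$GOOD_CERT"            # PASS
check_kmip_cert "$FQDN" "$NOSAN_CERT" || true   # FAIL: no SAN, CN alone is not enough
check_kmip_cert 10.0.0.5 "$GOOD_CERT" || true   # FAIL: configured by IP, not FQDN
```

Run the three calls against your real configuration before re-enabling KMIP: a PASS on the configured server name and certificate is the condition the KB's resolution steps require, and the second case shows why a certificate whose only identity is in the CN still fails even though the name is correct.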