...
The customer configured LDAPS for Unisphere login on a VNX array; the LDAPS server is a Windows Active Directory domain controller. After the change, users can log in to Unisphere via LDAPS, but the Unisphere alerts page shows an error, and the system log reports event 0x748f:

[nasadmin@XXX-VNX5400-CS0 log]$ nas_logviewer sys_log | grep -i 748f
Aug 18 10:31:39 2016:CS_PLATFORM:NaviEventMonitor:ERROR:3:::::VNX Storage Array event number 0x748f Host XXX-VNX5400-SPA Storage Array N/A SP N/A SoftwareRev 7.33.8 (3.7) BaseRev 05.33.008.5.119 Description The LDAP settings were not successfully installed on the File side of the VNX.

The LDAP certificates on the Control Station cannot be decoded with openssl:

[root@5700CS139 ldap]# openssl x509 -in /nas/http/domain/ldap/apacheDomain.primary_ldap_certificate.crt -text
unable to load certificate
2550:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:756:
[root@5700CS139 ldap]# openssl x509 -in /nas/http/domain/ldap/apacheDomain.backup_ldap_certificate.crt -text
unable to load certificate
2668:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:756:
When two LDAPS servers are configured on the array, the SP pushes two certificate files to the Control Station:

/nas/http/domain/ldap/apacheDomain.primary_ldap_certificate.crt
/nas/http/domain/ldap/apacheDomain.backup_ldap_certificate.crt

The Control Station expects each file to be a Base-64 encoded X.509 (PEM) certificate. In this case the certificate that was imported through Unisphere was not in that format, so openssl on the Control Station cannot decode it ("bad base64 decode") and the LDAP settings fail to install on the File side.
To resolve this issue:

1) Confirm that the certificate is in a valid format.

1. Obtain and verify the certificate (or certificate chain) for the LDAP server.
2. The quick check is to open the certificate file in a text editor. If it shows readable text between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, it is in the correct (Base-64 / PEM) format. If it shows binary characters, the certificate is in binary DER encoding (or is a binary PKCS#7 bundle), which the Control Station cannot load.
3. On Windows, copy the certificate chain (usually a .p7b file) to a folder, right-click it and choose Open. On the "Details" tab, use "Copy to File" to export the certificate as "Base-64 encoded X.509 (.CER)", which is the valid format.
4. If the file contains several certificates (a chain), export each one with the step above, for example cert1.cer, cert2.cer, and so on.
5. Log in to Unisphere and re-import the certificates:
   - Log in with any global administrator account (for example sysadmin with global scope).
   - Go to Domain -> Manage LDAP settings -> Primary -> Modify -> Change certificate -> "Copy as Text".
   - Open each converted certificate in Notepad and copy/paste its entire content, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Paste every certificate of the chain one after another, each directly below the previous END CERTIFICATE line.
   - Press OK. If the chain is complete, Unisphere accepts it without error. If not, check the conversion and make sure every certificate in the chain was obtained; involve your Windows/certificate administrators if required.
   - Repeat the same steps for the Backup LDAP server if one is configured.

2) Verify from the Control Station:

1. Run "/nas/http/webui/bin/update_domain_directory.pl" to refresh the LDAP settings.
2. Run "openssl x509 -in /nas/http/domain/ldap/apacheDomain.primary_ldap_certificate.crt -text" and "openssl x509 -in /nas/http/domain/ldap/apacheDomain.backup_ldap_certificate.crt -text" to make sure openssl can decode each certificate. The output should start like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:03:b6:a7:e9:3f:9e:ac:4e:88:39:91:b9:f8:4e:2d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=vnx, CN=vnx-DC0-CA

3. Run "/nas/sbin/cstadmin validate-config LDAP 'LDAP PRIMARY' -cstdir=/nas/site/cst -passphrase=$(/nas/sbin/cst_setup -getKey cst)" and ensure it reports no errors.
4. If the above command reports no error, LDAP login to Unisphere should work.
5. If an error such as "LDAP Server is down" is reported, ensure that the server name configured in the LDAP settings matches the name in the certificate (its subject or Subject Alternative Name). If the LDAP setting uses an IP address but the certificate was issued to a hostname, change the LDAP setting to the hostname. This also means that DNS must be configured on the Control Station with "nas_cs -set" so that the hostname resolves correctly.
6. Also ensure that the domain user is a direct member of the group defined in the Role Mapping.
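The conversion and verification steps above can also be done from a shell with openssl, which is already present on the Control Station. The following script is an added example and is not part of this article or of the VNX software; it assumes openssl is on the PATH, and the script name and file names it uses are placeholders. It classifies an exported certificate file, converts a DER .cer or a .p7b chain into the Base-64 X.509 (PEM) form the Control Station expects, and then decodes every certificate in the result the same way step 2 of the verification does.

```shell
#!/bin/sh
# Added example, not part of the original article: convert an LDAP server
# certificate or chain into the Base-64 X.509 (PEM) form the Control Station
# expects, then confirm openssl can decode every certificate in it.
# Assumes openssl is on the PATH; file names used here are placeholders.

# Classify a certificate file: pem (Base-64 X.509), pem-pkcs7 (Base-64
# PKCS#7 bundle), der (binary X.509 or binary .p7b), or unknown.
cert_format() {
    f="$1"
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo pem
    elif grep -q -- '-----BEGIN PKCS7-----' "$f" 2>/dev/null; then
        echo pem-pkcs7
    elif [ "$(od -An -tx1 -N1 "$f" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        # DER-encoded ASN.1 always starts with a SEQUENCE tag (0x30);
        # this is the "binary characters" case described in the article.
        echo der
    else
        echo unknown
    fi
}

# Write the input as a PEM file with one BEGIN/END CERTIFICATE block per
# certificate, converting from DER or PKCS#7 when needed.
to_pem_chain() {
    in="$1"; out="$2"
    case "$(cert_format "$in")" in
        pem)       cp "$in" "$out" ;;
        pem-pkcs7) openssl pkcs7 -in "$in" -print_certs -out "$out" ;;
        der)
            # A .p7b exported from Windows is DER PKCS#7; a single .cer may
            # be a DER X.509 certificate. Try the bundle form first.
            openssl pkcs7 -inform DER -in "$in" -print_certs -out "$out" 2>/dev/null \
                || openssl x509 -inform DER -in "$in" -out "$out" ;;
        *)
            echo "unrecognised certificate encoding: $in" >&2
            return 1 ;;
    esac
}

# Number of certificate blocks in a PEM file (each chain member needs one).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Decode every certificate in the chain the way the article does for
# apacheDomain.primary_ldap_certificate.crt. Prints subject/issuer of each
# to stderr, prints the number of certificates decoded on stdout, and
# fails on the first block openssl cannot load.
verify_chain() {
    pem="$1"; n=0
    dir=$(mktemp -d) || return 1
    # Split the chain on BEGIN lines into cert1.pem, cert2.pem, ...
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$pem"
    for c in "$dir"/cert*.pem; do
        if ! openssl x509 -in "$c" -noout -subject -issuer >&2; then
            rm -rf "$dir"
            return 1
        fi
        n=$((n + 1))
    done
    rm -rf "$dir"
    echo "$n"
}

# Usage: sh ldap_cert_check.sh <exported .cer or .p7b> <output .pem>
if [ $# -eq 2 ]; then
    to_pem_chain "$1" "$2" && verify_chain "$2"
fi
```

The resulting PEM file is what should be pasted into Unisphere's "Copy as Text" field, chain members one after another; the number printed by verify_chain should equal the number of certificates in the chain, and the subject/issuer lines show whether the chain is complete (each issuer should appear as the subject of a later block, up to the root CA).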