Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-2064868.1
Update Date:2017-09-28
Keywords:

Solution Type  Technical Instruction Sure

Solution  2064868.1 :   ASR (Auto Service Request) Disk Storage SSL Network Traffic Testing and Diagnostics  


Related Items
  • Integrated Software for ZFS ZS3-x Arrays
  • Sun Storage Common Array Manager (CAM)
  • Integrated Software for ZFS ZS4-x Arrays
Related Categories
  • PLA-Support>Sun Systems>DISK>Connected Services>SN-DK: ASR Configuration


Diagnostic commands and validation steps to confirm that the ASR connection is live and, if there are any issues, how to address them.

In this Document
Goal
Solution
  Common Errors seen:
 ZFS Appliance
 CAM (Common Array Manager)
 SSL and Port Validation
  DNS and Proxy Determination
 ZFS Appliance
 CAM (Common Array Manager)


Applies to:

Integrated Software for ZFS ZS4-x Arrays - Version All Versions to All Versions [Release All Releases]
Sun Storage Common Array Manager (CAM) - Version 6.0 to 6.10 [Release 6.0]
Integrated Software for ZFS ZS3-x Arrays - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.
Commands and tools used in this article are for example only and are not a strict usage of data to send and receive information with Oracle Services.

Goal

Provide a method for testing the connection from the phone home service on a device to the Oracle ASR infrastructure so that your ASR connection works correctly. This can be done before setting up the phone home configuration for ASR, or when any SSL/TLS/network connection errors are seen in the log files.

Solution

 Common Errors seen:

ZFS Appliance

BUI -> Maintenance -> LOGS -> PHONE HOME

  • Failed (unable to connect)
  • Failed (unauthorized)

BUI -> Configuration -> Services -> Phone Home -> On Screen Pop-Up

  • Invalid Reg ID
  • Failed to connect to target server/proxy
  • Invalid SOA

CLI -> maintenance logs select scrk show

  • Daily heartbeat, Failed (unable to connect)
  • Daily heartbeat, Failed (transfer rate too slow, connection aborted)
  • Registered new client public key for SOA myuser@myplace.com, Failed (unauthorized)

CLI -> confirm shell aklog scrk

  • SSL read: error:00000000:lib(0):func(0):reason(0), errno 131
  • SSL certificate verify result: unable to get local issuer certificate (20)
  •  Trying x.x.x.x... * Failed to connect to x.x.x.x: Network is unreachable

CAM (Common Array Manager)

BUI -> General Configuration -> ASR -> On Screen Notification

  • Unable to connect to Server
  • Proxy Returned Error 407

CLI -> Cam install location -> /SUNWsefms/log -> fms.0

  • SEVERE: Message transfer attempt failed: The target server failed to respond
  • Java Exception : Unknown Host name
  • Java Exception : Peer Verification failure
  • Java Exception : Proxy returned error

SSL and Port Validation

For the phone home configuration, please run the following steps to help confirm network and ports are open to Oracle through your firewall or proxy:

Please note that Self-Signed Certificates are not accepted due to Oracle Security Policy. The Root SSL/TLS Certificate is the only certificate that the devices use to communicate, and allow for the communication to occur.

 DNS and Proxy Determination

To check whether DNS is being used, run the following to see if a name server is returned:

  • From ZFS Appliance -> CLI -> configuration services dns show
    BUI -> Configuration -> Services -> DNS
    • if a value is returned that is not localhost, then a DNS entry is being used
    • else, if localhost value is returned, not using DNS
  • CAM Server -> grep 'nameserver' /etc/resolv.conf
    • if a value is returned, then a DNS entry is being used
    • else, if no value is returned, not using DNS

To check the proxy configuration, run the following to determine whether a proxy is needed:

  • From ZFS Appliance -> CLI -> configuration services dns show
    • if a value is returned, then a DNS entry is being used
    • else, if no value is returned, not using DNS
  • CAM Server -> grep 'nameserver' /etc/resolv.conf
    • if a value is returned, then a DNS entry is being used
    • else, if no value is returned, not using DNS

ZFS Appliance

Testing for the ZFS will be done through CLI, preferably through 2 working Terminal Sessions.

  1. From Terminal 1, run one of the following based on your environment
    (Note: This is used for diagnostics with the firewall/proxy and network team)
    • confirm shell snoop -v -o /var/tmp/oracle_test net 129.157.65.0 (IP Subnet as of Oct 31st, 2015) -> Non-DNS Configured
    • confirm shell snoop -v -o /var/tmp/oracle_test port 443 -> DNS Configured
    • confirm shell snoop -v -o /var/tmp/oracle_test port <proxy port> -> Proxy DNS Configured

  2. From Terminal 2, run the following commands
    • asr-services -> confirm shell openssl s_client -nbio -connect asr-services.oracle.com:443 -> DNS Configuration
    • asr-services -> confirm shell openssl s_client -nbio -connect 129.157.65.13:443 -> Non-DNS Configured
    • inv-cs -> confirm shell openssl s_client -nbio -connect inv-cs.oracle.com:443 -> DNS Configuration
    • inv-cs -> confirm shell openssl s_client -nbio -connect 129.157.65.14:443 -> Non-DNS Configured
    • transport -> confirm shell openssl s_client -nbio -connect transport.oracle.com:443 -> DNS Configuration
    • transport -> confirm shell openssl s_client -nbio -connect 141.146.1.169:443 -> Non-DNS Configuration
    • Proxy configuration
  3. Press Ctrl-c on Terminal 1 and Terminal 2 after the commands have been run on Terminal 2

  4. From the output from Step 2, compare with the following output for each server to make sure it matches the server certificate
    • asr-services -> Server certificate
      subject=/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/CN=*.oracle.com
      issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
    • inv-cs -> Server certificate
      subject=/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/CN=*.oracle.com
      issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4

  5. From Step 4, if the certificate does not match, it will require the firewall/proxy team at your site to be involved in fixing this issue. (See above Note Box for SSL/TLS Certificates)

  6. If Step 2 fails to connect, the necessary ports and transport host names must be added to the allowed SSL/TLS traffic so that the connection can pass through.
  7. If issues remain after all fixes have been made, please open a Service Request to get additional help from ASR Support Engineers. Provide the file from Step 1 and the output of Step 2 after the final tests are completed so that it can be seen where the failure is happening.

 

 

CAM (Common Array Manager)

 Testing for CAM will be done through CLI, preferably through 2 working Terminal Sessions.

  1. From Terminal 1, run one of the following based on your environment
    (Note: This is used for diagnostics with the firewall/proxy and network team)
    • Solaris -> snoop -v -o /var/tmp/oracle_test net 129.157.65.0 (IP Subnet as of Oct 31st, 2015) -> Non-DNS Configured
    • Solaris -> snoop -v -o /var/tmp/oracle_test port 443 -> DNS Configured
    • Solaris -> snoop -v -o /var/tmp/oracle_test port <proxy port> -> Proxy DNS Configured

    • Linux -> tcpdump -vv net 129.157.65.0/28 -w /var/tmp/oracle_test (IP Subnet as of Oct 31st, 2015) -> Non-DNS Configured
    • Linux -> tcpdump -vv port 443 -w /var/tmp/oracle_test -> DNS Configured
    • Linux -> tcpdump -vv port <proxy port> -w /var/tmp/oracle_test -> Proxy DNS Configured

  2. From Terminal 2, run the following commands
    • asr-services -> openssl s_client -nbio -connect asr-services.oracle.com:443 -> DNS Configuration
    • asr-services -> openssl s_client -nbio -connect 129.157.65.13:443 -> Non-DNS Configured
    • inv-cs -> openssl s_client -nbio -connect inv-cs.oracle.com:443 -> DNS Configuration
    • inv-cs -> openssl s_client -nbio -connect 129.157.65.14:443 -> Non-DNS Configured
    • transport -> openssl s_client -nbio -connect transport.oracle.com:443 -> DNS Configuration -> CAM 6.9 + Only
    • transport -> openssl s_client -nbio -connect 141.146.1.169:443 -> Non-DNS Configuration -> CAM 6.9 + Only
    • Proxy configuration
  3. Press Ctrl-c on Terminal 1 and Terminal 2 after the commands have been run on Terminal 2

  4. From the output from Step 2, compare with the following output for each server to make sure it matches the server certificate
    • asr-services -> Server certificate
      subject=/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/CN=*.oracle.com
      issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
    • inv-cs -> Server certificate
      subject=/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/CN=*.oracle.com
      issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4

  5. From Step 4, if the certificate does not match, it will require the firewall/proxy team at your site to be involved in fixing this issue. (See above Note Box for SSL/TLS Certificates)

  6. If Step 2 fails to connect, the necessary ports and transport host names must be added to the allowed SSL/TLS traffic so that the connection can pass through.

  7. If issues remain after all fixes have been made, please open a Service Request to get additional help from ASR Support Engineers. Provide the file from Step 1 and the output of Step 2 after the final tests are completed so that it can be seen where the failure is happening.
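
The comparison in Step 4 and the branching in Steps 5 and 6 (the same for the ZFS Appliance and CAM procedures), as an added example that is not part of the Oracle article: a shell function that classifies saved openssl s_client output. The function names, file names and sample transcripts are constructed for illustration; the expected subject and issuer are the values printed in Step 4.

```shell
#!/bin/sh
# Values to compare against are the ones printed in Step 4 of this article.
EXPECTED_SUBJECT='/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/CN=*.oracle.com'
EXPECTED_ISSUER='/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4'

# classify_s_client FILE -> prints MATCH (rc 0), MISMATCH (rc 1) or NO_CERT (rc 2)
classify_s_client() {
    # First subject=/issuer= lines after the "Server certificate" marker.
    got_subject=$(sed -n '/^Server certificate/,$ s/^subject=//p' "$1" | head -n 1)
    got_issuer=$(sed -n '/^Server certificate/,$ s/^issuer=//p' "$1" | head -n 1)
    if [ -z "$got_subject" ] || [ -z "$got_issuer" ]; then
        echo NO_CERT; return 2      # no handshake completed: Step 6
    fi
    if [ "$got_subject" = "$EXPECTED_SUBJECT" ] && [ "$got_issuer" = "$EXPECTED_ISSUER" ]; then
        echo MATCH; return 0
    fi
    echo MISMATCH                   # certificate replaced in transit: Step 5
    echo "  seen issuer=$got_issuer" >&2
    return 1
}

# write_samples DIR: constructed s_client transcripts (PEM body omitted).
write_samples() {
    cat > "$1/direct.txt" <<EOF
CONNECTED(00000003)
---
Server certificate
subject=$EXPECTED_SUBJECT
issuer=$EXPECTED_ISSUER
---
EOF
    cat > "$1/intercepted.txt" <<EOF
CONNECTED(00000003)
---
Server certificate
subject=$EXPECTED_SUBJECT
issuer=/O=Example Corp/CN=Example Inspection CA (constructed)
---
EOF
    cat > "$1/blocked.txt" <<EOF
connect: Connection refused
connect:errno=111
EOF
}

# Demo run over the constructed transcripts.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in direct intercepted blocked; do
    printf '%s: ' "$f"; classify_s_client "$demo_dir/$f.txt" 2>/dev/null || true
done
rm -rf "$demo_dir"
```

To use it on a real test, redirect the Step 2 output to a file and pass that file to classify_s_client; a MISMATCH result with an unfamiliar issuer is the evidence to hand to the firewall/proxy team.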

 


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.