EMC UIM/P – Symmetrix VMAX Discovery (Verify SYMAPI Certificates)

During a UIM discovery of an ‘EMC VMAX’ you may encounter the following error:

UIM/P – VMAX DISCOVERY ERROR MESSAGE:
=================================================================
=================================================================
Action completed successfully…
10.X.X.X: found 1 reachable IP address out of 1 ping request
Discovering device type and communication protocols for device (10.X.X.X)
Device did not respond to authentication, please check the supplied credentials and/or port(s).
—-> Refer additional details below.
—->
—-> ADDITIONAL DETAILS
—-> SYM command ‘/opt/emc/SYMCLI/bin/symcfg list’ failed with exit status: 1 [ERRORCODE 3 (Permission Denied)]
—-> *** Verify SYMAPI client certificates are correct. ***
—-> Command output:
—-> >
—-> > The remote client/server handshake failed. Please consult symapi and storsrvd log files
—-> >
—-> ERR:Unable to get a session to Symmetrix 10.X.X.X using devicenative mechanism
!!! Could not discover credentials for device
=====================================================================
=====================================================================

If you experience the above error a common fix is to regenerate the certificate on the VMAX Agent server (SMI-S Provider) and to also regenerate the certificate on the UIM Host as per the following instructions:

Firstly before proceeding with Cert regeneration check the following:
1. Date&Time
Ensure the date and time is in sync between the UIM and VMAX Agent server.
2. Host File Entries
Ensure the VMAX Agent server host file has an entry for the UIM Server; else you will receive the following error:
UIM_VMAX8
3. Support Matrix
Search support.emc.com for:
Unified Infrastructure Manager/Provisioning Support Matrix
Ensure the SE version listed is the version installed.
4. ECOM Service
Also check that the ECOM service is running on the VMAX Agent server and the correct ECOM credentials are being used. Validate the credentials by logging into: https://localhost:5989/ecomconfig

If you have completed any of the 4 steps above then Retry the discovery of VMAX through UIM/P. At this stage if you are still failing to discover the VMAX then continue with the certificate regeneration:

Proceeding with Certificate Regeneration:
FROM THE UIM SERVER
1. Change (cd) to the /usr/emc/API/symapi/config/cert directory.
2. Run the following command from within this directory:
UIMHost:/usr/emc/API/symapi/config/cert # /opt/emc/SYMCLI/bin/manage_server_cert.sh create
The create script will read the hostname from the environment and recreate the certificate.
3. Ensure the UIM hostname used by the certificate file is correct:
UIMHost:/usr/emc/API/symapi/config/cert # /opt/emc/SYMCLI/bin/manage_server_cert.sh list

FROM THE VMAX AGENT SERVER
Regenerate the certificate on the Windows host using the Manage_Server_Cert.bat executable.
1. From the direcory \Program Files\EMC\SYMAPI\config\cert> run the create command:
D:\Program Files\EMC\SYMAPI\config\cert>”D:\Program Files\EMC\SYMCLI\bin\manage_server_cert.bat” create
Output:
The files symapisrv_cert.pem and symapisrv_key.pem were created in the directory
D:\Program Files\EMC\SYMAPI\config\cert.
1 file(s) copied.
1 file(s) copied.

2. Ensure the hostname is correct as per the certificate file:
D:\Program Files\EMC\SYMAPI\config\cert>”D:\Program Files\EMC\SYMCLI\bin\manage_server_cert.bat” list
Output:
The host names in this machine’s certificate:
storsrvd YourWindowsHostname

Now Retry the discovery of VMAX through UIM/P.

STILL FAILING – Continue:
If after completing the above steps and still the same error persists during UIM discovery, then continue with the following steps.

Open the storsrvd log file (drive letter:\Program Files\EMC\SYMAPI\log) and check for the error “sslv3 alert certificate expired”:
UIM_VMAX0

This is a known issue and details can be found on EMC Support KB190373.

Check the expiration date of the file using the storssl command from the cert directory:
D:\Program Files\EMC\SYMAPI\config\cert>storssl x509 -text -in symapisrv_trust.pem
You will notice the expired ‘Not After’ date from the output:

Validity
Not Before: AUG 23 10:40:34 2004 GMT
Not After : AUG 26 10:40:34 2014 GMT EXPIRED

FROM THE VMAX AGENT SERVER
1. Rename the existing “D:\Program Files\EMC\SYMAPI\config\cert\symapisrv_trust.pem” file to symapisrv_trust.pem.old
2. Stop the storsrvd service: Stordaemon shutdown storsrvd
3. Download the replacement symapisrv_trust.pem from KB190373 and save to the cert directory.
4. Run manage_server_cert update command from the cert directory:
UIM_VMAX6
5. Start the storsrvd service: Stordaemon start storsrvd
6. Check the certificate expiration date:
D:\Program Files\EMC\SYMAPI\config\cert>storssl x509 -text -in symapisrv_trust.pem
UIM_VMAX1
7. Verify the certificate (prints OK if good or ‘expired certificate’ if expired):
D:\Program Files\EMC\SYMAPI\config\cert>storssl verify symapisrv_trust.pem
UIM_VMAX2

FROM THE UIM SERVER
1. Rename the existing “/usr/emc/API/symapi/config/cert/symapisrv_trust.pem” file to symapisrv_trust.pem.old
2. Download the replacement symapisrv_trust.pem from KB190373 and save to the cert directory.
3. Run manage_server_cert update command from the cert directory:
vmuim01:/usr/emc/API/symapi/config/cert # /opt/emc/SYMCLI/bin/manage_server_cert.sh update
UIM_VMAX5
4. Check the certificate expiration date:
vmuim01:/usr/emc/API/symapi/config/cert # /opt/emc/SYMCLI/bin/storssl x509 -text -in symapisrv_trust.pem
UIM_VMAX3
5. Verify the certificate (prints OK if good or ‘expired certificate’ if expired):
vmuim01:/usr/emc/API/symapi/config/cert # /opt/emc/SYMCLI/bin/storssl verify symapisrv_trust.pem
UIM_VMAX4

At this stage you should be able to successfully discover the VMAX through UIM/P.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s