Multiple SRAs cause SRDF SRA bug in Photon SRM

Not the prettiest title, but hey why beat around the bush with it. One of our European customers hit a bug with our SRDF SRA when they went to add Solutions Enabler array pairs in Photon SRM (Windows SRM is not impacted). It wasn’t clear this was a bug as the error is common enough in SRM when you try to discover arrays:

There are a myriad of reasons for this error, but the most common one is a certificate issue between the Solutions Enabler client (the SRDF SRA container) on the SRM server, and the Solutions Enabler server. To diagnose, you can look at the storsrvd.log file on the SE server and you are likely to see something like:

<Error> [2062355 SESS 2432] Feb-16 11:20:36.106 : ANR0151E Common Name in client certificate not valid: expected "server.global.com", received "pac852c410ie"

In this case the SE client is sending the hostname of the Docker container rather than the hostname of the SRM server. If I saw this I would likely conclude the customer either forgot to run the enableAutoSSLCertGen.sh script, or they did not run it after installing the SRDF SRA. The latter would be understandable since we used to run it before not after. In this case, however, the customer was following my blog post on the hot fix so they had done everything correctly. So what happened?

Multiple SRAs

The big difference in this customer’s environment from the vast majority we see, is that they used multiple vendor arrays with the same SRM environment. This is perfectly fine of course, but the customer suspected that might be the heart of the issue because of the output of the enableAutoSSLCertGen.sh script.

As a reminder, the function of the script is to add one or two files to the docker volume of the SRDF SRA to ensure:

  1. The hostname of the SRM server is sent to the SE server and not the container hostname (hostname file) – mandatory and automatic
  2. If filtering is desired, we also store the vCenter credentials in another file (.emcpwddb file) – optional and manual entries

Using my environment, I’ll show you the problem.

Environment

I have three SRAs installed in my setup. VMware lists them alphabetically, but I installed the SRDF SRA last. And no I’m not blasphemous enough to actually be running HPE in my environment, but none of the SRAs check for storage during installation 🙂 Take care to see how each has a unique Docker image ID which I highlight below.

Now I run the enableAutoSSLCertGen.sh script. I do provide the vCenter credentials which is optional. I first list the containers so you can see there are three and that each one has an associated volume (/var/lib…). By comparing the Docker container image ID above, you can match it to the volume below. In order, therefore, they are Unity (red box above), SRDF SRA (blue box above), and finally HPE (green box above).

Everything completes successfully above, but looking at the output closely as our customer did, because there are three volumes how did we decide which one is the SRDF SRA? Not very logically, unfortunately. We just took the first one. Was it what we wanted? Well no, that was the Unity one. But since I am the root user running the script nothing stops it from putting it there:

The information in the files is correct but in the wrong place. If I proceed and try to add my array managers, I’m going to fail the discovery and end up with a storsrvd.log file that looks like this where the container hostname is sent:

Resolution

Fortunately, the workaround is easy enough. There are two steps:

  1. Move the two files from the Unity docker volume (or whatever wrong volume you have) to the SRDF SRA one.
  2. Reload the SRDF SRA. <—-  This is critical

So first move the files:

Next reload the SRDF SRA from within the SRM Appliance Management screen:

Return to add your management pairs and everything should be good. This fix does exactly what the script was supposed to do so it will persist through reboots.

I should add that it is possible, depending on the SRAs in the environment, that our script gets lucky and selects the SRDF SRA image, but if you are running multiple SRAs you need to check.

One scenario I did not include here is if you used the non-hot fix SRA which is version 9.2.0. If you use that version, the Repository tags is set to sradocker:latest. Unfortunately this was lazy labeling which other SRAs use also. Since SRM relies on the uniqueness of this tag, if you install our SRA and then install another SRA with the same tag (RecoverPoint uses this tag), it will overwrite our SRA. For those who know Docker, it is possible to change the tags, but we do not support that for our SRA. The proper solution is to upgrade which will allow both SRAs to co-exist.

Hot fix

*** Fixed in SRA 10.0 ***

We’ll have a hot fix for this in the coming weeks or months. It’s not a difficult fix, but between other priorities and the QA timeline, it won’t be next week. They want to be sure they have covered every scenario and fortunately the workaround is not too difficult. Many thanks to our European customer for finding the issue.

KB

I wrote a KB outlining this issue which you can find here.

Advertisement

3 thoughts on “Multiple SRAs cause SRDF SRA bug in Photon SRM

Add yours

  1. Same environment and error here, just moved the files manually to the right path, reload SRA config, taking a look into storsrvd.log it reports a slightly different error message:

    [19106 SESS 0022] May-09 16:31:29.348 : ANR0155E Subject Alternative Names in the client certificate not valid: expected “::ffff:mysrmserveripaddress”, received “mysrmserverfqdn ”

    Where:
    mysrmserveripaddress: is the correct IP address of my SRM server
    mysrmserverfqdn: is the correct FQDN of my SRM server

    I cannot understand where the issue is. BTW I’ve opened a case to investigate 141558137

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Website Powered by WordPress.com.

Up ↑

%d bloggers like this: