All Apps and Add-ons

certificate mismatch error when configuring Dell EMC VMAX Add-on for Splunk

att35
Builder

Hi,

We are starting to integrated VMAX logs into Splunk and installed the TA on the indexer. https://splunkbase.splunk.com/app/3416/

Certificate was successfully downloaded directly from VMAX using the following command:

openssl s_client -showcerts -connect <VMAX IP>:8443 </dev/null 2>/dev/null|openssl x509 -outform PEM ><VMAX IP>.pem

After configuring the input with credentials and the path to the above cert, we get the following in splunk logs.

2018-05-25 05:50:58,052 INFO pid=62924 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-05-25 05:50:58,880 INFO pid=62924 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-05-25 05:51:00,185 INFO pid=62924 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2018-05-25 05:51:00,209 ERROR pid=62924 tid=MainThread file=connection.py:_match_hostname:353 | Certificate did not match expected hostname: . Certificate: {'notBefore': u'Aug 18 19:07:19 2015 GMT', 'serialNumber': u'xxxxxxx', 'ex_flags': xxxx, 'notAfter': 'Aug 15 19:07:19 2025 GMT', 'extendedKeyUsage': 0, 'subject': ((('countryName', u'xx'),), (('stateOrProvinceName', u'xx'),), (('localityName', u'xxxxxxxxx'),), (('organizationName', u'EMC'),), (('organizationalUnitName', u'xxx'),), (('commonName', u'VMAX HOSTNAME'),)), 'issuer': ((('countryName', u'xx'),), (('stateOrProvinceName', u'xx'),), (('localityName', u'xxxxxxxx'),), (('organizationName', u'EMC'),), (('organizationalUnitName', u'xxx'),), (('commonName', u'VMAX HOSTNAME'),)), 'version': 3L, 'basicConstraints': -1}
2018-05-25 05:51:00,210 ERROR pid=62924 tid=MainThread file=base_modinput.py:log_error:307 | Array: xxxxxxxxxxxxx - The GET request to URL https://VMAX IP:8443/univmax/restapi/84/system/version encountered an SSL issue. Please check your SSL cert specified in the data input configuration and try again.
2018-05-25 05:51:00,210 ERROR pid=62924 tid=MainThread file=base_modinput.py:log_error:307 | Array: xxxxxxxxxxxxx - REST request failed.

Has anyone encountered this before? Is there anything that needs to be done on VMAX side as well?

Thanks,

~Abhi

0 Karma

MichaelMcAleer
Path Finder

Hi Abhi,

Thanks for posting the above question regarding SSL certs! It can be a tricky area but thankfully there are a few things that we can do to check for cert validity.

First up is checking the command itself:

$ openssl s_client -showcerts -connect <VMAX IP>:8443 </dev/null 2>/dev/null|openssl x509 -outform PEM ><VMAX IP>.pem

Can you ensure that the IP address you are entering here is for the instance of Unisphere in your environment used for performance metrics collection? Also, instead of using the IP address try the hostname value instead, occassionally there can be issues with hostname resolution which can cause the error you are seeing 'Certificate did not match expected hostname'.

$ openssl s_client -showcerts -connect {unisphere_host}:8443 </dev/null 2> \  
/dev/null|openssl x509 -outform PEM >{unisphere_host}.pem

When the cert has been pulled from Unisphere onto your Splunk instance, you can confirm that the cert is valid by running the command:

$ openssl s_client -connect {unisphere_host}:8443 -CAfile {cert_name}.pem -verify 9

I think at this point if you are getting cert validation returning 'ok/valid' you should be able to get past the cert error you mentioned in your query, but if not let me know and ill help where I can.

Thanks!
Michael McAleer - VMAX for Splunk Developer

0 Karma

att35
Builder

Thanks Michael.

Verified the cert and the response was "OK". Verify return code: 0 (ok) . Team confirmed that performance metrics collection is enabled on the VMAX. But in the logs we are still getting the exact same errors as mentioned above. Also tried updating the input again but no change.

I also found that the VMAX we are trying to connect is not version 8.4. Could that be the reason because your release notes do specify 8.4 or newer as requirement.

Thanks,

~ Abhi

0 Karma

MichaelMcAleer
Path Finder

Yes we do require version 8.4 for VMAX for Splunk add-on 2.0 as we make use of new endpoints and performance metrics not available in 8.3. However, this will not explain the errors you are seeing as any requests to Unisphere to determine the version are failing due to the SSL certificate error so we don't even hit the version check.

Do you want to get in contact with support directly at vmax.splunk.support@emc.com after you upgrade to 8.4 and we can assist you with a call if necessary? There are a few excerpts from your log snippet that warrant a closer look but outside of the scope of a public question board.

0 Karma

att35
Builder

Thanks Michael. You are correct. We did try with another VMAX(Version 8.4+) and ran into the exact same error.

I'll drop an email to support with all the details.

~ Abhi

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...