Unable to login to the PureDisk Web Console

Article:TECH67072  |  Created: 2009-01-23  |  Updated: 2012-03-12  |  Article URL http://www.symantec.com/docs/TECH67072
Article Type
Technical Solution


Issue



Unable to login to the PureDisk Web Console


Error



Error Code: ssl_error_record_too_long

OR

Error Code: SSL_ERROR_RX_RECORD_TOO_LONG

OR

client denied by server configuration: /opt/pdweb/error/
client denied by server configuration: /opt/pdweb/htdocs/

OR

Internet Explorer cannot display the web page.


Environment



PureDisk 6.2.x, 6.5.x or 6.6.x


Cause



SSL certificate for user www-data has expired.


Solution



ISSUE:
Unable to login to the PureDisk Web Console. This may be due to an expired Authentication (AT) certificate. AT certificates of principals expire 1 year after installation. This only affects the certificates of non-service principals. The service principals have a certificate that is valid for 8 years.


LOG FILES:
The /Storage/log/pdweb-error.log may contain the following errors:
========================
client denied by server configuration: /opt/pdweb/error/
client denied by server configuration: /opt/pdweb/htdocs/
=====================


TROUBLESHOOTING STEPS:
1. Verify if the www-data account has any current credentials for the web server:
 
# su - www-data -c "/opt/VRTSat/bin/vssat showcred"
OR
# su - www-data -c "/opt/VRTSat/bin/vssat showcred --domain vx:PureDisk_Hosts"
 
showcred
 
----------------------
 
----------------------
 
Found: 0
 
----------------------
 
 
If none are found, it confirms the credentials have expired and need to be regenerated.
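
The check above can be scripted so that an expired credential is caught by monitoring rather than by a failed login. The following is an added example, not Symantec code: it reads the "Found: N" line of the showcred output and counts the denial messages in pdweb-error.log. The function names, the status words and the --live switch are assumptions made for this example, as is the assumption that a valid credential is reported with a non-zero "Found:" count.

```shell
#!/bin/sh
# Added example (not Symantec code): flag the expired www-data AT credential.
VSSAT=/opt/VRTSat/bin/vssat           # path from the article
WEBLOG=/Storage/log/pdweb-error.log   # path from the article

# Print N from the "Found: N" line of `vssat showcred` output read on stdin.
# Prints -1 when no such line exists (command failed or unexpected output).
cred_count() {
    awk '/^[ \t]*Found:[ \t]*[0-9]+/ { sub(/^[^0-9]*/, ""); print $1 + 0; f = 1; exit }
         END { if (!f) print -1 }'
}

# Count the denial messages the article lists, in log text read on stdin.
denied_count() {
    grep -c 'client denied by server configuration: /opt/pdweb/' || true
}

# Turn both numbers into one status word. $1 = credentials, $2 = denials.
classify() {
    if   [ "$1" -lt 0 ]; then echo UNKNOWN      # could not read showcred output
    elif [ "$1" -eq 0 ]; then echo EXPIRED      # "Found: 0": regenerate credentials
    elif [ "$2" -gt 0 ]; then echo CHECK_LOG    # credentials exist, denials logged
    else echo OK
    fi
}

# Constructed sample: the empty showcred output shown in the article.
sample_expired() {
    printf 'showcred\n----------------------\n\nFound: 0\n----------------------\n'
}

if [ "${1:-}" = "--live" ]; then
    # Live check for cron, run as root on the PureDisk node.
    creds=$(su - www-data -c "$VSSAT showcred" 2>/dev/null | cred_count)
    denied=$(denied_count < "$WEBLOG")
    status=$(classify "$creds" "${denied:-0}")
    echo "www-data AT credential: $status (found=$creds, denied=${denied:-0})"
    [ "$status" = OK ] || exit 1
else
    # Offline demonstration on the constructed sample.
    echo "sample status: $(classify "$(sample_expired | cred_count)" 0)"
fi
```

Run with --live from cron as root; a non-zero exit status means the credential needs attention. CHECK_LOG can also be caused by old denial entries still present in the log after a renewal.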


SOLUTION:
1. Make sure that the topology.ini file is not encrypted:
 
# /opt/pdinstall/enc_topology.sh -d
 
2. If the credentials are expired, create new credentials:
 
# /opt/pdconfigure/scripts/atconfig/configure_at.sh
 
3. If the credentials have not yet expired:
 
-  On versions prior to 6.2.2, run the following both as root and as www-data before the certificate has expired:
 
# /opt/VRTSat/bin/vssat renewcredential --domain vx:PureDisk_Hosts@<SPA-IP-Address> --prplname <SPA-IP-Address> --broker <SPA-IP-Address>:2821
 
-  On version 6.2.2:
 
# /opt/pdconfigure/scripts/atconfig/renew_cred.sh
 
Additionally, some upgrades of the product (e.g. to 6.2.2 or 6.5) will renew the credentials automatically.
 
-  On versions 6.5.x and 6.6.x, the same command that creates credentials will renew credentials:
 
# /opt/pdconfigure/scripts/atconfig/configure_at.sh
 
If the configure_at.sh command returns the following errors, follow the procedure in http://www.symantec.com/docs/TECH146821:
 
AtConfig-ERROR (/opt/pdconfigure/scripts/atconfig/lib/AtConfigure.php:816:AtConfigure::resetRbAdminPassword) Could not reset Root Broker admin password for: root@<FQDN>.
AtConfig-ERROR (/opt/pdconfigure/scripts/atconfig/lib/AtConfigure.php:886:AtConfigure::resetAbAdminPassword) Could not reset Authenticate Broker admin password for: broker@<FQDN>
 
4. Run the following command again to confirm that new credentials have been created:
 
# su - www-data -c "/opt/VRTSat/bin/vssat showcred"
OR
# su - www-data -c "/opt/VRTSat/bin/vssat showcred --domain vx:PureDisk_Hosts"
 
The new credentials should expire in one year.
 
It is a good idea to set up a reminder in a calendar program to renew credentials just before they expire next time, in order to avoid web console downtime and failed backups.
 
5. Once the new SSL certificate has been created, encrypt the topology.ini file with the command:
 
# /opt/pdinstall/enc_topology.sh -e
 
6. Restart the services:
 
In PureDisk 6.2.x or 6.5.x,
 
# /etc/init.d/puredisk stop
# /etc/init.d/vxatd stop
 
# /etc/init.d/vxatd start
# /etc/init.d/puredisk start
 
In PureDisk 6.6.x,
 
# /etc/init.d/puredisk stop 
# /etc/init.d/puredisk start

Note: The above procedure sometimes unmounts /Storage, and vxat may not start. If this issue is encountered, follow these steps:

  1) Append the /Storage entry to /etc/fstab (add the mounts as per the environment):

    /dev/vx/dsk/<Vol Group name>/Storage /Storage vxfs noatime 1 2

  2) # mount -a

  3) Reboot the server

 




Legacy ID



318006

