on 13-Jul-2011 13:35
Introduction
ARX Cloud Extender (CE) requires a proper SSL CA (Certificate Authority) from your EMC Atmos-powered cloud storage provider to ensure authenticity of the connection. For the most part, the SSL CA’s have a long life and the instructions here shouldn’t be required frequently.
This Tech Tip explains the following:
Problem Statement
When migrate or demigrate operations are attempted by ARX CE from your cloud Atmos-powered storage provider, a network connection is made to the service providers endpoint. This is an SSL connection and it requires the service provider to have a valid SSL CA.
If ARX CE does not have the correct CA, data cannot be migrated or demigrated from your cloud storage provider to your ARX CE system because ARX CE will refuse to complete the connection setup until the certificate is in order.
How to Recognize the Problem
For migrate operations (copying data from your ARX CE system to your cloud storage service provider), you will see immediate failures from the ARX CE control panel, an excerpt is below:
Click on the job’s log file, in this case, the “RUN migrate-att log” link and look at the errors. The one circled in red is the indication the SSL CA is out of date:
Note: Other errors may be indicative of a different problem.
The “console.log” file will also show this error. “console.log” can be found in your ARX CE agent directory, which is typically “C:\Program Files\F5 ARX CE agent”
Problem Solution
Obtaining a new SSL CA can be done with Internet Explorer using the following steps. The screen shots below are from IE 8. We’ll also use AT&T’s Synaptic StaaS for our example, which is Atmos-powered.
Firefox and Google Chrome have similar methods for viewing and extracting SSL certificates.
Summary
When migrate jobs fail due to the ERR_SSLTRUSTSTORE_VERIFYCONNECTION_FAILED error in your ARX task log, the SSL CA is not in order. This Tech Tip illustrates how to obtain an update certificate, store it on your ARX CE agent host, and restart the service to enable use of the new certificate.
Supplementary data
Related Links
http://askf5.f5.com – F5’s repository of product information, manuals, and much more. You can find the ARX CE Administrator’s Guide here, which also explains this procedure.
http://en.wikipedia.org/wiki/Transport_Layer_Security - TLS/SSL overview, including the function of the SSL certificate.
http://en.wikipedia.org/wiki/Certificate_authority - explanation and information on Certificate Authorities.
Author bio
JC Ferguson has been working in the storage domain for over 9 years and was instrumental in the invention and delivery of the ARX storage virtualization switch at Acopia Networks. F5 acquired Acopia Networks in 2007, and since then JC has continued his role as ARX product architect and project leader. Recently, JC focused on cloud storage and was instrumental in bringing the ARX CE product to market in February 2011.