Error when trying to encrypt clients on both 9.06 and 9.07

HI when we try to encrypt clients via the gui (right click client, Enable Encrypted Communication) we get the following error:- "Failed to enable/disable encrypted control communication for this client. Make sure that encryption is first enabled on the Cell Manager."

Encryption on the cell manager is enabled.

To enable encryption we have had to manually edit the 'cell_info' 'config' files on the cell manager server as well as the 'config' file on each client (with the text line 'encryption enabled=1).

Why aren't we able to encrypt each client via the gui??? This error remains after we upgraded from 9.06 to v9.07.

Parents
  • Hi

    Did you try enabling encryption via omnicc command? for example -

    omnicc -encryption -enable <client_hostname>

    If yes, then what is status? does it give same error?

    "omnicc -encryption -status -all" will show the status of encryption on all clients.

    Regards

    Ashok Goyat

  • HI running the command doesn't bring up any error. Accepts the command fine but doesn't come up with any message. Running the status command afterwards however showed no difference:-

     vsvr-geotestsrv.lcc.local                       false           false           n/a

    Running the status -all command has also highlighted several clients that are showing as not encrypted. However all these clients are showing as encrypted in the gui - with a tick in the 'enabled control communication' box. However when i clicked on the 'verify' button it changed the status of 'Enabled on Client' from 'unknown' to 'No'.  This is all under the 'Connection' tab for clients.  

    Regards

    Rikki

  • Hi

    Make sure the name resolution between cell server and client is ok.

    Successful command should complete with message similar to -

    =============

    C:\Users\administrator.DP>omnicc -encryption -enable gceblrvm.dp.local
    OK: gceblrvm.dp.local
    -----
    Encryption is enabled for the following hosts:
    gceblrvm.dp.local

    =========

    I would suggest to open a support case and provide debug of command -

    omnicc -encryption -enable <client_hostname> -debug 1-300 ecc.txt

    Regards

    Ashok Goyat

  • Hi name resolution is fine. I ran the command using the FQDN of the client. Also I have also tried to put the client into the hosts file. The command still doesn't come back with the 'OK' message. I did log a support call a few months ago with regards to the error we get when trying to encrypt via the gui. That was when they advised us of amending the config and cell_info files to enable encryption instead.

    I will log a new call with the debug logs from the cli command.

    Regards

     

    Rikki

     

Reply
  • Hi name resolution is fine. I ran the command using the FQDN of the client. Also I have also tried to put the client into the hosts file. The command still doesn't come back with the 'OK' message. I did log a support call a few months ago with regards to the error we get when trying to encrypt via the gui. That was when they advised us of amending the config and cell_info files to enable encryption instead.

    I will log a new call with the debug logs from the cli command.

    Regards

     

    Rikki

     

Children
  • I would suggest cleaning up your ECC environment for one client first:

    1)  Remove client/config file on the client.

    2)  Then remove client entry from server/config on Cell Manager.

    3) Additionally remove "-encryption 1" for this client in cell_info file (on Cell Manager)

    Run omnicc -encryption -status <client hostanme> to confirm ECC is not enabled

    Then enable ECC again:

    omnicc -encryption -enable <client hostname>

     

    Regarding:

    "Running the status -all command has also highlighted several clients that are showing as not encrypted. However all these clients are showing as encrypted in the gui - with a tick in the 'enabled control communication' box"

    GUI reads information from cell_info file ("-encryption 1"), nothing more. It seems this flag is set to 1, although ECC is not working.

     

     

  • I have removed the config file from the client side and also removed the client entries from server config file and cell_info. Was still unable to encrypt using both command and gui. Have logged a call with the relevant debug logs

    Regards

     

    Rikki

  • Verified Answer

    Got the following solution from HP:-

       It appears you may had ECC enabled in a version earlier than 9.04.  If you did not disable ECC and then re-enable ECC, the new encrypted control communication with Data Protector automatically generated certificates cannot be used.  See "Considerations" in "Managing encrypted control communication" of the updated Installation Guide. If you do not disable and re-enable ECC, you have to manually generate certificates.

      It is very important to remember that all the clients currently enabled with ECC must be updated before ECC can be disabled.  If not, when disabling ECC, the clients which have not been updated will not be disabled as the code for disabling ECC was not available until 9.04.  This will result in the client still being enabled but the Cell Manager thinks it has been disabled.  If this condition occurs, the client will need to be disabled manually."

    I disabled all clients using

    Omnicc –encryption –disable –all

    And then was able to enable encryption on the clients using the gui.