We recently converted two of our existing VNX arrays to unified systems, and I was attempting to add our newly added NAS to Control Center. I went through the normal assisted discovery using the ‘NAS Container’ option. Unfortunately, I got an error in the discovery results window. Here’s the error I saw:
SESSION_ACTION: Discover [4] MO Type = NasContainer Container_IP=10.10.10.4 | Container_Port=443 | Container_Username=root | Container_Password=****** | Container_Type=Celerra command status = finished, errors objects found = 6 agents responding = 2 completed in 231 seconds action begins at: Wed Nov 06 09:48:05 CST 2013 action ends at: Wed Nov 06 09:51:56 CST 2013 Reported objects: [1] NasContainer=10.10.10.4 Reported agent errors: [1] ADAResult: (9) Celerra@10.10.10.4 : SSH communication failed – Please verify emcplink settings Responding agent: NAS Agent @ eccagtserver.rgare.net [2] ADAResult: (9) Celerra@10.10.10.4: nas_version returned invalid response Responding agent: NAS Agent @ eccinfserver.rgare.net Responding agents: [1] NAS Agent @ eccagtserver.rgare.net [2] NAS Agent @ eccinfserver.rgare.net
It looks like there’s an ssh setting that’s incorrect. Being unfamiliar with the emcplink utility, I did a bit of research on how to configure it properly, and I will go through what needs to be done.
Before diving in to using and configuring emcplink, here are some simple troubleshooting steps you should run through first:
– Verify that the NAS agent is installed and active. You can view all of the running agents by clicking on the gear icon on the lower right hand side (in the status bar). Scroll through the agents and make sure the agent is active.
– Verify that the Java Process is running on the Control Station.
* Log in to the Control Station and type the following command:
ps -aex |grep java
* If it’s running, you will see lines similar to the following:
21927 ? S 0:15 /usr/java/bin/java -server …..
22200 ? S 0:00 /usr/java/bin/java -server …..
- Make sure that the ssh daemon is running (I’m assuing you’re using ssh for remote connectivity):
* Log in to the Control Station and type the following command:
ps -aex |grep sshd
* If it’s running, you will see a line similar to the following:
882 ? Ss 0:00 /usr/sbin/sshd
- Verify that the Celerra (or VNX) data mover is connected to an array
nas_storage -list
- Verify the user name and password youre using during the assisted discovery works. Try logging on with that ID/password directly.
Here are the troubleshooting steps I took, and some more info about emcplink:
What is emcplink? It’s a utility allows you to specify security policies for secure shell (SSH) client authentication which is required for the Storage Agent for NAS to discover NAS containers.
The highest ssh security level (full security) requires that users manually run emcplink in order to provide a username and password for ssh authentication and to manually accept an ssh key returned from emcplink to discover the NAS container. Afer it’s accepted the key is stored on the NAS Agent host. If the key changes, to rediscover the NAS container you must manually run emcplink again and accept the changed key. If your environment does not require full ssh security, use emcplink to set lower security levels that will automatically accept new or changed keys without requiring the manual entering of ssh usernames, passwords, and keys.
The emcplink command is a command line utility. To run emcplink, first open a command prompt window. Change to the <install_root>/exec/CNN610 directory on the host where Storage Agent for NAS resides, where <install_root> is the ControlCenter infrastructure install directory.
If your installation uses SSH version 2, update your agent configuration so emcplink uses SSH version 2 when handling SSH keys, the default is version 1. Note that SSH version 2 is not backward compatible with version 1. If you switch to SSH version 2, you must run emcplink again to rediscover all NAS containers that were previously discovered with SSH version 1.
If you want to update your install to version 2, follow these steps (I did this during my troubleshooting):
1. Stop Storage Agent for NAS using the ControlCenter Console.
2. Edit the following file:
<install_root>/exec/CNN610/cnn.ini
3. In cnn.ini [ssh] change version = 1 to version = 2
4. Save and exit cnn.ini.
5. Restart Storage Agent for NAS.
The next step is to enable the policy that you need for your environment. The default policy is EMC_SSH_KEY_SECURITY_FULL. You can add more than one policy. If added policies contradict one another, the most recently added policy takes effect.
Enter the following command to add or remove an SSH security policy:
emcplink -setpolicy [+|-]policy_name
Example: emcplink -setpolicy +EMC_SSH_KEY_SECURITY_FULL
In my case, I first disabled the default policy, then enabled the policy that I wanted. Here are the commands I ran:
emcplink -setpolicy -EMC_SSH_KEY_SECURITY_FULL
emcplink -setpolicy +EMC_SSH_KEY_SECURITY_ALLOW_NEW
After running it, I used the ‘getpolicy’ option to verify what the current active policy was:
emcplink -getpolicy
the output looks like this:
Policy Is: EMC_SSH_KEY_SECURITY_ALLOW_NEWHere are the policy options you can choose from:
EMC_SSH_KEY_SECURITY_FULL (default)
Do not automatically accept any new or changed NAS container keys. They must be accepted manually, using emcplink (refer to emcplink - interactive). Provides the same functionality that plink (no longer valid) provided in previous ControlCenter versions, when manual user name/password/key entry was required.
EMC_SSH_KEY_SECURITY_ALLOW_NEW
Accept new keys, but not changed keys. SSH authentication occurs automatically for initial discovery, and also for subsequent discoveries as long as the NAS Container key does not change. If a key is changed, discovery is attempted via telnet.
EMC_SSH_KEY_SECURITY_ALLOW_CHANGE
Accept changed keys, but not new keys. When a Celerra is initially discovered, SSH authentication occurs manually. If the key is changed for subsequent discoveries of that NAS Container, SSH authentication occurs automatically.
EMC_SSH_KEY_SECURITY_NONE
Accept both new and changed keys. SSH authentication occurs automatically at initial discovery and all subsequent discoveries, regardless of whether NAS container keys are changed.
After I verified the policy I wanted was running, I then manually enterted SSH security information for each array I wanted to add to accept the NAS container keys. Run the following command for each array to add the key to the server cache (the -2 optionally tells emcplink to use SSH version 2):
emcplink -ssh -interactive -2 -pw password username@Array_IP_address
Note that SSH version 2 is not backward compatible with version 1. If you switch to SSH version 2, you must run emcplink again to rediscover all NAS containers that were previously discovered with SSH version 1.
That’s it! Once I accepted all of the ssh keys and re-ran the discoveries, the new arrays were discovered just fine.