-
- Veeam Software
- Posts: 164
- Liked: 44 times
- Joined: Apr 01, 2014 12:30 pm
- Full Name: Martin Plesner-Jacobsen
- Contact:
HP VSA security update - Patch 45008-00
Re-post from http://billigpc.dk/2015/04/01/veeam-bac ... tchupdate/ credit: Dan Hansen https://twitter.com/danevald
"Yesterday I applied a security update (Patch 45008-00) to 1 of our HP Storevirtual VSA 2014 installations. As usual this went smoothly and nothing seemed bad.
This was until Veeam Backup kicked in some hours later and tried to do a backup with the Storage snapshot functionality of the HP VSA. This failed with the following error:
Error: Unable to connect to a server because its SSH key fingerprint has changed
It turned out that the patch resulted in a new SSH key fingerprint and therefore it was needed to go into Veeam and edit the updated storage and just do a “Next, Next, Next” this tells you that the fingerprint has changed and asks you to accept it. After this little trick, just re-run the backup job."
Thanks DAN!
-
- Chief Product Officer
- Posts: 31815
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: HP VSA security update - Patch 45008-00
Yes, indeed we have added SSH fingerprint validation in version 8.0 or 8.0P1 (don't remember exactly). This was based on a feedback from some customers with super-secure environments who were concerned about possible MITM attacks even on their internal networks. Thanks for sharing!
-
- VeeaMVP
- Posts: 6166
- Liked: 1971 times
- Joined: Jul 26, 2009 3:39 pm
- Full Name: Luca Dell'Oca
- Location: Varese, Italy
- Contact:
Re: HP VSA security update - Patch 45008-00
Just as a note, it's the same behaviour you can see in a Veeam Linux repository if you update the SSH key, or in general in any SSH connection using fingerprinting; it's like editing the "known_hosts" file and removing the old fingerprint.
Luca
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software
@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jun 05, 2015 9:53 am
- Full Name: julien
- Contact:
Re: HP VSA security update - Patch 45008-00
Hello,
I have the same issue on each change of VSA active node.
Is it possible to have 2 fingerprints for the same management group?
Thanks
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Apr 16, 2013 4:09 pm
- Full Name: Josh Rippon
- Contact:
Re: HP VSA security update - Patch 45008-00
We have this same problem. Any time our 2-node clusters reboot there is a 50/50 chance the next backup will fail. Veeam should accept the fingerprint of any VSA in the cluster since the management IP can move between nodes.
-
- Veeam Vanguard
- Posts: 395
- Liked: 169 times
- Joined: Nov 17, 2010 11:42 am
- Full Name: Eric Machabert
- Location: France
- Contact:
Re: HP VSA security update - Patch 45008-00
Having the same issue here.
Every time you change the active node in the management group, the backups are failing!
Do you have any workaround?
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: HP VSA security update - Patch 45008-00
I guess the workaround is to perform this action:
MPlesnerJ wrote: It turned out that the patch resulted in a new SSH key fingerprint and therefore it was needed to go into Veeam and edit the updated storage and just do a “Next, Next, Next” this tells you that the fingerprint has changed and asks you to accept it. After this little trick, just re-run the backup job."
-
- Veeam Vanguard
- Posts: 395
- Liked: 169 times
- Joined: Nov 17, 2010 11:42 am
- Full Name: Eric Machabert
- Location: France
- Contact:
Re: HP VSA security update - Patch 45008-00
I mean a workaround that is not a manual action.
This is a big issue for my customers running hyperconverged systems using StoreVirtual VSA....
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Dec 22, 2013 4:25 pm
- Full Name: Edward
- Contact:
Re: HP VSA security update - Patch 45008-00
Any update on this? We currently have a 5 node cluster.
Veeam fails 4 out of 5 times if a coordinating manager role moves (which it does by itself) because of the SSH key check.
HOW DO I TURN IT OFF!
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: HP VSA security update - Patch 45008-00
I'm not aware of any automatic ways to turn it off. Maybe our support team will be able to assist with this.
-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Dec 22, 2013 4:25 pm
- Full Name: Edward
- Contact:
Re: HP VSA security update - Patch 45008-00
Vitaliy S. wrote: I'm not aware of any automatic ways to turn it off. Maybe our support team will be able to assist with this.
Can you raise a bug with them about this? Because it does NOT even fail back to using non-storage-snapshot methods of backup, the whole job just fails.
Which kinda defeats the purpose of automated backups.
We either need:
a. A way to register all the SSH keys that are expected
b. A way to turn off the SSH key check
c. A way to fail back to non storage-snapshots and complete the backup instead of failing
Any help would be gratefully received.
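Option (a) in the post above matches how OpenSSH's known_hosts file works: one host name can carry several key lines, and a presented key is accepted if it matches any of them. A sketch of that check as an added example (not Veeam's code and not part of the original posts); the management host name and the three keys are constructed sample data.

```python
import base64
import hashlib
import struct


def ed25519_blob(raw32: bytes) -> bytes:
    """Build an SSH wire-format ed25519 public key blob (used for sample data)."""
    parts = (b"ssh-ed25519", raw32)
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_pins(known_hosts: str) -> dict:
    """Map each host name to the set of fingerprints registered for it."""
    pins = {}
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments and marker lines (@cert-authority, @revoked).
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        hosts, _key_type, b64 = fields[:3]
        for host in hosts.split(","):
            pins.setdefault(host, set()).add(fingerprint(base64.b64decode(b64)))
    return pins


def verify(pins: dict, host: str, presented_blob: bytes) -> bool:
    """Accept a host key only if it was registered for this host in advance."""
    return fingerprint(presented_blob) in pins.get(host, set())


# Constructed sample data: two cluster nodes behind one management address.
VIP = "vsa-mgmt.example.internal"
NODE_A = ed25519_blob(bytes([0x11]) * 32)
NODE_B = ed25519_blob(bytes([0x22]) * 32)
UNKNOWN = ed25519_blob(bytes([0x33]) * 32)
KNOWN_HOSTS = "\n".join(
    f"{VIP} ssh-ed25519 {base64.b64encode(k).decode()}" for k in (NODE_A, NODE_B)
)
PINS = load_pins(KNOWN_HOSTS)

if __name__ == "__main__":
    for name, blob in (("node A", NODE_A), ("node B", NODE_B), ("unknown", UNKNOWN)):
        print(name, fingerprint(blob), "accepted" if verify(PINS, VIP, blob) else "rejected")
```

Registering every node's key ahead of time keeps the check meaningful when the management address moves between nodes, because a key that was never registered is still rejected.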
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: HP VSA security update - Patch 45008-00
Yes, I can definitely do that, once our dev team has a support ticket to work with. Please keep in mind that all bugs/fixes are prioritized by our support team. Thanks!
-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Dec 22, 2013 4:25 pm
- Full Name: Edward
- Contact:
Re: HP VSA security update - Patch 45008-00
Thank you.
Our contract is managed by IBM GS on our parent company's behalf. I've logged the issue with IBMGS and hopefully (after they suggested moving to TSM) they will log it with you.
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: HP VSA security update - Patch 45008-00
Ok, we have agreed with the dev team to implement a reg key to disable this check. Should be available in next updates upon the request to a support team.
-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Dec 22, 2013 4:25 pm
- Full Name: Edward
- Contact:
Re: HP VSA security update - Patch 45008-00
Vitaliy S. wrote: Ok, we have agreed with the dev team to implement a reg key to disable this check. Should be available in next updates upon the request to a support team.
Really?! You guys rock, I haven't even had a response from IBM to acknowledge that we have an issue to escalate and you guys are looking for a potential solution already.
Well, thank you. That is customer service in a nut-shell.
-
- Veeam Vanguard
- Posts: 395
- Liked: 169 times
- Joined: Nov 17, 2010 11:42 am
- Full Name: Eric Machabert
- Location: France
- Contact:
Re: HP VSA security update - Patch 45008-00
Good news !
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: HP VSA security update - Patch 45008-00
The plan now is to include this reg key to update 1. Thanks for the heads up guys.
-
- Veeam Vanguard
- Posts: 395
- Liked: 169 times
- Joined: Nov 17, 2010 11:42 am
- Full Name: Eric Machabert
- Location: France
- Contact:
Re: HP VSA security update - Patch 45008-00
Any news on this regkey ?
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
-
- Chief Product Officer
- Posts: 31815
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: HP VSA security update - Patch 45008-00
Check out the release notes
-
- Veeam Vanguard
- Posts: 395
- Liked: 169 times
- Joined: Nov 17, 2010 11:42 am
- Full Name: Eric Machabert
- Location: France
- Contact:
Re: HP VSA security update - Patch 45008-00
Ok, I didn't see it first :
Storage fingerprint check can now be disabled using SshFingerprintCheck (DWORD) registry value under HKLM\SOFTWARE\Veeam\Veeam Backup and Replication key.
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023