HPe StoreOnce Gen4 credential issues

[millardjk]

Hi,

I'm playing around with the new(ish) StoreOnce Gen4 VSA, which appears to be a complete rewrite of the old kit (at least from the GUI perspective, but likely in much of the internals as well). I've discovered that enabling client login for Catalyst (eg, leaving "public access" disabled) and setting up an explicit user ID for VBR to utilize results in permissions errors when trying to actually use the Catalyst store; switching it to "public access" eliminates the problem.

I've gone through and changed passwords several times (iterating from my normal, "very long & complex" through to "short & simple") and nothing works. Unfortunately, I don't have a way to debug/troubleshoot whether the problem is on the Veeam side (improperly sending the credentials through the API) or the HPe side (defect in code makes all client access useless); however, I'm leaning towards the HPe side being at fault: the same VBR code is working fine with the 3.x StoreOnce I have in my environment.

This is more of an FYI; I'm going to let HPe know there's an issue as well...

[foggy]

Hi Jim, thanks for sharing, we will look into this as well.

[foggy]

Works in our lab. I'd check with HPE if you're configuring everything correctly.

[millardjk]

Thanks for the quick update; will do.

[millardjk]

tl;dr - VBR requires the Client Password Policy set to "SHA-1" whether you'd prefer to use the newer, more secure SHA-265 hash instead.

So the root cause of my issue is setting the "Client Password Policy" (when creating the store) to SHA-256 instead of leaving it at SHA-1 (default). The warning to leave it at SHA-1 "unless required by the StoreOnce supported backup application" is there in the documentation, and the only hint for the setting is a link to the documentation. If you've ever managed TLS certificates, you've been migrating everything away from SHA-1, so setting SHA-256 might seem like a natural choice (documentation or not). In practice, however, it is not.

The change in security can be made during creation of the store, and can be modified once it has been created. The policy affects all clients for the store, but each store can have a different setting.

[Gostev]

Great, thanks Jim for sharing the solution.

[vmun]

tl;dr - VBR requires the Client Password Policy set to "SHA-1" whether you'd prefer to use the newer, more secure SHA-265 hash instead.

So the root cause of my issue is setting the "Client Password Policy" (when creating the store) to SHA-256 instead of leaving it at SHA-1 (default). The warning to leave it at SHA-1 "unless required by the StoreOnce supported backup application" is there in the documentation, and the only hint for the setting is a link to the documentation. If you've ever managed TLS certificates, you've been migrating everything away from SHA-1, so setting SHA-256 might seem like a natural choice (documentation or not). In practice, however, it is not.

The change in security can be made during creation of the store, and can be modified once it has been created. The policy affects all clients for the store, but each store can have a different setting.

Million thanks, you saved my day!