Comprehensive data protection for all workloads
Post Reply
millardjk
Expert
Posts: 114
Liked: 25 times
Joined: Dec 09, 2012 3:50 am
Full Name: Jim Millard
Contact:

HPe StoreOnce Gen4 credential issues

Post by millardjk »

Hi,

I'm playing around with the new(ish) StoreOnce Gen4 VSA, which appears to be a complete rewrite of the old kit (at least from the GUI perspective, but likely in much of the internals as well). I've discovered that enabling client login for Catalyst (eg, leaving "public access" disabled) and setting up an explicit user ID for VBR to utilize results in permissions errors when trying to actually use the Catalyst store; switching it to "public access" eliminates the problem.

I've gone through and changed passwords several times (iterating from my normal, "very long & complex" through to "short & simple") and nothing works. Unfortunately, I don't have a way to debug/troubleshoot whether the problem is on the Veeam side (improperly sending the credentials through the API) or the HPe side (defect in code makes all client access useless); however, I'm leaning towards the HPe side being at fault: the same VBR code is working fine with the 3.x StoreOnce I have in my environment.

This is more of an FYI; I'm going to let HPe know there's an issue as well...
foggy
Veeam Software
Posts: 21138
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: HPe StoreOnce Gen4 credential issues

Post by foggy »

Hi Jim, thanks for sharing, we will look into this as well.
foggy
Veeam Software
Posts: 21138
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: HPe StoreOnce Gen4 credential issues

Post by foggy »

Works in our lab. I'd check with HPE if you're configuring everything correctly.
millardjk
Expert
Posts: 114
Liked: 25 times
Joined: Dec 09, 2012 3:50 am
Full Name: Jim Millard
Contact:

Re: HPe StoreOnce Gen4 credential issues

Post by millardjk »

Thanks for the quick update; will do.
millardjk
Expert
Posts: 114
Liked: 25 times
Joined: Dec 09, 2012 3:50 am
Full Name: Jim Millard
Contact:

Re: HPe StoreOnce Gen4 credential issues

Post by millardjk » 4 people like this post

tl;dr - VBR requires the Client Password Policy set to "SHA-1" whether you'd prefer to use the newer, more secure SHA-265 hash instead.

So the root cause of my issue is setting the "Client Password Policy" (when creating the store) to SHA-256 instead of leaving it at SHA-1 (default). The warning to leave it at SHA-1 "unless required by the StoreOnce supported backup application" is there in the documentation, and the only hint for the setting is a link to the documentation. If you've ever managed TLS certificates, you've been migrating everything away from SHA-1, so setting SHA-256 might seem like a natural choice (documentation or not). In practice, however, it is not.

The change in security can be made during creation of the store, and can be modified once it has been created. The policy affects all clients for the store, but each store can have a different setting.
Gostev
Chief Product Officer
Posts: 31803
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: HPe StoreOnce Gen4 credential issues

Post by Gostev »

Great, thanks Jim for sharing the solution.
vmun
Lurker
Posts: 2
Liked: never
Joined: Sep 30, 2021 7:05 pm
Full Name: Vadim
Contact:

Re: HPe StoreOnce Gen4 credential issues

Post by vmun »

millardjk wrote: Feb 09, 2019 10:02 pm tl;dr - VBR requires the Client Password Policy set to "SHA-1" whether you'd prefer to use the newer, more secure SHA-265 hash instead.

So the root cause of my issue is setting the "Client Password Policy" (when creating the store) to SHA-256 instead of leaving it at SHA-1 (default). The warning to leave it at SHA-1 "unless required by the StoreOnce supported backup application" is there in the documentation, and the only hint for the setting is a link to the documentation. If you've ever managed TLS certificates, you've been migrating everything away from SHA-1, so setting SHA-256 might seem like a natural choice (documentation or not). In practice, however, it is not.

The change in security can be made during creation of the store, and can be modified once it has been created. The policy affects all clients for the store, but each store can have a different setting.
Million thanks, you saved my day!
Post Reply

Who is online

Users browsing this forum: bigbruise, Bing [Bot], jsprinkleisg and 105 guests