-
- Expert
- Posts: 114
- Liked: 25 times
- Joined: Dec 09, 2012 3:50 am
- Full Name: Jim Millard
- Contact:
HPe StoreOnce Gen4 credential issues
Hi,
I'm playing around with the new(ish) StoreOnce Gen4 VSA, which appears to be a complete rewrite of the old kit (at least from the GUI perspective, but likely in much of the internals as well). I've discovered that enabling client login for Catalyst (eg, leaving "public access" disabled) and setting up an explicit user ID for VBR to utilize results in permissions errors when trying to actually use the Catalyst store; switching it to "public access" eliminates the problem.
I've gone through and changed passwords several times (iterating from my normal, "very long & complex" through to "short & simple") and nothing works. Unfortunately, I don't have a way to debug/troubleshoot whether the problem is on the Veeam side (improperly sending the credentials through the API) or the HPe side (defect in code makes all client access useless); however, I'm leaning towards the HPe side being at fault: the same VBR code is working fine with the 3.x StoreOnce I have in my environment.
This is more of an FYI; I'm going to let HPe know there's an issue as well...
I'm playing around with the new(ish) StoreOnce Gen4 VSA, which appears to be a complete rewrite of the old kit (at least from the GUI perspective, but likely in much of the internals as well). I've discovered that enabling client login for Catalyst (eg, leaving "public access" disabled) and setting up an explicit user ID for VBR to utilize results in permissions errors when trying to actually use the Catalyst store; switching it to "public access" eliminates the problem.
I've gone through and changed passwords several times (iterating from my normal, "very long & complex" through to "short & simple") and nothing works. Unfortunately, I don't have a way to debug/troubleshoot whether the problem is on the Veeam side (improperly sending the credentials through the API) or the HPe side (defect in code makes all client access useless); however, I'm leaning towards the HPe side being at fault: the same VBR code is working fine with the 3.x StoreOnce I have in my environment.
This is more of an FYI; I'm going to let HPe know there's an issue as well...
-
- Veeam Software
- Posts: 21138
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: HPe StoreOnce Gen4 credential issues
Hi Jim, thanks for sharing, we will look into this as well.
-
- Veeam Software
- Posts: 21138
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: HPe StoreOnce Gen4 credential issues
Works in our lab. I'd check with HPE if you're configuring everything correctly.
-
- Expert
- Posts: 114
- Liked: 25 times
- Joined: Dec 09, 2012 3:50 am
- Full Name: Jim Millard
- Contact:
Re: HPe StoreOnce Gen4 credential issues
Thanks for the quick update; will do.
-
- Expert
- Posts: 114
- Liked: 25 times
- Joined: Dec 09, 2012 3:50 am
- Full Name: Jim Millard
- Contact:
Re: HPe StoreOnce Gen4 credential issues
tl;dr - VBR requires the Client Password Policy set to "SHA-1" whether you'd prefer to use the newer, more secure SHA-265 hash instead.
So the root cause of my issue is setting the "Client Password Policy" (when creating the store) to SHA-256 instead of leaving it at SHA-1 (default). The warning to leave it at SHA-1 "unless required by the StoreOnce supported backup application" is there in the documentation, and the only hint for the setting is a link to the documentation. If you've ever managed TLS certificates, you've been migrating everything away from SHA-1, so setting SHA-256 might seem like a natural choice (documentation or not). In practice, however, it is not.
The change in security can be made during creation of the store, and can be modified once it has been created. The policy affects all clients for the store, but each store can have a different setting.
So the root cause of my issue is setting the "Client Password Policy" (when creating the store) to SHA-256 instead of leaving it at SHA-1 (default). The warning to leave it at SHA-1 "unless required by the StoreOnce supported backup application" is there in the documentation, and the only hint for the setting is a link to the documentation. If you've ever managed TLS certificates, you've been migrating everything away from SHA-1, so setting SHA-256 might seem like a natural choice (documentation or not). In practice, however, it is not.
The change in security can be made during creation of the store, and can be modified once it has been created. The policy affects all clients for the store, but each store can have a different setting.
-
- Chief Product Officer
- Posts: 31803
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: HPe StoreOnce Gen4 credential issues
Great, thanks Jim for sharing the solution.
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Sep 30, 2021 7:05 pm
- Full Name: Vadim
- Contact:
Re: HPe StoreOnce Gen4 credential issues
Million thanks, you saved my day!millardjk wrote: ↑Feb 09, 2019 10:02 pm tl;dr - VBR requires the Client Password Policy set to "SHA-1" whether you'd prefer to use the newer, more secure SHA-265 hash instead.
So the root cause of my issue is setting the "Client Password Policy" (when creating the store) to SHA-256 instead of leaving it at SHA-1 (default). The warning to leave it at SHA-1 "unless required by the StoreOnce supported backup application" is there in the documentation, and the only hint for the setting is a link to the documentation. If you've ever managed TLS certificates, you've been migrating everything away from SHA-1, so setting SHA-256 might seem like a natural choice (documentation or not). In practice, however, it is not.
The change in security can be made during creation of the store, and can be modified once it has been created. The policy affects all clients for the store, but each store can have a different setting.
Who is online
Users browsing this forum: bigbruise, Bing [Bot], jsprinkleisg and 105 guests