Comprehensive data protection for all workloads
Post Reply
MPlesnerJ
Veeam Software
Posts: 153
Liked: 44 times
Joined: Apr 01, 2014 12:30 pm
Full Name: Martin Plesner-Jacobsen
Contact:

HP VSA security update - Patch 45008-00

Post by MPlesnerJ » 3 people like this post

Re-post from http://billigpc.dk/2015/04/01/veeam-bac ... tchupdate/ credit: Dan Hansen https://twitter.com/danevald

"Yesterday I applied a security update (Patch 45008-00) to 1 of our HP Storevirtual VSA 2014 installations. As usual this went smoothly and nothing seemed bad.

This was until Veeam Backup kicked in some hours later and tried to do a backup with the Storage snapshot functionality of the HP VSA. This failed with the following error:

Error: Unable to connect to a server because its SSH key fingerprint has changed

It turned out that the patch resulted in a new SSH key fingerprint and therefore it was needed to go into Veeam and edit the updated storage and just do a “Next, Next, Next” this tells you that the fingerprint has changed and asks you to accept it. After this little trick, just re-run the backup job."

Thanks DAN!
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: HP VSA security update - Patch 45008-00

Post by Gostev » 1 person likes this post

Yes, indeed we have added SSH fingerprint validation in version 8.0 or 8.0P1 (don't remember exactly). This was based on a feedback from some customers with super-secure environments who were concerned about possible MITM attacks even on their internal networks. Thanks for sharing!
dellock6
Veeam Software
Posts: 6137
Liked: 1928 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: HP VSA security update - Patch 45008-00

Post by dellock6 »

Just as a note, it's the same beheviour you can see in a Veeam linux repository if you update the SSH key, or in general in any ssh connection using fingerprinting, it's like editing the "known_hosts" file and remove the old fingerprint.

Luca
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
JC62200
Lurker
Posts: 1
Liked: never
Joined: Jun 05, 2015 9:53 am
Full Name: julien
Contact:

Re: HP VSA security update - Patch 45008-00

Post by JC62200 »

Hello,
i have the same issue on each change of vsa active node.
is it possible to have 2 fingerprints for the same management group?
thanks
jrippon
Lurker
Posts: 2
Liked: never
Joined: Apr 16, 2013 4:09 pm
Full Name: Josh Rippon
Contact:

Re: HP VSA security update - Patch 45008-00

Post by jrippon »

We have this same problem. Any time our 2-node clusters reboot there is a 50/50 chance the next backup will fail. Veeam should accept the fingerprint of any VSA in the cluster since the management IP can move between nodes.
emachabert
Veeam Vanguard
Posts: 388
Liked: 168 times
Joined: Nov 17, 2010 11:42 am
Full Name: Eric Machabert
Location: France
Contact:

Re: HP VSA security update - Patch 45008-00

Post by emachabert »

Having the same issue here.
Every time you change the active node in the management group, the backups are failing !

Do you have any workarround ?
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: HP VSA security update - Patch 45008-00

Post by Vitaliy S. »

I guess the workaround is to perform this action:
MPlesnerJ wrote:It turned out that the patch resulted in a new SSH key fingerprint and therefore it was needed to go into Veeam and edit the updated storage and just do a “Next, Next, Next” this tells you that the fingerprint has changed and asks you to accept it. After this little trick, just re-run the backup job."
emachabert
Veeam Vanguard
Posts: 388
Liked: 168 times
Joined: Nov 17, 2010 11:42 am
Full Name: Eric Machabert
Location: France
Contact:

Re: HP VSA security update - Patch 45008-00

Post by emachabert »

I mean a workarround that Is not a manual action :-)
This is a big issue for my customers running hyperconverged system using storevirtual vsa....
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
blokey
Novice
Posts: 6
Liked: 1 time
Joined: Dec 22, 2013 4:25 pm
Full Name: Edward
Contact:

Re: HP VSA security update - Patch 45008-00

Post by blokey »

Any update on this, we currently have a 5 node cluster.

Veeam fails 4 out of 5 times if a coordinating manager role moves (which it does by itself) because of the SSH key check.

HOW DO I TURN IT OFF!
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: HP VSA security update - Patch 45008-00

Post by Vitaliy S. »

I'm not aware of any automatic ways to turn it off. Maybe our support team will be able to assist with this.
blokey
Novice
Posts: 6
Liked: 1 time
Joined: Dec 22, 2013 4:25 pm
Full Name: Edward
Contact:

Re: HP VSA security update - Patch 45008-00

Post by blokey »

Vitaliy S. wrote:I'm not aware of any automatic ways to turn it off. Maybe our support team will be able to assist with this.
Can you raise a bug with them about this? Because it does NOT even fail back to using non-storage-snapshot methods of backup, the whole job just fails.
Which kinda defeats the purpose of automated backups.

We either need:
a. A way to register all the SSH keys that are expected
b. A way to turn off the SSH key check
c. A way to fail back to non storage-snapshots and complete the backup instead of failing

Any help would be gratefully received.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: HP VSA security update - Patch 45008-00

Post by Vitaliy S. »

Yes, I can definitely do that, once our dev team has a support ticket to work with. Please keep in mind that all bugs/fixes are prioritized by our support team. Thanks!
blokey
Novice
Posts: 6
Liked: 1 time
Joined: Dec 22, 2013 4:25 pm
Full Name: Edward
Contact:

Re: HP VSA security update - Patch 45008-00

Post by blokey »

Thank you.

Our contract is managed by IBM GS on our parent companies behalf. I've logged the issue with IBMGS and hopefully (after they suggested moving to TSM) they will log it with you.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: HP VSA security update - Patch 45008-00

Post by Vitaliy S. »

Ok, we have agreed with the dev team to implement a reg key to disable this check. Should be available in next updates upon the request to a support team.
blokey
Novice
Posts: 6
Liked: 1 time
Joined: Dec 22, 2013 4:25 pm
Full Name: Edward
Contact:

Re: HP VSA security update - Patch 45008-00

Post by blokey » 1 person likes this post

Vitaliy S. wrote:Ok, we have agreed with the dev team to implement a reg key to disable this check. Should be available in next updates upon the request to a support team.
Really?! You guys rock, I haven't even had a response from IBM to acknowledge that we have an issue to escalate and you guys are looking for a potential solution already ;-)
Well, thank you. That is customer service in a nut-shell.
emachabert
Veeam Vanguard
Posts: 388
Liked: 168 times
Joined: Nov 17, 2010 11:42 am
Full Name: Eric Machabert
Location: France
Contact:

Re: HP VSA security update - Patch 45008-00

Post by emachabert »

Good news !
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: HP VSA security update - Patch 45008-00

Post by Vitaliy S. » 1 person likes this post

The plan now is to include this reg key to update 1. Thanks for the heads up guys.
emachabert
Veeam Vanguard
Posts: 388
Liked: 168 times
Joined: Nov 17, 2010 11:42 am
Full Name: Eric Machabert
Location: France
Contact:

Re: HP VSA security update - Patch 45008-00

Post by emachabert »

Any news on this regkey ?
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: HP VSA security update - Patch 45008-00

Post by Gostev »

Check out the release notes ;)
emachabert
Veeam Vanguard
Posts: 388
Liked: 168 times
Joined: Nov 17, 2010 11:42 am
Full Name: Eric Machabert
Location: France
Contact:

Re: HP VSA security update - Patch 45008-00

Post by emachabert »

:D :D
Ok, I didn't see it first :

Storage fingerprint check can now be disabled using SshFingerprintCheck (DWORD) registry value under HKLM\SOFTWARE\Veeam\Veeam Backup and Replication key.
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
Post Reply

Who is online

Users browsing this forum: Brian.Knoblauch, Semrush [Bot] and 151 guests