Comprehensive data protection for all workloads
Post Reply
millardjk
Veeam Vanguard
Posts: 109
Liked: 22 times
Joined: Dec 09, 2012 3:50 am
Full Name: Jim Millard
Contact:

HPe StoreOnce Gen4 credential issues

Post by millardjk » Feb 08, 2019 2:42 pm

Hi,

I'm playing around with the new(ish) StoreOnce Gen4 VSA, which appears to be a complete rewrite of the old kit (at least from the GUI perspective, but likely in much of the internals as well). I've discovered that enabling client login for Catalyst (eg, leaving "public access" disabled) and setting up an explicit user ID for VBR to utilize results in permissions errors when trying to actually use the Catalyst store; switching it to "public access" eliminates the problem.

I've gone through and changed passwords several times (iterating from my normal, "very long & complex" through to "short & simple") and nothing works. Unfortunately, I don't have a way to debug/troubleshoot whether the problem is on the Veeam side (improperly sending the credentials through the API) or the HPe side (defect in code makes all client access useless); however, I'm leaning towards the HPe side being at fault: the same VBR code is working fine with the 3.x StoreOnce I have in my environment.

This is more of an FYI; I'm going to let HPe know there's an issue as well...

foggy
Veeam Software
Posts: 18021
Liked: 1530 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: HPe StoreOnce Gen4 credential issues

Post by foggy » Feb 08, 2019 3:56 pm

Hi Jim, thanks for sharing, we will look into this as well.

foggy
Veeam Software
Posts: 18021
Liked: 1530 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: HPe StoreOnce Gen4 credential issues

Post by foggy » Feb 08, 2019 5:01 pm

Works in our lab. I'd check with HPE if you're configuring everything correctly.

millardjk
Veeam Vanguard
Posts: 109
Liked: 22 times
Joined: Dec 09, 2012 3:50 am
Full Name: Jim Millard
Contact:

Re: HPe StoreOnce Gen4 credential issues

Post by millardjk » Feb 08, 2019 5:27 pm

Thanks for the quick update; will do.

millardjk
Veeam Vanguard
Posts: 109
Liked: 22 times
Joined: Dec 09, 2012 3:50 am
Full Name: Jim Millard
Contact:

Re: HPe StoreOnce Gen4 credential issues

Post by millardjk » Feb 09, 2019 10:02 pm 1 person likes this post

tl;dr - VBR requires the Client Password Policy set to "SHA-1" whether you'd prefer to use the newer, more secure SHA-265 hash instead.

So the root cause of my issue is setting the "Client Password Policy" (when creating the store) to SHA-256 instead of leaving it at SHA-1 (default). The warning to leave it at SHA-1 "unless required by the StoreOnce supported backup application" is there in the documentation, and the only hint for the setting is a link to the documentation. If you've ever managed TLS certificates, you've been migrating everything away from SHA-1, so setting SHA-256 might seem like a natural choice (documentation or not). In practice, however, it is not.

The change in security can be made during creation of the store, and can be modified once it has been created. The policy affects all clients for the store, but each store can have a different setting.

Gostev
SVP, Product Management
Posts: 24416
Liked: 3402 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: HPe StoreOnce Gen4 credential issues

Post by Gostev » Feb 09, 2019 10:29 pm

Great, thanks Jim for sharing the solution.

Post Reply

Who is online

Users browsing this forum: Dima P. and 21 guests