Search This Blog

Wednesday 24 September 2014

Disabling Data Protector encrypted control

By default, communications between a cell manager and all cell clients is not encrypted. It's just plain text, and you can intercept the network traffic and even modify it with something like netsed.

So, obviously some sites need to enable encryption. This is nicely documented in the Installation guide, and isn't that hard to figure out anyway (right click on the client and select "Enable encrypted communication").

But there is no documentation on how to disable this.

On the cell manager, there is a file /etc/opt/omni/server/config (which is usually equivalent to C:\ProgramData\OmniBack\config\server\config on Windows).

cellmgr.ifost.org.au={
encryption={
enabled=1;
certificate_chain_file='/etc/opt/omni/client/certificates/cacert.pem';
private_key_file='/etc/opt/omni/client/certificates/cacert.pem';
trusted_certificates_file='/etc/opt/omni/client/certificates/cacert.pem';
pkcs12_keystore_filename='/etc/opt/omni/client/certificates/hpdpcert.p12';
pkcs12_keystore_password='hpdpcert';
pkcs12_ca_certificate_filename='/etc/opt/omni/client/certificates/hpdpcert.p12';
pkcs12_ca_certificate_password='hpdpcert';
pkcs12_private_key_filename='/etc/opt/omni/client/certificates/hpdpcert.p12';
pkcs12_private_key_password='hpdpcert';
};
};
client.ifost.org.au={
encryption={
exception=1;
};
};

The first stanza (for cellmgr.ifost.org.au) has encryption enabled. The one client in the cell (client.ifost.org.au) does not.

In order to undo this, simply remove the content of the encryption clause.

cellmgr.ifost.org.au={
encryption={
};
};
If you restart Data Protector now (omnisv stop ; omnisv start), what will happen now is that you won't be able to connect to the cell manager using the GUI or the command line. This is the kind of error you will get:

Connection to CRS failed.
To start the Data Protector daemons on the Cell Manager host use the command
omnisv -start on the Cell Manager
or check if the communication between the Cell Manager and client is encrypted with the command
omnicc -encryption -status -all on the Cell Manager.
This is because the client-side programs think they are supposed to be encrypting their connections to the cell manager (even if we're running on the cell manager itself), and the cell manager isn't responding with a valid SSL response.

There's another file /etc/opt/omni/client/config ( C:\ProgramData\Omniback\config\client\config ) which looks somewhat similar to the server-side one:

encryption={
        enabled=1;
        certificate_chain_file='/etc/opt/omni/client/certificates/cacert.pem';
        private_key_file='/etc/opt/omni/client/certificates/cacert.pem';
        trusted_certificates_file='/etc/opt/omni/client/certificates/cacert.pem';
        pkcs12_keystore_filename='/etc/opt/omni/client/certificates/hpdpcert.p12';
        pkcs12_keystore_password='hpdpcert';
        pkcs12_ca_certificate_filename='/etc/opt/omni/client/certificates/hpdpcert.p12';
        pkcs12_ca_certificate_password='hpdpcert';
        pkcs12_private_key_filename='/etc/opt/omni/client/certificates/hpdpcert.p12';
        pkcs12_private_key_password='hpdpcert';
};

The plaintext version should look like this:

encryption={
        exception=1;
};

If you were turning off encrypted control for a client, then you will need to update the cell info file (/etc/opt/omni/cell/cell_info or C:\programdata\omniback\config\server\cell\cell_info ) and remove the reference to encryption there too.

-host "client.ifost.org.au" -os "gpl x86_64 linux-2.6.32-279.el6.x86_64" -encryption 1 -core A.09.01 -da A.09.01 -ma A.09.01  -cc A.09.01  -vepa A.09.01  -autodr A.09.01  -StoreOnceSoftware A.09.01 -ts_core A.09.01 

Greg Baker is an independent consultant who happens to do a lot of work on HP DataProtector. He is the author of the only published books on HP Data Protector (http://x.ifost.org.au/dp-book). He works with HP and HP partner companies to solve the hardest big-data problems (especially around backup). See more at IFOST's DataProtector pages at http://www.ifost.org.au/dataprotector

2 comments:

  1. Hi Greg,

    What's the downside with running Encrypted control? we currently reviewing it as it seems to be the only way to workaround some exploits available in DP.

    I'm hoping I don't need to use this blog as the trial of Encrypted control so far has been a success.

    Kind regards,

    Steve

    ReplyDelete
  2. The only think I can think of is cross-version compatibility. If you have some legacy clients that you can't upgrade (e.g. they are on very ancient hardware) then they wouldn't be able to interact using encrypted control.

    But other than that, no I can't think of anything that would be a problem. Let me know if you do run into anything.

    ReplyDelete