IBM Support

AutoSupport messages might fail to reach NetApp from your storage systems after NetApp AutoSupport server X.509 certificate renewal in 2016

Flashes (Alerts)


Abstract

Due to industry-mandated SSL and code signing requirements for X.509 certificates, storage systems running Data ONTAP 8.1.x might fail to send AutoSupport messages to NetApp via HTTPS once the AutoSupport server certificates are renewed with SHA-256 signed certificates.

Content

Issue Description
SHA-256 is now the industry-standard signature hash algorithm for SSL certificates. SHA-256 provides stronger security and has replaced SHA-1 as the recommended algorithm. SHA-256 is supported by all current browsers.
 
SHA-1 is being deprecated as part of the SHA-256 migration plan. After December 31, 2015, Certificate Authorities (CAs) will stop issuing SHA-1 certificates entirely. After December 31, 2016, modern browsers will display security warnings when connecting to sites that use SHA-1.
 
On December 1, 2016, IBM's AutoSupport servers are renewing their X.509 SSL certificates, which will be signed using SHA-256. Once the certificates are renewed, storage systems running Data ONTAP version 8.1.x might not be able to send AutoSupport messages to NetApp using the HTTPS transport protocol.
Symptom
This failure appears as a TLS handshake failure. In EMS event logs or /etc/message files, messages indicating this issue include the following:
Mon Nov 23 01:12:54 CET [node1:asup.post.drop:error]: AutoSupport message (HA Group Notification from csc-baccon-02 (PERFORMANCE DATA) INFO) for host (0) was not posted to NetApp. The system will drop the message.

Additional information to confirm the issue is available in AutoSupport’s notifyd.log log file:

  • Data ONTAP 7-Mode: /etc/log/mlog/notifyd.log
  • Clustered Data ONTAP: /mroot/etc/log/mlog/notifyd.log
00000be6.00096819 101fbd68 Mon Nov 23 2015 01:01:31 +09:30 [kern_notifyd:info:777] (category: 777:2746:deliver) (emittime: 11/23/2015 01:01:31) (message: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm)
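
To check collected logs for this symptom, the following added example (not part of the original flash and not NetApp tooling) parses the two message formats quoted above and reports whether dropped AutoSupport posts coincide with the digest-algorithm error. The sample log text is constructed from the excerpts above, and all function names are hypothetical.

```python
import re

# Constructed sample input modelled on the two excerpts quoted in this flash.
EMS_LOG = """\
Mon Nov 23 01:12:54 CET [node1:asup.post.drop:error]: AutoSupport message (HA Group Notification from csc-baccon-02 (PERFORMANCE DATA) INFO) for host (0) was not posted to NetApp. The system will drop the message.
Mon Nov 23 01:20:00 CET [node2:asup.post.drop:error]: AutoSupport message (WEEKLY_LOG) for host (0) was not posted to NetApp. The system will drop the message.
Mon Nov 23 01:30:00 CET [node1:kern.uptime.filer:info]: 1:30am up 12 days
"""
NOTIFYD_LOG = """\
00000be6.00096819 101fbd68 Mon Nov 23 2015 01:01:31 +09:30 [kern_notifyd:info:777] (category: 777:2746:deliver) (emittime: 11/23/2015 01:01:31) (message: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm)
00000be6.0009681a 101fbd68 Mon Nov 23 2015 01:02:10 +09:30 [kern_notifyd:info:777] (category: 777:2746:deliver) (emittime: 11/23/2015 01:02:10) (message: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)
"""

# EMS tag: [<node>:<event>:<severity>]
EMS_RE = re.compile(r"\[(?P<node>[^:\]]+):(?P<event>[\w.]+):(?P<sev>\w+)\]")
# OpenSSL error string: error:<8 hex digits>:<library>:<function>:<reason>
SSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^)\n]+)")

def dropped_by_node(ems_text):
    """Count asup.post.drop events per node in EMS or messages text."""
    counts = {}
    for line in ems_text.splitlines():
        m = EMS_RE.search(line)
        if m and m["event"] == "asup.post.drop":
            counts[m["node"]] = counts.get(m["node"], 0) + 1
    return counts

def openssl_errors(notifyd_text):
    """Extract every OpenSSL error string found in notifyd.log text."""
    return [m.groupdict() for m in SSL_RE.finditer(notifyd_text)]

def has_digest_error(errors):
    """True if certificate verification failed on an unsupported digest."""
    return any(e["func"] == "ASN1_item_verify"
               and e["reason"].strip() == "unknown message digest algorithm"
               for e in errors)

def triage(ems_text, notifyd_text):
    """Combine both logs: drops plus the digest error match this flash."""
    drops = dropped_by_node(ems_text)
    digest = has_digest_error(openssl_errors(notifyd_text))
    return {"dropped": drops, "digest_error": digest,
            "matches_flash": bool(drops) and digest}

if __name__ == "__main__":
    print(triage(EMS_LOG, NOTIFYD_LOG))
```

A node that drops messages without the digest error in its notifyd.log is failing for a different reason and should be investigated separately.
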
Workaround
Two workaround options are available if necessary. NetApp supports them but does not recommend them; choose one of the Data ONTAP upgrade solution options instead.
 
Option 1: Disable SSL certificate validation for AutoSupport HTTPS transport

Choosing this option will retain encrypted AutoSupport transmission; however, it is not protected against man-in-the-middle attacks.
 
Data ONTAP 7-Mode:

node1> options autosupport.validate_digital_certificate off
 
Clustered Data ONTAP:

cluster1::> system node autosupport modify -node <node> -validate-digital-certificate false
 
Option 2: Change the AutoSupport transport protocol to HTTP

Choosing this option will result in AutoSupport transmissions being sent unencrypted and unauthenticated.
 
Data ONTAP 7-Mode:

node1> options autosupport.support.transport http
 
Clustered Data ONTAP:

cluster1::> system node autosupport modify -node <node> -transport http
Solution
There are two solution options. Both update Data ONTAP’s HTTPS library to support SHA-256 signed certificates.
Option 1 is recommended. If Option 1 is not possible because of platform or business restrictions, choose Option 2.
 
Option 1: Upgrade the storage system to the recommended release for Data ONTAP 8.2 or later.

 
Data ONTAP 7-Mode:

See the Planning your upgrade section in the Data ONTAP® 8.2 Upgrade and Revert/Downgrade Guide for 7-Mode 
 
Clustered Data ONTAP:

See the Upgrading Data ONTAP clusters section in the Clustered Data ONTAP 8.2 Upgrade and Revert/Downgrade Guide 
 
Option 2: Upgrade the storage system to Data ONTAP 8.1.4P10.

For storage systems that cannot upgrade beyond Data ONTAP, patch release 8.1.4P10 is available with the fix for BUG 983591.
 
Data ONTAP 7-Mode:

See the Planning your upgrade section in the Data ONTAP 8.1 Upgrade and Revert/Downgrade Guide for 7-Mode 
 


Document Information

Modified date:
25 September 2022

UID

ssg1S1009121