Hello SRM experts,
I am having trouble generating the .csv file with the dr-ip-customizer tool. The error states that the host name used for the connection does not match the subject name on the host certificate. It then asks me if I trust the server and then prompts me to enter a username and password. We are using credential-based certificates, so the same username and password that was used to set up SRM and establish reciprocity is the same username and password that is entered at the prompt, which ultimately fails.
The executable is run from the recovery site srm server. Below is the environment and attached is the output from the executable.
ESX 3.5 U4 and VC 2.5 U4 at each site. NetApp V6080 at protected site and FAS6080 at recovery site, both running ONTAP 7.3.1.1P3. Using SRM 1.0.1 patch 4 with NetApp SRA 1.0.1.
Looking forward to your responses. Thanks.
Anyone? A little nudge in the right direction would be greatly appreciated.
Hello,
Have you tried to add the SRM certificate to the Computer Store, Trusted Root Certification Authorities?
Luis Arnauth
That was my thought process too, although I thought the SRM cert would be located here: (C:\Documents and Settings\All Users\Application Data\VMware\VMware Site Recovery Manager) as it is with VirtualCenter, but I don't see a cert specifically for SRM. What confuses me here is that we're using credential-based authentication, so when I enter the username and password, it should authenticate me.
According to Mike Laverick's book Administering VMware™ Site Recovery Manager™ 1.0:
"When Pairing Sites, Use Trusted Certificates
When pairing sites and the certificates of the recovery-site VirtualCenter Server and SRM Server are not trusted by the protection-site SRM server, yellow warning triangles, rather than green check boxes, appear to the left of the Certificate Validation steps. The yellow warning triangles warn the user that the given certificates did not pass the validation requirements that the certificates be signed by a trusted Certificate Authority (CA) and have a DNS value matching the address of the server. During the pairing, the user indicated that the certificates should be accepted based on their SHA-1 thumb-prints. It is a serious security violation to accept certificates based on their thumbprints without verifying that the thumb-prints are correct"
Your std-out states clearly that the certificates aren't trusted.
I can't remember where you can view and export the certificate to the correct Computer Certificate Store, but I believe that in the pairing process you can achieve this.
Luis Arnauth
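The two checks named in the quoted passage (a DNS name matching the address used to connect, and a thumbprint verified before it is accepted), as an added example that is not part of the thread or of SRM. It is Python run over a constructed certificate record shaped like the output of `ssl.SSLSocket.getpeercert()`; the host names, certificate fields and DER bytes are constructed placeholders.

```python
import hashlib
import hmac
import string

# Constructed sample data (not from the thread): a certificate record shaped like
# ssl.SSLSocket.getpeercert() output, and placeholder bytes standing in for its DER form.
SAMPLE_CERT = {"subject": ((("commonName", "srm-recovery.example.local"),),)}
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"

def sha1_thumbprint(der_bytes):
    """Thumbprint as shown in trust prompts: SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der_bytes).hexdigest().upper()

def normalize(thumbprint):
    """Drop separators and case so 'ab:cd' and 'AB CD' compare equal."""
    return "".join(c for c in thumbprint if c in string.hexdigits).upper()

def thumbprint_matches(presented, trusted):
    """Compare the prompted thumbprint with one obtained out of band."""
    a, b = normalize(presented), normalize(trusted)
    return len(a) == 40 and hmac.compare_digest(a, b)

def cert_dns_names(cert):
    """DNS subjectAltName entries, falling back to the subject commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(host, pattern):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def check_connection(host, cert, der_bytes, trusted_thumbprint):
    """Report both checks for the name actually used to connect."""
    names = cert_dns_names(cert)
    presented = sha1_thumbprint(der_bytes)
    return {"names": names,
            "name_ok": any(name_matches(host, n) for n in names),
            "thumbprint": presented,
            "thumbprint_ok": thumbprint_matches(presented, trusted_thumbprint)}

if __name__ == "__main__":
    known_good = sha1_thumbprint(SAMPLE_DER)  # stands in for a value read on the server itself
    for host in ("srm-recovery", "10.0.0.5", "srm-recovery.example.local"):
        print(host, check_connection(host, SAMPLE_CERT, SAMPLE_DER, known_good))
```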
I usually use the local administrator account of the SRM server where you are running the script from; that way it will get rid of any permissions issues. I usually run it from the DR site SRM server, which is also my virtual center. Regarding the certs, I usually trust them since I know everything is internal. Let me know if that helps.