Sun StorageTek [TM] Common Array Manager Reports a "Fault Management Service authentication communication error"

Asset ID:	1-72-1002778.1
Update Date:	2009-12-02
Keywords:

Solution Type Problem Resolution Sure

Solution 1002778.1 : Sun StorageTek [TM] Common Array Manager Reports a "Fault Management Service authentication communication error"

Related Items


Sun Storage 6540 Array
 Sun Storage Flexline 280 Array
 Sun Storage 2510 Array
 Exadata Database Machine X2-2 Hardware
 Sun Blade 6000 Disk Module
 Sun Storage 2530 Array
 Sun Storage 2540 Array
 Sun Storage J4200 Array
 Sun Storage J4650 Array
 Sun Flash F5100 Array
 Sun Storage 6130 Array
 Sun Storage 6140 Array
 Sun Storage Flexline 240 Array
 Sun Storage Common Array Manager (CAM)
 Sun Storage Flexline 380 Array
 Oracle Solaris Express
 Sun Storage J4500 Array

Related Categories


GCS>Sun Microsystems>Storage Software>Modular Disk Device Software

PreviouslyPublishedAs
203796

Symptoms
If there is a problem with array registration in Solaris CAM, where it fails at Step 5 with the following error :

"A Fault Management Service authentication communication error occurred. For further information, refer to the Sun StorageTek[tm] Common Array Manager Release Notes."

and/or CAM is unable to display Alarms, reporting the error :

An Internal Error occurred. The CAM FMS engine may be in an invalid state.

Check the log files in the /var/log/webconsole/ directory, to see if 401 errors are reported when attempting to connect to the FMS webserver, http://localhost:8654/ e.g. :

java.io.IOException: Server returned HTTP response code: 401 for URL: http://localhost:8654/rashttp?GO=Client::Config::getRenv&GO2=Client::Alarm::summary

or :

com.sun.netstorage.fm.storade.service.StoradeException: Error communicating with FMS. Details:java.io.IOException: Server returned HTTP response code: 401
for URL: http://localhost:8654/rascgi?GO=Client::Device::Insert&class=storage.6130&ip=se6130-ctlr-a&iplist=10.4.143.59&...

Resolution
The Fault Management Service (FMS) is a separate part of CAM, and the control mechanism for FMS is via it's own webserver, running on port 8654. By default, for security reasons, the FMS webserver will only respond to local requests that contain a security token. The security token is only available on the local machine. If authentication fails, then an HTTP unauthorized 401 response code is returned.

To authenticate, FMS and Java Web Console (Lockhart) both need to be able to access the file :

/var/opt/SUNWsefms/IPC_Access

FMS accesses this file through a symlink :

/opt/SUNWsefms/var/IPC_Access

The file IPC_Access should contain :

peer:peer<generated-password>

The permissions and ownership for IPC_Access should be :

-rw-------   1 noaccess noaccess      49 Sep  1 16:33 IPC_Access

The ownership is "noaccess" because Java Web Console runs as the user "noaccess" by default.

A common cause of the 401 errors is that Java Web Console has been modified to run as a different user than "noaccess". This can be determined from the Java Web Console configuration file :

/etc/opt/webconsole/webconsole

Look for the line :

com.sun.web.console.user=noaccess

If this reports a different user than "noaccess", then the ownership of the IPC_Access file should be modified to match. This can be done with the "chown" and "chgrp" commands. For example, if the user has been changed to "nobody", then run the following commands :

chown nobody /var/opt/SUNWsefms/IPC_Access
chgrp nobody /var/opt/SUNWsefms/IPC_Access

To activate this change, both Java Web Console and FMS will need to be restarted.

To restart Java Web Console, run :

/usr/sadm/bin/smcwebserver restart

To restart FMS run,

Solaris 8/9 :

/opt/SUNWsefms/sbin/fmservice.sh restart

Solaris 10 :

/usr/sbin/svcadm restart fmservice

Product
Sun StorageTek 6540 Array
Sun StorageTek 6140 Array
Sun StorageTek 6130 Array
Sun StorageTek 2540 Array
Sun StorageTek 2530 Array
Sun StorageTek Common Array Manager Software 6.0
Sun StorageTek Common Array Manager Software 5.1
Sun StorageTek Common Array Manager Software 5.0

Internal Comments
FMS security can be completely disabled, by removing the file /opt/SUNWsefms/var/IPC_Access and then restarting Java Web Console and FMS. After doing this, no authentication is required by FMS.

Warning : If FMS security is disabled, then it's possible for any user to access all of the FMS cli commands, without administrator privileges. This can be considered a security risk.
CAM, common, array, manager, FMS, fault, management, service, authentication, 401, reponse, code, invalid, state
Previously Published As
88467

Change History
Date: 2007-02-11
User Name: 31620
Action: Add Comment
Comment: Forgot to say that I had to add appropriate [TM] to this article
Date: 2007-02-11
User Name: 31620
Action: Approved
Comment: Verified Metadata - ok
Verified Keywords - ok
Verified still correct for audience - currently set to contract
Audience left at contract as per FvF at
http://kmo.central/howto/content/voyager-contributor-standards.html
Checked review date - currently set to 2008-02-07
Checked for TM - ok as presented
Publishing under the current publication rules of 18 Apr 2005:
Version: 3

Date: 2009-12-01
User: DeCotis
Comment: currency review. Added products to product list. Changed title slightly

Attachments

This solution has no attachment