Migration of files to secondary storage fails with errors 28944 and 6918 due to unknown CA

book

Article ID: 100060223

calendar_today

Updated On:

Description

Error Message

The Veritas Enterprise Vault (EV) Event Viewer log will show the following: 

Source:        Enterprise Vault 
Event ID:      28944
Task Category: Storage File Watch
Level:         Error
Computer:      EVSERVER.EV.local
Description:
The 3rd party storage system application 'OST Streamer' has logged the following message: 

CStreamerObject::InternalCloseImage(): method failed
Reason = 0x80070057
Description = OST API sts_close_image() failed with error: 2060001 - 'one or more invalid arguments'. 

V-437-28944

Source:        Enterprise Vault 
Event ID:      6918
Task Category: Storage File Watch
Level:         Error
Computer:      EVSERVER.EV.local
Description:
A Collector encountered an error during migration. The Collector will abandon migration for the current run. Migration attempts will continue during future runs. 

Reason: The parameter is incorrect.  (0x80070057) 
PartitionEntryID: 557DE7F1D4C973740AB1897E7402D20D01q10000EV.Local 
Secondary Storage Location:  
Method: CCollector::ProcessFileForMigration (PFFM/M/SF) 

V-437-6918

A Dtrace of the StorageFileWatch process with logging set to Everything on the Advanced tab of the partition properties will show the following.

[22164]    (StorageFileWatch)    <18668>    EV:M    OST Streamer: [TID:9356] [Plugin] Azure: stspi_open_server: Blob Service Endpoint = [https://secondary.blob.core.windows.net]

[22164]    (StorageFileWatch)    <18668>    EV:M    OST Streamer: [TID:9356] [Plugin] Azure: stspi_open_server: CA_PATH=[D:\Program Files (x86)\Enterprise Vault\OST\x64\\cacert.pem]
[22164]    (StorageFileWatch)    <18668>    EV:M    OST Streamer: [TID:9356] [Plugin] AzureJob  == Info: [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS alert, unknown CA (560):|
[22164]    (StorageFileWatch)    <18668>    EV:M    OST Streamer: [TID:9356] [Plugin] AzureJob => Send SSL data, 0000000002 bytes (0x00000002)|
[22164]    (StorageFileWatch)    <18668>    EV:M    OST Streamer: [TID:9356] [Plugin] AzureJob  == Info: SSL certificate problem: unable to get local issuer certificate|
[22164]    (StorageFileWatch)    <18668>    EV:M    OST Streamer: [TID:9356] [Plugin] AzureJob  == Info: Closing connection 0|
 

Cause

The issue is that the CA information is not updated in the cacert.pem file so the connection cannot be completed. 

Resolution

Export the information from the cert and append it to the cacert.pem file.  

  1. Open a browser on the EV server and connect to the URL being used as the enpoint- Example: https://secondary.blob.core.windows.net
  2. Click on the lock icon > Connection is secure 
  3. In Edge click the certificate icon. In Chrome select Certificate is valid 
  4. Go to the Details tab and select the top line in the Certificate Hierarchy window  
  5. Click Export...
  6. Save as a .pem file with type Base64-encoded ASCII, single certificate (*.pem;*.crt)
  7. Copy the contents of the saved file and append them to the cacert.pem file located in the \Enterprise Vault\OST\x64 folder  
  8. Restart the Enterprise Vault Storage service and attempt to Test or migrate data

Issue/Introduction

Migration to Azure secondary storage can fail if the cert file is not updated with the current Certificate Authority (CA) information.
Powered by Wolken Software