
Dell EMC Unity: Unable to use Unity as VASA storage provider due to certificate error (User Correctable)

Summary: This KB explains the steps needed to remove the certificate error which is preventing Unity from being used as VASA storage provider.


Article Content


Symptoms

Changing the IP address of a Unity that is already registered as VASA storage provider.

Changing the vCenter in Unity for which Unity acts as VASA storage provider.

Following the certificate renewal on vCenter, when trying to set up the VASA storage provider once again, the following error is reported on the storage side:
Failed: The imported certificate cannot be save. (Error Code:0x600944)
Rollback Result: Task was rolled back and marked as failed. This is because some tasks failed or SP rebooted during task execution. (Error Code:0x100a)

When trying to register Unity as VASA storage provider, the following error is received:     
The "Register new storage provider" operation failed for the entity with the following error message.
The provider certificate is invalid. It is either empty, malformed, expired, not yet valid, revoked, or fails host name verification.

Cause

The certificate is registered for an old Unity/vCenter.

The certificate is expired.

The location of the certificate on the storage may be present under the wrong structure, causing the system to fail to update the certificate.

Resolution

Use the following procedure to have Unity generate new certificates so that it can be added as a VASA storage provider from vSphere:
  1. Log in to the Unity CLI (use the service account).
  2. View the existing VASA certificates on Unity using the command below:
uemcli -u local/admin -p <password of Unity admin account> /sys/cert show -detail
service@Unity spa:~/user# uemcli -u admin -securepassword /sys/cert show -detail

1:    ID                       = vasa_http-vc1-cacert-1
      Type                     = CA
      Service                  = VASA_HTTP
      Scope                    = 
      Certificate ID           = vasa_http-vc1-cacert-1
      Trust anchor             = Yes
      Version                  = 3
      Serial number            = XX:XX:XX:XX:XX:XX:XX:XX
      Signature algorithm      = SHA256WithRSAEncryption
      Issuer name              = OU=VMware Engineering,O=photon-machine,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Valid from               = 2019-09-23 12:15:08
      Valid to                 = 2029-09-20 12:15:08
      Subject name             = OU=VMware Engineering,O=photon-machine,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Subject alternative name = email:example@vmware.com, IP Address:127.0.0.1
      Public key algorithm     = RSA
      Key length               = 2048
      Thumbprint algorithm     = SHA1
      Thumbprint               = XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
      Private key available    = No

2:    ID                       = vasa_http-vc1-servercert-1
      Type                     = Server
      Service                  = VASA_HTTP
      Scope                    = 
      Certificate ID           = vasa_http-vc1-servercert-1
      Trust anchor             = Yes
      Version                  = 3
      Serial number            =XX:XX:XX:XX:XX:XX:XX:XX
      Signature algorithm      = SHA256WithRSAEncryption
      Issuer name              = OU=VMware Engineering,O=photon-machine,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Valid from               = 2021-02-24 08:59:13
      Valid to                 = 2022-02-25 08:59:13
      Subject name             = CN=EMC VASA Vendor Provider
      Subject alternative name = IP Address:10.xx.xx.xx <<<<< Unity Management IP will be present here.
      Public key algorithm     = RSA
      Key length               = 2048
      Thumbprint algorithm     = SHA1
      Thumbprint               = XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
      Private key available    = Yes
  3. Delete all the present certificates one by one using the command below:
uemcli -u local/admin -p <password of Unity admin account> /sys/cert -id <value> delete
service@Unity spa:~/user# uemcli -u admin -securepassword /sys/cert -id vasa_http-vc1-servercert-1 delete

Operation completed successfully.

Note: There should be one default certificate on the Unity that cannot be deleted. When trying to delete it, you will encounter the error below. This error can be safely ignored:
service@Unity spa:~/user# uemcli -u admin -securepassword /sys/cert -id vasa_http-vc1-servercert-1 delete

Operation failed. Error code: 0x6000940
The certificate does not exist. (Error Code:0x6000940)
  4. Add Unity as VASA storage provider on vSphere.

Additional Notes:
As an exception, when the certificate is expired and you delete vasa_http-vc1-servercert-1 on Unity, the default certificate's "Valid to" date goes back to 1970-01-01. This may prevent re-registering the storage provider, which fails with a certificate error.

In some instances, when trying to renew the connection after renewing the certificate on the Unity and vCenter, and after confirming that valid certificates are present on both services, the system may still fail to update the VASA connectivity. vCenter may indicate that it is unable to import the certificate from the Unity array.

If you experience one of these issues, contact Dell Technical Support or your Service Provider and quote this Knowledgebase article as reference.
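
An added example (not part of the Dell article or any Dell tooling): a Python check that parses saved `/sys/cert show -detail` output and reports, per certificate, the conditions this article names: expiry, the 1970-01-01 "Valid to" reset, and a server certificate whose subject alternative name does not list the current Unity management IP. The function names, the `mgmt_ip` and `now` parameters and the sample listing are assumptions made for the example; timestamps are compared as printed, without time-zone conversion.

```python
import re
from datetime import datetime
# Constructed sample in the layout of the listing above; IPs are documentation placeholders.
SAMPLE = """\
1:    ID                       = vasa_http-vc1-cacert-1
      Type                     = CA
      Valid from               = 2019-09-23 12:15:08
      Valid to                 = 2029-09-20 12:15:08

2:    ID                       = vasa_http-vc1-servercert-1
      Type                     = Server
      Valid from               = 2021-02-24 08:59:13
      Valid to                 = 1970-01-01 00:00:00
      Subject alternative name = IP Address:192.0.2.10
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse_certs(text):
    """Split the listing into one dict per numbered record ("1:", "2:", ...)."""
    certs = []
    for line in text.splitlines():
        m = re.match(r"\s*(?:(\d+):\s+)?([A-Za-z ]+?)\s*=\s*(.*)$", line)
        if m and m.group(1):  # a leading "N:" starts a new certificate record
            certs.append({})
        if m and certs:
            certs[-1][m.group(2)] = m.group(3).strip()
    return certs

def check_cert(cert, mgmt_ip, now):
    """Return the reasons vCenter could reject this certificate (empty = none found)."""
    problems = []
    # [:19] keeps only the timestamp if an annotation follows it on the line
    start = datetime.strptime(cert["Valid from"][:19], FMT)
    end = datetime.strptime(cert["Valid to"][:19], FMT)
    if end.year == 1970:
        problems.append("valid-to reset to 1970-01-01")
    elif end < now:
        problems.append("expired")
    if start > now:
        problems.append("not yet valid")
    if cert.get("Type") == "Server":  # the SAN check applies to the array's own cert
        san = cert.get("Subject alternative name", "")
        if mgmt_ip not in re.findall(r"IP Address:([0-9A-Fa-f.:]+)", san):
            problems.append("SAN does not list management IP")
    return problems

def audit(text, mgmt_ip, now):
    # Map each certificate ID to its list of problems.
    return {c.get("ID") or c.get("Certificate ID"): check_cert(c, mgmt_ip, now)
            for c in parse_certs(text)}
```

Calling `audit(listing, "<current management IP>", datetime.now())` on a saved listing shows which certificate IDs to delete in step 3 before re-registering the provider.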

Additional Information

Example of above procedure:     
 
log in as: service

View existing certificates
uemcli -d 10.xx.xxx.xx -u local/admin -p XXX /sys/cert -service VASA_HTTP show -detail
Storage system address: 10.xx.xxx.xx
Storage system port: 443
HTTPS connection

1: Type = CA
Service = VASA_HTTP
Scope =
Certificate ID = vasa_http-vc1-cacert-2
Trust anchor = Yes
Version = 3
Serial number = XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm = SHA256WithRSAEncryption
Issuer name = XXXXX
Valid from = 2016-09-19 12:04:02
Valid to = 2026-09-17 12:04:02
Subject name = XXXX
Subject alternative name = XXXX, IP Address:120.x.x.x
Public key algorithm = RSA
Key length = 2048
Thumbprint algorithm = SHA1
Thumbprint = XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Private key available = No

2: Type = Server
Service = VASA_HTTP
Scope =
Certificate ID = vasa_http-vc1-servercert-1
Trust anchor = No
Version = 3
Serial number = XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm = SHA256WithRSAEncryption
Issuer name = XXXX
Valid from = 2016-09-21 13:13:35
Valid to = 1970-01-01 00:00:00 >>>>>>>>>>>>>> this may prevent adding the storage provider from vSphere because the certificate is invalid
Subject name =
Subject alternative name =
Public key algorithm = RSA
Key length = 2048
Thumbprint algorithm = SHA1
Thumbprint =
Private key available = Yes
  1. Delete the first certificate:
uemcli -d 10.xx.xxx.xx -u local/admin -p XXX /sys/cert -id vasa_http-vc1-cacert-2 delete
  2. Register Unity as VASA storage provider from vSphere:
    1. In the vSphere Web Client home screen, click vCenter.
    2. In the Inventory Lists, click vCenter Servers.
    3. Select the vCenter Server in the left pane.
    4. Click the Manage tab in the right pane.
    5. Click Storage Provider in the right pane.
    6. Click on the green plus.

Article Properties


Affected Product

Dell EMC Unity Family

Product

Dell EMC Unity Family, UnityVSA

Last Published Date

17 Mar 2021

Version

5

Article Type

Solution