3PAR & Primera authentication failures in SSMC

StoreServ Management Console

Recently I came accross an issue where the team mailbox was being flooded by alerts from SSMC concerning authentication failures. Authentication failures are Security events of the HPE Primera / 3PAR / Alletra array that are triggered when a authentication failure occurrs.

These authentication failures may occur due to different reasons:

  • An (LDAP) account being locked
  • An (LDAP) account missing permissions
  • An open session where the password is no longer correct
  • Different sessions hanging in CLI / SSMC or the old 3PAR Management Console

The alert in SSMC looks like this:

Recommended Action
Description: An instance of the CLI client unsuccessfully attempted multiple logins within a short period of time. This may be due to an application trying to access the storage system with incorrect login credentials. Resolution: Ensure that attempts to login are using the correct credentials.
General
System STORARRAY01
Serial number CZ10251XXX
Type Authentication failure
ID 497
Message code 0x0150006
Origin System
Component
Detected by node 3
Component CLI
Spare Part Number
Frequency
Repeat count 3
Last time May 11, 2023 1:54:42 PM CEST
First time Nov 11, 2022 3:33:28 AM CET

 

The easiest way to determine the culprit is by using CLI.

  • Open a CLI session with your superuser
  • Using the following command look up the logs for any authentication failures
    showeventlog -startt "2023-05-11 13:00" -endt "2023-05-11 14:41"
  • You can further adapt your search query with the following:
    showeventlog -startt "2023-05-11 13:00" -endt "2023-05-11 14:41" -msg "Authentication failure"
  • The command from step 2 will give you a view on what’s happening on your 3PAR / Primera array


Time : 2023-05-11 13:53:51.13 CEST
Node : 3
Seq : 247534823
Class : Notification
Severity : Minor
Type : Command error permission denied
Component : sw_cli
Tier : Security
Message : {storcom_admin super {{0 8}} -1 10.12.123.123:60083 4840} getportfcoe: Permission denied".

Time : 2023-05-11 13:54:42.21 CEST
Node : 3
Seq : 247535633
Class : Alert
Severity : Major
Type : Authentication failure
Component : sw_cli
Tier : Security
Message : 12 authentication failures in 120 secs.
  • The source of the issue can be traced by performing a ping to the IP address mentioned above
    ping -a 10.12.123.123 will give you the alias of the source system.
  • From the screenshot above we see that the 12 authentication failures are coming from user storcom_admin due to a Permission denied.

In my case the user storcom_admin is an LDAP/AD user which was locked out leading to authentication errors on the Primera array.

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list to get the latest.

Share Article on:

Facebook
Twitter
LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked *