You may or may not know that EMC’s SRA defaults to authenticating over non-SSL communication. It basically hits the RecoverPoint Appliance (RPA) on port 80 when doing anything. RPAs don’t handle a NAT, so chances are your devices are not publicly facing, at least I hope not!
It’s always a better idea to encrypt any traffic containing usernames and passwords, so why wouldn’t you do this? In RPA versions up to 4.0, they defaulted to non SSL, although they refer to it as non-https. RPA 4.1 no longer accepts port 80 and requires you to use 443, or https, or SSL encrypted, whatever you want to say.
This is great, until you try to add RPA 4.1 to a standard install of RecoverPoint’s 2.2 SRA. Why? Well, because it defaults to non-https and doesn’t give you an intuitive way to change it.
Adding RPA 4.1 to SRA 2.2 will give you this error:
“SRA command ‘discoverArrays’ failed. Failed opening session for user to site mgmt IP.
Please see server logs for further details.”
Check the vmware-dr.log and you’ll likely see something like
and what’s funny is I even found “Ouch!” in the log, lol! I love when devs throw things like that out there.
Keep reading for the fix!
Encrypt all the things
So it’s a pretty simple command to force https for the EMC SRA, simply run this command:
C:\Program Files\VMware\VMware vCenter Site Recovery Manager\storage\sra\array-type-recoverpoint>..\..\..\external\perl-5.14.4\bin\perl.exe command.pl --useHttps true
Which will give you this:
Successfully changed to HTTPS security mode
This is based of the default install location of SRM and the SRA. If perl.exe is in your path already, you don’t have to worry about calling out where it is, but for reference, it’s here: C:\Program Files\VMware\VMware vCenter Site Recovery Manager\external\perl-5.14.4\bin\perl.exe
I did try running this from the perl bin folder, but it didn’t work because of some other SRA dependencies in the command.pl file.
Great! Now what?
Setting this to true breaks RPA 4.0, so if you happen to have both RPA’s in a single vCenter, only one will work now.
There’s hope, though! In RPA 4.0, you can force it to use https so they all play happy together. In EMC’s “RecoverPoint 4.0 Security Configuration Guide”, Page 23 (unless it’s changed) has what you need to do, although the document I have was not exact.
You need to “Change web server mode” in Setup -> Advanced Options -> Security Options.
After doing that, your session will likely die, but it’s because you just closed port 80.
This is how you have both RPA 4.0 and 4.1 in the same SRM server with EMC’s 2.2 SRA.