Introduction
Problem
After specifying the "CA Certificate File" using the Key Service option in the configuration page for the Huawei OceanStor Dorado Storage, the storage was unable to connect to the Vault KMIP Secrets Engine.
The Vault Operational logs showed the following:
secrets.kmip.kmip_f097a3d6.kmipserver: error handshaking connection: error="remote error: tls: unknown certificate authority"
Prerequisites
- Vault Enterprise with KMIP Secrets Engine Enabled
- Huawei OceanStor Dorado Storage v6 version: 6.1.T704
Cause
The "CA Certificate File" was retrieved using the Vault KMIP Secrets Engine as follows (note the single `>`: appending with `>>` on a repeated run would accumulate extra copies of the certificates in the file):
vault read kmip/ca -format=json | jq -r '.data | .ca_pem' > vault-ca.pem && cat vault-ca.pem
Solution
The generated vault-ca.pem is a bundle containing two CA certificates:
- CN = vault-kmip-default-intermediate
- CN = vault-kmip-default
The Huawei OceanStor Dorado Storage is not able to handle PEM files containing multiple certificates; it expects a single certificate per file.
The following command can be used to extract two separate PEM files from the generated vault-ca.pem file (the awk counter n is unset for the first certificate, so the files are named ca_cert.pem and ca_cert1.pem):
awk '
split_after == 1 {n++;split_after=0}
/-----END CERTIFICATE-----/ {split_after=1}
{print > "ca_cert" n ".pem"}' vault-ca.pem
The expected outcome is that two PEM files are generated, containing one certificate each:
openssl x509 -noout -text -in 'ca_cert.pem' | grep -i subject:
Subject: CN = vault-kmip-default-intermediate
openssl x509 -noout -text -in 'ca_cert1.pem' | grep -i subject:
Subject: CN = vault-kmip-default
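As an added example (not part of this article, nor code from HashiCorp or Huawei), the following stdlib-only Python script does the same split without relying on awk's unset counter and, for each certificate, reports its CN and whether it is self-signed (issuer Name byte-equal to subject Name, i.e. a root CA), so you can confirm which single-certificate file to hand to the storage array. It walks the DER with a minimal TLV reader instead of using the cryptography library; the function names are my own.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"  # DER encoding of id-at-commonName (2.5.4.3)

def split_pem_bundle(text):
    """Each certificate block of a PEM bundle, in file order, as its own string."""
    return [m.group(0) + "\n" for m in PEM_RE.finditer(text)]

def pem_to_der(block):
    body = "".join(l for l in block.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value_start, value_end, raw bytes of the whole TLV)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start = pos + hdr
    return tag, start, start + length, buf[pos:start + length]

def children(buf, start, end):
    pos = start
    while pos < end:  # iterate the TLVs packed inside a SEQUENCE/SET value
        item = tlv(buf, pos)
        yield item
        pos = item[2]

def cert_names(der):
    """(issuer, subject) as raw Name DER; byte-equal Names mean self-signed, i.e. a root CA."""
    _, cert_start, _, _ = tlv(der)                   # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end, _ = tlv(der, cert_start)  # tbsCertificate ::= SEQUENCE
    fields = list(children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][3], fields[4][3]  # serialNumber, signature, issuer, validity, subject, ...

def common_name(name_der):
    """CN attribute of a DER Name, or None if absent (a minimal lookup, not a full Name parser)."""
    i = name_der.find(CN_OID)
    if i < 0:
        return None
    _, s, e, _ = tlv(name_der, i + len(CN_OID))  # the string value that follows the OID
    return name_der[s:e].decode()

def classify_bundle(text):
    """[(CN, is_self_signed)] for every certificate in the bundle, in file order."""
    names = [cert_names(pem_to_der(block)) for block in split_pem_bundle(text)]
    return [(common_name(subject), issuer == subject) for issuer, subject in names]
```

Run it as `classify_bundle(open("vault-ca.pem").read())`; for the bundle above it yields the intermediate first (not self-signed) and the root second (self-signed), and `split_pem_bundle` gives you the two blocks to write out one per file.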
Outcome
After specifying the ca_cert1.pem file, which contains only the vault-kmip-default root CA certificate, as the "CA Certificate File" using the Key Service option in the configuration page for the Huawei OceanStor Dorado Storage, the storage was able to connect successfully to the Vault KMIP Secrets Engine.
Additional Information