Loading ...
home » spaces » UPS Management Devices & PowerChute Software » discussion » General » Unable to access my APC Network Management Card (NMC) enabled device via HTTPS (SSL/TLS)

Unable to access my APC Network Management Card (NMC) enabled device via HTTPS (SSL/TLS)

Discussion in UPS Management Devices & PowerChute Software started by Angela , 12/19/2014 7:32 PM
Login  to follow, share, and participate in this space.
Not a member?Join now
  • ipicKedawinna
    Angela
    =S= Representative
    Angela 12/19/2014 7:32 PM

    You may have 1 of 2 issues. Please review both below. These issues are applicable to APC Network Management Cards including AP9617/18/19 and AP9630/31/35 and any devices that use an embedded version of them including Rack PDU/ATS, Cooling Units, ISX Power Distribution, Symmetra UPS, and A/V units.

    1.) Unable to access my APC Network Management Card (NMC) enabled device via HTTPS (SSL/TLS) - http://www.apc.com/support/index?page=content&country=ITB&lang=en&locale=en_US&id=FA238115

    2.) Network Management Card 1 (NMC1) Information Bulletin: Effects of Microsoft Internet Explorer and other web browsers blocking key lengths less than 1024 bitshttp://www.apc.com/support/index?page=content&country=ITB&lang=en&locale=en_US&id=FA162031

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 2/11/2015 1:57 PM (in response to Angela)

    Update - I expect AOS 6.2.1 with sumx/sy application v6.2.1 for AP9630/31 available by the end of this week, early next - around Feb 13 or 16th.

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 2/18/2015 6:14 PM (in response to Angela)

    FYI: two downloads are now available for AP9630/31 customers @ http://www.apc.com/tools/download/index.cfm to address the problem with TLS. You'll find it for Smart-UPS/Matrix UPSs and single phase Symmetra units under SFSUMX621 and SFSY621 download part numbers. 

  • chuluunbaatarj
    chuluunbaatar
    Novice
    Novice
    chuluunbaatar 3/4/2015 7:40 AM (in response to Angela)

    Thank you very mush

  • Jordan.Cabral
    Jordan
    =S= Representative
    Jordan 6/4/2015 3:34 PM (in response to chuluunbaatar)

    Hi all,

    AOS 3.9.0 for AP7XXX has officially been released! This FW update will add support for TLS 1.0 on our Generation 1 rPDU's. The release notes will be available by Wednesday of next week (6/10).

    Here's a direct link to the AOS download: http://www.apc.com/tools/download/download.cfm?sw_sku=SFRPDU374_390&software_id=DBUE-8YNR89&family=70&part_num=AP7968&swfam=&tsk=

    -JC
  • kurtr
    Kurt
    Novice
    Novice
    Kurt 7/2/2015 3:15 PM (in response to Angela)

    Is there an update planned for the 9619 or should I be looking at replacing them?

  • Terry_Kennedy
    Terry
    Apprentice
    Apprentice
    Terry 7/3/2015 5:44 AM (in response to Kurt)

    I'm on vacation, but when I get back (after the 9th) I'll post my unsupported method for updating the AP9617/8/9 cards. Note that I'm just another end user, this isn't supported by APC, etc.

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 7/6/2015 1:57 PM (in response to Kurt)

    Hi Kurt,

    Depending on how you feel about Terry's option, I do not know of a firm plan as of today to officially release the fix for AP9617/18/19 but I also don't know that it is definitely not happening. The focus has been on currently shipping, high volume platforms. If you don't feel comfortable looking at what Terry will share later this week, yes, I'd recommend looking at an AP9630/31 for the quickest resolution.

  • kurtr
    Kurt
    Novice
    Novice
    Kurt 7/20/2015 1:43 PM (in response to Terry)

    Hey Terry,

    I was hoping that you would be able to share your solution when you have some spare time.


    Thanks!

  • Terry_Kennedy
    Terry
    Apprentice
    Apprentice
    Terry 7/20/2015 10:41 PM (in response to Kurt)

    Ok. I want to write up a more detailed blog entry on this, but I don't seem to have the time for that now.

    Everyone should know that this is not supported or recommended by APC, may void your warranty, I'm not responsible if anything goes wrong, contents may settle during shipping, etc.

    Before you start, you should make sure that you have a working AP9617/8/9 NMC with 3.7.x firmware on it. If not, perform the usual APC upgrade procedure before continuing. You might want to re-flash the card with the official version, just to make sure you won't have any problems later on. Things like the Windows Firewall, anti-virus, etc. can interfere with the update process.

    You will need to download the 3.7.x APC firmware update utility from here (Smart-UPS or Matrix UPS) or here (Symmetra single-phase). The same method should work for Silcon and Symmetra 3-phase, but I don't have either of those so you're on your own.

    Now, download the RPDU 3.9.0 firmware from here.

    Run the UPS firmware executable you downloaded. Click [Next] on the first screen, then pick a directory (I called it "old") on the next screen and click next. You will get a "The folder does not exist. Would you like to create it?" and click on [Yes]. The next screen should say "Extraction Complete". Click on [Finish]. You will now get a command prompt window with the text "IP Address of target to upgrade:". Type Control-C and answer "Y" to the "Terminate batch job (Y/N)?" prompt.

    Repeat the procedure with the RPDU firmware executable, but extract it to a different directory (I used "new"). Again, cancel the batch job.

    Now, open a command window (normally Start/Run/cmd.exe). Change directory to the "old" directory and give the command:

    xcopy c:\temp\new\apc_hw02_aos_390.bin

    Changing the directory path as appropriate. Now give the command (still in the "old" directory):

    notepad config.txt

    You MUST use notepad - wordpad or other editors can corrupt the file. You should see two lines - the first one says "AOS = apc_hw02_aos_373.bin". Change it to "AOS = apc_hw02_aos_390.bin", save and exit.

    Now, give the command (still in the "old" directory):

    upgrd_util.exe

    You should now see something like this on the screen:

    C:\Temp\old>upgrd_util.exe
    NMC Upgrade Tool v1.2


    American Power Conversion               Network Management Card AOS    v3.9.0
    (c) Copyright 2004 All Rights Reserved  Smart-UPS & Matrix-UPS APP     v3.7.2
    -----------------------------------------------------------------------------

            ********************************************************
            Warning: User name and passord information will displayed
            to the screen in clear text.
            ********************************************************


            IP Address of target to upgrade:

    After making sure that the display says "AOS V3.9.0" and has the correct application type for your device, go ahead and provide the IP address, username, and password. Select Continue with upgrade. If you get a Windows Firewall or anti-virus alert (you shouldn't - you DID check this before, right?) go ahead and allow the connection. The upgrade utility should load the AOS and APP, with a display similar to this:

    C:\Temp\old>upgrd_util.exe
    NMC Upgrade Tool v1.2


    American Power Conversion               Network Management Card AOS    v3.9.0
    (c) Copyright 2004 All Rights Reserved  Smart-UPS & Matrix-UPS APP     v3.7.2
    -----------------------------------------------------------------------------

            ********************************************************
            Warning: User name and passord information will displayed
            to the screen in clear text.
            ********************************************************


            IP Address of target to upgrade: 10.20.30.40
            User Name: apc
            Password: apc


            You have entered:
            IP Address: 10.20.30.40
            Username:   apc
            Password:   apc

            1: Continue with upgrade
            2: Enter new parameters
            3: Quit
            Action: 1

     

            ***************************************************
            Starting Upgrade to 10.20.30.40.
            Checking network connection ...                  OK
            Testing login ...                                OK
            Checking version information ...                 OK
            Attempting to log in to 10.20.30.40 ...          OK
            Loading OS, please wait ...                      OK
            Please wait (2 minutes ) for system restart      OK
            Attempting connection to verify restart          OK
            Attempting to log in to 10.20.30.40 ...          OK
            Loading application, please wait ...             OK
            Please wait (30 seconds) for system restart      OK
            Attempting connection to verify restart          OK


            Verifying 10.20.30.40 upgrade ... OK

            ***************************************************

     

            *********** Upgrade Summary ***********
            All upgrades completed successfully.


            Warning: A file called 'iplist.txt' exists in this directory
            that may contain user names and passwords in clear text.
            You may want to delete this file if other users have access
            to this directory.


            Thank you for using APC products

            Press <Enter> to exit.

    Your device should now be running the AOS 3.9.0, which allows TLS V1.0 connections. In a subsequent post I will describe how to verify this in a variety of popular browsers.

  • Terry_Kennedy
    Terry
    Apprentice
    Apprentice
    Terry 7/20/2015 10:49 PM (in response to Terry)

    This is a cut-and-paste of my post from another discussion thread which documents the way AOS 3.9.0 interacts with various web browsers:

    This works as expected in Internet Explorer 11 (the SSL version of the page displays with no warnings).

    In Firefox 38.0.5, you will get a "ssl_error_no_cypher_overlap" with the default Firefox security settings. I was able to work around this by going to "about:config" and changing the "security.tls.version.fallback-limit" from 3 to 1 as described here. Note that if you are security-conscious, you won't take the word of some random person from the Internet (me) and will research this yourself (or check with your corporate IT people). There will be a gray warning triangle to the left of the URL which tells you "encryption is not strong enough" if you click on it.

    In Google Chrome 43.0.2357.81 I get a red strikethrough slash in the https: part of the URL, but the page displays properly. If I click on the lock icon, I get two warnings, one for "encrypted with obsolete cryptography" and one for "no public audit records" (the second is due to my use of a private CA and you probably will not see it).

    In any event, this update does seem to restore SSL operability with the above browsers. It should be secure enough for local / intranet use (you probably don't want these devices accessible via the whole Internet anyway) and is definitely better than unencrypted pages.

    The same thing happens with Firefox 39. And, apparently as a "user convenience" Firefox resets the fallback limit whenever it upgrades itself.

  • voidstar
    voidstar
    Expert
    Expert
    voidstar 7/21/2015 5:05 AM (in response to Terry)

    You can also rename the firmware upgrade wizard to a .zip file, extract them, then FTP to the NMC the AOS binary from one, wait for card to reboot, and then the SUMX binary from the other.

    While unzipping and FTPing firmware in is supported, mixing different AOS and SUMX releases isn't. It would almost never work back when the 3xx branch was being maintained due to constant change in the interface between the two, but has a chance of working now that it's no longer an active project.

  • Terry_Kennedy
    Terry
    Apprentice
    Apprentice
    Terry 7/21/2015 6:42 AM (in response to voidstar)

    Yup. And for people who aren't running Windows, that's what they have to do anyway. I figured it was better to modify the config file for the official upgrade utility, since I'd prefer people tried it out with the stock firmware first to make sure they don't have any firewall issues before going and doing something unsupported where they might get into trouble.

  • UnexpectedBill
    William
    Apprentice
    Apprentice
    William 1/18/2016 11:40 PM (in response to Terry)

    Terry,

    I'd like to add a report (even though this is an older thread, and perhaps not the most appropriate location) that your procedure worked well for me on an early production (06/20/2003, S/N JA0325038310) AP9617 card in a 2008-era Smart-UPS 750. Just to be clear for anyone who's reading this in future, I went into this with the full understanding that I would bear all the risk and responsibility for any result that came from attempting this. Anyone wanting to attempt this must fully understand that only they can be responsible for the results. My application isn't mission critical. I've found that the AP9617 platform seems pretty hard to brick, as I've tried mightily with a broken one and never managed to do it.

    So far it's worked great. I have no found no issue with any functionality. If anything, interacting with the management interface's web pages over HTTPS/TLS 1.0 has become considerably faster. I don't know if anyone from APC/Schneider Electric will see this or if input from the user community is being accepted, but I'd certainly like to see an official release of the SUMX app and AOS 3.9 firmware bundle for AP9617/18/19. My experience so far seems to strongly suggest that it's viable, at least unofficially.

  • Page 1 of 1 (14 items)
Choose your language:  English  
powered by Communifire
Version 5.0.5741.40378