3PAR StoreServ Storage

SSMC 3.6 Custom Certificate

 
Visitor

SSMC 3.6 Custom Certificate

Having an issue with a newly deployed VA version 3.6. Admin has gone through the steps to generate the CSR/key for custom CA certificates. When we get to the step to update the Jetty-SSL-Context.xml file, we cannot update it due to permissions. We are logged in with the ssmcadmin account. When we look at the file in WinSCP it shows the owner as hpe3parssmcuser. So how do we update the file with our keymanager password, etc., if the ssmcadmin account does not have permission to modify the file? We tried to change owner of the file, but received permission denied. Any help would be appreciated.

Valued Contributor

Re: SSMC 3.6 Custom Certificate

Hello,

Can you double-check if you're trying to update the correct file?

It's the jetty-ssl-context.xml file under /opt/hpe/ssmc/ssmcbase/etc/ that needs to be updated. That shouldn't be a problem with your ssmcadmin UID.

Cheers,
Dardan

___________
Hit the Kudo's button to show appreciation or mark as solution if your question was answered.
Visitor

Re: SSMC 3.6 Custom Certificate

Thank you for your reply.

That is the file that we are trying to update. We are able to CP the file to "home>ssmcadmin" as directed in a previous step. We are able to update the copy as the owner is the ssmcadmin account. In VI editor, when attempting to save/write changes, we receive the read-only error (no permission to write changes). Tried using WinSCP (connected using ssmcadmin); we can download the file, open the file, etc., but when trying to save changes or upload (replace the file), we get permission denied. Tried changing owner of the file to ssmcadmin, and received permission errors.

I can upload screen grabs of the errors when I get to work in a couple hours.

Visitor

Re: SSMC 3.6 Custom Certificate

So we are able to update that file; however, it still wants to use the self-signed certificate (after restarting). In the Admin Guide (Page 67 Step 8), it mentions that the certificates provided by the customer CA can be in the same or separate files. It then lists the 3 required certificates. We imported the Server.pem, Root.pem, Intermediate.pem...do these need to be combined into a single chain? Or does the Root.pem need to be combined with the Intermediate.pem? And if so, in what format/order?

Valued Contributor
Solution

Re: SSMC 3.6 Custom Certificate

I would recommend adding certificates separately. You can check the validity of certificates (before adding them to the keystore) by running the following command:

/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -printcert -v -file <filename>

Next step is to place the Root certificate, the Intermediate certificate (if it exists) and the client certificate (your ssmc appliance) inside the keystore.

1) Adding root cert
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias root -keystore <my_keystore> -trustcacerts -file <RootCA.cer>

2) Adding intermediate cert
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -keystore <my_keystore> -trustcacerts -file <IntermediateCA.cer>

3) Finally add client cert
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias jetty -keystore <my_keystore> -trustcacerts -file <SignedByCA.cer>

Go back to your SSMC Appliance, restart (shutdown/start) services and your new cert should reflect.

Hope this helps.
Cheers, Dardan

___________
Hit the Kudo's button to show appreciation or mark as solution if your question was answered.
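
Added example, not part of the original thread: a name-chaining check over the Owner/Issuer lines that `keytool -printcert` prints, to confirm which file is the root, intermediate and server certificate before running the three imports above. The function names and the sample DNs are constructed for illustration; the check compares names only and does not verify signatures or validity dates.

```shell
#!/bin/sh
# Added example (not from the thread): confirm server -> intermediate -> root
# linkage from `keytool -printcert` text by comparing Owner/Issuer DNs.

# Print the first "Owner" or "Issuer" value ($1) found in printcert text ($2).
dn() { printf '%s\n' "$2" | sed -n "s/^$1: //p" | head -n 1; }

# check_chain <server_text> <intermediate_text> <root_text>
# Prints "ok" or the first broken link; returns non-zero on failure.
check_chain() {
    srv_issuer=$(dn Issuer "$1"); int_owner=$(dn Owner "$2")
    int_issuer=$(dn Issuer "$2"); root_owner=$(dn Owner "$3")
    root_issuer=$(dn Issuer "$3")
    if [ -z "$srv_issuer" ] || [ -z "$int_owner" ] || [ -z "$root_owner" ]; then
        echo "unparsed: missing Owner/Issuer line"; return 2
    fi
    if [ "$root_owner" != "$root_issuer" ]; then
        echo "root is not self-issued"; return 1
    fi
    if [ "$int_issuer" != "$root_owner" ]; then
        echo "intermediate not issued by root"; return 1
    fi
    if [ "$srv_issuer" != "$int_owner" ]; then
        echo "server not issued by intermediate"; return 1
    fi
    echo "ok"
}

# Constructed sample output, trimmed to the two lines the check reads.
# On the appliance, pass "$(keytool -printcert -file <filename>)" instead.
ROOT_TXT='Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US'
INT_TXT='Owner: CN=Example Issuing CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US'
SRV_TXT='Owner: CN=ssmc.example.test, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US'

check_chain "$SRV_TXT" "$INT_TXT" "$ROOT_TXT"          # files assigned correctly
check_chain "$SRV_TXT" "$ROOT_TXT" "$INT_TXT" || true  # root/intermediate swapped
```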
Visitor

Re: SSMC 3.6 Custom Certificate

Thank you, sir. That worked. The final issue was the keystore file path. Thank you for all your help!