
Re: Adding a signed SSL certificate to the Nimble GUI

 
aprice119
Valued Contributor

Adding a signed SSL certificate to the Nimble GUI

Hi all.

We're just getting our new Nimble finished up and deployed and I was wondering if anybody had any insight into how to add a signed SSL certificate to the Nimble GUI.  I'd like to make the connection trusted and secure rather than adding exceptions to my browser.

Thanks!

20 REPLIES
benwatson87
Valued Contributor

Re: Adding a signed SSL certificate to the Nimble GUI

I, too, have wondered this. Unfortunately I can't offer you a solution, but hoping someone can post one (I'm piggybacking on your question mainly).

Not applicable

Re: Adding a signed SSL certificate to the Nimble GUI

Bump - Looking to see if there is anything new on this.

aprice119
Valued Contributor

Re: Adding a signed SSL certificate to the Nimble GUI

I decided to ask support about this since it looks like there's community interest, but no answer.  As of right now, there is no way to add a custom SSL certificate to a CS-series array.  It's in the development queue as RFE #368, so it's being explored.

Nick_Dyer
Honored Contributor

Re: Adding a signed SSL certificate to the Nimble GUI

I believe this is something that is slated for release in the future (although unsure of the timeframes of it personally).

Nick Dyer
twitter: @nick_dyer_
marktheblue45
Valued Contributor

Re: Adding a signed SSL certificate to the Nimble GUI

This is a feature that will be required for PSN (UK Public Services Network) for Compliance. I've just minted vCenter certs using Active Directory Certificate Authority, but once the Nimble vCenter plugin is installed I get those annoying security warnings. Hopefully someone will get the procedure to do this shortly. Looks like RFE #368 has been in the to-do list for a while now.


Daniel-san
Frequent Advisor

Re: Adding a signed SSL certificate to the Nimble GUI

It's pretty unbelievable that a publicly-traded company would bring a product to market without a signed SSL cert.  I still have no idea who jetty.mortbay.org is - sounds like a cert for a project that someone started in their garage.  Nimble support confirmed that they have multiple RFEs to fix this and many people have requested they do - yet they still can't say WHEN they'll do it.

But whatever, until Nimble gets this properly implemented, here is a workaround you can use:

 

  1. Open IE as "Run as Administrator".
  2. Navigate to Tools > Internet Options > Advanced tab > Deselect the following under Security:
    * Check for publisher's certificate revocation
    * Check for server certificate revocation*
    * Warn about certificate address mismatch*
  3. Navigate to the Array UI and go past the security warning. On the login page the address bar has a red box next to it which says Certificate Error. Double-click it and install the certificate in the Trusted Root... folder.
  4. Close and reopen IE and navigate to the Array UI. (No security error should be displayed now.)

aprice119
Valued Contributor

Re: Adding a signed SSL certificate to the Nimble GUI

You're right Daniel, it is very odd that the issue hasn't been addressed yet.  I know when I added my particular feature request I was contacted by the PM team to discuss what kind of options I would want to see for SSL certificate management (import a PFX?  send an online certificate request?  upload private key and certificate files?) but nothing has yet come of that conversation.

To address a couple of your points:

jetty.mortbay.org is an old reference to the original creators of Jetty, MortBay.  Jetty is the Java-based web and servlet server from Eclipse that Nimble uses to offer up its interface.  The built-in self-signed certificate is a Jetty default.

Your workaround does clear the IE warning but it also disables some critical checkpoints for validating SSL certificates in the entire browser.  IE doesn't provide a method to exempt a certificate on a particular site or for that exact cert, but Firefox does.  I use Firefox for most of my admin work now anyway, and it's especially nice since I can tell it to make the Nimble's exception permanent (but only until the certificate in the Nimble changes, or I change the DNS alias of the array).  I do the same thing with some other picky systems, notably VMware and Cisco.

I was hoping to see the SSL certificates fixed in NOS 2.0 but alas, 'twas not to be.  Hopefully sometime very soon, especially for those prospective customers who HAVE to have a signed cert for compliance reasons (like Mark Harrison).

Alan

kent106
New Member
Solution

Re: Adding a signed SSL certificate to the Nimble GUI

A couple of points:

1. The 2.1 release has code that generates a new self-signed certificate chain on group setup that replaces the mortbay certificate for use by the webui. There is a CA certificate and a host certificate that contains the group and array FQDNs, as well as management IP addresses. The certificates generated are also stronger than the mortbay one, using 2048-bit RSA keys and SHA hashing.

2. There is a mechanism whereby customer-generated certificates can be installed on an array with the aid of Nimble support. These certificates will now survive a software upgrade, which was previously not the case.

3. Adding the capability to create a CSR, get a signed certificate from the customer's CA, and import it is on the roadmap. We may also support automating the process that support does manually now to import the keys and certificates, and install them. I can't say when this will be released.

The reason this has taken so long, by the way, is that the demand for the feature is relatively small. We have a support-assisted solution, cumbersome as it is, and the burden on support to do this when requested has been negligible.

Kent
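
The chain properties described in the reply above (a CA certificate, a host certificate naming the group and array FQDNs and management IPs, 2048-bit RSA keys, SHA hashing) can be checked from an admin workstation with `openssl` rather than by relaxing browser-wide checks. This is an added example, not part of the thread and not Nimble's code; the FQDNs, IP address, file names and function names are constructed, and the sample chain is generated locally so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not Nimble code. Names, FQDNs and IPs below are constructed.

# Build a throwaway CA plus a host certificate whose SANs carry a group FQDN,
# an array FQDN and a management IP (stand-ins for what the array would present).
make_sample_chain() {  # $1 = output directory
  local d=$1
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3ca\n[dn]\nCN=unused\n[v3ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
  printf 'subjectAltName=DNS:group1.example.test,DNS:array1.example.test,IP:192.0.2.10\n' > "$d/san.ext"
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -sha256 -nodes -days 30 \
    -subj "/CN=Example Group CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=group1.example.test" -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -sha256 -days 30 -extfile "$d/san.ext" -out "$d/host.pem" 2>/dev/null
}

# Succeeds only if the host cert chains to the given CA, uses an RSA key of at
# least 2048 bits, is not signed with MD5/SHA-1, and names the address in use.
check_array_cert() {  # $1 = host cert, $2 = CA cert, $3 = FQDN or IPv4 address
  local cert=$1 ca=$2 name=$3 text bits opt
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
  text=$(openssl x509 -in "$cert" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "key size: FAIL"; return 1; }
  if printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm: (md5|sha1)'; then
    echo "hash: FAIL"; return 1
  fi
  # Only digits and dots: treat as IPv4 and match IP SANs; otherwise match DNS SANs.
  case $name in *[!0-9.]*) opt=-checkhost ;; *) opt=-checkip ;; esac
  openssl x509 -in "$cert" -noout "$opt" "$name" | grep -q 'does match' ||
    { echo "name: FAIL ($name)"; return 1; }
  echo "OK: $name (RSA $bits, chain and SAN verified)"
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_sample_chain "$d" || return 1
  check_array_cert "$d/host.pem" "$d/ca.pem" array1.example.test
  check_array_cert "$d/host.pem" "$d/ca.pem" 192.0.2.10
  check_array_cert "$d/host.pem" "$d/ca.pem" nas.example.test   # not in SAN: fails
  rm -rf "$d"
}
demo
```

Against a real array, save the presented certificate first, for example with `openssl s_client -connect <array>:443 </dev/null | openssl x509 -out host.pem`, and pass the CA certificate you have chosen to trust as the second argument.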

nick_caldwell
New Member

Re: Adding a signed SSL certificate to the Nimble GUI

Thanks Kent for the info. Browsers are going to get more and more annoying about untrusted certs, and some are talking about not letting someone go to a site at all if it doesn't have a good cert, so this issue may come up as a bigger problem quickly. Hopefully we can get a solution into the GUI before then.