- Re: 3PAR certificate management
05-05-2021 01:01 AM - edited 05-05-2021 02:41 AM
Hi all,
Was picking up an issue with a customer 3PAR which began generating alarms with regard to expired certificates. On inspection it appears that at some point the customer has created their own signed certs for specific services (wsapi/cim/cli) but has left the old unified-server entry as self-signed. Also I don't believe any cleanup was done during the cert replacement process for wsapi, cli and cim, which has resulted in these expired certs being left behind.
Edited example below. It seems some signed certs were installed for CIM, CLI and WSAPI but not for unified-server. Also no cleanup was done of the old self-signed (MY3PAR.domain.com) certs, which are now alarming due to expiry.
Service          Commonname            Type    Enddate                   Fingerprint
cim*             MY3PAR.domain.com     intca   Jul 14 15:23:26 2019 GMT  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cim*             domain-issuing-ca-01  intca   Jun 20 07:54:11 2022 GMT  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cim*             domain-RCA-01         rootca  Jun 20 07:50:07 2027 GMT  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cli*             MY3PAR.domain.com     intca   Jul 14 15:23:26 2019 GMT  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cli*             domain-issuing-ca-01  intca   Jun 20 07:54:11 2022 GMT  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cli*             domain-RCA-01         rootca  Jun 20 07:50:07 2027 GMT  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
wsapi*           MY3PAR.domain.com     intca   Jul 14 15:23:26 2019 GMT  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
wsapi*           domain-issuing-ca-01  intca   Jun 20 07:54:11 2022 GMT  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
wsapi*           domain-RCA-01         rootca  Jun 20 07:50:07 2027 GMT  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
unified-server*  MY3PAR.domain.com     cert    Nov 26 08:54:06 2022 GMT  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The oddest thing of all is that from what I can tell wsapi (which I can test by connecting to the URL) is still using the self-signed 'unified-server' cert.
So my question is really the following..
I believe the correct approach would be to remove everything in the first instance.
so would issue
removecert unified-server
Once this has been done the next step would be to install new certs. This is where I require clarification. If the customer wishes to use their own certificate chain do I just need to create a signing request for 'unified-server', as it appears this is what gets served up anyway? Or do I need to create signing requests for each service INCLUDING unified-server?
My gut feeling is all that is needed is the following.
If just following the self-signed route then all I need is
createcert unified-server -selfsigned -CN "<CERT CN>"
However if going down my own CA route then I would need to get a CSR for unified-server created and signed.
createcert unified-server -csr -keysize 2048 -C Country -ST Country -L City -O "MyOrg" -OU "MyOU" -CN MY3PAR.Name -SAN DNS:DNSNAME,IP:xxx.xxx.xxx.xxx myCERT.txt
Once I had this MyCert.txt I'd get that signed by my cert authority.
Once done I need to import everything back in
Import root CA
importcert unified-server -ca RootCA_B64.pem
Import Intermediate CA if needed
importcert unified-server -ca IssuingCA.pem
Finally import the array cert
importcert unified-server MY3PAR.name.pem
Oh and I guess you'd need to stop wsapi and start it again before and after these steps to ensure it gets the new cert.
I believe that's all that's needed and you don't need to go down the route of creating signed certs of wsapi, cli and cim individually.
I did reach out to support to confirm the steps but it's been some time and we're not getting anything useful so I thought I'd try here.
It is slightly confusing as the 3PAR manual says "The unified-server establishes a common certificate among CIM, CLI, and WSAPI." however it then shows examples of importing certificates for individual services
"cli% importcert cli cli-service.pem ca.pem"
for example. A bit confusing...
Hopefully someone will confirm these steps are broadly correct and only the signed unified-server cert is needed along with any root and issuing CA for the company.
thanks in advance.
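An added example, not part of the original post and not HPE code: a small parser for a certificate listing in the column layout pasted above, reporting which entries per service are expired or close to expiry and which services list no entry of type `cert`. The sample text is constructed from the post's values with a shortened placeholder fingerprint; the function names and the `warn_days` threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: columns and values as in the post's listing,
# fingerprints shortened to a placeholder.
SAMPLE = """\
Service Commonname Type Enddate Fingerprint
cim* MY3PAR.domain.com intca Jul 14 15:23:26 2019 GMT xxxx
cim* domain-issuing-ca-01 intca Jun 20 07:54:11 2022 GMT xxxx
cim* domain-RCA-01 rootca Jun 20 07:50:07 2027 GMT xxxx
wsapi* MY3PAR.domain.com intca Jul 14 15:23:26 2019 GMT xxxx
unified-server* MY3PAR.domain.com cert Nov 26 08:54:06 2022 GMT xxxx
"""

# A common name may contain spaces, so each row is anchored on the date:
# the token just before it is the type, the text before that is the CN.
ROW = re.compile(
    r"^(?P<service>\S+)\s+(?P<cn>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<end>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+GMT\s+(?P<fp>\S+)\s*$"
)

def parse_listing(text):
    """One dict per certificate row; the header and unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        end = datetime.strptime(" ".join(m["end"].split()), "%b %d %H:%M:%S %Y")
        entries.append({"service": m["service"].rstrip("*"), "cn": m["cn"],
                        "type": m["type"], "end": end.replace(tzinfo=timezone.utc)})
    return entries

def audit(entries, now, warn_days=90):
    """Map each service to its (status, type, cn) entries that need attention."""
    findings = {}
    for e in entries:
        if e["end"] <= now:
            status = "expired"
        elif e["end"] - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            continue
        findings.setdefault(e["service"], []).append((status, e["type"], e["cn"]))
    return findings

def services_without_leaf(entries):
    """Services that list only CA-type entries and no entry of type 'cert'."""
    with_leaf = {e["service"] for e in entries if e["type"] == "cert"}
    return sorted({e["service"] for e in entries} - with_leaf)
```

Run against a saved copy of the array's listing with `now=datetime.now(timezone.utc)`, the expired entries per service are the cleanup candidates, and any service without a `cert` entry is one whose served certificate is worth checking from a client.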
05-06-2021 12:10 AM
Re: 3PAR certificate management
I guess this is clearly a knowledge blackspot then... given this post has now generated a support call (which we already have open and to which no meaningful replies have come so far)... oh well...never mind..
05-06-2021 12:14 AM
Solution
Hello Adam,
The Unified-Server service contains all 3 services: WSAPI, CLI and the CIM. I would indeed remove all certificates and start a new signing request / approval for the unified-server service.
Below a step-by-step procedure: https://www.storcom.com/implementing-ca-certificates-on-primera-ui/
Hope this helps.
Cheers,
Dardan
05-06-2021 12:17 AM - edited 05-06-2021 12:58 AM
Re: 3PAR certificate management
Thanks... my thinking was fogged somewhat when I looked at the 3PAR HPE Manual. Thanks for confirming that only unified server is needed. I'll get a signing request created for that and we should be good to proceed.
thank you.
05-06-2021 12:50 AM
Re: 3PAR certificate management
Hello @adamdb_uk
Hello Adam,
Thank you for your elaborate query.
I just have a few corrections with respect to the commands.
cli% removecert all // remove all the certificates
cli% createcert unified-server -selfsigned -CN "HP_3PAR 7400 -1615157"
cli% createcert unified-server -selfsigned -keysize 2048 -days 365
-CN <common name>
Specifies the value of the common name (CN) attribute of the subject of the self-signed certificate.
When this option is not used, the default is HP 3PAR <model> <serial>, where model and
serial are the system model name and the serial number of the HP 3PAR Storage System for which
the self-signed certificate is created.
-keysize <keysize>
Specifies the encryption key size in bits of the self-signed certificate. Valid values are 1024 and
2048. The default value is 2048.
-days <days>
Specifies the valid days of the self-signed certificate. Valid values are between 1 and 3650 days
(10 years). The default value is 1095 days (3 years).
@adamdb_uk I hope this helps.
05-06-2021 12:56 AM - edited 05-06-2021 01:18 AM
Re: 3PAR certificate management
Thanks. I'm aware of the keysize and expiry options. The question was more around whether you needed to create CSRs for individual services when you want them signed by your own CA or if unified-server will suffice. It appears all that will be needed is unified-server, either self-signed or via a CSR signed by the customer's CA (and then installed along with the customer's rootCA and intermediate CA certs, so 3 in total for unified-server). It's confusing as the 3PAR CLI manual shows individual certs being installed for actual services. I think perhaps a re-write of that section of the manual would be a good idea to make it clear that unified-server is all that is needed.
Also I think all those options need to go on the same command line don't they?
cli% createcert unified-server -selfsigned -CN "HP_3PAR 7400 -1615157" -keysize 2048 -days 365
thanks for your clarifications though.