HPE 3PAR StoreServ Storage

3PAR certificate management

 
SOLVED
Go to solution
adamdb_uk
Advisor

3PAR certificate management

Hi all,

           was picking up an issue with a customer 3PAR which began generating alarms with regard to expired certificates. On inspection it appears that at some point the customer has created their own signed certs for specfiic services (wsapi/cim/cli) but have left the old unified-server entry as self signed. Also I don't believe any cleanup was done during the cert replacement process for wsapi, cli and cim which has resulted in these expired certs being left behind.

edited example below. It seems some signed certs were installed for CIM, CLI  and WSAPI but not for unified-server. Also no cleanup was done of the old self signed (MY3PAR.domain.com) certs which are now alarming due to expiry

Service Commonname Type Enddate Fingerprint
cim* MY3PAR.domain.com intca Jul 14 15:23:26 2019 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cim* domain-issuing-ca-01 intca Jun 20 07:54:11 2022 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cim* domain-RCA-01 rootca Jun 20 07:50:07 2027 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cli* MY3PAR.domain.com intca Jul 14 15:23:26 2019 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cli* domain-issuing-ca-01 intca Jun 20 07:54:11 2022 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cli* domain-RCA-01 rootca Jun 20 07:50:07 2027 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
wsapi* MY3PAR.domain.com intca Jul 14 15:23:26 2019 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
wsapi* domain-issuing-ca-01 intca Jun 20 07:54:11 2022 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
wsapi* domain-RCA-01 rootca Jun 20 07:50:07 2027 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
unified-server* MY3PAR.domain.com cert Nov 26 08:54:06 2022 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The oddest thing of all is that from what i can tell wsapi (which i can test by connecting the URL) is still using the self signed 'unified-server' cert.

So my question is really the following..

I believe the correct approach would to remove everything in the first instance.

so would issue

removecert

removecert unified-server

 once this has been done the next steps would be install new certs. This is where i require clarification. If the customer wishes to use their own certificate chain do i just need to create a signing request for 'unified-server' as it appears this is what gets served up anyway? Or do I need to create signing requests for each service INCLUDING unified-server.

My gut feeling is all that is needed is the following.

If just following the self-signed route then all i need is

createcert unified-server -selfsigned -CN "<CERT CN>"

However if going down my own CA route then I would need to get a CSR for unified-server created and signed.

createcert unified-server -csr -keysize 2048 -C Country -ST Country -L City -O "MyOrg" -OU "MyOU" -CN MY3PAR.Name -SAN DNS:DNSNAME,IP:xxx.xxx.xxx.xxx myCERT.txt

 Once I had this MyCert.txt I'd get that signed by my cert authority.

Once done I need to import everything back in

Import root CA

importcert unified-server -ca RootCA_B64.pem

 Import Intermediate CA if needed

importcert unified-server -ca IssuingCA.pem

Finally import the array cert

importcert unified-server MY3PAR.name.pem

 

Oh and I guess you'd need to stop wsapi and start it again before and after these steps to ensure it gets the new cert.

I believe that's all that's needed and you don't need to go down the route of creating signed certs of wsapi, cli and cim individually.

I did reach out to support to confirm the steps but its been some time and we're not getting anything useful so i thought I'd try here. 

It is slightly confusing as the 3PAR manual says "The unified-server establishes a common certificate among CIM, CLI, and WSAPI." however it then shows examples of importing certificates for individual services 

"cli% importcert cli cli-service.pem ca.pem"

for example. A bit confusing...

Hopefully someone will confirm these steps are broadly correct and only the signed unified-server cert is needed along with any root and issuing CA for the company.

thanks in advance.

5 REPLIES 5
adamdb_uk
Advisor

Re: 3PAR certificate management

I guess this is clearly a knowledge blackspot then... given this post has now generated a support call (which we already have open and to which no meaningful replies have come so far)... oh well...never mind..

Dardan
Valued Contributor
Solution

Re: 3PAR certificate management

Hello Adam,

The Unified-Server service contains both 3 services WSAPI, CLI and the CIM. I would indeed remove all certificates and start a new signing request / approval for the unified-server service.

Below a step-by-step procedure: https://www.storcom.com/implementing-ca-certificates-on-primera-ui/

Hope this helps.

Cheers,

Dardan

___________
Hit the Kudo's button to show appreciation or mark as solution if your question was answered.
adamdb_uk
Advisor

Re: 3PAR certificate management

Thanks... my thinking was fogged somewhat when i looked at the 3PAR HPE Manual. Thanks for confirming that only unified server is needed. I'll get a signing request created for that and we should be good to proceed.

 

thank you.

Josh94K
HPE Pro

Re: 3PAR certificate management

Hello @adamdb_uk 

Hello Adam,

Thank you for your elaborate query. 

I just have few corrections with respect to the commands. 

 

cli% removecert all // remove all the certificates 

cli% createcert unified-server -selfsigned -CN "HP_3PAR 7400 -1615157"

cli% createcert unified-server -selfsigned -keysize 2048 -days 365

 

CN <common name>

Specifies the value of the common name (CN) attribute of the subject of the self-signed certificate.

When this option is not used, the default is HP 3PAR <model> <serial>, where model and

serial are the system model name and the serial number of the HP 3PAR Storage System for which

the self-signed certificate is created.

 

-keysize <keysize>

Specifies the encryption key size in bits of the self-signed certificate. Valid values are 1024 and

2048. The default value is 2048.

 

-days <days>

Specifies the valid days of the self-signed certificate. Valid values are between 1 and 3650 days

(10 years). The default value is 1095 days (3 years).

 

@adamdb_uk I Hope this help. 

If you feel this was helpful please click the KUDOS! thumb below!

 

Accept or Kudo

I work for HPE.
adamdb_uk
Advisor

Re: 3PAR certificate management

thanks. I'm aware of the keysize and expiry options. The question was more around whether you needed to create CSR's for individual services when you want them signed by your own CA or if unified-server will suffice. It appears all that will be needed is unified-server either self-signed or via a CSR signed by the customer's CA (and then installed along with the customers rootCA and intermediate CA certs (so 3 in total for unified-server). It's confusing as the 3PAR CLI manaual shows individual certs being installed for acutal services. I think perhaps a re-write of that section of the manual would be a good idea to make it clear that unified-server is all that is needed.

Also I think all those options need to go on the same command line don't they?

cli% createcert unified-server -selfsigned -CN "HP_3PAR 7400 -1615157" -keysize 2048 -days 365

 

thanks for your clarifications though.