HPE 3PAR StoreServ Storage

Re: SSMC 3.6 Custom Certificate

 
SOLVED
psychomike
Visitor

SSMC 3.6 Custom Certificate

Having an issue with a newly deployed VA version 3.6. Admin has gone through the steps to generate the CSR/key for custom CA certificates. When we get to the step to update the Jetty-SSL-Context.xml file, we cannot update it due to permissions. We are logged in with the ssmcadmin account. When we look at the file in WinSCP it shows the owner as hpe3parssmcuser. So how do we update the file with our keymanager password etc. if the ssmcadmin account does not have permission to modify the file? We tried to change owner of the file, but received permission denied. Any help would be appreciated.

9 REPLIES
Dardan
Trusted Contributor

Re: SSMC 3.6 Custom Certificate

Hello,

Can you double-check if you're trying to update the correct file?

It's the jetty-ssl-context.xml file under /opt/hpe/ssmc/ssmcbase/etc/ that needs to be updated. That shouldn't be a problem with your ssmcadmin UID.

Cheers,
Dardan

___________
Hit the Kudo's button to show appreciation or mark as solution if your question was answered.
psychomike
Visitor

Re: SSMC 3.6 Custom Certificate

Thank you for your reply.

That is the file that we are trying to update. We are able to CP the file to "home>ssmcadmin" as directed in a previous step. We are able to update the copy as the owner is the ssmcadmin account. In VI editor, when attempting to save/write changes, we receive the read-only error (no permission to write changes). Tried using WinSCP (connected using ssmcadmin), we can download the file, open the file etc., but when trying to save changes or upload (replace the file), we get permission denied. Tried changing owner of the file to ssmcadmin, and receive permission errors.

I can upload screen grabs of the errors when I get to work in a couple hours.

psychomike
Visitor

Re: SSMC 3.6 Custom Certificate

So we are able to update that file, however, it still wants to use the self-signed certificate (after restarting). In the Admin Guide (Page 67 Step 8), it mentions that the Certificates provided by the customer CA can be in the same or separate files. It then lists the 3 required certificates. We imported the Server.pem, Root.pem, Intermediate.pem...do these need to be combined into a single chain? Or does the Root.pem need to be combined with the Intermediate.pem? And if so, in what format/order?

Dardan
Trusted Contributor
Solution

Re: SSMC 3.6 Custom Certificate

I would recommend adding the certificates separately. You can check the validity of certificates (before adding them to the keystore) by running the following command:

/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -printcert -v -file <filename>

Next step is to place the Root certificate, the Intermediate certificate (if it exists) and the client certificate (your ssmc appliance) inside the keystore.

1) Adding root cert
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias root -keystore <my_keystore> -trustcacerts -file <RootCA.cer>

2) Adding intermediate cert
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -keystore <my_keystore> -trustcacerts -file <IntermediateCA.cer>

3) Finally add client cert
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias jetty -keystore <my_keystore> -trustcacerts -file <SignedByCA.cer>

Go back to your SSMC Appliance, restart (shutdown/start) services and your new cert should reflect.

Hope this helps.
Cheers, Dardan

P.S. I've created a detailed manual to cover these steps: https://www.storcom.com/hpe-ssmc-custom-certificates/

psychomike
Visitor

Re: SSMC 3.6 Custom Certificate

Thank you, sir. That worked. The final issue was the keystore file path. Thank you for all your help!

psychomike70
Occasional Visitor

Re: SSMC 3.6 Custom Certificate

So now we are attempting this on another appliance on another network. This network has (2) Intermediate CAs in the path. When we create (2) separate Intermediate .pem files, we can only import one. When attempting to import the second Intermediate cert, we get an error that the alias "mykey" already exists?

Dardan
Trusted Contributor

Re: SSMC 3.6 Custom Certificate

Hi,
I would try to combine the intermediate certificates into one .pem file, and upload it.
- Open both .pem files with any text editor
- Copy the content of the 2nd intermediate certificate and paste it at the end of the first certificate.
- Save the file as .pem.
- Upload using the same commands.

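Added example, not part of the posts above or of HPE's documentation: keytool uses the default alias "mykey" whenever -alias is omitted, which is the error reported for the second intermediate and also applies to step 2 of the import procedure earlier in the thread. This sketch splits a bundle into one file per certificate and prints one import command per file, each with its own alias. The alias prefix "intermediate", the function names and the placeholder bundle are assumptions; the keytool path and flags are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: give every CA certificate its own keystore alias.
KEYTOOL=/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool   # path quoted in the thread

# split_bundle BUNDLE OUTDIR PREFIX (hypothetical helper)
# Writes PREFIX1.pem, PREFIX2.pem, ... into OUTDIR and prints how many were found.
split_bundle() {
    awk -v dir="$2" -v pre="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pre n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# import_commands KEYSTORE OUTDIR PREFIX COUNT (hypothetical helper)
# Prints one import command per certificate; nothing is executed, so the
# commands can be reviewed before they touch the keystore.
import_commands() {
    i=1
    while [ "$i" -le "$4" ]; do
        printf '%s -import -alias %s%d -keystore %s -trustcacerts -file %s/%s%d.pem\n' \
            "$KEYTOOL" "$3" "$i" "$1" "$2" "$3" "$i"
        i=$((i + 1))
    done
}

demo() {
    tmp=$(mktemp -d)
    # Constructed placeholder bundle: the bodies are NOT real certificates.
    cat > "$tmp/intermediates.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-INTERMEDIATE-1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-INTERMEDIATE-2
-----END CERTIFICATE-----
EOF
    count=$(split_bundle "$tmp/intermediates.pem" "$tmp" intermediate)
    import_commands '<my_keystore>' "$tmp" intermediate "$count"
    rm -rf "$tmp"
}

demo
```

After the imports, keytool -list -keystore <my_keystore> shows one entry per alias, which makes it easy to confirm that both intermediates are present.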
psychomike70
Occasional Visitor

Re: SSMC 3.6 Custom Certificate

Hate to resurrect an old post...our custom certificate is due to expire and we are having an issue updating again.

Our first attempt we used the original CSR to re-submit for a new certificate. We were able to remove the Intermediate and Server certificate from the keystore and import the updated .pems. However, when restarting the services, we are unable to access the management console. The keystore passwords did not change.

So since the first attempt failed we were just going to repeat the original process, however, we are getting permission denied when trying to copy the keystore file (step 2 or 3). Looking at the permissions, it looks like all the files under /opt/hpe/ssmc/ssmcbase/etc are owned by hpe3parssmcuser and ssmcadmin is unable to do anything (including chmod/chown). What are we missing?

Sunitha_Mod
Moderator

Re: SSMC 3.6 Custom Certificate

Hello @psychomike70

Since you have posted in an old topic and there is no response yet, I would recommend that you create a new topic using the "New Discussion" button, so the experts can check and help you further.

Thanks,
Sunitha G
I'm an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]