- Community Home
- >
- Storage
- >
- Midrange and Enterprise Storage
- >
- HPE 3PAR StoreServ Storage
- >
- Re: SSMC 3.6 Custom Certificate
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-21-2020 02:10 PM - edited тАО05-21-2020 02:20 PM
тАО05-21-2020 02:10 PM - edited тАО05-21-2020 02:20 PM
Having and issue with a newly deployed VA version 3.6. Admin has gone through the steps to generate the CSR/key for custom CA certificates. When we get to the step to update the Jetty-SSL-Context.xml file, we can not update it due to permissions. We are logged in with the ssmcadmin account. When we look at the file in WinSCP it shows the owner as hpe3parssmcuser. So how do we update the file with our keymanager password etc...if the ssmcadmin account does not have permission to modify the file? We tried to change owner of the file, but received permission denied. Any help would be appreciated.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-21-2020 10:06 PM
тАО05-21-2020 10:06 PM
Re: SSMC 3.6 Custom Certificate
Hello,
Can you double-check if you're trying to update the correct file?
It's jetty-ssl-context.xml file the under /opt/hpe/ssmc/ssmcbase/etc/ that needs to be updated. That shouldn't be a problem with your ssmcadmin UID.
Cheers,
Dardan
Hit the Kudo's button to show appreciation or mark as solution if your question was answered.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-22-2020 01:38 AM
тАО05-22-2020 01:38 AM
Re: SSMC 3.6 Custom Certificate
Thank you for your reply.
That is the file that we are trying to update. We are able to CP the file to "home>ssmcadmin" as directed in a previous step. We are able to update the copy as the owner is the ssmcadmin account. In VI editor, when attempting to save/write changes, we receive the read-only error (no permission to write changes). Tried using WinSCP (connected using ssmcadmin), we can download the file, open the file etc...but when trying to save changes or upload (replace the file), we get permission denied. Tried chaning owner of the file to ssmcadmin, and receive permission errors.
I can upload screen grabs of the errors when I get to work in a couple hours.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-22-2020 05:54 AM
тАО05-22-2020 05:54 AM
Re: SSMC 3.6 Custom Certificate
So we are able to update that file, however, it still wants to use the self signed certificate (after restarting). In the Admin Guide (Page 67 Step 8), it mentions that the Certificates provided by the customer CA can be in the same or seperate files. It then lists the 3 required certificates. We imported the Server.pem, Root.pem, Intermediate.pem...do these need to be combined into a signle chain? Or does the Root.pem need to be combined with the Intermediate.pem? And if so, in what format/order?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-22-2020 08:13 AM - edited тАО12-16-2020 07:04 AM
тАО05-22-2020 08:13 AM - edited тАО12-16-2020 07:04 AM
SolutionI would recommend to add certificates separately. You can check the validity of certificates (before adding them to the keystore) by running the following command:
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -printcert -v -file <filename>
Next step is to place the Root certificate, the Intermediate certifiate (if it exists) and the client ceritificate (your ssmc appliance) inside the keystore.
1) Adding root cert
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias root -keystore <my_keystore> -trustcacerts -file <RootCA.cer>
2) Adding intermediate cert
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -keystore <my_keystore> -trustcacerts -file <IntermediateCA.cer>
3) Finally add client cert
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias jetty -keystore <my_keystore> -trustcacerts -file <SignedByCA.cer>
Go back to your SSMC Appliance, restart (shutdow/start) services and your new cert should reflect.
Hope this helps.
Cheers, Dardan
P.S. I've created a detailed manual to cover these steps: https://www.storcom.com/hpe-ssmc-custom-certificates/
Hit the Kudo's button to show appreciation or mark as solution if your question was answered.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-22-2020 09:58 AM
тАО05-22-2020 09:58 AM
Re: SSMC 3.6 Custom Certificate
Thank sir. That worked. The final issue was the keystore file path. Thank you for all your help!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-03-2020 10:17 AM
тАО09-03-2020 10:17 AM
Re: SSMC 3.6 Custom Certificate
So now we are attempting this on another appliance on another network. This network has (2) Intermediate CAs in the path. When we create (2) separate Intermediate .pem files, we can only import one. When attempting to import the second Intermediate cert, we get an error that the alias "mykey" already exists?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-03-2020 11:11 PM
тАО09-03-2020 11:11 PM
Re: SSMC 3.6 Custom Certificate
Hi,
I would try to combine the intermediate certificates into one .pem file, and upload it.
- Open both .pem files with any text editor
- Copy the content of the 2nd intermediate certificate and paste it at the end of the first certificate.
- Save the file as .pem.
- Upload using the same commands.
Hit the Kudo's button to show appreciation or mark as solution if your question was answered.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-01-2022 08:15 AM
тАО08-01-2022 08:15 AM
Re: SSMC 3.6 Custom Certificate
Hate to resurrect an old post...our custom certificate is due to expire and we are having an issue updating again.
Our first attempt we used the original CSR to re-submit for a new certificate. We were able to remove the Intermediate and Server certificate from the keystore and import the updated .pems. However, when restarting the services, we are unable to access the management console. The keystore passwords did not change.
So since the first attempt failed we were just going to repeat the original process, however, we are getting permission denied when trying to copy the keystore file (step 2 or 3). Looking at the permissions, it looks like all the files under /opt/hpe/ssmc/ssmcbase/etc are owned by hpe3parssmcuser and ssmcadmin is unable to do anything (including chmod/chown). What are we missing?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО08-04-2022 12:51 AM
тАО08-04-2022 12:51 AM
Re: SSMC 3.6 Custom Certificate
Hello @psychomike70,
Since you have posted in an old topic and there is no response yet, I would recommend you to create a new topic using the create "New Discussion" button, so the experts can check and help you further.
Sunitha G
I'm an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]