Community
HPE 3PAR StoreServ Storage

SSMC 3.6 Custom Certificate

 
SOLVED
Go to solution
psychomike
Visitor

‎05-21-2020 02:10 PM - edited ‎05-21-2020 02:20 PM

‎05-21-2020 02:10 PM - edited ‎05-21-2020 02:20 PM

SSMC 3.6 Custom Certificate

Having and issue with a newly deployed VA version 3.6. Admin has gone through the steps to generate the CSR/key for custom CA certificates. When we get to the step to update the Jetty-SSL-Context.xml file, we can not update it due to permissions. We are logged in with the ssmcadmin account. When we look at the file in WinSCP it shows the owner as hpe3parssmcuser. So how do we update the file with our keymanager password etc...if the ssmcadmin account does not have permission to modify the file? We tried to change owner of the file, but received permission denied. Any help would be appreciated.

0 Kudos
Reply
7 REPLIES 7
Dardan
Valued Contributor

‎05-21-2020 10:06 PM

‎05-21-2020 10:06 PM

Re: SSMC 3.6 Custom Certificate

Hello,

Can you double-check if you're trying to update the correct file?

It's jetty-ssl-context.xml file the under /opt/hpe/ssmc/ssmcbase/etc/ that needs to be updated. That shouldn't be a problem with your ssmcadmin UID.

Cheers,
Dardan

___________
Hit the Kudo's button to show appreciation or mark as solution if your question was answered.
0 Kudos
Reply
psychomike
Visitor

‎05-22-2020 01:38 AM

‎05-22-2020 01:38 AM

Re: SSMC 3.6 Custom Certificate

Thank you for your reply.

That is the file that we are trying to update. We are able to CP the file to "home>ssmcadmin" as directed in a previous step. We are able to update the copy as the owner is the ssmcadmin account. In VI editor, when attempting to save/write changes, we receive the read-only error (no permission to write changes). Tried using WinSCP (connected using ssmcadmin), we can download the file, open the file etc...but when trying to save changes or upload (replace the file), we get permission denied. Tried chaning owner of the file to ssmcadmin, and receive permission errors.

I can upload screen grabs of the errors when I get to work in a couple hours.

0 Kudos
Reply
psychomike
Visitor

‎05-22-2020 05:54 AM

‎05-22-2020 05:54 AM

Re: SSMC 3.6 Custom Certificate

So we are able to update that file, however, it still wants to use the self signed certificate (after restarting). In the Admin Guide (Page 67 Step 8), it mentions that the Certificates provided by the customer CA can be in the same or seperate files. It then lists the 3 required certificates. We imported the Server.pem, Root.pem, Intermediate.pem...do these need to be combined into a signle chain? Or does the Root.pem need to be combined with the Intermediate.pem? And if so, in what format/order?

0 Kudos
Reply
Dardan
Valued Contributor

‎05-22-2020 08:13 AM - edited ‎12-16-2020 07:04 AM

‎05-22-2020 08:13 AM - edited ‎12-16-2020 07:04 AM

Solution

Re: SSMC 3.6 Custom Certificate

I would recommend to add certificates separately. You can check the validity of certificates (before adding them to the keystore) by running the following command:

/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -printcert -v -file <filename>

Next step is to place the Root certificate, the Intermediate certifiate (if it exists) and the client ceritificate (your ssmc appliance) inside the keystore.

1) Adding root cert
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias root -keystore <my_keystore> -trustcacerts -file <RootCA.cer>

2) Adding intermediate cert
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -keystore <my_keystore> -trustcacerts -file <IntermediateCA.cer>

3) Finally add client cert
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias jetty -keystore <my_keystore> -trustcacerts -file <SignedByCA.cer>

Go back to your SSMC Appliance, restart (shutdow/start) services and your new cert should reflect.

Hope this helps.
Cheers, Dardan

P.S. I've created a detailed manual to cover these steps: https://www.storcom.com/hpe-ssmc-custom-certificates/

___________
Hit the Kudo's button to show appreciation or mark as solution if your question was answered.
Reply
psychomike
Visitor

‎05-22-2020 09:58 AM

‎05-22-2020 09:58 AM

Re: SSMC 3.6 Custom Certificate

Thank sir. That worked. The final issue was the keystore file path. Thank you for all your help!

0 Kudos
Reply
psychomike70
Occasional Visitor

‎09-03-2020 10:17 AM

‎09-03-2020 10:17 AM

Re: SSMC 3.6 Custom Certificate

So now we are attempting this on another appliance on another network. This network has (2) Intermediate CAs in the path. When we create (2) separate Intermediate .pem files, we can only import one. When attempting to import the second Intermediate cert, we get an error that the alias "mykey" already exists?

0 Kudos
Reply
Dardan
Valued Contributor

‎09-03-2020 11:11 PM

‎09-03-2020 11:11 PM

Re: SSMC 3.6 Custom Certificate

Hi,
I would try to combine the intermediate certificates into one .pem file, and upload it.
- Open both .pem files with any text editor
- Copy the content of the 2nd intermediate certificate and paste it at the end of the first certificate.
- Save the file as .pem.
- Upload using the same commands.

___________
Hit the Kudo's button to show appreciation or mark as solution if your question was answered.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.