MSA Storage

MSA's and CA signed certificates

Biite
Frequent Advisor

Hi all,

I'm not sure if anyone from MSA product management or development is reading these forums, but I've got some issues with MSA's (2050's) and CA signed certificates.

To name a few:

  • HPE documentation is SEVERELY lacking on this subject. It's hardly discussed in the documentation.
    I'm aware of the Belgian Storcom website which describes the procedure: Installing SSL Certificates on HPE MSA array - STORCOM Belgium
  • The MSA cannot create a CSR (Certificate Signing Request) by itself.
    This means externally generated private keys etc. are needed and quite some procedures to convert/strip/generate keys and certificates the right way so upload to the MSA is possible.
  • Once uploaded the generated certificate is ONLY active on the controller you FTP'd the certificate to.
    Guess upload to the B controller is also needed???
  • The need for FTP sucks in a highly secure environment (like ours) and should not be necessary for this.
    We need to disable LDAPS verification temporarily to enable FTP (they're mutually exclusive).
    There's no way I've found to upload keys and certificates via SCP or SFTP.

Can somebody point me to some better HPE documentation about this? Or does somebody know anyone from MSA product management?

I would love to see some MSA enhancements in this area !!!

Regards,
Martien
JohnHobbs
New Member
Solution

Re: MSA's and CA signed certificates

Hi Martien,

To answer your question, yes, you do need to upload a certificate and private key for each controller.

You should be able to upload a certificate and private key using SFTP, using the same commands that you use for FTP. Make sure you specify the SFTP port when accessing the array; you can see which port is used for SFTP with the command show protocols.

What would you recommend for documentation on this? How you generate and sign certificates, and how you extract the private key depends on the tools and signing service you use in your environment, and so you'd need instructions particular to those tools and services. I agree we need to document that each controller has its own certificate and private key, and must be uploaded using SFTP / FTP to each controller - you can't upload the certificate for controller B via an SFTP session to controller A.

Regards,
John

Biite
Frequent Advisor

Re: MSA's and CA signed certificates

Thanks John,

Completely read over the documented SFTP port part in the SMU reference guide. Did not notice the port mentioned.

I would recommend some elaboration on the certificates part in the SMU reference guide e.g.:

  • Clear description on formats that need to be uploaded to the MSA (for example PKCS #12 or #7)
    This includes the fact that an unencrypted key file needs to be uploaded.
  • Though indeed procedures are very dependent on tools used, some examples might be helpful for the most used tools?
  • Indeed clear up the documentation on the upload to 2 controllers
  • Describe some certificate verification procedures (e.g. SMU: System -> Show certificates, CLI: show certificate)

Current documentation on CA signed certificates is a little over half a page in a 200 page document, that's what I meant by lacking. It just describes the absolute minimum needed for certificates and keys upload and the rest is up to some guess work (or Googling).

Thanks a bunch for the notification about the SFTP port. Tried SFTP on the 'regular' SSH port in the beginning, which explains my failure to upload.

Regards,
Martien
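
The external preparation discussed in this thread (generate a key and CSR outside the array, keep the key unencrypted, one pair per controller) can be scripted and checked before anything is uploaded. The following is an added example, not part of the original posts or of HPE documentation; it assumes OpenSSL 1.1.1 or later and PEM files, and the host names, file names and throwaway test CA are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Host names, file names and the throwaway CA are constructed.
set -eu

# The MSA cannot create a CSR, so generate key + CSR externally, one pair per
# controller. -nodes leaves the key unencrypted, as the thread says is required.
make_csr() {  # usage: make_csr <fqdn> <dir>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2/$1.key" -out "$2/$1.csr" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# Stand-in for your real CA: signs the CSR with a one-day test CA
# (CSR extensions are not copied here; a real CA applies its own policy).
sign_with_test_ca() {  # usage: sign_with_test_ca <fqdn> <dir>
  [ -f "$2/ca.key" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$2/ca.key" -out "$2/ca.crt" -subj "/CN=Constructed Test CA" 2>/dev/null
  openssl x509 -req -in "$2/$1.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
    -CAcreateserial -days 1 -out "$2/$1.crt" 2>/dev/null
}

# True only if the PEM key carries no encryption header and parses cleanly.
key_is_unencrypted() {  # usage: key_is_unencrypted <keyfile>
  ! grep -q 'ENCRYPTED' "$1" && openssl pkey -in "$1" -noout -passin pass:x 2>/dev/null
}

# True only if the certificate's public key is the one derived from the private key.
cert_matches_key() {  # usage: cert_matches_key <cert> <key>
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout -passin pass:x 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
for ctrl in msa-a.example.test msa-b.example.test; do   # controller A and B
  make_csr "$ctrl" "$work"; sign_with_test_ca "$ctrl" "$work"
  if key_is_unencrypted "$work/$ctrl.key" \
     && cert_matches_key "$work/$ctrl.crt" "$work/$ctrl.key"
  then echo "$ctrl: key and certificate are consistent"
  else echo "$ctrl: do NOT upload this pair"; fi
done
# Controller A's certificate with controller B's key is the mix-up to catch.
cert_matches_key "$work/msa-a.example.test.crt" "$work/msa-b.example.test.key" \
  || echo "cross-controller mismatch detected"
```

In real use, replace sign_with_test_ca with submission of each CSR to your own CA, and keep the private keys on a restricted host until they are uploaded.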