MSA's and CA signed certifcates

Biite · 3 weeks ago

Hi all,

I'm no sure if anyone from MSA product management or development is reading these forums, but I've got some issues with MSA's (2050's) and CA signed certificates.

To name a few:

HPE documentation is SEVERYLY lacking on this subject. It's hardly discussed in the documentation.
I'm aware of the Belgian Storcomm website which describes the procedure: Installing SSL Certificates on HPE MSA array - STORCOM Belgium
The MSA cannot create a CSR (Certificate Signing Request) by itself.
This means externally generated private keys etc. are needed and quite some procedures to convert/strip/generatie keys and certifcates the right way so upload to the MSA is possible
Once uploaded the generated certificate is ONLY active on the controller you FTP'd the certificate to.
Guess upload to the B controller is also needed???
The need for FTP sucks in a highly secure environment (like ours) and should not be necessary for this.
We need to disable LDAPS verification temporarily to enable FTP (they're mutually exclusive).
There's no way I've found to upload keys and certificates via SCP or SFTP.

Can somebody point me to some better HPE documentation about this? Or does somebody known anyone from MSA product managment?

I would love to see some MSA enhancements in this area !!!

Regards,
Martien

JohnHobbs · 3 weeks ago

Hi Martien,

To answer your question, yes, you do need to upload a certificate and private key for each controller.

You should be able to upload a certificate and private key using SFTP, using the same commands that you use for FTP. Make sure you specify the SFTP port when accessing the array, you can see which port is used for SFTP with the command show protocols.

What would you recommend for documentation on this? How you generate and sign certificates, and how you extract the private key depends on the tools and signing service you use in your environment, and so you'd need instructions particular to those tools and services. I agree we need to document that each controller has its own certificate and private key, and must be uploaded using a SFTP / FTP to each controller - you can't upload the certificate for controller B via an SFTP session to controller A.

Regards,
John

Biite · 3 weeks ago

Thank John,

Completely read over the documented SFTP port part in the SMU reference guide. Did not notice the port mentioned..

I would recommend some elaboration on the certificates part in the SMU reference guide e.g.:

Clear description on formats that need to be uploaded to the MSA (for examle PCKS #12 or #7)
This includes the fact that an unencrypted key file needs to be uploaded.
Though indeed procedures are very dependent on tools used, some examples might be helpful for the most used tools?
Indeed clear up the documentation on the upload to 2 controllers
Describe some certificate verification procedures (e.g. SMU: System -> Show certificates, CLI: show certificate)

Current documentation on CA signed certifcates is a little over half a page in a 200 page document, that's what I meant by lacking. It just describes the absolute minimum needed for certificates and keys upload and the rest is up to some guess work (or Googling).

Thanks a bunch for the notification about the SFTP port. Tried SFTP on the 'regular' SSH port in the beginning, which explains my failure to upload.

Regards,
Martien

MSA's and CA signed certifcates

MSA's and CA signed certifcates

Re: MSA's and CA signed certifcates

Re: MSA's and CA signed certifcates

Hewlett Packard Enterprise International