MSA's and CA signed certificates
05-20-2021 08:57 AM
Hi all,
I'm not sure if anyone from MSA product management or development is reading these forums, but I've got some issues with MSA's (2050's) and CA signed certificates.
To name a few:
- HPE documentation is SEVERELY lacking on this subject. It's hardly discussed in the documentation.
  I'm aware of the Belgian Storcom website which describes the procedure: Installing SSL Certificates on HPE MSA array - STORCOM Belgium
- The MSA cannot create a CSR (Certificate Signing Request) by itself.
  This means externally generated private keys etc. are needed and quite some procedures to convert/strip/generate keys and certificates the right way so upload to the MSA is possible
- Once uploaded the generated certificate is ONLY active on the controller you FTP'd the certificate to.
  Guess upload to the B controller is also needed???
- The need for FTP sucks in a highly secure environment (like ours) and should not be necessary for this.
  We need to disable LDAPS verification temporarily to enable FTP (they're mutually exclusive).
  There's no way I've found to upload keys and certificates via SCP or SFTP.
Can somebody point me to some better HPE documentation about this? Or does somebody know anyone from MSA product management?
I would love to see some MSA enhancements in this area !!!
Martien
05-20-2021 01:58 PM
Solution
Hi Martien,
To answer your question, yes, you do need to upload a certificate and private key for each controller.
You should be able to upload a certificate and private key using SFTP, using the same commands that you use for FTP. Make sure you specify the SFTP port when accessing the array; you can see which port is used for SFTP with the command show protocols.
What would you recommend for documentation on this? How you generate and sign certificates, and how you extract the private key depends on the tools and signing service you use in your environment, and so you'd need instructions particular to those tools and services. I agree we need to document that each controller has its own certificate and private key, and must be uploaded using SFTP / FTP to each controller - you can't upload the certificate for controller B via an SFTP session to controller A.
Regards,
John
05-20-2021 11:43 PM
Re: MSA's and CA signed certificates
Thanks John,
Completely read over the documented SFTP port part in the SMU reference guide. Did not notice the port mentioned.
I would recommend some elaboration on the certificates part in the SMU reference guide e.g.:
- Clear description on formats that need to be uploaded to the MSA (for example PKCS #12 or #7)
  This includes the fact that an unencrypted key file needs to be uploaded.
- Though indeed procedures are very dependent on tools used, some examples might be helpful for the most used tools?
- Indeed clear up the documentation on the upload to 2 controllers
- Describe some certificate verification procedures (e.g. SMU: System -> Show certificates, CLI: show certificate)
Current documentation on CA signed certificates is a little over half a page in a 200 page document, that's what I meant by lacking. It just describes the absolute minimum needed for certificates and keys upload and the rest is up to some guess work (or Googling).
Thanks a bunch for the notification about the SFTP port. Tried SFTP on the 'regular' SSH port in the beginning, which explains my failure to upload.
Regards,
Martien
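One way to prepare and check the per-controller key and certificate discussed in this thread before uploading them, using OpenSSL 1.1.1 or later. This is an added example, not part of the posts above and not HPE's documented procedure; the host names are constructed placeholders and the self-signing step only stands in for your CA so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example: host names are constructed placeholders.
set -eu

# Create an unencrypted private key and a CSR for one controller.
#   $1 = output file prefix, $2 = controller FQDN (used as CN and SAN)
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
    chmod 600 "$1.key"
}

# Stand-in for the CA so the example runs offline: self-sign the CSR.
# In practice the CSR goes to your CA and the signed certificate comes back.
sign_for_demo() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
        -out "$1.crt" 2>/dev/null
}

# True only if the PEM key exists and has no encryption header
# (PKCS #8 "ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED").
key_is_unencrypted() {
    [ -r "$1" ] && ! grep -qE '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$1"
}

# True only if the certificate carries the public key of this key file.
#   $1 = certificate, $2 = private key
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Gate for one controller: $1 = prefix, expects $1.key and $1.crt.
ready_for_upload() {
    key_is_unencrypted "$1.key" && cert_matches_key "$1.crt" "$1.key"
}

work=$(mktemp -d)
for c in a b; do
    make_key_and_csr "$work/msa-$c" "msa-$c.example.internal"
    sign_for_demo "$work/msa-$c"
    ready_for_upload "$work/msa-$c" && echo "controller $c: ready for upload"
done
# A certificate issued for controller B must not be paired with A's key.
cert_matches_key "$work/msa-b.crt" "$work/msa-a.key" || echo "B cert / A key: mismatch"
```

The upload itself is left out because the thread does not give the transfer commands; per the answer above it is done once per controller, over the SFTP port reported by show protocols.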
© Copyright 2022 Hewlett Packard Enterprise Development LP