MSA's and CA signed certificates
05-20-2021 08:57 AM
Hi all,
I'm not sure if anyone from MSA product management or development is reading these forums, but I've got some issues with MSA's (2050's) and CA signed certificates.
To name a few:
- HPE documentation is SEVERELY lacking on this subject. It's hardly discussed in the documentation.
  I'm aware of the Belgian Storcom website which describes the procedure: Installing SSL Certificates on HPE MSA array - STORCOM Belgium
- The MSA cannot create a CSR (Certificate Signing Request) by itself.
  This means externally generated private keys etc. are needed and quite some procedures to convert/strip/generate keys and certificates the right way so upload to the MSA is possible
- Once uploaded the generated certificate is ONLY active on the controller you FTP'd the certificate to.
  Guess upload to the B controller is also needed???
- The need for FTP sucks in a highly secure environment (like ours) and should not be necessary for this.
  We need to disable LDAPS verification temporarily to enable FTP (they're mutually exclusive).
  There's no way I've found to upload keys and certificates via SCP or SFTP.
Can somebody point me to some better HPE documentation about this? Or does somebody know anyone from MSA product management?
I would love to see some MSA enhancements in this area !!!
Martien
05-20-2021 01:58 PM
Solution
Hi Martien,
To answer your question, yes, you do need to upload a certificate and private key for each controller.
You should be able to upload a certificate and private key using SFTP, using the same commands that you use for FTP. Make sure you specify the SFTP port when accessing the array; you can see which port is used for SFTP with the command show protocols.
What would you recommend for documentation on this? How you generate and sign certificates, and how you extract the private key depends on the tools and signing service you use in your environment, and so you'd need instructions particular to those tools and services. I agree we need to document that each controller has its own certificate and private key, which must be uploaded using SFTP / FTP to each controller - you can't upload the certificate for controller B via an SFTP session to controller A.
Regards,
John
05-20-2021 11:43 PM
Re: MSA's and CA signed certificates
Thanks John,
Completely read over the documented SFTP port part in the SMU reference guide. Did not notice the port mentioned.
I would recommend some elaboration on the certificates part in the SMU reference guide e.g.:
- Clear description on formats that need to be uploaded to the MSA (for example PKCS #12 or #7)
  This includes the fact that an unencrypted key file needs to be uploaded.
- Though indeed procedures are very dependent on tools used, some examples might be helpful for the most used tools?
- Indeed clear up the documentation on the upload to 2 controllers
- Describe some certificate verification procedures (e.g. SMU: System -> Show certificates, CLI: show certificate)
Current documentation on CA signed certificates is a little over half a page in a 200 page document, that's what I meant by lacking. It just describes the absolute minimum needed for certificates and keys upload and the rest is up to some guess work (or Googling).
Thanks a bunch for the notification about the SFTP port. Tried SFTP on the 'regular' SSH port in the beginning, which explains my failure to upload.
Regards,
Martien
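An added example, not part of the thread or of HPE documentation, of the off-array steps the posts above describe: one unencrypted key and CSR per controller, then a check that the CA-signed certificate belongs to that key before it is uploaded to that controller. The hostnames, file names, RSA 2048 key size and 30-day expiry threshold are assumptions; the thread does not state the MSA's key-size limits or upload file names.

```shell
#!/bin/sh
# Added example. Hostnames, file names, RSA 2048 and the 30-day threshold are
# assumptions, not values from the thread. Needs OpenSSL 1.1.1+ for -addext.

# make_csr <fqdn> <outdir>: unencrypted key + CSR (with SAN) for ONE controller.
make_csr() {
    fqdn=$1; out=$2
    mkdir -p "$out" || return 1
    ( umask 077   # -nodes leaves the key unencrypted, so keep it owner-only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$out/$fqdn.key" -out "$out/$fqdn.csr" \
          -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" )
}

# pubkey_of key|cert <file>: print the PEM public key, or nothing on error.
pubkey_of() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout -passin pass: ;;  # never prompt
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# preflight <key> <cert>: succeed only if this pair is fit to upload to the
# controller it was issued for.
preflight() {
    key=$1; cert=$2
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: $key is passphrase-protected" >&2; return 1
    fi
    k=$(pubkey_of key "$key"); c=$(pubkey_of cert "$cert")
    if [ -z "$k" ] || [ "$k" != "$c" ]; then
        echo "FAIL: $cert was not issued for $key" >&2; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $cert expires within 30 days" >&2; return 1
    fi
    echo "OK: $cert matches $key"
}

# Usage: sh msa-cert.sh csr   msa-a.example.internal ./out
#        sh msa-cert.sh check ./out/msa-a.example.internal.key ./msa-a.pem
case ${1:-} in
    csr)   make_csr "$2" "$3" ;;
    check) preflight "$2" "$3" ;;
esac
```

Running the check once per controller catches the case where controller A's certificate is paired with controller B's key before anything is sent to the array.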
06-05-2023 03:23 AM - edited 06-05-2023 03:28 AM
Re: MSA's and CA signed certificates
As I have the same problem today...
Looking into the "HPE MSA 1060/2060/2062 CLI Reference Guide" (December 2022, Edition 4), I completely miss some sentences... ("sign request", "ssl key", "ssl certificate")
I would like to read:
- if the MSA is able to generate a CSR (or not).
- if I have to generate it by myself - no problem - I need the restrictions (e.g. key size, support for intermediate CAs)
  I do not need how keys and certificates are created... - Google helps for this...
- for an upload I need the format info - e.g. upload as chain in PEM format (linefeed with '\n' is ok?) with the order of the parts of the chain, how to upload the key (and the file names), the target directory and the protocol (e.g. SCP, SFTP)
This would help a lot.
Examples for the documentation (here CLI):
- Section "create certificate":
  add to the Description the uselessness of this function for CA based SSL certificates
  add a hint to the alternate certificate creation process (a short description)
- Section "Using a script to access the CLI":
  NOTE The API provides default self-signed certificates for an HTTPS connection. For the certificate to be validated, download it through a browser and then set the following environment variable to point to the certificate:
  the Note talks about a self-signed certificate - it could link to the alternative certificate (CA-Signed Certificate)
ok, my time is up.
Best regards,
Bernd
06-05-2023 04:18 AM - edited 06-05-2023 04:19 AM
Re: MSA's and CA signed certificates
Hi @BerndS
See below answers to your questions:
- if the MSA is able to generate an CSR (or not)
  no, you should create the .csr (request) and install the .cert by yourself
- if i have generate it by myself - no problem - i need the restrictions (e.g. key size, support for intermediate CAs)
  i do not need how keys and certificates are created... - google helps for this...
  already answered
- for an upload i need the format info - e.g. upload as chain in PEM Format (linefeed with '\n' is ok?) with the order of the parts of the chain, how to upload the key (and the file names), the target directory and the protocol (e.g. SCP, SFTP)
  you can use FTP to upload the certificate(s).
In the past, I've created an article that described this process step by step: INSTALLING SSL CERTIFICATES ON HPE MSA ARRAY
Hope this helps.
Cheers,
Dardan