This is the web based version of the classic 3PAR Management Console application (if you don't use it already, you might know that the old versiont is discontinued).
Today I will show you how to change the default certificates from 3PAR SSMC in a windows platform. You can use external or internal certificates from your Certificate Authority.
Today I will show you how to change the default certificates from 3PAR SSMC in a windows platform. You can use external or internal certificates from your Certificate Authority.
All the tools you need to complete this task are pretty well already on the server where you installed the SSMC software.
I think from another post I read that when you upgrade the SSMC version this will overwrite the certificate and you will have to do this again, i have not tested this yet.
Let's see how to do it!
Make sure all the keytool commands are run from here:
C:\Program Files\Hewlett Packard Enterprise\SSMC\ssmcbase\etc
The main steps are:
- If you are running SSMC from a VM snapshot it before change anything;
- Rename keystore to keystore.bck (this gives you a fast rollback if anyhting goes wrong);
- If you are using external certificates, please jump to step 8, if not, please continue generating the internal certificate request;
- Create new Keystore:
- Type the following command and substitute in the required details of IP, FQDN, Org Unit, Organisation, Location, State and Country;
- "C:\Program Files\Hewlett Packard Enterprise\SSMC\jre\bin\keytool” -genkeypair -keystore keystore -alias jetty -dname "CN=FQDN, OU=X, O=X, L=X, ST=X, C=X" -keyalg RSA -ext SAN=dns:fqdn,ip:x.x.x.x,dns=singlename
- Please note the password that you used;
- Create the CSR (Certificate Request):
- "C:\Program Files\Hewlett Packard Enterprise\SSMC\jre\bin\keytool" -certreq -keystore keystore -alias jetty -ext SAN=dns:fqdn,ip:x.x.x.x,dns=singlename -file request.txt
- In you internal CA create your certificate like this:
- Go to your CA https://servername/certsrv
- Request a new certificate
- Submit the certificate request
- Past all the ciontent from the request.txt file, use a certificate template from WebServer or other custom template:
- This is the tricky part. You must download/export the certificate with Base 64 Encoded and will all the chains. This file will be *.P7B
- Don't forget to export the RootCA certificate too (you can do this of the first page of the CA website)
8. Import the certificates into the keystore file in the following order:
- RootCA, Intermediate CA then the final Certificate (if you don’t have a intermediate CA don’t run that one);
- If you are using external certificates, be aware that you might need to export or create new files from the original certificates like PEM or PFX. Use openssl tool, you can download it from here.
- "C:\Program Files\Hewlett Packard Enterprise\SSMC\jre\bin\keytool" -import -alias root -keystore keystore -trustcacerts -file root.cer
- "C:\Program Files\Hewlett Packard Enterprise\SSMC\jre\bin\keytool" -import -keystore keystore -trustcacerts -file intca.cer
- "C:\Program Files\Hewlett Packard Enterprise\SSMC\jre\bin\keytool" -import -alias jetty -keystore keystore -trustcacerts -file newcert.p7b
- At this point the keystore file will have all the certificates that we need
- You will have something like this:
9. Create the obfuscated password so we can link the keystore with the SSMC website
- Run the following commands from here:C:\Program Files\Hewlett Packard Enterprise\SSMC\jetty\lib
- "C:\Program Files\Hewlett Packard Enterprise\SSMC\jre\bin\java.exe" -cp jetty-util-9.4.6.v20170531.jar org.eclipse.jetty.util.security.Password YOURPASSWORD
- The password is the password you entered when creating the keystore.
- This will give you an OBF:XXXXXXXXXXXXXXXXXXXX password, copy this including the OBF.
10. From C:\Program Files\Hewlett Packard Enterprise\SSMC\ssmcbase\etc
- Copy and Rename the jetty-ssl-context.xml to jetty-ssl-context.xml.bck
- This gives you another recover point should something break;
- Edit jetty-ssl-context.xml entering the obfuscated password into the KEYSTOREPASSWORD and KEYMANAGERPASSWORD. Don’t change the TRUSTSTOREPASSWORD
11. Restart HPE SSMC service and wait a few minutes
- Your new certifcate should be installed, if it does not or the services does not start you can rollback the configurations and try to find the errors you made.
- Assuming all has gone to plan you shouldn’t get any certificate alerts.
There are other ways to create the SSMC keystore file, like using the Portecle (see the official site in http://portecle.sourceforge.net/) but I won't list the details here.
If you have any questions, please let me know.
No comments:
Post a Comment