Month: January 2020


SANnav SSL Certificate

By default, SANnav Management Portal uses a self-signed certificate, which in most cases is considered a vulnerability. It is therefore highly recommended to replace it with a CA-signed certificate. The SSL/TLS certificate ensures that the connection between clients and the server is secure.

The replacement is done in 2 steps. First, we will create a Certificate Signing Request, which will be signed by our Certificate Authority. Then the signed certificate will be imported into SANnav. In addition, you will also need to import the root and intermediate certificates.

Make sure to read the SANnav Management Portal guide for detailed information.

Creating SANnav Certificate Signing Request

  1. Log in to your SANnav server (RedHat/CentOS)
  2. Create a new directory under /root/, for example /root/certificates/
    cd /root
    mkdir certificates
    cd /root/certificates
  3. To start, we will create the certificate signing request (.csr)
    openssl req -newkey rsa:2048 -nodes -keyout sannav.key -out sannav.csr
  4. Enter the certificate information for your host and your company
  5. Have the SANnav request (sannav.csr) signed by your Certificate Authority

At this point you should have received the signed certificate, together with the accompanying root and intermediate certificates.

Replacing the self-signed certificate

  1. Copy your signed certificate, together with the company’s root and the intermediate certificate to /root/certificates/
  2. First, we will need to merge the root and the intermediate certificate into one file. Use the following command:
    cat intermediate_certificate.crt root_certificate.crt > bundleCertificate.pem
  3. Launch the script found under /<sannav-installation-directory>/bin/
  4. Complete the certificate file paths as requested by the wizard:
    – Enter the path for the ssl certificate including file name: /root/certificates/sannav.cer
    – Enter the path for the ssl key including file name: /root/certificates/sannav.key
    – If you have root and intermediate CA certificates, please chain them into a single certificate file and provide the path to the file. Press enter to skip this step. /root/certificates/bundleCertificate.pem
  5. Run the script found under /<sannav-installation-directory>/bin/ to restart SANnav
  6. Restart your browser and your SANnav Management Portal will show a valid certificate.
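
Before launching the replacement script, it is worth checking that the three files the wizard asks for belong together. The following is an added example, not part of the original article or of SANnav: it confirms that sannav.key is the private key for sannav.cer and that the certificate verifies against bundleCertificate.pem. The function names and the throwaway demo PKI are assumptions made for illustration.

```shell
# Pre-flight checks for the files the SANnav certificate wizard asks for.

# check_key_matches CERT KEY: succeed only if KEY is the private key for CERT.
check_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# check_chain CERT BUNDLE: succeed only if CERT verifies against the merged
# intermediate + root file (bundleCertificate.pem in the steps above).
check_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed throwaway root, intermediate and server
# certificate so the checks can be run offline. These are not real SANnav files.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root_certificate.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -days 1 -extfile "$d/ca.ext" \
        -CA "$d/root_certificate.crt" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/intermediate_certificate.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sannav.example.test" \
        -keyout "$d/sannav.key" -out "$d/sannav.csr" 2>/dev/null
    openssl x509 -req -in "$d/sannav.csr" -days 1 \
        -CA "$d/intermediate_certificate.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/sannav.cer" 2>/dev/null
    cat "$d/intermediate_certificate.crt" "$d/root_certificate.crt" \
        > "$d/bundleCertificate.pem"
}

demo=$(mktemp -d)
make_demo_pki "$demo"
check_key_matches "$demo/sannav.cer" "$demo/sannav.key" && echo "key matches certificate"
check_chain "$demo/sannav.cer" "$demo/bundleCertificate.pem" && echo "chain verifies"
rm -rf "$demo"
```

On the SANnav server, call the two check functions with the real paths under /root/certificates/ instead of the demo directory.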

Read here related articles about SANnav Management Portal
Preparing RHEL / CentOS Server for SANnav
Installing SANnav Management Portal 2.0

Any suggestion or question? Leave a reply below, or feel free to contact us.
Make sure to subscribe to our mailinglist to get the latest. No spam. Promised!

Primera Web GUI

In this article we will focus on integrating HPE Primera into Active Directory. Instead of logging into the array using local users, we can configure the Primera (or StoreServ) array to use LDAP authentication. Primera supports several LDAP directory types, such as Microsoft Active Directory, OpenLDAP or Red Hat Directory Server.

There are 3 methods that allow us to configure our array to use external (LDAP or AD) authentication.
To begin with, we will create the security groups in Active Directory. If you’re not familiar with AD, here is a good read for you: Active Directory Security Groups.

In my case, I have created the following security groups:

  • HPE Primera Admin: AD Group which has full admin rights (super)
  • HPE Primera Browse: AD Group which has only read access (browse)

Feel free to be more creative with group names 😉

Configuring Primera LDAP / AD authentication using Web GUI

  1. Navigate to your Primera UI portal and log in with your admin account
  2. Click on Settings then select LDAP configuration
  3. On the right pane, click on + Create
  4. Select Microsoft Active Directory as LDAP Type
  5. Accounts DN: This is the directory where your AD users reside, e.g. OU=Users,DC=STORCOM,DC=COM
  6. Under Binding, select GSSAPI
  7. Enter Kerberos Realm, e.g. STORCOM.COM
  8. Under Connection Details, enter the IP Address of my LDAP server.
  9. Enter LDAP Server name. It’s the FQDN of my AD Server, e.g. SERVER01.STORCOM.COM
  10. Finally, under Authorizations you can associate your AD Groups with Primera roles.
  11. Click on Add Authorizations, and select super-map under Authorization Group
  12. The group distinguished name is the group where the admin members will be placed in. In my case it is: CN=HPE Primera Admin,OU=FunctionalGroups,DC=STORCOM,DC=COM

Integrating Active Directory authentication using Primera CLI

In the next steps we are going to configure the same settings using the Primera CLI, so it is important to have an understanding of the CLI. A great reference is the HPE Primera OS 4.0 Command Line Interface Reference Guide.

setauthparam -f ldap-type MSAD
setauthparam -f accounts-dn "OU=Users,DC=STORCOM,DC=COM"
setauthparam -f binding sasl
setauthparam -f sasl-mechanism GSSAPI
setauthparam -f kerberos-realm STORCOM.COM
setauthparam -f kerberos-server
setauthparam -f ldap-server
setauthparam -f ldap-server-hn SERVER01.STORCOM.COM
setauthparam -f ldap-port 389
setauthparam -f super-map "CN=HPE Primera Admin,OU=FunctionalGroups,DC=STORCOM,DC=COM"

To remove the whole authentication config, use setauthparam -f -clearall
Additionally, to only remove a specific parameter, use setauthparam -f -clear <parameter name> for example:

setauthparam -f -clear ldap-port

Configuring Primera LDAP using SSMC

The third method to configure Primera or StoreServ to use LDAP is the StoreServ Management Console (SSMC).

  1. Navigate to SSMC and log in with your admin account.
  2. Under Security, select LDAP
  3. Click on + Create LDAP configuration
  4. Select the system and follow the steps above. They are the same steps as for configuring LDAP using the Primera Web GUI.

See other articles about HPE Primera: Implementing CA Certificates on HPE Primera UI.


Primera Web GUI

HPE has released its latest storage array Primera. As announced, it is a storage solution that is ready-to-use in 10 minutes. In this article, we will go through the steps on how to implement the enterprise signed certificates on the Primera UI. Primera (and 3Par StoreServ) uses the unified-server service to establish and maintain communication. It uses the same certificate for CIM, CLI and WSAPI services.

Read the HPE Primera OS 4.0 Command Line Interface Reference Guide for the detailed information about Primera OS.

Certificate Signing Request for Primera UI

We will start by creating a certificate signing request, which will then be signed by our Certificate Authority.

  1. Open Command Prompt and navigate to the CLI directory. It should be under C:\Program Files (x86)\Hewlett-Packard\HP 3PAR CLI\bin
  2. Launch CLI.exe and log in to your Primera / 3PAR array.
  3. In this case, I start by removing all existing certificates on the array. Type showcert to show the available certificates
  4. Stop WSAPI service: stopwsapi
  5. Use the following command to remove all certificates. Repeat it until all certificate records have disappeared
    removecert unified-server
  6. Next, use the following command to create your certificate signing request file:
    createcert unified-server -csr -keysize 2048 -C BE -ST Belgium -L Brussels -O "STORCOM" -OU "IT" -CN -SAN DNS:primera,IP: primera.txt

    The file will be saved in the same directory where CLI.exe resides.

  7. Finally, copy the text file primera.txt and have it signed by your Certificate Authority.

Importing CA certificates

In addition to the Primera UI certificate, your Certificate Authority will also provide you with the root and the intermediate certificate. You will need them so that your array recognizes a valid chain. Place all your certificate files into the CLI.exe directory.

  1. If your signed certificate is in any format other than .pem, use OpenSSL to convert it to the .pem file format.
    openssl.exe x509 -in c:\temp\ -out c:\temp\primera.pem
  2. First, import the root certificate of the company
    importcert unified-server -ca RootCA_B64.pem
  3. In addition, if you have received an intermediate certificate file, import it using the same command
    importcert unified-server -ca IssuingCA.pem
  4. Finally, import the array’s certificate
    importcert unified-server primera.pem
  5. Now if you run the showcert command, you will see the new certificates listed.
  6. Start the WSAPI service and you’re good to go.

Primera / Storeserv array certificates on SSMC

When your array’s certificates are changed, a new connection needs to be established on SSMC. If you navigate to your SSMC and try to accept the Primera UI certificate, it might not succeed if your enterprise certificates (root and intermediate) are not imported.

  1. Log in to your SSMC GUI as Administrator (ssmcadmin)
  2. If you have already imported your root and intermediate certificates, you will see the message “Acceptance certificate needed”.
  3. Accept the array’s certificate and you’re good to go.
  4. If your CA certificates are not imported, click on Actions and select Manage Certificates
  5. Click on Add certificate and paste the plain text of your root certificate into this field. The certificate text should start with BEGIN CERTIFICATE and end with END CERTIFICATE. Validate and click OK to continue.
  6. Click on Add certificate and paste the plain text of your intermediate certificate into this field. The certificate text should start with BEGIN CERTIFICATE and end with END CERTIFICATE. Validate and click OK to continue.
  7. Now when you go back to the overview of arrays, accepting the array’s certificate will no longer be a problem.

If you are using a version of SSMC older than 3.6, you can easily upgrade it by following the steps explained in Upgrading StoreServ Management Console to 3.6.
