Category: Learning


3PAR Service Processor 5.x

In our previous post we went through the process of installing SSL certificates on 3PAR Service Processor version 4.4.x. In this article we tackle the same task on the newer Service Processor 5.x, where the procedure is slightly different. In short, we will create a certificate request, have it signed by our Certificate Authority, combine the signed certificate with the root certificate (and, where there is one, the issuing authority’s certificate) and install it on the Service Processor.

A user guide of HPE 3PAR Service Processor 5.x can be found here. At the time of writing I’m using Service Processor version 5.0.9.2-29072.

Creating a Certificate Signing Request (.CSR)

  1. Navigate to your Service Processor web application and log in with your admin account.
  2. Go to 3PAR Service Console and click on Settings
  3. Next to Application click on Edit
  4. Click on Certificate Signing Request
    SP Certificate Signing Request
  5. Fill in the required information about your Service Processor appliance
    SP Certificate Signing Request information
  6. Make sure to add extra SANs (Subject Alternative Names) so that your browser doesn’t flag the certificate as invalid. In my case I added the following:
    dns=STORCOMSP,dns=STORCOMSP.COM,ip=10.13.12.20
  7. Scroll down and click on Generate
  8. Copy the generated text, save it in a file and have it signed by your Certificate Authority. I usually save this kind of file as storcomsp_certrequest.csr
    SP Certificate Signing Request content

Importing Service Processor SSL Certificates

  1. Once your certificate request is signed, you will receive it back as a .cer file.
  2. The next step is to build a combined certificate that contains the whole certificate chain. This assumes you already have the Root and the Intermediate (if available) certificates.
  3. Open the signed SP certificate with a text editor and append the content of the Intermediate and the Root certificates to it.
  4. Your combined certificate file will look like this:
    -----BEGIN CERTIFICATE-----
    <SP Signed certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <CA Intermediate certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <CA Root certificate>
    -----END CERTIFICATE-----
  5. Save the .cer file.
  6. Go back to Service Processor Console, click on Settings > Application and hit Edit.
  7. Click on Import Certificate to start importing the CA signed file.
    SP SSL Certificate import
  8. Copy the content of the combined .cer file (remember you saved it in step 5.)
  9. Paste the copied text to the Import window and hit Import.
  10. Click OK to start rebooting the Service Processor.

After completing these steps your 3PAR service processor will reboot. It might take a couple of minutes before your console will be available. If everything went well your new certificate will be effective.
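A check for the combined file from step 4, run on the workstation before pasting it into the Import window. This is an added example, not part of the original procedure; it compares issuer and subject names only (no signature validation), and the function names and the constructed sample certificates are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Sample certificates are constructed.

# dn_of subject|issuer FILE: print that DN of a PEM certificate.
dn_of() {
  dn=$(openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 2>/dev/null) || return 1
  printf '%s\n' "${dn#*=}"
}

# check_chain_order BUNDLE: succeed only if every certificate is issued by the
# one pasted after it and the last certificate (the root) is self-issued.
check_chain_order() (
  tmp=$(mktemp -d) || exit 2
  # Split into cert1.pem, cert2.pem, ... and report how many blocks were found.
  count=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
      n { print > (d "/cert" n ".pem") }
      END { print n + 0 }' "$1")
  rc=0; i=1
  [ "$count" -ge 2 ] || rc=1           # at least the SP certificate and a root
  while [ "$rc" -eq 0 ] && [ "$i" -le "$count" ]; do
    next=$(( i < count ? i + 1 : i ))  # the last certificate must issue itself
    iss=$(dn_of issuer "$tmp/cert$i.pem") && [ -n "$iss" ] &&
      [ "$iss" = "$(dn_of subject "$tmp/cert$next.pem")" ] || rc=1
    i=$((i + 1))
  done
  rm -rf "$tmp"
  exit "$rc"
)

# make_sample_bundles DIR: build a constructed root, issuing CA and SP
# certificate, then write good.cer (order from step 4) and bad.cer (root first).
make_sample_bundles() (
  cd "$1" || exit 2
  req() { openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }
  sign() { openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" -days 1 -out "$1.pem" 2>/dev/null; }
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Constructed Root CA" -days 1 2>/dev/null || exit 2
  req int "Constructed Issuing CA" && sign int root 2 || exit 2
  req sp "STORCOMSP.COM" && sign sp int 3 || exit 2
  cat sp.pem int.pem root.pem > good.cer
  cat root.pem int.pem sp.pem > bad.cer
)

# Usage: sh check_chain.sh combined.cer
if [ -n "${1:-}" ]; then
  if check_chain_order "$1"; then echo "chain order OK"; else echo "chain order WRONG"; fi
fi
```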


CommVault

This article covers the implementation of CommVault archiving for the O365 Exchange Online environment. As is generally known, more and more companies are moving their applications to the cloud, including SharePoint and Exchange.

In a traditional (on-prem) Exchange environment, CommVault software is used to perform backups of Exchange databases (DAGs). A database can contain up to a hundred or a thousand mailboxes. The downside of this approach is that restoring a single mailbox requires restoring the whole database.

Unlike Exchange backups on-prem, archiving of Exchange Online mailboxes is done in a more granular way. In short, each mailbox / e-mail content is archived using CommVault access nodes. Hence, restores are also more granular, meaning you can restore a single mail or mailbox.

Exchange Online Requirements

At the time of writing, I’m using CommVault version 11 Service Pack 24. The CommVault documentation page provides an extended explanation of prerequisites and best practices; this article highlights the most important ones. I’ll be covering every step using CommCell Console, but there is also Command Center, which has most of the tasks automated.

Basically, what you’ll need to set up the environment is the following:

  1. A CommServe environment (assuming you already have one, as you landed on this page)
  2. Media Agent(s)
  3. Access Node(s) or proxy servers that establish the connection with the O365/Exchange Online APIs
  4. An Index Server – preferably on separate VM
  5. A Storage Policy for your Exchange Online archives

In short, the flow between your backup target location and the O365 APIs is as follows:

O365 (Cloud) APIs > CV Access Nodes > (optionally Media Agents) > Storage Library

Service Accounts and Application IDs

In order to connect, discover and perform archive operations of Exchange Online we need to have some administrative & privileged accounts.

  • Local service account: This is a local admin account used on the access nodes
  • Exchange Online Service account: This is an Exchange Online (O365) global admin account and is used to discover mailboxes from the tenant
  • Application IDs: These are used to perform archive operations in Modern Authentication mode. When using Command Center, you can register application IDs automatically by using the custom toolkit, or you can register them manually by following Registering Exchange Online with Azure.

Ports

Assuming your O365 environment is hosted in Microsoft’s public (All Regions) hosting, you’ll need to have the following ports and URLs allowed on any proxy/firewall devices in between:

Protocol: https

Ports: 80, 443

URLs:

  • https://www.office.com/
  • https://outlook.office365.com/Powershell-LiveID
  • https://outlook.office365.com/EWS/Exchange.asmx
  • https://login.microsoftonline.com/
  • https://graph.microsoft.com/

CommVault Online Access Nodes

An Access or Proxy node is the edge server used to establish the connection with the O365 APIs and perform the archiving jobs. Depending on your needs, you can always start off with a single access node, then scale out to more nodes. Below are the recommendations for an Access Node in a setup using Content Indexing.

| Environment | Medium | Large |
|---|---|---|
| Mailboxes | 5,000 | 10,000 |
| Messages per day | 500,000 | 1 million |
| Guidelines | | |
| Access nodes | Normal availability: 1; High availability: 2 or more | Normal availability: 1; High availability: 2 or more |
| CPU or vCPU for the access nodes | 8 cores | 16 cores |
| RAM for the access nodes | 16 GB | 32 GB |
| Streams per access node | 10 | 20 |
| Azure apps | 5 | 10 |

Table: Content Indexing on Access Nodes

CommVault Index Server

An index server is used to store metadata, perform content indexing and search mailboxes for messages when a restore is requested. You can install the indexing feature on an access node, but it is highly recommended that you create the index cache on a separate server.

| Environment | Small | Medium | Large |
|---|---|---|---|
| Application | 5 TB | 15 TB | 25 TB |
| Mailboxes | 400 | 2,000 | 5,000 |
| Objects per node (estimated) | 50 million | 150 million | 250 million |
| Guidelines | | | |
| CPU or vCPU | 8 cores | 16 cores | 16 cores |
| RAM | 16 GB | 32 GB | 64 GB |
| Index disk | 2 TB | 6 TB | 10 TB |
| Index disk IOPS | Minimum: 800 | Minimum: 1,600 | Minimum: 2,400 |

Table: Index Server using Content Indexing

Archiving Policy

  • In CommCell console go to Policies > Configuration Policies > Exchange Policies
  • Right click on it and select New Archiving Policy
  • Fill in the name and the desired information and finish by clicking OK.

CommVault Exchange Online software installation

Make sure to download the latest CommVault software before starting with the installation and configuration of Exchange Online nodes.

Access Node

The setup on the access node is an easy and straightforward installation. The only thing that you need to pay attention to is the selection of CommVault roles. When prompted, select Office365 as seen in the figure below.

O365 Role CommVault software installation

Index Server

The installation of the Index Server is pretty much the same as the access node, however, there are some things to pay attention to when installing it. Make sure to create an extra disk on the server of 2 TB.

  • When prompted to choose between Create a new CommCell, Join an existing CommCell or Advanced selection, select the last option, Advanced selection.
  • Under Window Packages, tick the following features: Index Store, Index Gateway and Content Extractor.
  • The Installation path can be left as default.
  • Index Cache path: select the extra disk you created previously, in my case the path becomes: E:\Program Files\CommVault\ContentStore\IndexCache.

Creating and configuring Exchange Online client

Before we create the Exchange Online Client, we need to have the Indexing Server ready.

Creating Index Server

In CommCell Console, expand Client Computer Groups, right click on Index Server group and select New Index Server. Under General tab, give the index a name, e.g.: O365-ExchangeOnline
– Check Enable Cloud and enter Index Directory, e.g.: D:\Index\
– Uncheck Enable Cloud

Under Roles tab select Exchange Index and click on Include >
Finally, under Nodes tab, click on Add and add the server name of the Index Server.

Creating Exchange Online client

  • In CommCell Console, right click on Client Computers and select New Client
  • Under Application, click on Exchange Mailbox and select User Mailbox.

The wizard consists of different settings, which can be defined according to your needs.

General tab

  • Fill in the client name, e.g.: STORCOM_EXO
  • Storage Policy: An earlier defined storage policy. See CommVault documentation on how to create one.
  • Index Server: The name of the Index Server you created previously
  • Job Results Directory: This is a shared network path. I usually create a shared folder on the first access node, for example: \\STORCOMSRV01\JobResults\

Access Nodes

  • Click on Add to add one or more access nodes

Environment Type

  • I assume you have an O365 environment which is independent of your on-prem environment. In this case select Exchange Online (Access through On-premises Active Directory); in other cases use Exchange Hybrid (or Exchange On-Premises)
  • Select Use Modern Authentication

When using Modern Authentication, the Application IDs that you create are used to perform archive operations.

Azure App Details

  • Leave Cloud Region as Default (Global Service)
  • Click on Add and start adding the Application IDs that you created previously.

Service Account Settings

At this step you need at least two service accounts. One is a local admin account on your access nodes, and the second one is an Exchange global admin account in Azure.

  • Click on Add and start adding your service accounts

Other tabs (Other/Advanced, AD Server, Security, Activity Control) are optional and to be used in specific environments.

Discovering Exchange Online mailboxes and running the first Archiving job

Once you have completed the above steps, we are one step closer to starting the first archiving job. In order to launch the backup (archiving job), we first need to tell CommVault what mailboxes to archive.

Discovering mailboxes

  • Go to the Exchange client (named: O365-ExchangeOnline) we created previously
  • Expand Exchange Mailbox, and User Mailbox and select the subclient, named by default usermailbox
  • On the bottom click on Mailboxes
  • Right click on the page and select New Association > User
  • Click Configure and then Discover
    At this point the discovery of mailboxes will start running in the background. In my case it took 10 to 15 minutes for the discovery process to finish.
  • Repeat same steps after 10 to 15 minutes until the mailboxes are discovered.
  • Once done, select them all, uncheck Perform discover operation in cached mode and click OK
  • Finally under Policies tab, select the archiving policy we created previously and we are done.

First archiving job

After a successful completion of the above steps, we are ready to start the first archiving job.

  • In CommCell Console click on the Exchange Online client, under User Mailbox select the subclient
  • Right click on the subclient usermailbox and click on Archive
  • The first archiving operation will always be a full
  • Finally click on OK to start the job.


HPE SSMC Custom Certificates

12/12/2020 | Learning | No Comments

StoreServ Management Console

When SSMC is installed, it comes by default with a self-signed browser certificate. A self-signed certificate is not only insecure, most browsers also show a warning when it is used. It is important to understand that there are 3 types of certificates which can be used on the SSMC appliances:

  • A browser SSL certificate
  • An array certificate and
  • 2FA certificate

In this article we will cover the steps to replace a self-signed certificate by a custom CA-signed SSL certificate. It is also highly recommended to perform a backup or take a snapshot/checkpoint of your StoreServ Management Console (SSMC) appliance before making any changes.

Creating the Keystore and the Certificate Signing Request

  1. Log in to your SSMC appliance as ssmcadmin and hit Esc-key to exit the TUI menu.
  2. First rename the keystore file where the certificate keys are stored. The file is found under /opt/hpe/ssmc/ssmcbase/etc
    mv keystore keystore.orig
  3. Then use the keytool to create a new public and private key pair in a new keystore file. Keytool is found under: /opt/hpe/ssmc/ssmcbase/fips/jre/bin/
    keytool -genkeypair -keystore keystore -alias jetty -keyalg RSA

    At the prompt, set a keystore password and make sure to write it down ;).

  4. Next, enter the certificate information gathered as part of the prerequisites. Make sure to complete it correctly. The output looks similar to the following:
    CN=<FQDN.com>, OU=<unit_name>, O=<company_name>, L=<city>, ST=<state>, C=<country>
    Verify that the information was entered correctly. Enter Yes to continue or No to edit the information provided.
  5. At the prompt, enter a new password for the keystore, or press Enter to use the existing keystore password.
  6. Generate a certificate signing request (CSR):
    keytool -certreq -keystore keystore -alias jetty -file <certificate.request.txt>
  7. Copy the file or the content of the file and have the CSR signed by your company Certificate Authority.

Installing the new SSMC Custom Certificate

  1. Copy the CA-signed SSL certificate to /opt/hpe/ssmc/ssmcbase/etc
  2. Examine the certificates to verify that the keytool utility can read them. This ensures that they have the correct format (PEM) before adding them to the keystore.
    /opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -printcert -v -file <filename>
  3. Import the CA root certificate, the intermediate certificate (if one exists), and the CA-signed machine certificate into the keystore. Add all certificates to the same keystore in this order:
    1) The CA root certificate (alias is root and not jetty):

    /opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias root -keystore keystore -trustcacerts -file <RootCA.cer>

    2) Any intermediate certificates (same preceding command but without -alias):

    /opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -keystore keystore -trustcacerts -file <IntermediateCA.cer>

    3) The CA signed certificate (alias is jetty):

    /opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias jetty -keystore keystore -trustcacerts -file <SignedByCA.cer>
  4. Update the jetty-ssl-context.xml file in /opt/hpe/ssmc/ssmcbase/etc/ with the passwords used by the new keystore
    – If you have changed the default password for the keystore, update the KeyStorePassword entry to reflect the new password (indicated as KeyStorePassword).
    – If you have changed the password for the private key inside the keystore, update the KeyManagerPassword entry to reflect the new password (indicated as KeyManagerPassword).
  5. To obfuscate the password use the following command:
    /opt/hpe/ssmc/jre/bin/java -cp /opt/hpe/ssmc/jetty/lib/jetty-util-9.4.6.v20170531.jar org.eclipse.jetty.util.security.Password <password>
  6. At this point you have completed the replacement of the SSL certificate. All you need to do is restart the SSMC appliance so that it picks up the custom SSMC certificate.
  7. Call the TUI (user interface) by entering config_appliance
  8. Option 2 will reboot the SSMC appliance.
  9. Finally, navigate to your SSMC portal and the browser should reflect the new (CA-Signed) SSL Certificate.
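A pre-import check for the CA reply, covering the PEM requirement from step 2 of the install and the failure case where the returned certificate does not belong to the key pair behind the CSR. This is an added example, not HPE's procedure; it uses openssl on a workstation, and the function names, return codes and constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not HPE's procedure. Sample files are constructed.

# spki_hash req|x509 FILE: SHA-256 of the public key in a CSR or certificate.
spki_hash() {
  openssl "$1" -in "$2" -noout -pubkey 2>/dev/null |
    openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# preflight_reply CSR CERT: 0 = ready to import under alias jetty,
# 1 = not a readable PEM certificate (for example a DER-encoded .cer),
# 2 = public key differs from the one in the CSR, 3 = already expired.
preflight_reply() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$2" || return 1
  openssl x509 -in "$2" -noout 2>/dev/null || return 1
  [ "$(spki_hash req "$1")" = "$(spki_hash x509 "$2")" ] || return 2
  openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || return 3
  return 0
}

# make_sample_reply DIR: constructed stand-ins for the keytool CSR and the CA
# reply. openssl plays both roles here; on the appliance the CSR comes from
# "keytool -certreq" and the certificate from your CA.
make_sample_reply() (
  cd "$1" || exit 2
  openssl req -newkey rsa:2048 -nodes -keyout jetty.key -out jetty.csr \
    -subj "/CN=ssmc.example.com" 2>/dev/null || exit 2
  openssl x509 -req -in jetty.csr -signkey jetty.key -days 1 \
    -out signed.cer 2>/dev/null || exit 2
  # Same certificate in DER form, as some CAs export .cer files.
  openssl x509 -in signed.cer -outform DER -out signed-der.cer || exit 2
  # A certificate for the same name but a different key pair.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.cer \
    -subj "/CN=ssmc.example.com" -days 1 2>/dev/null || exit 2
)

# Usage: sh preflight.sh <certificate.request.txt> <SignedByCA.cer>
if [ -n "${2:-}" ]; then
  preflight_reply "$1" "$2"; echo "preflight result: $?"
fi
```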

 
