Category: Storage


LDAP over SSL for Primera and 3PAR

LDAP authentication can be tricky when using unsecured ports. By default, Primera and 3PAR arrays use the unsecured LDAP port 389. In our previous article we talked about HPE Primera LDAP Active Directory Integration. This article will focus on configuring LDAP over SSL (port 636) for Primera and StoreServ (3PAR) arrays.

LDAP transactions, including sensitive data such as passwords, can be captured easily using Wireshark. In addition, Microsoft will soon (Q2/2020) cease to support unsigned LDAP implementations.

I assume you already have defined AD groups to map with user roles, and you have the root certificate in your possession.

  1. Log in to your Primera / 3PAR array using the CLI
  2. Additionally, remove any existing LDAP configuration
    setauthparam -f -clearall
  3. Next, we will configure LDAP over SSL for Primera and 3PAR OS.
    For detailed information about the usage, read HPE Primera OS 4.0 Command Line Interface Reference Guide.

    setauthparam -f ldap-type MSAD
    
    setauthparam -f ldap-server <192.168.80.10>
    
    setauthparam -f ldap-server-hn <LDAPSERVER.STORCOM.COM>
    
    setauthparam -f ldap-port 636
    
    setauthparam -f ldap-ssl 1
    
    setauthparam -f ldap-reqcert 1
  4. Copy the plain text of your company's root certificate and paste it into the CLI using the command below. The - sign makes the command prompt you to enter the text.
    Press Enter twice to complete.

    setauthparam -f ldap-ssl-cacert -
  5. Continue by configuring the following LDAP parameters. Bear in mind that GSSAPI SASL mechanism is not available with certificates. Instead, DIGEST-MD5 is used to authenticate against an Active Directory LDAPS.
    setauthparam -f binding sasl
    
    setauthparam -f sasl-mechanism DIGEST-MD5
    
    setauthparam -f kerberos-realm <STORCOM.COM>
    
    setauthparam -f accounts-dn "OU=Admin,DC=STORCOM,DC=COM"
    
    setauthparam -f account-obj user
    
    setauthparam -f account-name-attr sAMAccountName
    
    setauthparam -f memberof-attr memberOf
  6. Finally, map the AD groups with the user roles on Primera / 3PAR OS
    setauthparam -f super-map "CN=Storage Admin,OU=SecGroup,DC=STORCOM,DC=COM"
  7. To test LDAPS authentication, use the command checkpassword

    STORPRIM01 cli% checkpassword STORUSER 
    
    password:

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list.


In this article we will focus on integrating HPE Primera into Active Directory. Instead of logging into the array using local users, we can configure Primera (or StoreServ) array to use LDAP authentication. Furthermore, Primera supports several LDAP authentications, such as Microsoft Active Directory, OpenLDAP or Red Hat Directory Server.

There are 3 methods that allow us to configure our array to use external (LDAP or AD) authentication.
To begin with, we will start by creating the security groups in Active Directory. If you’re not familiar with AD, here is a good read for you Active Directory Security Groups.

In my case, I have created the following security groups:

  • HPE Primera Admin: AD Group which has full admin rights (super)
  • HPE Primera Browse: AD Group which has only read access (browse)

Feel free to be more creative with group names 😉

Configuring Primera LDAP / AD authentication using Web GUI

  1. Navigate to your Primera UI portal and log in with your admin account
  2. Click on Settings then select LDAP configuration
  3. On the right pane, click on + Create
  4. Select Microsoft Active Directory as LDAP Type
  5. Accounts DN: This is the directory where your AD users reside, e.g. OU=Users,DC=STORCOM,DC=COM
  6. Under Binding, select GSSAPI
  7. Enter Kerberos Realm, e.g. STORCOM.COM
  8. Under Connection Details, enter the IP Address of my LDAP server.
  9. Enter LDAP Server name. It’s the FQDN of my AD Server, e.g. SERVER01.STORCOM.COM
  10. Finally, under Authorizations you can associate your AD Groups with Primera roles.
  11. Click on Add Authorizations, and select super-map under Authorization Group
  12. The group distinguished name is the group where the admin members will be placed in. In my case it is: CN=HPE Primera Admin,OU=FunctionalGroups,DC=STORCOM,DC=COM

Integrating Active Directory authentication using Primera CLI

In the next steps we are going to configure the same using the Primera CLI, so a working understanding of the CLI is important. A great reference is the HPE Primera OS 4.0 Command Line Interface Reference Guide.

setauthparam -f ldap-type MSAD
setauthparam -f accounts-dn "OU=Users,DC=STORCOM,DC=COM"
setauthparam -f binding sasl
setauthparam -f sasl-mechanism GSSAPI
setauthparam -f kerberos-realm STORCOM.COM
setauthparam -f kerberos-server 192.168.1.10
setauthparam -f ldap-server 192.168.1.10
setauthparam -f ldap-server-hn SERVER01.STORCOM.COM
setauthparam -f ldap-port 389
setauthparam -f super-map "CN=HPE Primera Admin,OU=FunctionalGroups,DC=STORCOM,DC=COM"

To remove the whole authentication config, use setauthparam -f -clearall
Additionally, to only remove a specific parameter, use setauthparam -f -clear <parameter name> for example:

setauthparam -f -clear ldap-port
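
The following Python check is an added example, not code from the original articles or from HPE. It reads `setauthparam` lines like the ones above and reports every setting that differs from the values the LDAP over SSL article uses (`ldap-port 636`, `ldap-ssl 1`, `ldap-reqcert 1`, plus a loaded `ldap-ssl-cacert`). The function names and the two sample configurations, condensed from the commands on this page, are assumptions of the example.

```python
import shlex

# Values the LDAP over SSL article sets for an encrypted bind with
# server-certificate checking (taken from this page, not from HPE docs).
REQUIRED = {"ldap-port": "636", "ldap-ssl": "1", "ldap-reqcert": "1"}

# Sample inputs condensed from the commands shown on this page.
PAGE_LDAP_389 = """\
setauthparam -f ldap-type MSAD
setauthparam -f binding sasl
setauthparam -f sasl-mechanism GSSAPI
setauthparam -f ldap-server 192.168.1.10
setauthparam -f ldap-server-hn SERVER01.STORCOM.COM
setauthparam -f ldap-port 389
"""
PAGE_LDAPS = """\
setauthparam -f -clearall
setauthparam -f ldap-type MSAD
setauthparam -f ldap-server-hn LDAPSERVER.STORCOM.COM
setauthparam -f ldap-port 636
setauthparam -f ldap-ssl 1
setauthparam -f ldap-reqcert 1
setauthparam -f ldap-ssl-cacert -
setauthparam -f binding sasl
setauthparam -f sasl-mechanism DIGEST-MD5
"""

def parse_authparams(text):
    """Replay setauthparam lines into {parameter: value}; later lines win."""
    params = {}
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if not words or words[0] != "setauthparam":
            continue
        args = [w for w in words[1:] if w != "-f"]
        if args and args[0] == "-clearall":
            params.clear()                      # wipes the whole configuration
        elif len(args) >= 2 and args[0] == "-clear":
            params.pop(args[1], None)           # removes a single parameter
        elif len(args) >= 2:
            params[args[0]] = " ".join(args[1:])
    return params

def audit(text):
    """Return findings for settings that differ from the LDAPS configuration."""
    params = parse_authparams(text)
    findings = []
    for name, want in REQUIRED.items():
        got = params.get(name)
        if got != want:
            findings.append(f"{name} is {got or 'unset'}, expected {want}")
    if "ldap-ssl-cacert" not in params:
        findings.append("ldap-ssl-cacert is unset: no CA certificate loaded")
    return findings
```

`audit(PAGE_LDAP_389)` reports four findings, while `audit(PAGE_LDAPS)` returns an empty list.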

Configuring Primera LDAP using SSMC

The third method to configure Primera or StoreServ to use LDAP is through the StoreServ Management Console.

  1. Navigate to SSMC and log in with your admin account.
  2. Under Security, select LDAP
  3. Click on + Create LDAP configuration
  4. Select the system and then follow the steps above. They are the same steps as when configuring LDAP using the Primera Web GUI.

See other articles about HPE Primera: Implementing CA Certificates on HPE Primera UI.


HPE has released its latest storage array Primera. As announced, it is a storage solution that is ready-to-use in 10 minutes. In this article, we will go through the steps on how to implement the enterprise signed certificates on the Primera UI. Primera (and 3PAR StoreServ) uses the unified-server service to establish and maintain communication. It uses the same certificate for CIM, CLI and WSAPI services.

Read the HPE Primera OS 4.0 Command Line Interface Reference Guide for the detailed information about Primera OS.

Certificate Signing Request for Primera UI

We will start by creating a certificate signing request, which will then be signed by our Certificate Authority.

  1. Open Command Prompt and navigate to CLI directory. It should be under C:\Program Files (x86)\Hewlett-Packard\HP 3PAR CLI\bin
  2. Launch CLI.exe and log in to your Primera / 3PAR array.
  3. In this case, I start by removing all existing certificates on the array. Type showcert to show the available certificates
  4. Stop WSAPI service: stopwsapi
  5. Use the following commands to remove all certificates. Repeat them until all certificate records have disappeared
    removecert
    
    removecert unified-server
  6. Additionally, use the following command to create your certificate signing request file:
    createcert unified-server -csr -keysize 2048 -C BE -ST Belgium -L Brussels -O "STORCOM" -OU "IT" -CN primera.storcom.com -SAN DNS:primera,IP:192.168.100.1 primera.txt

    The file will be saved in the same directory as CLI.exe.

  7. Finally copy this text file primera.txt and have it signed by your Certificate Authority.

Importing CA certificates

Next to the Primera UI certificate, your Certificate Authority will also provide you with the root and the intermediate certificate. You will need them in order for your array to recognize the valid chain. Place all your certificate files into the CLI.exe directory.

  1. If your signed certificate is in any format other than .pem, use OpenSSL to convert it to the .pem file format.
    openssl.exe x509 -in c:\temp\primera.storcom.com.cer -out c:\temp\primera.pem
  2. In the first place, import the root certificate of the company
    importcert unified-server -ca RootCA_B64.pem
  3. In addition, if you have received an intermediate certificate file, import it using the same command
    importcert unified-server -ca IssuingCA.pem
  4. Finally, import the array’s certificate
    importcert unified-server primera.pem
  5. Now if you run showcert command you will notice the new certificates populated.
  6. Start WSAPI service and you’re good to go.
    startwsapi

Primera / Storeserv array certificates on SSMC

When your array’s certificates are altered, a new connection needs to be established on SSMC. If you navigate to your SSMC and try to accept the Primera UI certificate it might not succeed if your enterprise certificates (root and intermediate) are not imported.

  1. Log in to your SSMC GUI as Administrator (ssmcadmin)
  2. If you have already imported your root and intermediate certificate, you will notice a message “Acceptance certificate needed”.
  3. Accept the array’s certificate and you’re good to go.
  4. If your CA certificates are not imported, click on Actions and select Manage Certificates
  5. Click on Add certificate and paste the plain text of your root certificate into this field. The certificate text should start with BEGIN CERTIFICATE and end with END CERTIFICATE. Validate and click OK to continue.
  6. Click on Add certificate and paste the plain text of your intermediate certificate into this field. The certificate text should start with BEGIN CERTIFICATE and end with END CERTIFICATE. Validate and click OK to continue.
  7. Now when you go back to the overview of arrays, you will notice that accepting the array’s certificate is no longer a problem.

If you are using an older version of SSMC than 3.6, you can easily upgrade it by following the steps as explained on Upgrading StoreServ Management Console to 3.6


HPE recently released a new version of its management tool for 3PAR arrays, called StoreServ Management Console 3.6. Visually, the latest version is not much different from previous versions, but its data processing engine has been improved.

  • For an extended list of new features, the Release Notes document of SSMC 3.6 is available here.
  • The Administrator Guide for SSMC 3.6 can also be downloaded here.
  • Please note that when upgrading from 3.x to 3.6 the GUI Admin User is removed and instead the same userid is used as when logging into the SSMC appliance through CLI “ssmcadmin”.

Upgrading to StoreServ Management Console 3.6 is very simple and straightforward. All we need to do is download the executables and the upgrade .star file, which is provided together with the SSMC package. In my case, I’m running SSMC version 3.4.1

  1. Navigate to HPE’s Software Depot and locate SSMC URL or click here.
  2. Log in with your HPE Passport and download the package.
  3. After extracting the downloaded package, take note of a file called HPESSMC-3.6.0.0.269-Appliance_Upgrade.star. This is the upgrade file we are going to use in the next steps.
  4. Navigate to your SSMC homepage and login with your SSMC administrator credentials (Don’t forget to select the Administrator Console below the login box).
  5. Once you’re logged in as an administrator, head over to the right side on the top and click on Actions then Upgrade.
  6. Browse and select the upgrade file we located in Step 3 and click Upload.
  7. Once the upload has finished, click on Yes, Upgrade to confirm.
  8. The upgrade will start and depending on your appliance’s configuration, it might take a while.
  9. At a certain point, you’ll lose the connection with the webserver and any CLI session.

     

  10. In my case, it took me 6 minutes for the webserver to come up. I am using the recommended VM configuration for the SSMC appliance.
  11. Once the SSMC is up and running, you will notice the new version.


Having a web-based app running over unsecured protocols like HTTP is not only unsafe but also unprofessional. Therefore, most enterprises opt for secure traffic over HTTPS. In this article, we will implement Service Processor SSL Certificates signed by a CA. 3PAR StoreServ Service Processors run by default over the unsecured HTTP protocol. Installing an SSL Certificate is something every administrator should consider.

A technical whitepaper of Best Practices for Implementing HPE 3PAR Service Processor can be found here.

How to?

Creating a Certificate File Request

  1. Navigate to your Service Processor webpage https://<sp_name>
  2. Log in with your customer credentials
  3. On the left pane, click on Support > SP Certificate
  4. On this page, click on Generate CSR
  5. Enter your information, including certificate’s Common Name and SAN (Subject Alternate Names)

    Adding a SAN record is very important as recent web browsers still give errors when a certificate does not contain this information.
  6. Click on Generate CSR and return to the previous window.
  7. On the next step click on Export CSR
  8. After exporting the file, click on Download File and save it locally

Signing and importing the Service Processor SSL Certificates

At this point, we have created a request file which will be signed by our Certificate Authority. In large enterprises, certificate handling is done by a separate department. You could also try it yourself. Here is a good article about signing certificates with Microsoft CA.
Once you have signed your certificate, you will get a file with .cer as an extension.

  1. Navigate to your service processor’s webpage and select Import Certificate
  2. On the first step we’re going to load the Service Processor SSL certificates we have just signed in the previous step.
    (Bear in mind the sequence)
  3. Browse the certificate’s location and click on Load Certificate
  4. On the following screen, we are going to load the intermediate certificate of the CA or the Issuing Certificate.
  5. Finally, we will upload the Root Certificate. Browse the file and click on Import Certificate.
  6. Once the 3rd certificate (the certificate from the previous step) is imported, the Web Service of the Service Processor will restart.
  7. Make sure to close any active browser before navigating again to the service processor
  8. Next time you navigate to the array’s SP the SSL certificate should be valid.

 


HPE’s entry-level MSA storage arrays are shipped with a self-signed certificate from HPE. A lot of storage administrators ignore the web warnings and leave the configuration unchanged. Instead, it is highly recommended to install a TLS/SSL Certificate on your array.

Before we continue with the installation steps, take note of the following:

  • The installation can be done online without interruption of host IO’s but a restart of the management controllers is required at the final step.
  • To deal with certificates I use OpenSSL tool for Windows.
  • The FTP protocol is by default disabled on new MSA arrays. You need to enable it using the web interface, or using the following commands:
    show protocols
    set protocols ftp enabled

If you are familiar with certificates, jump below to Commands Used

Requesting a MSA SSL Certificate

First of all, gather the needed information about your storage array, e.g. the Fully Qualified Domain Name (FQDN), your organization name, etc., and ask your Certificate Authority owner to provide you with a certificate. Microsoft Windows CA will provide you with a .PFX file which contains a variety of cryptographic information, including certificate(s), certificate chains, root authority and private keys.

Extract the (.pfx) certificate

In order to implement such a certificate in your MSA array, you will need to extract it in 2 separate files, one containing the certificate itself and the other containing the private keys.

  1. We will start by extracting the private keys first. Use the following command to extract the private key file:
    openssl pkcs12 -in <.pfx file path location> -nocerts -out <key-file-name.key>

    – Enter the Import Password, received by your CA Manager.
    – Choose a PEM pass phrase, or a password to secure your Private Key file

  2. The array doesn’t accept protected Private Key files. Use the following command to remove the passphrase you created in step 1.
    openssl rsa -in <keyfile.key> -out <keyfile-decrypted.key>

    Now you have a supported private key file.

  3. Next step is to extract the certificate from the .PFX file. Use the following command to extract it:
    openssl pkcs12 -in <.pfx file path location> -clcerts -nokeys -out <certificate-file.crt>

    The newly created file is now called certificate-file.crt

Append Intermediate and Root certificate

In this step, you’ll need to edit the .crt certificate file you created in the previous step and add the intermediate and or the root certificate together. This is required by the array to communicate with the certificate chain implemented in your company.

The certificate file structure should look like this:

-----BEGIN CERTIFICATE-----
Array’s certificate (the content of the file you created during the previous step)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
The intermediate certificate chain (If your company uses one)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
The ROOT CA certificate
-----END CERTIFICATE-----

Once you have merged the certificates, use a distinctive name for your new file and save it.
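
A preflight check for the two files before they are uploaded, as an added example that is not part of the original article. It confirms the merged file is ordered array certificate, intermediate, root by comparing each certificate's issuer with the next certificate's subject, flags a private key left inside the certificate file or PEM markers damaged by typographic dashes, and detects a key file that is still passphrase-protected. It compares names only and verifies no signatures; `sample_cert` builds constructed, unsigned stand-ins so the check can be exercised offline, and all function names are assumptions of the example.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def issuer_subject(der):
    """Raw DER issuer and subject Names of one X.509 certificate."""
    _, start, _ = _tlv(der, 0)             # Certificate SEQUENCE
    _, pos, end = _tlv(der, start)         # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = _tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:               # optional [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]      # serial, sigalg, ISSUER, validity, SUBJECT

def check_bundle(pem_text):
    """List problems in a merged cert-file (leaf, intermediate, root)."""
    problems = []
    if "\u2014" in pem_text or "\u2013" in pem_text:
        problems.append("typographic dashes found (PEM markers need ASCII hyphens)")
    blocks = PEM_RE.findall(pem_text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("private key inside the certificate file")
    names = [issuer_subject(base64.b64decode(body))
             for label, body in blocks if label == "CERTIFICATE"]
    if not names:
        return problems + ["no CERTIFICATE blocks found"]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-issued (root missing?)")
    return problems

def key_is_encrypted(key_text):
    """True for PKCS#8 encrypted keys and legacy passphrase-protected PEM."""
    return ("BEGIN ENCRYPTED PRIVATE KEY" in key_text
            or "Proc-Type: 4,ENCRYPTED" in key_text)

def _der(tag, *parts):                     # short-form lengths only (< 128 bytes)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(issuer, subject):
    """Constructed, unsigned stand-in holding only the fields read above."""
    name = lambda cn: _der(0x30, _der(0x0C, cn.encode()))
    tbs = _der(0x30, _der(0x02, b"\x01"), _der(0x30), name(issuer),
               _der(0x30), name(subject))
    b64 = base64.encodebytes(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"
```

Run `check_bundle` on the text of the merged .crt file and `key_is_encrypted` on the text of the decrypted .key file; an empty list and `False` mean both files have the shape this article describes.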

Installation of the MSA SSL Certificate

To install the certificate to your MSA array you’ll need to connect through FTP.

  1. Open an elevated command prompt and navigate to the directory where your certificate (.crt file) and private key file reside.
  2. Type FTP > Open
  3. Enter array’s IP address or DNS alias
  4. Upload the certificate using the following command
    put <certificate file name.crt> cert-file

  5. Next, upload the private key file using the following command
    put <key file.key> cert-key-file

  6. Finally, restart the management controller of your MSA and your browser should be reporting a valid SSL certificate.

Commands used

OpenSSL

Extract certificate’s private key:

openssl pkcs12 -in <.pfx file path location> -nocerts -out <key-file-name.key>

Decrypt private key file

openssl rsa -in <keyfile.key> -out <keyfile-decrypted.key>

Extract certificate file

openssl pkcs12 -in <.pfx file path location> -clcerts -nokeys -out <certificate-file.crt>

FTP

Upload the certificate

put <certificate file name.crt> cert-file

Upload the private key file

put <key file.key> cert-key-file


In this article, we will cover the way to merge or promote a 3PAR StoreServ snapshot into a base virtual volume. The execution of this procedure is done offline so this might bring downtime to your workloads. Before going into details, we assume you are already familiar with the following technologies:

Definition snapshot: Snapshot is a common industry term denoting the ability to record the state of a storage device at any given moment and preserve that snapshot as a guide for restoring the storage device in the event that it fails. A snapshot primarily creates a point-in-time copy of the data.

Basically, what we’re going to do is restore a snapshot (taken at a certain time) into a virtual volume.

    1. Open 3PAR Management Console or SSMC and find the primary virtual volume.
    2. Expand the list and locate the desired snapshot that needs to be promoted

      – Volume and array names are obfuscated for privacy purposes.
      – Latest snapshot can be verified if you click on it and expand the Virtual Volume Details-tab.

 

  1. Take note of the snapshot that you’re going to promote to the base volume
  2. Stop the corresponding RC Group
  3. Unexport Virtual Volume (Remove Virtual Volume from the Virtual Volume Set or unexport your VVOL if you’re not using VVOL Sets)
  4. Use CLI to promote the snapshot to a base volume
    promotesv -rcp <snapshot name>

  5. You can check the status of the activity using the following command
    showtask -d <task ID>
  6. Once the operation is completed, export the virtual volume to the host (or add the VVOL to the Virtual Volume Set)
  7. Restart the RC Group
  8. You’re done!
