Tag Archive : 3PAR


LDAP over SSL for Primera and 3PAR

LDAP authentication can be tricky when using unsecured ports. As you already know, Primera and 3PAR arrays use the unsecured LDAP port 389 by default. In our previous article we talked about HPE Primera LDAP Active Directory Integration. This article focuses on configuring LDAP over SSL (port 636) for Primera and StoreServ (3PAR) arrays.

Unencrypted LDAP transactions, including sensitive data, e.g. passwords, can be captured easily using Wireshark. In addition, Microsoft will soon (Q2/2020) cease to support unsigned LDAP implementations.

I assume you already have defined AD groups to map with user roles, and you have the root certificate in your possession.

  1. Log in to your Primera / 3PAR array using CLI
  2. Additionally, remove any existing LDAP configuration
    setauthparam -f -clearall
  3. Next, we will configure LDAP over SSL for Primera and 3PAR OS.
    For detailed information about the usage, read HPE Primera OS 4.0 Command Line Interface Reference Guide.

    setauthparam -f ldap-type MSAD
    
    setauthparam -f ldap-server <192.168.80.10>
    
    setauthparam -f ldap-server-hn <LDAPSERVER.STORCOM.COM>
    
    setauthparam -f ldap-port 636
    
    setauthparam -f ldap-ssl 1
    
    setauthparam -f ldap-reqcert 1
  4. Copy the plain text of your company's root certificate and paste it into the CLI using the command below. The - sign makes the command prompt you for the text.
    Press Enter twice to complete.

    setauthparam -f ldap-ssl-cacert -
  5. Continue by configuring the following LDAP parameters. Bear in mind that GSSAPI SASL mechanism is not available with certificates. Instead, DIGEST-MD5 is used to authenticate against an Active Directory LDAPS.
    setauthparam -f binding sasl
    
    setauthparam -f sasl-mechanism DIGEST-MD5
    
    setauthparam -f kerberos-realm <STORCOM.COM>
    
    setauthparam -f accounts-dn "OU=Admin,DC=STORCOM,DC=COM"
    
    setauthparam -f account-obj user
    
    setauthparam -f account-name-attr sAMAccountName
    
    setauthparam -f memberof-attr memberOf
  6. Finally, map the AD groups with the user roles on Primera / 3PAR OS
    setauthparam -f super-map "CN=Storage Admin,OU=SecGroup,DC=STORCOM,DC=COM"
  7. To test LDAPS authentication, use the command checkpassword

    STORPRIM01 cli% checkpassword STORUSER 
    
    password:
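
As a pre-change check for the procedure above, this added example (not from the original article or from HPE) replays a runbook of setauthparam commands and lists every parameter that would leave the LDAP bind on a cleartext or unverified connection. The two runbooks are constructed samples, `REQUIRED` and the function names are hypothetical, and the ldap-server-hn check assumes the array matches the server certificate against that host name.

```python
import shlex

# Constructed runbooks (not captured from an array): the page's steps, then a cleartext setup.
HARDENED = """\
setauthparam -f -clearall
setauthparam -f ldap-server <192.168.80.10>
setauthparam -f ldap-server-hn <LDAPSERVER.STORCOM.COM>
setauthparam -f ldap-port 636
setauthparam -f ldap-ssl 1
setauthparam -f ldap-reqcert 1
setauthparam -f ldap-ssl-cacert -
"""
WEAK = """\
setauthparam -f ldap-server 192.168.80.10
setauthparam -f ldap-port 389
setauthparam -f ldap-ssl 0
"""

# (parameter, required value or None for "any value", why it matters)
REQUIRED = [
    ("ldap-port", "636", "not the LDAPS port"),
    ("ldap-ssl", "1", "SSL is not enabled"),
    ("ldap-reqcert", "1", "server certificate is not required"),
    ("ldap-ssl-cacert", None, "no root CA certificate loaded"),
    ("ldap-server-hn", None, "no host name to match the certificate against"),
]

def parse_runbook(text):
    """Replay the commands in order and return the final {param: value} state."""
    params = {}
    for line in text.splitlines():
        tokens = shlex.split(line)          # keeps quoted DNs as one token
        if not tokens or tokens[0] != "setauthparam":
            continue
        args = [t for t in tokens[1:] if t != "-f"]
        if args == ["-clearall"]:
            params.clear()                  # step 2 wipes anything set earlier
        elif len(args) >= 2:
            # Drop the <...> placeholder brackets the page puts around values.
            params[args[0]] = " ".join(args[1:]).strip("<>")
    return params

def audit(params):
    """Return one finding per parameter that is missing or has the wrong value."""
    return [f"{name}: {why}" for name, want, why in REQUIRED
            if params.get(name) is None or want not in (None, params[name])]

if __name__ == "__main__":
    print(audit(parse_runbook(HARDENED)) or "OK", audit(parse_runbook(WEAK)), sep="\n")
```
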

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list.

HPE recently released a new version of its management tool for 3PAR arrays, called StoreServ Management Console 3.6. Visually, the latest version is not much different from previous versions, but its data-processing engine has been improved.

  • For an extended list of new features, the Release Notes document of SSMC 3.6 is available here.
  • The Administrator Guide for SSMC 3.6 can also be downloaded here.
  • Please note that when upgrading from 3.x to 3.6 the GUI Admin User is removed and instead the same userid is used as when logging into the SSMC appliance through CLI “ssmcadmin”.

Upgrading to StoreServ Management Console 3.6 is very simple and straightforward. All we need to do is download the executables and an upgrade .star file, which is provided together with the SSMC package. In my case, I’m running SSMC version 3.4.1.

  1. Navigate to HPE’s Software Depot and locate SSMC URL or click here.
  2. Log in with your HPE Passport and download the package.
  3. After extracting the downloaded package, take note of a file called HPESSMC-3.6.0.0.269-Appliance_Upgrade.star. This is the upgrade file we are going to use in the next steps.
  4. Navigate to your SSMC homepage and login with your SSMC administrator credentials (Don’t forget to select the Administrator Console below the login box).
  5. Once you’re logged in as an administrator, head over to the right side on the top and click on Actions then Upgrade.
  6. Browse and select the upgrade file we located in Step 3 and click Upload.
  7. Once the upload has finished, click on Yes, Upgrade to confirm.
  8. The upgrade will start and depending on your appliance’s configuration, it might take a while.
  9. At a certain point, you’ll lose the connection with the webserver and any CLI session.
  10. In my case, it took me 6 minutes for the webserver to come up. I am using the recommended VM configuration for the SSMC appliance.
  11. Once the SSMC is up and running, you will notice the new version.


Having a web-based app running over unsecured protocols like HTTP might be not only unsafe but also unprofessional. Therefore, most enterprises opt for secure traffic over HTTPS. In this article, we will implement Service Processor SSL Certificates signed by a CA. 3PAR StoreServ Service Processors run by default over the unsecured HTTP protocol. Installing an SSL Certificate is something every administrator should consider.

A technical whitepaper of Best Practices for Implementing HPE 3PAR Service Processor can be found here.

How to?

Creating a Certificate File Request

  1. Navigate to your Service Processor webpage https://<sp_name>
  2. Log in with your customer credentials
  3. On the left pane, click on Support > SP Certificate
  4. On this page, click on Generate CSR
  5. Enter your information, including the certificate’s Common Name and SAN (Subject Alternative Names)

    Adding a SAN record is very important as recent web browsers still give errors when a certificate does not contain this information.
  6. Click on Generate CSR and return to the previous window.
  7. On the next step click on Export CSR
  8. After exporting the file, click on Download File and save it locally

Signing and importing the Service Processor SSL Certificates

At this point, we have created a request file which will be signed by our Certificate Authority. In large enterprises, certificate handling is done by a separate department. You could also give it a try yourself. Here is a good article about signing certificates with Microsoft CA.
Once you have signed your certificate, you will get a file with .cer as an extension.

  1. Navigate to your service processor’s webpage and select Import Certificate
  2. On the first step we’re going to load the Service Processor SSL certificates we have just signed in the previous step.
    (Bear in mind the sequence)
  3. Browse the certificate’s location and click on Load Certificate
  4. On the following screen, we are going to load the intermediate certificate of the CA or the Issuing Certificate.
  5. Finally, we will upload the Root Certificate. Browse the file and click on Import Certificate.
  6. Once the 3rd certificate (the certificate from the previous step) is imported, the Web Service of the Service Processor will restart.
  7. Make sure to close any active browser before navigating again to the service processor
  8. Next time you navigate to the array’s SP the SSL certificate should be valid.

 


In this article, we will cover how to merge or promote a 3PAR StoreServ snapshot into a base virtual volume. This procedure is executed offline, so it might bring downtime to your workloads. Before going into details, we assume you are already familiar with the following technologies:

Definition snapshot: Snapshot is a common industry term denoting the ability to record the state of a storage device at any given moment and preserve that snapshot as a guide for restoring the storage device in the event that it fails. A snapshot primarily creates a point-in-time copy of the data.

Basically, what we’re going to do is restore a snapshot (taken at a certain time) into a virtual volume.

    1. Open 3PAR Management Console or SSMC and find the primary virtual volume.
    2. Expand the list and locate the desired snapshot that needs to be promoted

      – Volume and array names are obfuscated for privacy purposes.
      – Latest snapshot can be verified if you click on it and expand the Virtual Volume Details-tab.

 

  1. Take note of the snapshot that you’re going to promote to the base volume
  2. Stop the corresponding RC Group
  3. Unexport Virtual Volume (Remove Virtual Volume from the Virtual Volume Set or unexport your VVOL if you’re not using VVOL Sets)
  4. Use CLI to promote the snapshot to a base volume
    promotesv -rcp <snapshot name>

  5. You can check the status of the activity using the following command
    showtask -d <task ID>
  6. Once the operation is completed, export the virtual volume to the host (or add the VVOL to the Virtual Volume Set)
  7. Restart the RC Group
  8. You’re done!
