Tag Archive : HPE Primera


LDAP over SSL for Primera and 3PAR

LDAP authentication can be tricky when using unsecured ports. As you already know, Primera and 3PAR arrays use the unsecured LDAP port 389 by default. In our previous article we talked about HPE Primera LDAP Active Directory Integration. This article focuses on configuring LDAP over SSL (port 636) for Primera and StoreServ (3PAR) arrays.

LDAP transactions, including sensitive data such as passwords, can be captured easily using Wireshark. In addition, Microsoft will soon (Q2/2020) cease to support unsigned LDAP implementations.

I assume you already have defined AD groups to map with user roles, and you have the root certificate in your possession.

  1. Log in to your Primera / 3PAR array using the CLI
  2. Additionally, remove any existing LDAP configuration
    setauthparam -f -clearall
  3. Next, we will configure LDAP over SSL for Primera and 3PAR OS.
    For detailed information about the usage, read HPE Primera OS 4.0 Command Line Interface Reference Guide.

    setauthparam -f ldap-type MSAD
    
    setauthparam -f ldap-server <192.168.80.10>
    
    setauthparam -f ldap-server-hn <LDAPSERVER.STORCOM.COM>
    
    setauthparam -f ldap-port 636
    
    setauthparam -f ldap-ssl 1
    
    setauthparam -f ldap-reqcert 1
  4. Copy the plain text of your company's root certificate and paste it into the CLI using the command below. The - sign makes the command prompt you for the text.
    Press Enter twice to complete.

    setauthparam -f ldap-ssl-cacert -
  5. Continue by configuring the following LDAP parameters. Bear in mind that the GSSAPI SASL mechanism is not available with certificates. Instead, DIGEST-MD5 is used to authenticate against Active Directory over LDAPS.
    setauthparam -f binding sasl
    
    setauthparam -f sasl-mechanism DIGEST-MD5
    
    setauthparam -f kerberos-realm <STORCOM.COM>
    
    setauthparam -f accounts-dn "OU=Admin,DC=STORCOM,DC=COM"
    
    setauthparam -f account-obj user
    
    setauthparam -f account-name-attr sAMAccountName
    
    setauthparam -f memberof-attr memberOf
  6. Finally, map the AD groups with the user roles on Primera / 3PAR OS
    setauthparam -f super-map "CN=Storage Admin,OU=SecGroup,DC=STORCOM,DC=COM"
  7. To test LDAPS authentication, use the command checkpassword

    STORPRIM01 cli% checkpassword STORUSER 
    
    password:

Primera Web GUI

In this article we will focus on integrating HPE Primera into Active Directory. Instead of logging into the array using local users, we can configure Primera (or StoreServ) array to use LDAP authentication. Furthermore, Primera supports several LDAP authentications, such as Microsoft Active Directory, OpenLDAP or Red Hat Directory Server.

There are 3 methods that allow us to configure our array to use external (LDAP or AD) authentication.
To begin with, we will create the security groups in Active Directory. If you’re not familiar with AD, here is a good read for you: Active Directory Security Groups.

In my case, I have created the following security groups:

  • HPE Primera Admin: AD Group which has full admin rights (super)
  • HPE Primera Browse: AD Group which has only read access (browse)

Feel free to be more creative with group names 😉

Configuring Primera LDAP / AD authentication using Web GUI

  1. Navigate to your Primera UI portal and log in with your admin account
  2. Click on Settings then select LDAP configuration
  3. On the right pane, click on + Create
  4. Select Microsoft Active Directory as LDAP Type
  5. Accounts DN: This is the directory where your AD users reside, e.g. OU=Users,DC=STORCOM,DC=COM
  6. Under Binding, select GSSAPI
  7. Enter Kerberos Realm, e.g. STORCOM.COM
  8. Under Connection Details, enter the IP Address of my LDAP server.
  9. Enter LDAP Server name. It’s the FQDN of my AD Server, e.g. SERVER01.STORCOM.COM
  10. Finally, under Authorizations you can associate your AD Groups with Primera roles.
  11. Click on Add Authorizations, and select super-map under Authorization Group
  12. The group distinguished name is the group in which the admin members will be placed. In my case it is: CN=HPE Primera Admin,OU=FunctionalGroups,DC=STORCOM,DC=COM

Integrating Active Directory authentication using Primera CLI

In the next steps we are going to configure the same settings using the Primera CLI, so it is important to have an understanding of the CLI. A good reference is the HPE Primera OS 4.0 Command Line Interface Reference Guide.

setauthparam -f ldap-type MSAD
setauthparam -f accounts-dn "OU=Users,DC=STORCOM,DC=COM"
setauthparam -f binding sasl
setauthparam -f sasl-mechanism GSSAPI
setauthparam -f kerberos-realm STORCOM.COM
setauthparam -f kerberos-server 192.168.1.10
setauthparam -f ldap-server 192.168.1.10
setauthparam -f ldap-server-hn SERVER01.STORCOM.COM
setauthparam -f ldap-port 389
setauthparam -f super-map "CN=HPE Primera Admin,OU=FunctionalGroups,DC=STORCOM,DC=COM"

To remove the whole authentication config, use setauthparam -f -clearall
Additionally, to only remove a specific parameter, use setauthparam -f -clear <parameter name> for example:

setauthparam -f -clear ldap-port
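
A planned setauthparam script can be reviewed before it is run on the array. The following is an added example, not from the original articles or from HPE: it replays setauthparam lines (including -clear and -clearall) and reports where the result differs from the LDAPS settings used in the LDAP over SSL steps (port 636, ldap-ssl 1, ldap-reqcert 1, a loaded CA certificate, a server host name). The function and sample names are hypothetical; the sample inputs are the commands shown on this page.

```shell
#!/bin/sh
# Added example (hypothetical helper): replay setauthparam lines read from
# stdin and report where the result differs from the LDAPS settings above.
audit_ldap_script() {
  awk '
    function warn(msg) { print "FINDING: " msg; return 1 }
    $1 != "setauthparam" { next }        # skip prompts, blanks, other commands
    {
      i = 2
      if ($i == "-f") i++                # optional -f flag
      if ($i == "-clearall") { split("", v); next }  # wipes every parameter
      if ($i == "-clear")    { delete v[$(i + 1)]; next }
      v[$i] = $(i + 1)                   # last assignment wins
    }
    END {
      n = 0
      if (v["ldap-port"] != "636")   n += warn("ldap-port is \"" v["ldap-port"] "\", LDAPS steps use 636")
      if (v["ldap-ssl"] != "1")      n += warn("ldap-ssl is not 1, LDAP traffic is not wrapped in SSL")
      if (v["ldap-reqcert"] != "1")  n += warn("ldap-reqcert is not 1, server certificate not required")
      if (!("ldap-ssl-cacert" in v)) n += warn("ldap-ssl-cacert not loaded, no CA to verify against")
      if (!("ldap-server-hn" in v))  n += warn("ldap-server-hn not set")
      exit (n > 0)                       # exit status 1 when anything was found
    }'
}

sample_ldaps() {    # commands from the LDAP over SSL steps, placeholders kept
  cat <<'EOF'
setauthparam -f -clearall
setauthparam -f ldap-type MSAD
setauthparam -f ldap-server <192.168.80.10>
setauthparam -f ldap-server-hn <LDAPSERVER.STORCOM.COM>
setauthparam -f ldap-port 636
setauthparam -f ldap-ssl 1
setauthparam -f ldap-reqcert 1
setauthparam -f ldap-ssl-cacert -
EOF
}
sample_port389() {  # commands from the GSSAPI CLI section above
  cat <<'EOF'
setauthparam -f ldap-type MSAD
setauthparam -f binding sasl
setauthparam -f sasl-mechanism GSSAPI
setauthparam -f ldap-server 192.168.1.10
setauthparam -f ldap-server-hn SERVER01.STORCOM.COM
setauthparam -f ldap-port 389
EOF
}
```

Run it as `audit_ldap_script < planned-commands.txt`; the exit status is non-zero when any finding is printed.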

Configuring Primera LDAP using SSMC

The third method to configure Primera or StoreServ to use LDAP is using StoreServ Management Console.

  1. Navigate to SSMC and log in with your admin account.
  2. Under Security, select LDAP
  3. Click on + Create LDAP configuration
  4. Select the system and then follow the steps above. They are the same steps as when configuring LDAP using the Primera Web GUI.

See other articles about HPE Primera: Implementing CA Certificates on HPE Primera UI.

Primera Web GUI

HPE has released its latest storage array Primera. As announced, it is a storage solution that is ready-to-use in 10 minutes. In this article, we will go through the steps to implement enterprise-signed certificates on the Primera UI. Primera (and 3PAR StoreServ) uses the unified-server service to establish and maintain communication. It uses the same certificate for CIM, CLI and WSAPI services.

Read the HPE Primera OS 4.0 Command Line Interface Reference Guide for the detailed information about Primera OS.

Certificate Signing Request for Primera UI

We will start by creating a certificate signing request, which will then be signed by our Certificate Authority.

  1. Open Command Prompt and navigate to CLI directory. It should be under C:\Program Files (x86)\Hewlett-Packard\HP 3PAR CLI\bin
  2. Launch CLI.exe and log in to your Primera / 3PAR array.
  3. In this case, I start by removing all existing certificates on the array. Type showcert to show the available certificates
  4. Stop WSAPI service: stopwsapi
  5. Use the following commands to remove all certificates. Repeat them until all certificate records have disappeared
    removecert
    
    removecert unified-server
  6. Additionally, use the following command to create your certificate signing request file:
    createcert unified-server -csr -keysize 2048 -C BE -ST Belgium -L Brussels -O "STORCOM" -OU "IT" -CN primera.storcom.com -SAN DNS:primera,IP:192.168.100.1 primera.txt

    The file will be saved in the same directory where CLI.exe resides.

  7. Finally copy this text file primera.txt and have it signed by your Certificate Authority.

Importing CA certificates

Along with the Primera UI certificate, your Certificate Authority will also provide you with the root and the intermediate certificate. You will need them in order for your array to recognize the valid chain. Place all your certificate files into the CLI.exe directory.

  1. If your signed certificate is in any format other than .pem, use OpenSSL to convert it to the .pem file format.
    openssl.exe x509 -in c:\temp\primera.storcom.com.cer -out c:\temp\primera.pem
  2. In the first place, import the root certificate of the company
    importcert unified-server -ca RootCA_B64.pem
  3. In addition, if you have received an intermediate certificate file, import it using the same command
    importcert unified-server -ca IssuingCA.pem
  4. Finally, import the array’s certificate
    importcert unified-server primera.pem
  5. Now if you run showcert command you will notice the new certificates populated.
  6. Start WSAPI service and you’re good to go.
    startwsapi
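
Before running importcert, the three files can be checked offline with OpenSSL. The following is an added example, not from the original article or from HPE, with hypothetical function names: it verifies that the signed certificate chains to the root through the issuing CA, that it carries the public key of the CSR produced by createcert, and that the requested SAN is still present after signing. make_constructed_pki builds a throwaway test PKI so the check can be tried without real files.

```shell
#!/bin/sh
# Added example: pre-import checks for a signed array certificate.
# usage: check_array_cert <leaf.pem> <root.pem> <issuing.pem> <csr> <SAN DNS name>
check_array_cert() {
  leaf=$1; root=$2; issuing=$3; csr=$4; san=$5; rc=0
  # 1. The leaf must chain to the root through the issuing CA.
  openssl verify -CAfile "$root" -untrusted "$issuing" "$leaf" 2>/dev/null |
    grep -q ': OK$' || { echo "FAIL: chain does not verify"; rc=1; }
  # 2. The leaf must carry the public key that is in the CSR.
  cert_key=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null)
  csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
  { [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]; } ||
    { echo "FAIL: certificate key differs from CSR key"; rc=1; }
  # 3. The SAN requested in the CSR must still be present after signing.
  openssl x509 -in "$leaf" -noout -text 2>/dev/null |
    grep -Eq "DNS:$san(,|[[:space:]]|\$)" ||
    { echo "FAIL: SAN DNS:$san missing"; rc=1; }
  return "$rc"
}

# Constructed throwaway PKI (root -> issuing -> leaf, plus an unrelated CSR
# named "other") written into directory $1 so the check runs offline.
make_constructed_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:primera,IP:192.168.100.1\n' > "$d/leaf.ext"
  for n in root issuing leaf other; do
    openssl req -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
      -subj "/CN=constructed-$n" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/issuing.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -days 2 -out "$d/leaf.pem" 2>/dev/null
}
```

With the file names used in the steps above, the call would be `check_array_cert primera.pem RootCA_B64.pem IssuingCA.pem primera.txt primera`.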

Primera / Storeserv array certificates on SSMC

When your array’s certificates are altered, a new connection needs to be established on SSMC. If you navigate to your SSMC and try to accept the Primera UI certificate it might not succeed if your enterprise certificates (root and intermediate) are not imported.

  1. Log in to your SSMC GUI as Administrator (ssmcadmin)
  2. If you have already imported your root and intermediate certificate, you will notice a message “Acceptance certificate needed”.
  3. Accept the array’s certificate and you’re good to go.
  4. If your CA certificates are not imported, click on Actions and select Manage Certificates
  5. Click on Add certificate and paste the plain text of your root certificate into this field. The certificate text should start with BEGIN CERTIFICATE and end with END CERTIFICATE. Validate and click OK to continue.
  6. Click on Add certificate and paste the plain text of your intermediate certificate into this field. The certificate text should start with BEGIN CERTIFICATE and end with END CERTIFICATE. Validate and click OK to continue.
  7. Now when you go back to the overview of arrays, you will notice that accepting the array’s certificate is no longer a problem.

If you are using an older version of SSMC than 3.6, you can easily upgrade it by following the steps as explained on Upgrading StoreServ Management Console to 3.6
