Tag Archive : MSA

/ MSA

HPE’s entry-level MSA storage arrays are shipped with a self-signed certificate from HPE. A lot of storage administrators ignore the web warnings and leave the configuration unchanged. Instead, it is highly recommended to install a TLS/SSL Certificate on your array.

Before we continue with the installation steps, take note of the following:

  • The installation can be done online without interruption of host IO’s but a restart of the management controllers is required at the final step.
  • To deal with certificates I use OpenSSL tool for Windows.
  • The FTP protocol is by default disabled on new MSA arrays. You need to enable it using the web interface, or using the following command:
show protocols
set protocols ftp enabled

If you are familiar with certificates, jump below to Commands Used

Requesting a MSA SSL Certificate

First of all, gather the needed information about your storage array, i.g. the Fully Qualified Domain Name (FQDN), your organization name etc and request your Certificate Authority owner to provide you with a certificate. Microsoft Windows CA will provide you with a .PFX file which is contains a variety of cryptographic information, including certificate(s), certificate chains, root authority and private keys.

Extract the (.pfx) certificate

In order to implement such a certificate in your MSA array, you will need to extract it in 2 separate files, one containing the certificate itself and the other containing the private keys.

  1. We will start by extracting the private keys first. Use the following command to extract the private key file:
    openssl pkcs12 -in <.pfx file path location> -nocerts -out <key-file-name.key>

    – Enter the Import Password, received by your CA Manager.
    – Choose a PEM pass phrase, or a password to secure your Private Key file

  2. The array doesn’t accept protected Private Key files, use the following command to remove the passphrase you created on step 1.
    openssl rsa -in <keyfile.key> -out <keyfile-decrypted.key>

    Now you have a supported private key file.

  3. Next step is to extract the certificate from the .PFX file. Use the following command to extract it:
    openssl pkcs12 -in <.pfx file path location> -clcerts -nokeys -out <certificate-file.crt>

    The newly created file is now called certificate-file.crt

Append Intermediate and Root certificate

In this step, you’ll need to edit the .crt certificate file you created in the previous step and add the intermediate and or the root certificate together. This is required by the array to communicate with the certificate chain implemented in your company.

The certificate file structure should look like this:

—–BEGIN CERTIFICATE—–
Array’s certificate (the content of the file you created during the previous step)
—–END CERTIFICATE—–

—–BEGIN CERTIFICATE—–
The intermediate certificate chain (If your company uses one)
—–END CERTIFICATE—–

—–BEGIN CERTIFICATE—–
The ROOT CA certificate
—–END CERTIFICATE—–

Once you have merged the certificates, use a distinctive name for your new file and save it.

Installation of the MSA SSL Certificate

To install the certificate to your MSA array you’ll need to connect through FTP.

  1. Open an elevated command prompt and navigate to the directory where you certificate (.crt file) and private key file reside.
  2. Type FTP > Open
  3. Enter array’s IP address or DNS alias
  4. Upload the certificate using the following command
    put <certificate file name.crt> cert-file

  5. Next, upload the private key file using the following command
    put <key file.key> cert-key-file

  6. Finally, restart the management controller of your MSA and your browser should be reporting a valid SSL certificate.

Commands used

OpenSSL

Extract certificate’s private key:

openssl pkcs12 -in <.pfx file path location> -nocerts -out <key-file-name.key>

Decrypt private key file

openssl rsa -in <keyfile.key> -out <keyfile-decrypted.key>

Extract certificate file

openssl pkcs12 -in <.pfx file path location> -clcerts -nokeys -out <certificate-file.crt>

FTP

Upload the certificate

put <certificate file name.crt> cert-file

Upload the certificate file

put <key file.key> cert-key-file

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list to get the latest.