Tag Archive : SSL


3PAR Service Processor 5.x

In our previous post we went through the process of installing SSL certificates on 3PAR Service Processor version 4.4.x. In this article we will go through the same steps on the newer Service Processor 5.x, where the procedure is slightly different. In short, we will create a certificate request, have it signed by our Certificate Authority, combine the signed certificate with the root (and, where applicable, the issuing authority) certificate and install it on the Service Processor.

A user guide of HPE 3PAR Service Processor 5.x can be found here. At the time of writing I’m using Service Processor version

Creating a Certificate File Request (.CFR)

  1. Navigate to your Service Processor web application and log in with your admin account.
  2. Go to 3PAR Service Console and click on Settings
  3. Next to Application click on Edit
  4. Click on Certificate Signing Request
  5. Fill in the required information about your Service Processor appliance
  6. Make sure to add extra SAN’s (Subject Alternate Names) so that your browser doesn’t flag the certificate as invalid. In my case I added the following:
  7. Scroll down and click on Generate
  8. Copy the generated text, save it in a file and have it signed by your Certificate Authority. I usually save this kind of file as storcomsp_certrequest.csr

Importing Service Processor SSL Certificates

  1. Once your certificate request is signed, you will receive it back as a .cer file.
  2. The next step is to build a combined certificate that contains the whole certificate chain, assuming you already have the root and the intermediate (if available) certificates.
  3. Open the signed SP certificate with a text editor and copy the content of the intermediate and the root certificate into it.
  4. Basically, your combined certificate file will look like this:
    <SP Signed certificate>
    -----END CERTIFICATE-----
    <CA Intermediate certificate>
    -----END CERTIFICATE-----
    <CA Root certificate>
    -----END CERTIFICATE-----
  5. Save the .cer file.
  6. Go back to Service Processor Console, click on Settings > Application and hit Edit.
  7. Click on Import Certificate to start importing the CA signed file.
  8. Copy the content of the combined .cer file (remember you saved it in step 5.)
  9. Paste the copied text to the Import window and hit Import.
  10. Click OK to start rebooting the Service Processor

After completing these steps your 3PAR Service Processor will reboot. It might take a couple of minutes before your console becomes available. If everything went well, your new certificate will be effective.

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list to get the latest.

HPE SSMC Custom Certificates

12/12/2020 | Learning | No Comments

StoreServ Management Console

By default, SSMC is installed with a self-signed browser certificate. A self-signed certificate is not only insecure, most browsers also show a warning when it is used. It is important to understand that there are 3 types of certificates which can be used on the SSMC appliances:

  • A browser SSL certificate
  • An array certificate and
  • 2FA certificate

In this article we will cover the steps to replace a self-signed certificate by a custom CA-signed SSL certificate. It is also highly recommended to perform a backup or take a snapshot/checkpoint of your StoreServ Management Console (SSMC) appliance before making any changes.

Creating the Keystore and the Certificate Signing Request

  1. Log in to your SSMC appliance as ssmcadmin and hit Esc-key to exit the TUI menu.
  2. First rename the keystore file where the certificate keys are stored. The file is found under /opt/hpe/ssmc/ssmcbase/etc
    mv keystore keystore.orig
  3. Then use the keytool to create a new public and private key pair in a new keystore file. Keytool is found under: /opt/hpe/ssmc/ssmcbase/fips/jre/bin/
    keytool -genkeypair -keystore keystore -alias jetty -keyalg RSA

    At the prompt, set a keystore password and make sure to write it down ;).

  4. Next, enter the certificate information gathered as part of the prerequisites. Make sure to complete it correctly. The output looks similar to the following:
    CN=<FQDN.com>, OU=<unit_name>, O=<company_name>, L=<city>, ST=<state>, C=<country>
    Verify that user entered the security information correctly. Enter Yes to continue or No to edit the information provided
  5. At the prompt, enter a new password for the keystore, or press Enter to use the existing keystore password.
  6. Generate a certificate signing request (CSR):
    keytool -certreq -keystore keystore -alias jetty -file <certificate.request.txt>
  7. Copy the file or the content of the file and have the CSR signed by your company Certificate Authority.

Installing the new SSMC Custom Certificate

  1. Copy the CA-signed SSL certificate to /opt/hpe/ssmc/ssmcbase/etc
  2. Examine the certificates to verify that the keytool utility can read them. This ensures that they have the correct format (PEM) before adding them to the keystore.
    /opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -printcert -v -file <filename>
  3. Next, import the CA root certificate, the intermediate certificate (if there is one), and the CA-signed machine certificate into the keystore. Add all certificates to the same keystore in this order:
    1) The CA root certificate (alias is root and not jetty):

    /opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias root -keystore keystore -trustcacerts -file <RootCA.cer>

    2) Any intermediate certificates (same preceding command but without -alias):

    /opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -keystore keystore -trustcacerts -file <IntermediateCA.cer>

    3) The CA signed certificate (alias is jetty):

    /opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias jetty -keystore keystore -trustcacerts -file <SignedByCA.cer>
  4. Update the jetty-ssl-context.xml file in /opt/hpe/ssmc/ssmcbase/etc/ with the passwords used by the new keystore
    – If you have changed the default password for the keystore, update the KeyStorePassword entry to reflect the new password (indicated as KeyStorePassword).
    – If you have changed the password for the private key inside the keystore, update the KeyManagerPassword entry to reflect the new password (indicated as KeyManagerPassword).
  5. To obfuscate the password use the following command:
    /opt/hpe/ssmc/jre/bin/java -cp /opt/hpe/ssmc/jetty/lib/jetty-util-9.4.6.v20170531.jar org.eclipse.jetty.util.security.Password <password>
  6. At this point you have completed the replacement of the SSL certificate. All you need to do is restart the SSMC appliance so that it picks up the custom SSMC certificate.
  7. Call the TUI (user interface) by entering config_appliance
  8. Option 2 will reboot the SSMC appliance.
  9. Finally, navigate to your SSMC portal and the browser should reflect the new (CA-Signed) SSL Certificate.



SANnav SSL Certificate

By default, SANnav Management Portal uses a self-signed certificate, which in most cases is considered a vulnerability. Therefore, it is highly recommended to replace it with a CA-signed certificate. The SSL/TLS certificate ensures that the connection between clients and the server is secure.

The replacement is done in 2 steps. First, we will create a Certificate Signing Request, which will be signed by our Certificate Authority. Then the signed certificate will be imported to the SANnav. In addition, you will also need the root and the intermediate certificates to be imported.

Make sure to read the SANnav Management Portal guide for detailed information.

Creating SANnav Certificate Signing Request

  1. Log in to your SANnav server (RedHat/CentOS)
  2. Create a new directory under /root/, for example /root/certificates/
    cd /root
    mkdir certificates
    cd /root/certificates
  3. To start, we will create the certificate signing request (.csr)
    openssl req -newkey rsa:2048 -nodes -keyout sannav.key -out sannav.csr
  4. Enter the certificate information for your host and your company
  5. Have your SANnav request (sannav.csr) signed by your Certificate Authority
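
The command in step 3 produces a request with no Subject Alternative Name, which current browsers require. The variant below adds SANs and reads them back from the request before it goes to the CA; it is an added example, not part of the original article. It assumes OpenSSL 1.1.1 or later, and the function names and host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and host
# names are hypothetical. Assumes OpenSSL 1.1.1 or later (for -addext).

# make_csr <key-out> <csr-out> <common-name> <san> [<san> ...]
# Each <san> is written the OpenSSL way: DNS:<name> or IP:<address>.
# Only CN is set here; add O=, L=, C= to -subj as your CA requires.
make_csr() {
    [ "$#" -ge 4 ] || { echo "usage: make_csr key csr cn san..." >&2; return 2; }
    key=$1; csr=$2; cn=$3; shift 3
    sans=$(IFS=,; printf '%s' "$*")        # join the remaining arguments with commas
    (
        umask 077                          # the private key stays owner-readable only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$key" -out "$csr" \
            -subj "/CN=$cn" -addext "subjectAltName=$sans" 2>/dev/null
    )
}

# csr_sans <csr>
# Prints the SAN line of the request; status 1 when the request has none.
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/^ +| +$/, ""); print; found = 1 }
             END { exit !found }'
}

# csr_missing_sans <csr> <name> [<name> ...]
# Prints every name or address the request does NOT carry as a SAN.
# Status 0 only when nothing is missing.
csr_missing_sans() {
    csr=$1; shift
    have=$(csr_sans "$csr") || have=""
    missing=0
    for name in "$@"; do
        case ", $have," in
            *", DNS:$name,"* | *", IP Address:$name,"*) ;;
            *) echo "$name"; missing=1 ;;
        esac
    done
    return "$missing"
}

# Script use: sh make_csr.sh sannav.key sannav.csr <fqdn> DNS:<fqdn> DNS:<short name>
if [ "$#" -ge 4 ]; then
    make_csr "$@" && csr_sans "$2"
fi
```

Run csr_missing_sans with every name users type to reach the portal; an empty result means the request is ready to be sent to the CA.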

At this point you should have received the signed certificate, together with the accompanying root and intermediate certificates.

Replacing the self-signed certificate

  1. Copy your signed certificate, together with the company’s root and the intermediate certificate to /root/certificates/
  2. First, we will need to merge the root and the intermediate certificate into one file. Use the following command:
    cat intermediate_certificate.crt root_certificate.crt > bundleCertificate.pem
  3. Launch the script replace-server-cert.sh found under /<sannav-installation-directory>/bin/
  4. Complete the certificate file paths as requested by the wizard:
    – Enter the path for the ssl certificate including file name: /root/certificates/sannav.cer
    – Enter the path for the ssl key including file name: /root/certificates/sannav.key
    – If you have root and intermediate CA certificates, please chain them into a single certificate file and provide the path to the file. Press enter to skip this step. /root/certificates/bundleCertificate.pem
  5. Run the script restart-server.sh found under /<sannav-installation-directory>/bin/ to restart SANnav
  6. Restart your browser and your SANnav Management Portal will show a valid certificate.
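
Before launching replace-server-cert.sh in step 3, it is worth confirming that the three files handed to the wizard actually belong together. The following check is an added example, not part of SANnav or of the original article; the function names are hypothetical and the host name argument is an assumption (the name users type to reach the portal).

```shell
#!/bin/sh
# Added example, not part of SANnav or of the original article.
# Function names are hypothetical; the host name passed in is whatever
# users type in the browser to reach the portal.

# key_matches_cert <key> <cert>
# 0 = the certificate carries the public half of this key, 1 = it does not,
# 2 = one of the files could not be parsed as PEM.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ]
}

# chain_verifies <cert> <bundle> <hostname>
# Builds the path cert -> intermediate(s) -> root from the bundle and also
# checks that the certificate is valid for <hostname> as a TLS server.
chain_verifies() {
    openssl verify -purpose sslserver -verify_hostname "$3" \
        -CAfile "$2" "$1" 2>&1
}

# preflight <cert> <key> <bundle> <hostname>
# Prints one line per failed check; status 0 only when all checks pass.
preflight() {
    rc=0
    key_matches_cert "$2" "$1" ||
        { echo "FAIL: $2 is not the private key of $1 (or a file is not PEM)"; rc=1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $1 has expired or is unreadable"; rc=1; }
    why=$(chain_verifies "$1" "$3" "$4") ||
        { echo "FAIL: chain or host name check:"; echo "$why" | sed 's/^/    /'; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1, $2 and $3 belong together"
    return "$rc"
}

# Script use: sh preflight.sh sannav.cer sannav.key bundleCertificate.pem <fqdn>
if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```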



Enable HTTPS protocol on Brocade switches

11/12/2019 | SAN | 11 Comments

This article will focus on implementing CA-signed certificates and enabling the HTTPS protocol on Brocade switches. I assume you already have a Certificate Authority implemented and you can sign certificate requests.

Required/used freeware

Putty: Used to connect to the switch.
Alex’s FTP Server: Used to upload and download files from or onto the switch.
OpenSSL: Used to convert and test certificate files.
Dos2Unix: Used to convert Windows-created files to Unix/Linux files.

Deprecated commands:
seccertUtil CLI will be deprecated. Use secCertMgmt for Certificate related operations.

The command seccertUtil is replaced by secCertMgmt.

It is highly recommended to back up your switch configuration before performing any changes. For tracing purposes, I have configured my Putty terminal to log every session. It will also flush the log file frequently.

Generating Certificate Signing Request (.csr) file

To list available certificates on the switch use the command:

seccertmgmt show -all

To create the .csr file in interactive mode type

seccertmgmt generate -csr https

Generate certificate signing request file on Brocade switch

Generate the file and export it locally. Then ask your CA to sign it.

The following command exports the .csr file in an interactive mode:

seccertmgmt export -csr https -protocol ftp

Export Certificate Signing Request (.csr) file using FTP

Preparing certificates for import

I signed the client’s certificate and got it in a .cer file. I also have the Root and Intermediate certificates in my possession.

Brocade switches require the root and intermediate certificates to be merged into one file. The merge order is also important: first the Root certificate, then the Intermediate. Work your way up the chain to the root certificate.

Before merging the certificates we will convert them to .pem files. To convert them from .cer to .pem file format use the following command

openssl x509 -in <certificate path & file name> -out <certificate path & file name>

Converting certificate .cer files to .pem file format

Combining Root and Intermediate certificate

To merge the certificates use the Windows copy command. The /B parameter prevents Windows from appending an ASCII end-of-file character (Ctrl-Z) to the file.

copy /B <file name path 1> + <file name path 2> <destination file name path>

Merging root and intermediate certificate files

Converting Windows files to Unix

Files created in Windows are sometimes read incorrectly in Unix/Linux, because Windows handles e.g. newlines and carriage returns in a different way.

In order to “clean” the certificates, we will use the tool dos2unix to convert them into Unix files.

dos2unix.exe <file name>

The file is rewritten and the output is saved under the same location.

Use dos2unix to convert Windows files to Unix-readable files
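
A structural check for the merged file before it is uploaded to the switch, as an added example that is not part of the original article. It reports the defects that copy /B and dos2unix are meant to prevent (a Ctrl-Z byte, CRLF line endings) and a marker that does not sit on its own line, which happens when a merged file had no final newline; the function names and the dummy sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.
# Structural lint for a merged PEM file; needs only POSIX sh, awk and tr.

# lint_pem_bundle <file>
# Prints one line per finding plus the certificate count.
# Exit status 0 = clean, 1 = at least one finding.
lint_pem_bundle() {
    LC_ALL=C awk '
        BEGIN { CTRLZ = sprintf("%c", 26) }
        {
            if (index($0, "\r"))  cr = 1        # Windows CRLF line ending
            if (index($0, CTRLZ)) ctrlz = 1     # EOF byte added by copy without /B
            line = $0
            gsub(CTRLZ, "", line)               # judge the markers without the debris
            sub(/[ \t\r]+$/, "", line)
        }
        line == "-----BEGIN CERTIFICATE-----" { if (inside)  bad = 1; inside = 1; n++; next }
        line == "-----END CERTIFICATE-----"   { if (!inside) bad = 1; inside = 0; next }
        line ~ /-----(BEGIN|END) CERTIFICATE-----/ { glued = 1 }   # marker shares a line
        END {
            if (cr)            { print "CRLF line endings: convert with dos2unix"; p++ }
            if (ctrlz)         { print "Ctrl-Z (0x1A) byte: merge with copy /B"; p++ }
            if (glued)         { print "marker not on its own line: a merged file lacked its final newline"; p++ }
            if (bad || inside) { print "BEGIN/END markers do not pair up"; p++ }
            if (n == 0)        { print "no certificate found"; p++ }
            print "certificates: " n + 0
            exit (p > 0)
        }' "$1"
}

# clean_pem_bundle <in> <out>
# What dos2unix does (drop carriage returns), plus dropping a stray Ctrl-Z.
clean_pem_bundle() {
    tr -d '\r\032' < "$1" > "$2"
}

# write_sample <file>
# Constructed two-certificate file as a Windows merge without /B would leave
# it. The base64 bodies are dummies, not real certificates.
write_sample() {
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQx' '-----END CERTIFICATE-----' \
                    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQy' '-----END CERTIFICATE-----' > "$1"
    printf '\032' >> "$1"
}

# Demo on the constructed sample: lint, clean, lint again.
demo=$(mktemp -d)
write_sample "$demo/chain_windows.pem"
lint_pem_bundle "$demo/chain_windows.pem" || echo "=> not ready for import"
clean_pem_bundle "$demo/chain_windows.pem" "$demo/chain_unix.pem"
lint_pem_bundle "$demo/chain_unix.pem" && echo "=> structure is clean"
rm -rf "$demo"
```

The lint only looks at structure; whether the certificates chain to each other is still the job of the openssl verify step.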

Testing certificates

Additionally, we can test the certificate chain and our client certificate using the following command.

openssl verify -verbose -purpose sslserver -CAfile <root certificate.pem> <switch certificate.pem>

Testing client certificate compatibility with the certificate authority chain

Importing certificates

First, we will import the root certificate using the command below.

seccertmgmt import -ca -server https

Importing CA chain certificate onto the switch

Finally, we can import the switch certificate file.

seccertmgmt import -cert https

Importing the client’s certificate onto the switch

We have enabled the switch to communicate over HTTPS protocol and HTTP requests are redirected to HTTPS.

I’ve noticed my Brocade Network Advisor claims that the switch is unreachable after installing the certificate. Finally, I got this resolved by performing a hareboot. The hareboot restarts the web linker daemon which is responsible for web communication.


Running a web-based app over unsecured protocols like HTTP might not only be unsafe but also unprofessional. Therefore, most enterprises opt for secure traffic over HTTPS. In this article, we will implement Service Processor SSL certificates signed by a CA. 3PAR StoreServ Service Processors run by default over the unsecured HTTP protocol. Installing an SSL certificate is something every administrator should consider.

A technical whitepaper of Best Practices for Implementing HPE 3PAR Service Processor can be found here.

Running SP version 5.5 or later? Then read our other blog post Installing SSL certificates on 3PAR Service Processor 5.x.

How to?

Creating a Certificate File Request

  1. Navigate to your Service Processor webpage https://<sp_name>
  2. Log in with your customer credentials
  3. On the left pane, click on Support > SP Certificate
  4. On this page, click on Generate CSR
  5. Enter your information, including certificate’s Common Name and SAN (Subject Alternate Names)

    Adding a SAN record is very important as recent web browsers still give errors when a certificate does not contain this information.
  6. Click on Generate CSR and return to the previous window.
  7. On the next step click on Export CSR
  8. After exporting the file, click on Download File and save it locally

Signing and importing the Service Processor SSL Certificates

At this point, we have created a request file which will be signed by our Certificate Authority. In large enterprises, certificate handling is done by a separate department. You could also give it a try yourself. Here is a good article about signing certificates with Microsoft CA.
Once you have signed your certificate, you will get a file with .cer as an extension.

  1. Navigate to your service processor’s webpage and select Import Certificate
  2. On the first step we’re going to load the Service Processor SSL certificates we have just signed in the previous step.
    (Bear in mind the sequence)
  3. Browse the certificate’s location and click on Load Certificate
  4. On the following screen, we are going to load the intermediate certificate of the CA or the Issuing Certificate.
  5. Finally, we will upload the Root Certificate. Browse the file and click on Import Certificate.
  6. Once the 3rd certificate (the certificate from the previous step) is imported, the Web Service of the Service Processor will restart.
  7. Make sure to close any active browser before navigating again to the service processor
  8. Next time you navigate to the array’s SP the SSL certificate should be valid.


Free SSL certificate for your website

05/03/2019 | WebDev | No Comments


Nothing is more annoying than browsing a website that indicates insecure content with a red sign on the address bar.

Imagine running a website that deals with sensitive data, be it personal records coming from a web form or anything else, where the connection is insecure. Your visitors wouldn’t be happy with that.

Today, most professional websites use SSL certificates. Even Google pushes towards secure URLs in its indexing mechanism. Some sources even claim that HTTPS links are crawled better by search engines.

In this article, we will go through some possibilities on how to get rid of the “red sign address bar”. Furthermore, implementing an SSL certificate on your website doesn’t need to be costly – it can even be free of charge 😉

What is SSL or an SSL Certificate?

SSL stands for Secure Sockets Layer and it is the standard security technology for establishing an encrypted link between a web server and a browser. This secure link ensures that visitors’ (= customers’) data remains private and encrypted during transmission.
An SSL Certificate is a digital certificate that proves to the host (the website’s visitor) that the corresponding web service has ownership of the domain. The issuance is done by the Certificate Authority (CA).

There are different Certificate Authority entities worldwide, with Comodo, Symantec, GlobalSign and DigiCert among the well-known ones. A W3Techs survey from May 2018 shows that IdenTrust, a cross-signer of Let’s Encrypt intermediates, has risen to be the most popular SSL certificate authority.

Let’s Encrypt and CloudFlare

Let’s Encrypt and CloudFlare are 2 SSL CA providers that I would like to draw attention to.

Let’s Encrypt is a non-profit certificate authority that provides X.509 certificates at no charge. The certificates issued by Let’s Encrypt remain valid for 90 days, and during that time they can also be renewed. The project’s goal is to make encrypted connections the standard for World Wide Web servers.

On the other hand, CloudFlare is a company that provides content delivery network services, DDoS attack protection, internet security and Domain Name Server services. I personally recommend using CloudFlare’s services for your website.


CloudFlare is my favourite free method to encrypt the traffic to my website. It is also easier and simple to configure.

All you need to do is create an account, verify domain ownership and replace your domain name servers with CloudFlare’s own nameservers.

Let’s Encrypt

Enabling and installing an SSL certificate on your website depends on the type of web hosting you have. If your website runs on a dedicated server and you have root permissions, you can easily request and install an SSL certificate from Let’s Encrypt – just read the manual.

In my case, I use Linux (shared) hosting from GoDaddy and my host runs on a Linux Cloud OS with limited root access rights.

Basically, if your hosting provider does not support Let’s Encrypt by default, you’ll have to use alternative ways to create the certificate request and have it approved by Let’s Encrypt.

Hosting providers that support Let’s Encrypt can be found here.

In order to create the Certificate Signing Request (CSR) we will use a free online tool called ZeroSSL.

  1. Navigate to ZeroSSL.com
  2. Click on Online Tools
  3. Click Start to start the FREE SSL Certificate Wizard
  4. Enter your domain name (include a record with and without www-prefix)
  5. Make sure to check the following boxes:
    – HTTP verification
    – Accept ZeroSSL TOS
    – Accept Let’s Encrypt SA (pdf)
  6. In my case, I only entered storcom.com without the www-prefix but the wizard asked if I wanted to add the prefix
  7. Hit Next to proceed
  8. At this point, we have received the CSR (Certificate Signing Request)
  9. Click Download or Save it manually in a text file
  10. Click Next to continue
  11. Once the Key Account is created, download it or save it manually
  12. At this point, we should have 2 separate files
    – The CSR file and
    – The Key Account file
  13. Next we will need to verify the domain ownership. Download 2 files below
  14. Navigate to your web hosting’s CPANEL and open the file manager
  15. In the root directory (e.g. public_html) create a folder .well-known and a subfolder acme-challenge. The directory structure should look like this:
  16. If the folder is not visible, go to Settings (top right corner) and check Show Hidden Files (dotfiles)
  17. Under the .well-known/acme-challenge upload the 2 files we downloaded from step 13
  18. Navigate back to the ZeroSSL web and click on the links

    If the links are resolved into text files you have uploaded, you should be OK to continue.
  19. Proceed by clicking Next and your certificate should be created and valid for 90 days.
  20. Below the page, download the Certificate file (CRT) and the Domain (Key) file
  21. Navigate to your hosting’s CPANEL and open TLS/SSL
  22. Click on Manage SSL sites
  23. Select your domain
  24. Copy the text from the Certificate (CRT) file and paste it into the Certificate: (CRT) text box

    Notice that the CRT file includes both: the certificate itself and the certificate bundle. Cut or remove the certificate bundle, and paste it below on the 3rd box Certificate Bundle.
  25. Copy and paste the Domain Key into the Private Key (KEY) text box
  26. Make sure the Certificate Authority Bundle (CABUNDLE) has been filled in and click Install Certificate
  27. Congrats! You have installed a free certificate on your website.

  28. Your website should indicate a valid SSL certificate.

Redirect HTTP to HTTPS

Finally, in order to use the installed certificate correctly, you will need to tell your webserver to always use HTTPS for incoming requests. 


  1. Go to your WP admin panel
  2. Navigate to Settings > General
  3. Modify the WordPress (URL) and Site Address (URL) to point to https


Another way to accomplish this is to tell your webserver to redirect all HTTP requests to HTTPS. This can easily be done by adding a few lines to the .htaccess file.

Redirect on Apache webserver

  1. Go to your hosting’s file manager
  2. On the root directory /public_html edit or create a file called .htaccess
  3. Append the following code at the end:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirect on Nginx webserver

  1. Go to your hosting’s file manager
  2. Look for nginx config-file
  3. Append the following code:
server {
    listen 80;
    server_name domain.com www.domain.com;
    return 301 https://domain.com$request_uri;
}
