Tag Archive : SSMC

/ SSMC

HPE SSMC Custom Certificates

12/12/2020 | Learning | No Comments

StoreServ Management Console

When installing SSMC by default it comes with a self-signed browser certificate. A self-signed certificate not only is unsecure, most of the browsers indicate a warning when using it. It is important to understand that there are 3 types of certificates which can be used on the SSMC appliances:

  • A browser SSL certificate
  • An array certificate and
  • 2FA certificate

In this article we will cover the steps to replace a self-signed certificate by a custom CA-signed SSL certificate. It is also highly recommended to perform a backup or take a snapshot/checkpoint of your StoreServ Management Console (SSMC) appliance before making any changes.

Creating the Keystore and the Certificate Signing Request

  1. Log in to your SSMC appliance as ssmcadmin and hit Esc-key to exit the TUI menu.
  2. First rename the keystore file where the certificate keys are stored. The file is found under /opt/hpe/ssmc/ssmcbase/etc
    mv keystore keystore.orig
  3. Then use the keytool to create a new public and private key pair in a new keystore file. Keytool is found under: /opt/hpe/ssmc/ssmcbase/fips/jre/bin/
    keytool -genkeypair -keystore keystore -alias jetty -keyalg RSA

    At the prompt, set a keystore password and make sure to write it down ;).

  4. Next, enter the certificate information gathered as part of the prerequisites. Make sure to complete it correctly. The output looks similar to the following:
    CN=<FQDN.com>, OU=<unit_name>, O=<company_name>, L=<city>, ST=<state>, C=<country>
    Verify that user entered the security information correctly. Enter Yes to continue or No to edit theinformation provided
  5. At the prompt, enter a new password for the keystore, or press Enter to use the existing keystore password.
  6. Generate a certificate signing request (CSR):
    keytool -certreq -keystore keystore -alias jetty -file <certificate.request.txt>
  7. Copy the file or the content of the file and have the CSR signed by your company Certificate Authority.

Installing the new SSMC Custom Certificate

  1. Copy the CA-signed SSL certificate to /opt/hpe/ssmc/ssmcbase/etc
  2. Examine the certificates to verify that the keytool utility can read them. This ensures that they have the correct format (PEM) before adding them to the keystore.
    keystore/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -printcert -v -file <filename>
  3. Accordingly copy the CA root certificate, the intermediate certificate (if it does exist), and the CA-signed machine certificate inside the keystore. Add all certificates to the same keystore in this order:
    1) The CA root certificate (alias is root and not jetty):

    /opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias root -keystore keystore -trustcacerts -file <RootCA.cer>

    2) Any intermediate certificates (same preceding command but without –alias):

    /opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -keystore keystore -trustcacerts -file <IntermediateCA.cer>

    3) The CA signed certificate (alias is jetty):

    opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias jetty -keystore keystore -trustcacerts -file <SignedByCA.cer>
  4. Update the jetty-ssl-context.xml in /opt/hpe/ssmc/ssmcbase/etc/ file with the passwords used by the new keystore
    – If you have changed the default password for the keystore, update theKeyStorePassword entry to reflect the new password (indicated as KeyStorePassword).
    If you have changed the password for the private key inside the keystore, update theKeyManagerPassword to reflect the new password (indicated as KeyManagerPassword)
  5. To obfuscate the password use the following command:
    /opt/hpe/ssmc/jre/bin/java -cp /opt/hpe/ssmc/jetty/lib/jetty-util-9.4.6.v20170531.jar org.eclipse.jetty.util.security.Password <password>
  6.  At this point you have completed the replacement of the new SSL certificate. All you need to do is restart the SSMC appliance to reflect the custom SSMC certificate.
  7. Call the TUI (user interface) by entering config_appliance
  8. Option 2 will reboot the SSMC appliance.
  9. Finally, navigate to your SSMC portal and the browser should reflect the new (CA-Signed) SSL Certificate.

 

Any suggestion or question? Leave a reply below, or feel free to contact us. Also make sure to subscribe to our mailing list to get the latest updates.

HPE recently released a new version of its management tool 3PAR arrays, called StoreServ Management Console 3.6. The latest version is visually not much different compared to previous versions but its engine to process data has been improved.

  • For an extended list of new features, the Release Notes document of SSMC 3.6 is available here.
  • The Administrator Guide for SSMC 3.6 can also be downloaded here.
  • Please note that when upgrading from 3.x to 3.6 the GUI Admin User is removed and instead the same userid is used as when logging into the SSMC appliance through CLI “ssmcadmin”.

Upgrading to StoreServ Management Console 3.6 is very simple and straight forward. All we need to do is download the executables, an upgrade .star file which is provided together with the SSMC package. In my case, I’m running SSMC version 3.4.1

  1. Navigate to HPE’s Software Depot and locate SSMC URL or click here.
  2. Log in with your HPE Passport and download the package.
  3. After extracting the downloaded package, take note of a file called HPESSMC-3.6.0.0.269-Appliance_Upgrade.star. This is the upgrade file we are going to use in the next steps.
  4. Navigate to your SSMC homepage and login with your SSMC administrator credentials (Don’t forget to select the Administrator Console below the login box).
  5. Once you’re logged in as an administrator, head over to the right side on the top and click on Actions then Upgrade.
  6. Browse and select the upgrade file we located in Step 3 and click Upload.
  7. Once the upload has finished, click on Yes, Upgrade to confirm.
  8. The upgrade will start and depending on your appliance’s configuration, it might take a while.
  9. At a certain point, you’ll lose the connection with the webserver and any CLI session.

     

  10. In my case, it took me 6 minutes for the webserver to come up. I am using the recommended VM configuration for the SSMC appliance.
  11. Once the SSMC is up and running, you will notice the new version.

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list to get the latest.