Category: Storage

Home / Category: Storage

HPE recently resealsed a new version of its management tool 3PAR arrays, called StoreServ Management Console version 3.6. The latest version is visually not much different compared to previous versions but its engine to process data has been improved.

  • For an extended list of new features, the Release Notes document of SSMC 3.6 is available here.
  • The Administrator Guide for SSMC 3.6 can also be downloaded here.

Upgrading SSMC to the latest version 3.6 is very simple and straight forward. All we need to do is download the executables, an upgrade .star file which is provided together with the SSMC package. In my case I’m running SSMC version 3.4.1

  1. Navigate to HPE’s Software Depot and locate SSMC url or click here.
  2. Log in with your HPE Passport and download the package.
  3. After extracting the downloaded package, take note of a file called HPESSMC-3.6.0.0.269-Appliance_Upgrade.star. This is the upgrade file we are going to use in the next steps.
  4. Navigate to your SSMC homepage and login with your SSMC administrator credentials (Don’t forget to select the Administrator Console below the login box).
  5. Once you’re logged in as administrator, head over to the right side on the top and click on Actions then Upgrade.
  6. Browse and select the upgrade file we located in Step 3 and click Upload.
  7. Once the upload has finished, click on Yes, Upgrade to confirm.
  8. The upgrade will start and depending on your appliance’s configuration, it might take a while.
  9. At a certain point you’ll loose the connection with the web server and any CLI session.

     

  10. In my case, it took me 6 minutes for the web server to come up. I am using the recommended VM configuration for the SSMC appliance.
  11. Once the SSMC is up and running, you will notice the new version.

Having a webbased app running over unsecured protocols like HTTP, might not only be unsafe but also unprofessional. Therefore, most of the enterprises opt for a secure traffic over HTTPS. 3PAR StoreServ Service Processors run by default over unsecured http protocol. Installing a SSL Certificate is something every administrator should consider.

A technical whitepaper of Best Practices for implementing HPE 3PAR Service Processor can be found here.

How to?

Creating a Certificate File Request

  1. Navigate to your Service Processor webpage https://<sp_name>
  2. Log in with you customer credentials
  3. On the left pane, click on Support > SP Certificate
  4. On this page, click on Generate CSR
  5. Enter your information, including certificat’s Common Name and SAN (Subject Alternate Names)

    Adding a SAN record is very important as recent web browsers still give errors when a certificate does not contain this information.
  6. Click on Generate CSR and return to previous window.
  7. On the next step click on Export CSR
  8. After exporting the file, click on Download File and save it locally

    Signing and importing the SSL Certificate

    At this point we have created a request file which will be signed by our Certificate Authority. In large enterprises certificate handling is done by a separate departement. You could also give a try by yourself. Here is a good article about signing certificates with Microsoft CA.
    Once you have signed your certificate, you will get a file with .cer as extension.

  1. Navigate to your service processor’s webpage and select Import Certificate
  2. On the first step we’re going to load the SP’s certificate we have just signed in the previous step.
    (Note the sequence)
  3. Browse the certificat’s location and click on Load Certificate
  4. On the following screen we are going to load the intermediate certificate of the CA or the Issuing Certificate.
  5. Finally, we will upload the Root Certificate. Browse the file and click on Import Certificate.
  6. Once the 3rd certificate (the certificate from the previous step) the Web Service of the Service Processor will restart.
  7. Make sure to close any active browser before navigating again to the service processor
  8. Next time you navigate to the array’s SP the SSL certificate should be valid.

 

For any questions, feel free to contact us.

HPE’s entry level MSA storage arrays are delivered with a self-signed certificate from HPE. A lot of storage administrators ignore the web warnings and leave the configuration untouched. However, in order to pass the security scans performed by companies installing a CA Certificate is a must.

A self-signed certificate is a certificate issued and signed by the same entity whose identity it certifies. In this case, the MSA arrays are issued with a self-signed certificate of Hewlett-Packard Enterprise (HPE).

Before we continue with the installation steps, take note of the following:

  • the installation can be done online without interruption of host IO’s but a restart of the management controllers is required at the final step.
  • To deal with certificates I use OpenSSL tool for Windows.
  • the FTP protocol is by default disabled on new MSA arrays. You might need to enable it using web interface, of using the following command:
show protocols
set protocols ftp enabled

If you are familiar with certificates, jump below to Commands Used

Request certificate

First of all, gather the needed information about your storage array, i.g. the Fully Qualified Domain Name (FQDN), your organization name etc and request your Certificate Authority owner to provide you with a certificate. Microsoft Windows CA will provide you with a .PFX file which is contains a variety of cryptographic information, including certificate(s), certificate chains, root authority and private keys.

Extract the (.pfx) certificate

In order to implement such a certificate in you MSA array, you will need to extract it in 2 separate files, one containing the certificate itself and the other containing the private keys.

  1. We will start by extracting the private keys first. Use the following command to extract the private key file:
    openssl pkcs12 -in <.pfx file path location> -nocerts -out <key-file-name.key>

    – Enter the Import Password, received by your CA Manager.
    – Choose a PEM pass phrase, or a password to secure your Private Key file

  2. The MSA array doesn’t accept protected Private Key files, use the following command to remove the pass phrase you created on step 1.
    openssl rsa -in <keyfile.key> -out <keyfile-decrypted.key>

    Now you have a supported private key file.

  3. Next step is to extract the certificate from the .PFX file. Use the following command to extract it:
    openssl pkcs12 -in <.pfx file path location> -clcerts -nokeys -out <certificate-file.crt>

    The newly create file is now called certificate-file.crt

Append Intermediate and Root certificate

In this step, you’ll need to edit the .crt certificate file you created in the previous step and add the intermediate and or the root certificate together. This is required by the array to communicate with the certificate chain implemented in your company.

The certificate file structure should look like this:

—–BEGIN CERTIFICATE—–
Array’s certificate (the content of the file you created during the previous step)
—–END CERTIFICATE—–

—–BEGIN CERTIFICATE—–
The intermediate certificate chain (If you company uses one)
—–END CERTIFICATE—–

—–BEGIN CERTIFICATE—–
The ROOT CA certificate
—–END CERTIFICATE—–

Once you have merged the certificates, use a distinctive name for your new file and save it.

Installation of the certificate

To install the certificate to your MSA array you’ll need to connect through FTP.

  1. Open an elevated command prompt and navigate to the directory where you certificate (.crt file) and private key file reside.
  2. Type FTP > Open
  3. Enter array’s IP address or DNS alias
  4. Upload the certificate using the following command
    put <certificate file name.crt> cert-file

  5. Next, upload the private key file using the following command
    put <key file.key> cert-key-file

  6. Finally, restart the management controller of your MSA and your browser should be reporting a valid SSL certificate.

Commands used

OpenSSL

Extract cerificate’s private key:

openssl pkcs12 -in <.pfx file path location> -nocerts -out <key-file-name.key>

Decrypt private key file

openssl rsa -in <keyfile.key> -out <keyfile-decrypted.key>

Extract certificate file

openssl pkcs12 -in <.pfx file path location> -clcerts -nokeys -out <certificate-file.crt>

FTP

Upload the certificate

put <certificate file name.crt> cert-file

Upload the certificate file

put <key file.key> cert-key-file

In this article we will cover the way to merge or promote a 3PAR StoreServ snapshot in to a base virtual volume. The execution of this procedure is done offline so this might bring downtime to your workloads. Before going into details, we assume you are already familiar with following technologies:

Definition snapshot: Snapshot is a common industry term denoting the ability to record the state of a storage device at any given moment and preserve that snapshot as a guide for restoring the storage device in the event that it fails. A snapshot primarily creates a point-in-time copy of the data.

Basically, what we’re going to do is restore a snapshot (taken at a certain time) into a virtual volume.

    1. Open 3PAR Management Console or SSMC and find the primary virtual volume.
    2. Expand the list and locate the desired snapshot that needs to be promoted

      – Volume and array names are obfuscated for privacy purposes.
      – Latest snapshot can be verified if you click on it and expand the Virtual Volume Details-tab.

 

  1. Take note of the snapshot that you’re going to promote to base volume
  2. Stop the corresponding RC Group
  3. Unexport Virtual Volume (Remove Virtual Volume from the Virtual Volume Set or unexport your VVOL if you’re not using Vvol Sets)
  4. Use CLI to promote the snapshot to base volume
    promotesv -rcp <snapshot name>

  5. You can check the status of the activity using following command
    showtask -d <task ID>
  6. Once the operation is completed, export the virtual volume to the host (or add the vvol to the Virtual Volume Set)
  7. Restart the RC Group
  8. You’re done!