Implementing CA Certificates on HPE Primera UI

HPE has released its latest storage array Primera. As announced, it is a storage solution that is ready-to-use in 10 minutes. In this article, we will go through the steps on how to implement the enterprise signed certificates on the Primera UI. Primera (and 3Par StoreServ) uses the unified-server service to establish and maintain communication. It uses the same certificate for CIM, CLI and WSAPI services.

Read the HPE Primera OS 4.0 Command Line Interface Reference Guide for the detailed information about Primera OS.

Certificate Signing Request for Primera UI

We will start by creating a certificate signing request which then accordingly will be signed by our CA authority.

1. Open Command Prompt and navigate to CLI directory. It should be under C:\Program Files (x86)\Hewlett-Packard\HP 3PAR CLI\bin
2. Launch CLI.exe and log in to your Primera / 3PAR array.
3. In this case, I start off from removing all existing certificates on the array. Type showcert to show the available certificates
4. Stop WSAPI service: stopwsapi
5. Use the following commands to remove all certificates. Repeat them until all certificate records have disappeared

   removecert
   
   removecert unified-server

6. Additionally, use the following command to create your certificate signing request file:

   createcert unified-server -csr -keysize 2048 -C BE -ST Belgium -L Brussels -O "STORCOM" -OU "IT" -CN primera.storcom.com -SAN DNS:primera,IP:192.168.100.1 primera.txt

   The file will be consequently saved on the same directory as where the CLI.exe resides in.

7. Finally copy this text file primera.txt and have it signed by your Certificate Authority.

Importing CA certificates

Next to the Primera UI certificate, your Certificate Authority will also provide you with the root and the intermediate certificate. You will need them in order for your array to recognize the valid chain. Place all your certificate files into the CLI.exe directory.

1. If you signed certificate is in any other format than .pem, use OpenSSL to convert it to .pem file format.

   openssl.exe x509 -in c:\temp\primera.storcom.com.cer -out c:\temp\primera.pem

2. In the first place, import the root certificate of the company

   importcert unified-server -ca RootCA_B64.pem

3. In addition, if you have received an intermediate certificate file, import it using the same command

   importcert unified-server -ca IssuingCA.pem

4. Finally, import the array’s certificate

   importcert unified-server primera.pem

5. Now if you run showcert command you will notice the new certificates populated.
6. Start WSAPI service and you’re good to go.

   startwsapi

Primera / Storeserv array certificates on SSMC

When your array’s certificates are altered, a new connection needs to be established on SSMC. If you navigate to your SSMC and try to accept the Primera UI certificate it might not succeed if your enterprise certificates (root and intermediate) are not imported.

1. Log in to your SSMC GUI as Administrator (ssmcadmin)
2. If you have already imported your root and intermediate certificate, you will notice a message “Acceptance certificate needed”.
3. Accept the array’s certificate and you’re good to go.
4. If your CA certificates are not imported, click on Actions and select Manage Certificates
5. Click on Add certificate and paste the plain text of your root certificate into this field. The certificate text should start BEGIN CERTIFICATE and end by END CERTIFICATE. Validate and click OK to continue.
6. Click on Add certificate and paste the plain text of you intermediate certificate into this field. The certificate text should start BEGIN CERTIFICATE and end by END CERTIFICATE. Validate and click OK to continue.
7. Now when you go back to the overview of arrays, you will notice that accepting the array’s certificate won’t be a matter anymore.

If you are using an older version of SSMC than 3.6, you can easily upgrade it by following the steps as explained on Upgrading StoreServ Management Console to 3.6

Any suggestion or question? Leave a reply below, or contact us. Make sure to also subscribe to our mailing list. No spam. Promised!