HPE’s entry-level MSA storage arrays are delivered with a self-signed certificate from HPE. A lot of storage administrators ignore the browser warnings and leave the configuration untouched. However, to pass the security scans that companies perform, installing a CA-signed certificate is a must.

A self-signed certificate is a certificate issued and signed by the same entity whose identity it certifies. In this case, the MSA arrays are issued with a self-signed certificate of Hewlett-Packard Enterprise (HPE).

Before we continue with the installation steps, take note of the following:

  • The installation can be done online without interrupting host I/O, but a restart of the management controllers is required at the final step.
  • To deal with certificates I use the OpenSSL tool for Windows.
  • The FTP protocol is disabled by default on new MSA arrays. You might need to enable it using the web interface, or using the following commands:
    show protocols
    set protocols ftp enabled

If you are familiar with certificates, jump ahead to Commands used below.

Request certificate

First of all, gather the needed information about your storage array, e.g. the Fully Qualified Domain Name (FQDN), your organization name, etc., and ask your Certificate Authority owner to provide you with a certificate. A Microsoft Windows CA will provide you with a .PFX file, which contains a variety of cryptographic information, including certificate(s), certificate chains, the root authority and private keys.

Extract the (.pfx) certificate

To install such a certificate on your MSA array, you will need to extract it into 2 separate files, one containing the certificate itself and the other containing the private key.

  1. We will start by extracting the private keys first. Use the following command to extract the private key file:
    openssl pkcs12 -in <.pfx file path location> -nocerts -out <key-file-name.key>

    – Enter the Import Password you received from your CA manager.
    – Choose a PEM pass phrase, i.e. a password to secure your private key file.

  2. The MSA array doesn’t accept protected private key files. Use the following command to remove the pass phrase you created in step 1:
    openssl rsa -in <keyfile.key> -out <keyfile-decrypted.key>

    Now you have a supported private key file.

  3. The next step is to extract the certificate from the .PFX file. Use the following command to extract it:
    openssl pkcs12 -in <.pfx file path location> -clcerts -nokeys -out <certificate-file.crt>

    The newly created file is now called certificate-file.crt.

Append Intermediate and Root certificate

In this step, you’ll need to edit the .crt certificate file you created in the previous step and append the intermediate and/or root certificate to it. The array requires this to work with the certificate chain implemented in your company.

The certificate file structure should look like this:

-----BEGIN CERTIFICATE-----
Array’s certificate (the content of the file you created during the previous step)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
The intermediate certificate chain (if your company uses one)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
The ROOT CA certificate
-----END CERTIFICATE-----

Once you have merged the certificates, use a distinctive name for your new file and save it.
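
A pre-upload check for the two files produced so far, as an added example (not part of the original post and not HPE tooling): it confirms that the key file is no longer pass-phrase protected and that the merged .crt lists the array certificate, any intermediate(s) and the root in that order. It compares issuer and subject names only; it does not verify signatures or that the key belongs to the certificate. The script name preflight.py and all function names are this example's own.

```python
import base64, re, sys

def pem_blocks(text):
    """Return [(label, body)]; text outside blocks (e.g. 'Bag Attributes') is ignored."""
    return re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", text, re.S)

def key_problems(key_text):
    """Key file checks; encryption shows in the PKCS#8 label or a Proc-Type header."""
    blocks = pem_blocks(key_text)
    if len(blocks) != 1 or not blocks[0][0].endswith("PRIVATE KEY"):
        return ["expected exactly one private key block"]
    label, body = blocks[0]
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
        return ["private key is still pass-phrase protected"]
    return []

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, pos, pos + n

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    p = tlv(der, tlv(der, 0)[1])[1]  # step into Certificate, then tbsCertificate
    fields = []
    while len(fields) < 5:  # serial, signature algorithm, issuer, validity, subject
        tag, _, end = tlv(der, p)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(der[p:end])
        p = end
    return fields[2], fields[4]

def chain_problems(bundle_text):
    """Check the order array cert -> intermediate(s) -> root by name chaining."""
    blocks = pem_blocks(bundle_text)
    if not blocks or any(label != "CERTIFICATE" for label, _ in blocks):
        return ["bundle must contain certificates only (no keys)"]
    names = [issuer_subject(base64.b64decode(body)) for _, body in blocks]
    problems = [f"certificate {i + 1} is not issued by certificate {i + 2}"
                for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not a self-signed root")
    return problems

if __name__ == "__main__":  # usage: python preflight.py <chain.crt> <decrypted.key>
    chain, key = (open(p).read() for p in sys.argv[1:3])
    sys.exit("\n".join(chain_problems(chain) + key_problems(key)) or 0)
```

The script prints nothing and exits with status 0 when both files pass; otherwise it prints one line per problem and exits non-zero.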

Installation of the certificate

To install the certificate to your MSA array you’ll need to connect through FTP.

  1. Open an elevated command prompt and navigate to the directory where your certificate (.crt file) and private key file reside.
  2. Type FTP > Open
  3. Enter the array’s IP address or DNS alias
  4. Upload the certificate using the following command:
    put <certificate file name.crt> cert-file

  5. Next, upload the private key file using the following command:
    put <key file.key> cert-key-file

  6. Finally, restart the management controller of your MSA; your browser should then report a valid SSL certificate.

Commands used

OpenSSL

Extract the certificate’s private key:

openssl pkcs12 -in <.pfx file path location> -nocerts -out <key-file-name.key>

Decrypt private key file

openssl rsa -in <keyfile.key> -out <keyfile-decrypted.key>

Extract certificate file

openssl pkcs12 -in <.pfx file path location> -clcerts -nokeys -out <certificate-file.crt>

FTP

Upload the certificate

put <certificate file name.crt> cert-file

Upload the private key file

put <key file.key> cert-key-file