HPE Storage Users Group

A Storage Administrator Community




 Post subject: Re-issue Self Signed Cert Quick Question
PostPosted: Tue Apr 24, 2018 10:13 am 

Joined: Thu Nov 30, 2017 11:20 am
Posts: 70
Location: WI
Good afternoon all. A month or so back someone here needed to reissue a self-signed cert on the 3PAR. I was curious and checked mine, and 2 of the 3 units we have need this done by June. I am set to do it but want to make sure it won't hose anything. We currently use Remote copy and I want to be totally sure redoing the cert won't mess with the existing relationships.

Can anyone who has ever done this confirm there are no issues one would run into by reissuing the cert?


Here is what I will use for the work:

Get the common name of the certs:
-showcert

For each expired cert renew them (example is for renewing the unified-server):
-createcert unified-server -selfsigned -CN "<CERT CN>"

Thanks.


 Post subject: Re: Re-issue Self Signed Cert Quick Question
PostPosted: Tue Apr 24, 2018 10:41 am 

Joined: Wed Nov 09, 2011 12:01 pm
Posts: 392
Did one this week, the only issue I had was with SSMC, didn't seem to see the new cert until I rebooted the SSMC server (probably a service restart would also work) and then had to accept the new cert in the SSMC admin console (had this with both 3.1 and 3.3).

SSH via putty and Service Processor connections didn't seem to care about either expired cert or new one. That's the only other IP things talking to it, we use RCFC.

I just used;

createcert unified-server -selfsigned

It picked up the same common name as was shown in showcert and asked to confirm I think.


 Post subject: Re: Re-issue Self Signed Cert Quick Question
PostPosted: Tue Apr 24, 2018 12:41 pm 

Joined: Thu Nov 30, 2017 11:20 am
Posts: 70
Location: WI
ailean wrote:
Did one this week, the only issue I had was with SSMC, didn't seem to see the new cert until I rebooted the SSMC server (probably a service restart would also work) and then had to accept the new cert in the SSMC admin console (had this with both 3.1 and 3.3).

SSH via putty and Service Processor connections didn't seem to care about either expired cert or new one. That's the only other IP things talking to it, we use RCFC.

I just used;

createcert unified-server -selfsigned

It picked up the same common name as was shown in showcert and asked to confirm I think.


Awesome. Thanks for the information. That will be helpful.


 Post subject: Re: Re-issue Self Signed Cert Quick Question
PostPosted: Tue Apr 24, 2018 1:28 pm 

Joined: Mon Sep 21, 2015 2:11 pm
Posts: 1570
Location: Europe
It's been a while since I did it, but I think you also could just login to the admin console of SSMC and do "reconnect" or something.

_________________
The views and opinions expressed are my own and do not necessarily reflect those of my current or previous employers.


 Post subject: Re: Re-issue Self Signed Cert Quick Question
PostPosted: Wed Apr 25, 2018 6:04 am 

Joined: Wed Nov 09, 2011 12:01 pm
Posts: 392
MammaGutt wrote:
It's been a while since I did it, but I think you also could just login to the admin console of SSMC and do "reconnect" or something.

You can if it's just disconnected but if it thinks the cert is expired you have to accept the cert before it'll try connection. It won't allow you to accept an expired cert and after several attempts to make it refresh the cert check on two SSMC servers I gave up and just rebooted one (had actual work to do, darn it :) ).

Only other option I think I could have done from the admin console would be to remove the array and add it again, presumably it would then check the cert.

3.3 I think also had a cert manager option, I did try going into that and removing the expired cert (in the hope that it would then check the array again) but that didn't help.

Annoyingly, SSMC being the only thing that took offence at the cert being expired, there doesn't appear to be any server health dashboard warnings regarding upcoming cert expiries. :roll:


 Post subject: Re: Re-issue Self Signed Cert Quick Question
PostPosted: Wed Apr 25, 2018 10:57 am 

Joined: Thu Nov 30, 2017 11:20 am
Posts: 70
Location: WI
Thanks for all the info everyone. I went ahead and refreshed these this morning. Easy as can be.


 Post subject: Re: Re-issue Self Signed Cert Quick Question
PostPosted: Tue Sep 24, 2019 9:18 am 

Joined: Tue Sep 24, 2019 8:26 am
Posts: 1
I read this forum, which helped me out of a hard spot, and I wanted to give back a little. The self-signed cert expired, locking me out of the SSMC 3.2.

Below is my experience creating a self-signed cert for a 3PAR SS 8400. I didn't assign a common name with -CN but went back later and changed it to the proper name we used before.

-CN is case sensitive and no <> around the name needed

cli% createcert unified-server -selfsigned -CN name_without_spaces

After I changed it I had to go to the SSMC 3.2 Administrator console to remove and re-add the system so I could access the SSMC again.


NAME-3PRp cli% createcert unified-server -selfsigned
No host name was specfied with -CN; Is the hostname hostname.domain.net correct? y
Please type "yes" or "no": yes
The following services will be restarted if currently running:
cim: manages communications with SMI-S clients

wsapi: Web Services API server

Continue creating self-signed certificate (yes/no)? yes
Self-signed certificate created.
cimserver restarted
The Web Services API server stopped successfully.

The Web Services API Server will start shortly.

NAME-3PRp cli% showcert
Service         Commonname          Type Enddate                  Fingerprint
unified-server* hostname.domain.net cert Sep 22 20:09:45 2022 GMT 789678967896789679
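
Added example, not part of the original posts: the thread notes that nothing warns about upcoming cert expiries, so this Python script parses saved `showcert` output in the column layout shown above and lists certificates that are expired or inside a warning window. The array names, the first two sample rows, the 60-day window and the idea of collecting the output to text per array are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Columns: Service, Commonname, Type, Enddate ("Sep 22 20:09:45 2022 GMT"), Fingerprint
ROW = re.compile(
    r"^(?P<service>\S+)\s+(?P<cn>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+(?P<year>\d{4})\s+GMT\s+"
    r"(?P<fp>\S+)\s*$")

def parse_showcert(text):
    """Return one dict per certificate row; header and prompt lines are skipped."""
    certs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m["mon"] not in MONTHS:
            continue
        end = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                       int(m["h"]), int(m["m"]), int(m["s"]), tzinfo=timezone.utc)
        certs.append({"service": m["service"], "cn": m["cn"],
                      "type": m["type"], "enddate": end, "fingerprint": m["fp"]})
    return certs

def classify(cert, now, warn_days=60):
    # EXPIRED once Enddate has passed, WARN inside the window, otherwise OK.
    days_left = (cert["enddate"] - now).days
    if cert["enddate"] <= now:
        return "EXPIRED", days_left
    return ("WARN" if days_left < warn_days else "OK"), days_left

def report(outputs, now, warn_days=60):
    """outputs maps array name -> showcert text; returns rows needing action, soonest first."""
    rows = []
    for array, text in outputs.items():
        for cert in parse_showcert(text):
            status, days = classify(cert, now, warn_days)
            if status != "OK":
                rows.append((days, array, cert["service"], cert["cn"], status))
    return sorted(rows)

# Constructed sample: array-a and array-b rows are invented; array-c is the row from the post.
HEADER = "Service Commonname Type Enddate Fingerprint\n"
SAMPLE = {
    "array-a": HEADER + "unified-server* a.example.net cert Jun  3 10:00:00 2018 GMT 0000aaaa\n",
    "array-b": HEADER + "unified-server* b.example.net cert Apr 20 08:30:00 2018 GMT 0000bbbb\n",
    "array-c": HEADER + "unified-server* hostname.domain.net cert Sep 22 20:09:45 2022 GMT 789678967896789679\n",
}
```

Calling `report(SAMPLE, datetime.now(timezone.utc))` from a scheduled job gives the rows to act on before SSMC starts rejecting the array's certificate.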


 Post subject: Re: Re-issue Self Signed Cert Quick Question
PostPosted: Sun Jan 12, 2020 7:35 am 

Joined: Wed Sep 03, 2014 7:58 am
Posts: 9
If anybody is considering implementing CA-signed certificates on 3PAR / Primera, I've created a step-by-step procedure: https://storcom.com/implementing-ca-cer ... imera-gui/
The unified-server certificate establishes a common connection among cli, wsapi and cim.

