HP 3PAR StoreServ Management Console SSMC–SSL Certificate Replacement

HP have released the latest version of the 3PAR StoreServ Management Console, or SSMC for short. It is the web-based version of the classic 3PAR Management Console application.

Having deployed the latest version I needed to replace the default self-signed SSL certificate with one from my certificate authority (CA).

This wasn’t immediately easy as HP don’t provide a GUI to do this through SSMC; it has to be done by manipulating Java Keystore files. Finding the Keystore files was easy, as was discovering the XML file which provides the path to the Keystore and its password. The difficult part was that the XML file entry for the password has been obfuscated, so I either had to find a way to reverse this or get round it.

The simplest solution was to just create my own Keystore file and password then update the files and XML entries.

Note – this work was carried out on a Microsoft Windows platform. SSMC can be deployed on a Linux box and, should I receive sufficient requests, I will create a guide for deploying to Linux platforms.

Step 1 – Create Certificate and Private Key

First we need to create the necessary certificate files; for this we will use OpenSSL.

Private Key Creation

  • Open a Command prompt (Run as Administrator may be required to write the file depending on your system)
  • If you have not added OpenSSL to your PATH, browse to its \bin directory
  • Run the command below
    • openssl.exe genrsa 2048 > ssmc.key
  • This will create a new private key using RSA with a key size of 2048 bits and output the data to a file called ssmc.key
c:\OpenSSL\bin>openssl.exe genrsa 2048 > ssmc.key
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
....................................................+++
....................................................................................................
.................................+++
e is 65537 (0x10001)

Certificate Configuration File

Next we need to create a configuration file to feed into OpenSSL to generate a certificate signing request or CSR.

I have created a sample file below which you can amend to suit your needs. Copy the data into a text file and then modify the ‘alt_names’ and the ‘req_distinguished_name’ details. Save the file with a .cfg extension –

[ CA_default ]
default_md = sha256

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = BSA-3PARSSMC
DNS.2 = BSA-3PARSSMC.bytesizedalex.com
DNS.3 = 3PARSSMC
DNS.4 = 3PARSSMC.bytesizedalex.com
IP.1 = 192.168.1.1

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = London
localityName = London
0.organizationName = ByteSizedAlex
organizationalUnitName = BSA-3PARSSMC
commonName = BSA-3PARSSMC.bytesizedalex.com
emailAddress = [email protected]

Once you have created the file it’s time to create our CSR which we will then feed through the CA.

Certificate Signing Request Creation

Now that we have a private key and a configuration file it’s time to generate the CSR. To do this we will again use OpenSSL.

  • Open a Command prompt (Run as Administrator may be required to write the file depending on your system)
  • If you have not added OpenSSL to your PATH, browse to its \bin directory
  • Run the command below amending the file paths
    • openssl.exe req -out ssmc.csr -key C:\pathToFile\ssmc.key -new -config C:\pathToFile\3parssmc.cfg
  • Example –
c:\OpenSSL\bin>openssl.exe req -out ssmc.csr -key C:\OpenSSl\bin\ssmc.key -new -config C:\OpenSSL\bin\Tmp\lct-3parssmc.cfg

You should now have 3 files in total –

  • Private Key file
  • Configuration File
  • Certificate Signing Request (CSR) file

Upload CSR To CA

Now it is time for us to ‘mint’ the certificate with our CA.

  • Open a Command prompt (Run as Administrator may be required to write the file depending on your system)
  • Run the command
    • Certreq
  • A new window will appear, browse to and select your configuration file (the .cfg)

Select Config File

  • Select your CA

Select Certificate Authority

Note – your experience here may differ depending on your environment

Assuming all goes well you should now be prompted to save the newly created file. Save it with an appropriate name and a .crt extension (this is to aid identification in the step below).

Create PEM File

The last task we have is to create a .pem file. This is basically a text file which contains the private key and the certificate (public key) data. The simplest way to achieve this is to open both the .key file and the newly saved .crt file in a text editor, then copy and paste the data as per below –

-----BEGIN RSA PRIVATE KEY-----
ABCDEFG.............==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
ABCDEFG..........==
-----END CERTIFICATE-----

It is important to make sure there are no gaps between the ‘END’ and ‘BEGIN’ statements. Save this new file with a .pem extension.
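Pasting the two files together by hand is exactly where the ‘no gaps’ rule gets broken. The script below is an added example (not from the original post, and not an HP or Portecle tool) that builds ssmc.pem from the .key and .crt files: it strips blank lines and stray whitespace, checks that each block’s Base64 actually decodes, and writes the key block immediately followed by the certificate block. It assumes an unencrypted key as produced by genrsa above and a Base64 (not DER) .crt; the file paths are placeholders.

```python
# Added example: build ssmc.pem from ssmc.key + ssmc.crt with validation.
# Not part of the original post; paths below are placeholders.
import base64
import re
from pathlib import Path

# One PEM block: header, body, matching footer (CRLF or LF line endings).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def extract_block(text: str, label: str) -> str:
    """Return the single block with this label, rewritten with LF line endings,
    64-column Base64 and no blank lines inside or after it."""
    bodies = [body for lbl, body in PEM_BLOCK.findall(text) if lbl == label]
    if len(bodies) != 1:
        raise ValueError(f"expected exactly one {label} block, found {len(bodies)}")
    body = "".join(bodies[0].split())          # drop all whitespace and blank lines
    base64.b64decode(body, validate=True)      # binascii.Error if the paste is corrupt
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


def build_pem(key_text: str, crt_text: str) -> str:
    """Key first, certificate second, END and BEGIN on adjacent lines."""
    # genrsa writes the traditional 'RSA PRIVATE KEY' header; newer OpenSSL
    # builds may write PKCS#8 'PRIVATE KEY' instead, so accept either.
    key_label = "RSA PRIVATE KEY" if "BEGIN RSA PRIVATE KEY" in key_text else "PRIVATE KEY"
    return extract_block(key_text, key_label) + extract_block(crt_text, "CERTIFICATE")


def write_pem(key_path: str, crt_path: str, out_path: str) -> str:
    """Read the two input files, write the combined .pem, return its text."""
    pem = build_pem(Path(key_path).read_text(), Path(crt_path).read_text())
    Path(out_path).write_text(pem)
    return pem


# Constructed inputs for a stand-alone run: a key saved with a blank line
# before END, and a certificate saved by Windows with CRLF line endings.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGRw==\n\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\r\nSEVMTE8=\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    print(build_pem(SAMPLE_KEY, SAMPLE_CRT), end="")
    # Real use (placeholder paths):
    # write_pem(r"C:\OpenSSL\bin\ssmc.key", r"C:\OpenSSL\bin\ssmc.crt", r"C:\OpenSSL\bin\ssmc.pem")
```

The resulting .pem carries the private key in clear, just like ssmc.key, so treat both files the same way once Portecle has imported the key pair.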

We now have all the files we need to move onto the next step.

Create new Java Keystore File

Now it’s time to create our own Java Keystore file which will then be configured with our certificates. It is possible and no doubt usual to do this via the command line but to be honest I far prefer using a great utility called Portecle which provides a nice GUI.

For more information on Portecle see the official site – http://portecle.sourceforge.net/

I am going to assume you are also using Portecle, if you wish to create and update the Keystore file via the command line then Google is your friend (at least till I decide to do an article on it).

  • Open Portecle

Portecle

  • Click ‘File’ and select the ‘New Keystore’ option

Portecle

  • Select a Keystore type of ‘JKS’

Portecle Java Keystore

This will create a new Keystore object which we can start working with.

We need to make sure that all root and subordinate certificates from our CA setup are imported to ensure a chain of trust exists.

  • Click ‘Tools’ and select the ‘Import Trusted Certificate’ option

Portecle Import Trusted Certificate

Make sure you have copies of your CA certs, in my case I have a root CA and one subordinate.

  • Import the ROOT CA first

Portecle Import Trusted Certificate

  • An alert will be presented, click ‘OK’
    • The Keystore is currently empty so there is no chain of trust for this certificate

Portecle Import Trusted Certificate Warning

  • You can review the certificate details to make sure they are correct then click ‘OK’

Portecle Import Trusted Certificate Details

  • Click ‘Yes’ to trust the certificate

Portecle Import Trusted Certificate Confirmation

  • Enter a name for the new certificate – make it meaningful

Portecle Import Trusted Certificate Alias

  • You should be presented with a confirmation of success

Portecle Import Trusted Certificate Success

  • Now complete the same steps to import any subordinate CA certificates

Portecle Import Subordinate Certificate

You should notice as you import your subordinate CA certificates that you are not prompted with warnings for trusting them. This assumes they are all child CAs of the root we imported first; Portecle recognises this fact and, as we chose to trust the root, anything it signed will also be trusted.

Once you have imported your root CA and subordinate CA certificates it’s time to move on to importing the server’s key pair. Remember we are using an asymmetric form of cryptography, so we have a public and a private key to import: the private key being the .key file we created above and the public key being the certificate file we saved from our CA.

  • Click ‘Tools’ and select the ‘Import Key Pair’ option

Portecle Import Key Pair

  • Browse to the location where you saved the .pem file and select it

Portecle Import Key Pair

  • Click ‘OK’

Portecle Import Key Pair

  • You can review the key pair details by clicking on ‘Certificate Details’

Portecle Import Key Pair

  • Give the Key Pair an alias name

Portecle Import Key Pair Alias

  • You will be prompted to create a password for the Key Pair – make a note of this password as we will use it again in a few steps

Portecle Import Key Pair Password

  • Click ‘OK’

Portecle Import Key Pair Confirmation

Now we need to save our newly created Keystore file.

  • Click ‘File’ and select the ‘Save Keystore’ option

Portecle Save Keystore

  • Portecle will prompt for a Keystore password – I would suggest using the same password as above for simplicity however you should use your own judgement

Portecle Save Keystore Password

  • Choose a location to save the Keystore

Portecle Save Keystore

That’s it for the Keystore creation work, now we can move on to actually replacing the Keystore on our SSMC server.

Replace SSMC Keystore File

It has taken a bit of work, but we are at the final stage.

  • Stop the HP 3PAR StoreServ Management Console Server Service
  • Navigate to
    • C:\Program Files\Hewlett-Packard\SSMC\ssmcbase\etc
  • Rename the following files – we want to keep them in case something goes wrong and we need to revert
    • jetty-ssl.xml
    • keystore
  • Make a copy of the renamed jetty-ssl.xml and make sure the copy has the original name – we will edit this file
  • Copy the newly created Keystore file to this directory and make sure you name it keystore (no extension)

Keystore location

  • We need to edit the jetty-ssl.xml file, first let me show you what it looks like

Edit jetty.xml

Pretty straightforward – the 3 sections that I have blanked out are the passwords for the Keystore. We are going to replace these entries with our own.

Note – You can either enter your password in cleartext here, e.g. “myPassword”, or you can do something more secure like obfuscating it. I would suggest the latter but again use your own judgement.

Obfuscate Password

If you want to obfuscate the password –

  • Open a Command prompt (Run as Administrator may be required to write the file depending on your system)
  • Change directory to C:\Program Files\Hewlett-Packard\SSMC\jetty\lib
  • Run the command below
    • "C:\Program Files\Hewlett-Packard\SSMC\jre\bin\java.exe" -cp jetty-util-9.2.1.v20140609.jar org.eclipse.jetty.util.security.Password myPassword
  • Example –
C:\Program Files\Hewlett-Packard\SSMC\jetty\lib>"C:\Program Files\Hewlett-Packard\SSMC\jre\bin\java.exe" -cp jetty-util-9.2.1.v20140609.jar org.eclipse.jetty.util.security.Password myPassword
2015-05-06 17:27:46.487:INFO::main: Logging initialized @179ms
myPassword
OBF:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm
MD5:deb1536f480475f7d593219aa1afd74c

The important section is the ‘OBF:…’ line – this is our obfuscated password.
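The OBF: string is worth understanding before relying on it. Below is an added example (not from the original post, and not HP’s or Jetty’s code) that ports Jetty’s obfuscation algorithm to Python, reproduces the exact value the java.exe command printed for myPassword, and reads the password entries back out of a jetty-ssl.xml fragment. The scheme is reversible by design (Jetty’s own Password class decodes it when the file is loaded), so it only stops someone reading the value over your shoulder; the file permissions on the etc directory are what actually protect the keystore password. The XML fragment is constructed here and the function names are my own.

```python
# Added example: Python port of Jetty's reversible OBF: password scheme
# (org.eclipse.jetty.util.security.Password). Not HP or Jetty code.
import re

OBF_PREFIX = "OBF:"
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    s = ""
    while n:
        n, r = divmod(n, 36)
        s = _DIGITS[r] + s
    return s or "0"


def obfuscate(password: str) -> str:
    """Jetty's algorithm: byte i is paired with its mirror byte from the end of
    the string; (127+b1+b2, 127+b1-b2) are packed into one int and written as a
    zero-padded 4-character base-36 group. Restricted to ASCII in this port."""
    if not password.isascii():
        raise ValueError("this port handles ASCII passwords only")
    b = password.encode("ascii")
    groups = []
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]
        i1, i2 = 127 + b1 + b2, 127 + b1 - b2
        groups.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return OBF_PREFIX + "".join(groups)


def deobfuscate(obf: str) -> str:
    """Inverse: i1 + i2 == 254 + 2*b1, so b1 == (i1 + i2 - 254) / 2."""
    if obf.startswith(OBF_PREFIX):
        obf = obf[len(OBF_PREFIX):]
    if len(obf) % 4:
        raise ValueError("OBF: payload length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(obf), 4):
        i1, i2 = divmod(int(obf[i:i + 4], 36), 256)
        out.append((i1 + i2 - 254) // 2)
    return out.decode("ascii")


# Matches the password <Set> entries in jetty-ssl.xml, whatever value they hold.
_PASSWORD_SET = re.compile(
    r'<Set name="(\w+Password)">\s*<Property name="[^"]+" default="([^"]*)"')


def passwords_from_jetty_ssl_xml(xml_text: str) -> dict:
    """{SetName: cleartext}: OBF: values are decoded, cleartext passes through."""
    return {name: deobfuscate(v) if v.startswith(OBF_PREFIX) else v
            for name, v in _PASSWORD_SET.findall(xml_text)}


# Constructed fragment reusing the OBF: value the post's java.exe run printed.
SAMPLE_JETTY_SSL_XML = """
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm"/></Set>
<Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="cleartextExample"/></Set>
"""

if __name__ == "__main__":
    print(obfuscate("myPassword"))   # matches the OBF: line in the transcript above
    print(passwords_from_jetty_ssl_xml(SAMPLE_JETTY_SSL_XML))
```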

Update Jetty-ssl.xml File

Update the jetty-ssl.xml file with the new password, example below.

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<!-- ============================================================= -->
<!-- Configure a TLS (SSL) Context Factory                         -->
<!-- This configuration must be used in conjunction with jetty.xml -->
<!-- and either jetty-https.xml or jetty-spdy.xml (but not both)   -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/keystore"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>
</Configure>

  • Save the jetty-ssl.xml file
  • You should have a directory that looks something like this

Folder Layout

Finally start the HP 3PAR StoreServ Management Console Server Service – give it a moment after the service has started; if you try to load the web page too quickly you may find you get a ‘Page can’t be found’ error.

Assuming all has gone to plan you shouldn’t get any certificate alerts. For example, my page now shows an Extended Validation (EV) banner (the green URL bar), demonstrating that my system trusts the certificate.

Success - HTTPS

Hopefully I’ve covered everything in sufficient detail however if anything is missing or you want to check something please drop a comment below and I’ll do my best to assist.

28 thoughts on “HP 3PAR StoreServ Management Console SSMC–SSL Certificate Replacement”

  1. Do you mind if I quote a few of your articles as long as I provide credit and sources back to your webpage?

    My website is in the very same niche as yours and my users would certainly benefit from a lot of
    the information you provide here. Please let me know if this okay with you.
    Cheers!

    • Hello ‘google advertising professional’ :)

      I am happy for people to reference my material as long as due credit is provided and links to the source material.

      Regards

      Alex Bytes

  2. Appreciating the time and energy you put into your blog and in depth information you present.
    It’s awesome to come across a blog every once in a while that isn’t
    the same outdated rehashed information. Great read!

    I’ve bookmarked your site and I’m adding your RSS feeds to my Google account.

  3. Found your post on the HP forums. I keep running into an error with the cert request from my CA. It’s claiming that the request contains no certificate template information (0x80094801). Most posts on the interweb indicate that it’s due to a permissioning issue on the server template on my CA, but I’ve filled numerous cert requests from other systems just fine (NetScaler, etc). I did a direct copy and paste and updated the 2 subsections as indicated from your info above. Could there be a spacing issue with the CFG file when copying and pasting from the webpage?

    • Hi there Khue,

      First off sorry for the slow reply I was hospitalised so I’ve been away quite some time. I would say that is entirely possible, you may have some formatting that isn’t showing up – have you tried in Notepad++ to see if there are any hidden special characters?

  4. I figured it out. My template submission process was fubared. The proper syntax for my certificate request should have been:

    > certreq -attrib "CertificateTemplate:" -submit jetty.csr

    I wasn’t passing the certificate template type in the request and the CA was unsure which template to use when issuing. Everything is all good now. Great write up and I’ve actually modified this process for a few other Jetty servers we have running here.

    • That’s great news – I’ve seen that before where somebody was submitting but not defining a template and of course if you don’t use the Microsoft MMC to create your CSR you need to let the CA know what template you need. Face palm for myself as I should have queried that but learning these things ourselves tends to make them stick in memory better.

      Thanks for the comments, I prefer this to the CLI method and I hadn’t seen anyone else talk about it. If you have any suggestions or improvements I’d love to hear them.

      Alex Bytes

      • Thanks Alex

        I found that it’s Jetty-based so shouldn’t be too complex for me or you to fathom given the time.

        Also worth doing, there doesn’t appear to be another source on Google that ranks high enough to quickly show you how.

        Neil

    • Thanks for the feedback Andras – really appreciated and definitely something I will consider with future deployments. If you have any other knowledge to share I’m sure everyone would love to hear it!

      Alex

    • Hi Markus,

      I can’t say I have – it’s on my list of things to do but I’ve not got round to updating SSMC recently. Are there issues with that version?

  5. @Markus ref SSMC 2.3.1, I installed it a while ago and the upgrade was very easy. There’s no impact in doing so, so I’d give it a try. The extra reporting is useful.

    @lex – I still haven’t got that certificate installed ^. Did you manage it yourself? :-)

    • Hi Neil,

      That’s a good reminder, I need to do the Linux build and certificate deployment. My ‘to do’ list seems to just grow bigger :) I will take a look and see if I can figure out the Linux process in a user friendly way.

  6. Hi Alex,

    I had a problem… In previous updates I used the same “jetty-ssl.xml” and “keystore” after the updates were completed.
    But with 2.3.1 it only worked with a newly created “keystore”. After creation I imported the CA chain and the old WebServer cert…

  7. The HP 3PAR StoreServ Management Console 2.3 Administrator’s Guide contains quite simple instructions on how the certificates can be replaced. The upgrade limitation with customer supplied certificates is also documented.

    Regards,
    Sebastian Koehler

    • Hi Sebastian,

      Indeed it does, though earlier versions didn’t have the warning so it came as a surprise during installation. Thankfully things seem to be improving so we do now get prompted.

      Regards,

      Alex

  8. Hi Alex,

    Your post has helped me a ton! I’m so close, but getting an error when SSMC restarts. The error in the ssmc.log is “java.io.IOException: Keystore was tampered with, or password was incorrect”. I’ve tried putting the keystore password into the “jetty-ssl.xml” file both in clear text and OBF format and get the same error. I know the password is correct because I can use the keytool command to list the keystore. Any ideas?

    Thanks!

    • Hi Tracy,

      Sorry for the slow reply – glad I’ve helped so far. Somebody mentioned something similar and I think I got them to try an older version of SSMC to see if the issue existed as I think at some point in the release cycle this problem came about. Do you have the ability to test on a previous release? Hopefully we can get to the bottom of this problem together, let me know your progress and we shall work through till resolved.

      Alex

      • Thanks for the suggestion Alex. I am running SSMC 2.1 now, so I am going to try upgrading instead of downgrading. I know the earlier versions of SSMC had some issues. I’ll keep you posted.

  9. Great article. I’m stuck where I should upload the cfg file to my Enterprise CA. I get the following error
    Certificate Request Processor: ASN1 bad tag value met. 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)
    Any idea how to fix this?
    Thanks!

    • Hi André,

      Can you confirm the command line syntax you are using? Have you defined the template in the command – if not you would need to, e.g. certreq -attrib "CertificateTemplate:Web-Server"

      Obviously you would replace the template name (in my example WebServer) with whatever one you are using. Also, it isn’t the .cfg file you upload, it should be the CSR file which you created in the ‘Certificate Signing Request Creation’ section of the post.

      Alex

      • Hi Alex
        Thanks for your reply. I also tried with the .csr file but it did not work.
        I’ll check the -attrib syntax and match it to the templates we have on our ca.
        Best Regards
        André
