HP have released the latest version of the 3PAR StoreServ Management Console, or SSMC for short. It is the web-based version of the classic 3PAR Management Console application.
Having deployed the latest version I needed to replace the default self-signed SSL certificate with one from my certificate authority (CA).
This wasn’t immediately easy as HP don’t provide a GUI to do this through SSMC; it has to be done by manipulating Java Keystore files. Finding the Keystore files was easy, as was discovering the XML file which provides the path to the Keystore and its password. The difficult part was that the XML file entry for the password has been obfuscated, so I either had to find a way to reverse this or get round it.
The simplest solution was to just create my own Keystore file and password then update the files and XML entries.
Note – this work was carried out on a Microsoft Windows platform. SSMC can also be deployed on a Linux box, and should I receive sufficient requests I will create a guide for deploying to Linux platforms.
Step 1 – Create Certificate and Private Key
First we need to create the necessary certificate files; for this we will use OpenSSL.
Private Key Creation
- Open a Command prompt (Run as Administrator may be required to write the file depending on your system)
- If you have not added OpenSSL to your PATH, browse to its \bin directory
- Run the command below
openssl.exe genrsa 2048 > ssmc.key
- This will create a new private key using RSA with a key size of 2048 bits and output the data to a file called ssmc.key
- Example –
c:\OpenSSL\bin>openssl.exe genrsa 2048 > ssmc.key
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
....................................................+++
....................................................................................................
.................................+++
e is 65537 (0x10001)
Certificate Configuration File
Next we need to create a configuration file to feed into OpenSSL to generate a certificate signing request or CSR.
I have created a sample file below which you can amend to suit your needs. Copy the data into a text file and then modify the ‘alt_names’ and the ‘req_distinguished_name’ details. Save the file with a .cfg extension –
[ CA_default ]
default_md = sha256

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = BSA-3PARSSMC
DNS.2 = BSA-3PARSSMC.bytesizedalex.com
DNS.3 = 3PARSSMC
DNS.4 = 3PARSSMC.bytesizedalex.com
IP.1 = 192.168.1.1

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = London
localityName = London
0.organizationName = ByteSizedAlex
organizationalUnitName = BSA-3PARSSMC
commonName = BSA-3PARSSMC.bytesizedalex.com
emailAddress = [email protected]
Once you have created the file it’s time to create our CSR, which we will then feed through the CA.
Certificate Signing Request Creation
Now that we have a private key and a configuration file it’s time to generate the CSR. To do this we will again use OpenSSL.
- Open a Command prompt (Run as Administrator may be required to write the file depending on your system)
- If you have not added OpenSSL to your PATH, browse to its \bin directory
- Run the command below, amending the file paths
openssl.exe req -out ssmc.csr -key C:\pathToFile\ssmc.key -new -config C:\pathToFile\3parssmc.cfg
- Example –
c:\OpenSSL\bin>openssl.exe req -out ssmc.csr -key C:\OpenSSl\bin\ssmc.key -new -config C:\OpenSSL\bin\Tmp\lct-3parssmc.cfg
You should now have 3 files in total –
- Private Key file
- Configuration File
- Certificate Signing Request (CSR) file
Upload CSR To CA
Now it is time for us to ‘mint’ the certificate with our CA.
- Open a Command prompt (Run as Administrator may be required to write the file depending on your system)
- Run the command certreq
- A new window will appear, browse to and select your configuration file (the .cfg)
- Select your CA
Note – your experience here may differ depending on your environment
Assuming all goes well you should now be prompted to save the newly created file. Save it with an appropriate name and a .crt extension (this is to aid identification in the step below).
Create PEM File
The last task we have is to create a .pem file. This is basically a text file which contains the private key and the certificate (public key) data. The simplest way to achieve this is to open both the .key file and the newly saved .crt file in a text editor, then copy and paste the data as per below –
-----BEGIN RSA PRIVATE KEY-----
ABCDEFG.............==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
ABCDEFG..........==
-----END CERTIFICATE-----
It is important to make sure there are no gaps between the ‘END’ and ‘BEGIN’ statements. Save this new file with a .pem extension.
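As an added check that is not part of the original post, this Python script assembles the .pem file from the .key and .crt files the way described above (key first, then certificate, LF line ends, no gap between END and BEGIN) and reports the faults that would otherwise only surface when Portecle refuses the import. The sample inputs are constructed placeholders, not a real key or certificate; for real use pass the contents of ssmc.key and your .crt file.

```python
import base64
import re

# One PEM block: armour lines with a matching label, body in between (DOTALL for multi-line).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Constructed stand-ins for ssmc.key and the CA-issued .crt: the body is a tiny DER
# SEQUENCE { INTEGER 5 }, NOT a real key or certificate. Note the Windows CRLF line ends.
SAMPLE_B64 = "MAMCAQU="
SAMPLE_KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{SAMPLE_B64}\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CRT = f"-----BEGIN CERTIFICATE-----\r\n{SAMPLE_B64}\r\n-----END CERTIFICATE-----\r\n"

def extract_blocks(text):
    """Return [(label, body_lines)] for every PEM block found in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = [ln.strip() for ln in m.group(2).splitlines() if ln.strip()]
        blocks.append((m.group(1), body))
    return blocks

def decode_block(body_lines):
    """Base64-decode a block body and insist it starts with a DER SEQUENCE tag (0x30)."""
    der = base64.b64decode("".join(body_lines), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("body does not decode to a DER SEQUENCE")
    return der

def build_pem(key_text, crt_text):
    """Key first, then certificate(s), LF line ends, no blank line between END and BEGIN."""
    key_blocks = [b for b in extract_blocks(key_text) if b[0].endswith("PRIVATE KEY")]
    crt_blocks = [b for b in extract_blocks(crt_text) if b[0] == "CERTIFICATE"]
    if len(key_blocks) != 1 or not crt_blocks:
        raise ValueError("need exactly one private key and at least one certificate")
    lines = []
    for label, body in key_blocks + crt_blocks:
        decode_block(body)  # refuse to write a block whose base64 is already broken
        lines.append(f"-----BEGIN {label}-----")
        lines.extend(body)
        lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"

def check_pem(text):
    """Return a list of problems with an existing .pem file; [] means it is ready to import."""
    problems = []
    blocks = extract_blocks(text)
    if not blocks or not blocks[0][0].endswith("PRIVATE KEY"):
        problems.append("first block is not the private key")
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no certificate block")
    if re.search(r"-----\r?\n\s*\r?\n-----BEGIN", text):
        problems.append("blank line between END and BEGIN")
    for label, body in blocks:
        try:
            decode_block(body)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            problems.append(f"{label}: {exc}")
    return problems

if __name__ == "__main__":
    # Real use: build_pem(open("ssmc.key").read(), open("ssmc.crt").read()) written to ssmc.pem
    pem = build_pem(SAMPLE_KEY, SAMPLE_CRT)
    print(pem, check_pem(pem))
```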
We now have all the files we need to move onto the next step.
Create new Java Keystore File
Now it’s time to create our own Java Keystore file which will then be configured with our certificates. It is possible and no doubt usual to do this via the command line but to be honest I far prefer using a great utility called Portecle which provides a nice GUI.
For more information on Portecle see the official site – http://portecle.sourceforge.net/
I am going to assume you are also using Portecle, if you wish to create and update the Keystore file via the command line then Google is your friend (at least till I decide to do an article on it).
- Open Portecle
- Click ‘File’ and select the ‘New Keystore’ option
- Select a Keystore type of ‘JKS’
This will create a new Keystore object which we can start working with.
We need to make sure that all root and subordinate certificates from our CA setup are imported to ensure a chain of trust exists.
- Click ‘Tools’ and select the ‘Import Trusted Certificate’ option
Make sure you have copies of your CA certs, in my case I have a root CA and one subordinate.
- Import the ROOT CA first
- An alert will be presented, click ‘OK’
- The Keystore is currently empty so there is no chain of trust for this certificate
- You can review the certificate details to make sure they are correct then click ‘OK’
- Click ‘Yes’ to trust the certificate
- Enter a name for the new certificate – make it meaningful
- You should be presented with a confirmation of success
- Now complete the same steps to import any subordinate CA certificates
You should notice as you import your subordinate CA certificates that you are not prompted with warnings for trusting them. This assumes they are all child CAs of the root we imported first. Portecle recognises this fact, and as we chose to trust the root, anything it signed will also be trusted.
Once you have imported your root CA and subordinate CA certificates it’s time to move on to importing the server’s key pair. Remember we are using an asymmetric form of cryptography, so we have a public and a private key to import. The private key is the .key file we created above and the public key is the certificate file we saved from our CA.
- Click ‘Tools’ and select the ‘Import Key Pair’ option
- Browse to the location where you saved the .pem file and select it
- Click ‘OK’
- You can review the key pair details by clicking on ‘Certificate Details’
- Give the Key Pair an alias name
- You will be prompted to create a password for the Key Pair – make a note of this password as we will use it again in a few steps
- Click ‘OK’
Now we need to save our newly created Keystore file.
- Click ‘File’ and select the ‘Save Keystore’ option
- Portecle will prompt for a Keystore password – I would suggest using the same password as above for simplicity however you should use your own judgement
- Choose a location to save the Keystore
That’s it for the Keystore creation work, now we can move on to actually replacing the Keystore on our SSMC server.
Replace SSMC Keystore File
It’s taken a bit of work but finally we are at the final stage.
- Stop the HP 3PAR StoreServ Management Console Server Service
- Navigate to C:\Program Files\Hewlett-Packard\SSMC\ssmcbase\etc
- Rename the following files – we want to keep them in case something goes wrong and we need to revert
  - jetty-ssl.xml
  - keystore
- Make a copy of jetty-ssl.xml and make sure it has the original name, we will edit this file
- Copy the newly created Keystore file to this directory and make sure you name it keystore (no extension)
- We need to edit the jetty-ssl.xml file, first let me show you what it looks like
Pretty straightforward – the 3 sections that I have blanked out are the passwords for the Keystore. We are going to replace these entries with our own.
Note – You can either enter your password in cleartext here, e.g. “myPassword”, or you can do something more secure like obfuscating it. I would suggest the latter but again use your own judgement.
Obfuscate Password
If you want to obfuscate the password –
- Open a Command prompt (Run as Administrator may be required to write the file depending on your system)
- Change directory to C:\Program Files\Hewlett-Packard\SSMC\jetty\lib
- Run the command below
"C:\Program Files\Hewlett-Packard\SSMC\jre\bin\java.exe" -cp jetty-util-9.2.1.v20140609.jar org.eclipse.jetty.util.security.Password myPassword
- Example –
C:\Program Files\Hewlett-Packard\SSMC\jetty\lib>"C:\Program Files\Hewlett-Packard\SSMC\jre\bin\java.exe" -cp jetty-util-9.2.1.v20140609.jar org.eclipse.jetty.util.security.Password myPassword
2015-05-06 17:27:46.487:INFO::main: Logging initialized @179ms
myPassword
OBF:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm
MD5:deb1536f480475f7d593219aa1afd74c
The important section is the ‘OBF:…’ line; this is our obfuscated password.
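Jetty’s OBF: scheme, reimplemented here as an added example (this is not code from the post or from Jetty itself) so you can see what the obfuscated form actually buys: the string round-trips with no key, so it only hides the password from a casual glance at jetty-ssl.xml, and the real control is restricting who can read that file. It reproduces the post’s own myPassword output; non-ASCII passwords use a different encoding and are rejected here.

```python
# Base-36 digits, as used by Java's Integer.toString(n, 36) inside Jetty's Password class.
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def _to_base36(n):
    """Lower-case base-36 string for a non-negative integer."""
    s = ""
    while n:
        n, r = divmod(n, 36)
        s = DIGITS[r] + s
    return s or "0"

def obfuscate(password):
    """Return the OBF: string Jetty's Password tool prints for an ASCII password."""
    b = password.encode("utf-8")
    out = "OBF:"
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]  # each byte is paired with its mirror from the other end
        if b1 > 127 or b2 > 127:
            raise ValueError("non-ASCII passwords use a different encoding; not handled here")
        i1 = 127 + b1 + b2  # sum and difference of the pair, each offset by 127
        i2 = 127 + b1 - b2
        out += _to_base36(i1 * 256 + i2).rjust(4, "0")  # four base-36 digits per byte
    return out

def deobfuscate(obf):
    """Recover the clear text from an OBF: string; no secret is involved."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    out = bytearray()
    for i in range(0, len(s), 4):
        i0 = int(s[i:i + 4], 36)
        i1, i2 = divmod(i0, 256)
        out.append((i1 + i2 - 254) // 2)  # (127+b1+b2) + (127+b1-b2) - 254 = 2*b1
    return out.decode("utf-8")

if __name__ == "__main__":
    # The post's example value, round-tripped.
    print(obfuscate("myPassword"))                                      # OBF:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm
    print(deobfuscate("OBF:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm"))  # myPassword
```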
Update Jetty-ssl.xml File
Update the jetty-ssl.xml file with the new password, example below. KeyStorePassword and TrustStorePassword take the Keystore password you set when saving in Portecle, and KeyManagerPassword takes the Key Pair password, which is why using the same password for both keeps things simple.
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<!-- ============================================================= -->
<!-- Configure a TLS (SSL) Context Factory                         -->
<!-- This configuration must be used in conjunction with jetty.xml -->
<!-- and either jetty-https.xml or jetty-spdy.xml (but not both)   -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/keystore"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>
</Configure>
- Save the jetty-ssl.xml file
- You should have a directory that looks something like this
Finally, start the HP 3PAR StoreServ Management Console Server Service. Give it a moment after the service has started; if you try to load the webpage too quickly you may find you get a ‘Page can’t be Found’ error.
Assuming all has gone to plan you shouldn’t get any certificate alerts. For example my page now shows an Extended Validation (EV) banner (the green URL bar) demonstrating that my system trusts the certificate.
Hopefully I’ve covered everything in sufficient detail however if anything is missing or you want to check something please drop a comment below and I’ll do my best to assist.
Do you mind if I quote a few of your articles as long as I provide credit and sources back to your webpage?
My website is in the very same niche as yours and my users would certainly benefit from a lot of
the information you provide here. Please let me know if this okay with you.
Cheers!
Hello ‘google advertising professional’ :)
I am happy for people to reference my material as long as due credit is provided and links to the source material.
Regards
Alex Bytes
Appreciating the time and energy you put into your blog and in depth information you present.
It’s awesome to come across a blog every once in a while that isn’t
the same outdated rehashed information. Great read!
I’ve bookmarked your site and I’m adding your RSS feeds to my Google account.
Found your post on the HP forums. I keep running into an error with the cert request from my CA. It’s claiming that the request contains no certificate template information (0x80094801). Most posts on the interweb indicate that it’s due to a permissioning issue on the server template on my CA but, I’ve filled numerous cert requests from other systems just fine (NetScaler, etc). I did a direct copy and paste and updated the 2 subsections as indicated from your info above. Could there be a spacing issue with the CFG file when copying and pasting from the webpage?
Hi there Khue,
First off sorry for the slow reply I was hospitalised so I’ve been away quite some time. I would say that is entirely possible, you may have some formatting that isn’t showing up – have you tried in Notepad++ to see if there are any hidden special characters?
I figured it out. My template submission process was fubared. The proper syntax for my certificate request should have been:
> certreq -attrib “CertificateTemplate:” -submit jetty.csr
I wasn’t passing the certificate template type in the request and the CA was unsure which template to use when issuing. Everything is all good now. Great write up and I’ve actually modified this process for a few other Jetty servers we have running here.
That’s great news – I’ve seen that before where somebody was submitting but not defining a template and of course if you don’t use the Microsoft MMC to create your CSR you need to let the CA know what template you need. Face palm for myself as I should have queried that but learning these things ourselves tends to make them stick in memory better.
Thanks for the comments, I prefer this to the CLI method and I hadn’t seen anyone else talk about it. If you have any suggestions or improvements I’d love to hear them.
Alex Bytes
Would be nice to get a procedure nailed too for the Linux build of SSMC
Hi Neil,
This is something I can look into – I’ll add it to my to do list and get a guide up as soon as I can.
Alex
Thanks Alex
I found that it’s Jetty-based so shouldn’t be too complex to me or you to fathom given the time.
Also worth doing, there doesn’t appear to be another source on Google that ranks high enough to quickly show you how.
Neil
You can always try a password of BuyMore3PAR! for the keystore. A few steps less, when installing a custom cert.
Thanks for the feedback Andras – really appreciated and definitely something I will consider with future deployments. If you have any other knowledge to share I’m sure everyone would love to hear it!
Alex
Hi,
have you tried that with SSMC 2.3.1?
Hi Markus,
I can’t say I have – it’s on my list of things to do but I’ve not got round to updating SSMC recently. Are there issues with that version?
@Markus ref SSMC 2.3.1, I installed it a while ago and the upgrade was very easy. There’s no impact in doing so, so I’d give it a try. The extra reporting is useful.
@lex – I still haven’t got that certificate installed ^. Did you manage it yourself? :-)
Hi Neil,
That’s a good reminder, I need to do the Linux build and certificate deployment. My ‘to do’ list seems to just grow bigger :) I will take a look and see if I can figure out the Linux process in a user friendly way.
Hi Alex,
I had a problem… In previous updates I used the same “jetty-ssl.xml” and “keystore” after the updates were completed.
But with 2.3.1 it only worked with a newly created “keystore”. After Creation I imported CA Chain and the Old WebServer Cert…
That’s good to know – will keep that in mind for any new deployments
I wrote a small Blog Post about that Issue:
https://mycloudrevolution.wordpress.com/2016/05/17/hp-3par-storeserv-management-console-2-3-1-update/
The HP 3PAR StoreServ Management Console 2.3 Administrator’s Guide contains quite simple instructions on how the certificates can be replaced. The upgrade limitation with customer supplied certificates is also documented.
Regards,
Sebastian Koehler
Hi Sebastian,
Indeed it does, though earlier versions didn’t have the warning so it came as a surprise during installation. Thankfully things seem to be improving so we do now get prompted.
Regards,
Alex
Hi Alex,
Your post has helped me a ton! I’m so close, but getting an error when SSMC restarts. The error in the ssmc.log is “java.io.IOException: Keystore was tampered with, or password was incorrect”. I’ve tried putting the keystore password into the “jetty-ssl.xml” file both in clear text and OBF format and get the same error. I know the password is correct because I can use the keytool command to list the keystore. Any ideas?
Thanks!
Hi Tracy,
Sorry for the slow reply – glad I’ve helped so far. Somebody mentioned something similar and I think I got them to try an older version of SSMC to see if the issue existed as I think at some point in the release cycle this problem came about. Do you have the ability to test on a previous release? Hopefully we can get to the bottom of this problem together, let me know your progress and we shall work through till resolved.
Alex
Thanks for the suggestion Alex. I am running SSMC 2.1 now, so I am going to try upgrading instead of downgrading. I know the earlier versions of SSMC had some issues. I’ll keep you posted.
Great article. I got stuck where I should upload the cfg file to my Enterprise CA. I get the following error
Certificate Request Processor: ASN1 bad tag value met. 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)
any idea how to fix this?
thanks!
Hi André,
Can you confirm the command line syntax you are using? Have you defined the template in the command – if not you would need to, e.g certreq -attrib “CertificateTemplate:Web-Server”
Obviously you would replace the template name (in my example WebServer) with whatever one you are using. Also, it isn’t the .cfg file you upload, it should be the CSR file which you created in the ‘Certificate Signing Request Creation’ section of the post.
Alex
Hi Alex
Thanks for your reply. I also tried with the .csr file but it did not work.
I’ll check the -attrib syntax and match it to the templates we have on our ca.
Best Regards
André
awesome post!