How to replace VNX Control Station self-signed SSL certificates with signed certificates from a local Certificate Authority?

Product:

VNX Series

Description:

Browser error message stating that the connection is untrusted.

Unisphere runs on the VNX Control Station (CS) and also on the Storage Processor (SP). Communications between the client machine and the CS are secured with SSL encryption. By default, the VNX uses self-signed certificates to create the SSL tunnel. Usually, this results in an error in the client browser regarding a certificate that cannot be verified because it was self-signed. Some organizations also require that all web servers are secured with SSL certificates signed by a local Certificate Authority (CA).

Resolution:

Follow this procedure to replace the self-signed certificate with one signed by the local Certificate Authority.

  1. Using SSH, log in to the Control Station as nasadmin and su to root.

  2. Run the following commands and record the results.
    1. /sbin/ifconfig eth3    (note the IP address)
    2. hostname -s
    3. hostname -f

  3. Edit /nas/http/conf/celerrassl.cnf file and change the following entries:

    # vi /nas/http/conf/celerrassl.cnf

    IP_ADDR = "<IP Address of the Control Station eth3>"
    HOSTNAME_SHORT = "<output from hostname -s>"
    HOSTNAME_LONG = "<output from hostname -f>"
      
  4. Generate a 2048-bit private key for the Control Station:

    # /usr/bin/openssl genrsa -out /nas/http/conf/ssl.key/ssl_key.<HOSTNAME_SHORT> 2048
      
  5. Change directory to /nas/http/conf, delete the existing current.key link (rm current.key), then create a link from current.key to the new key:

    # ln -s /nas/http/conf/ssl.key/ssl_key.<HOSTNAME_SHORT> /nas/http/conf/current.key
      
  6. Using the new 2048-bit private key, generate a self-signed certificate on the Control Station:

    # /usr/bin/openssl req -new -key /nas/http/conf/ssl.key/ssl_key.<HOSTNAME_SHORT> -x509 -days 365 -out /nas/http/conf/ssl.crt/ssl_crt.<HOSTNAME_SHORT>

    Enter the following when prompted. The example values are for a certificate generated for EMC; substitute your own information:

    Country Name:  US
    State or Province Name (full name):  Massachusetts
    Locality Name (eg, city):  Southboro
    Organization Name (eg, company):  EMC Corporation
    Organizational Unit Name (eg, section):  VNX
    Common Name (eg, your name or server's hostname):  <HOSTNAME_SHORT>
    Email Address:  <e-mail address>

     
  7. Delete the existing current.crt link (rm current.crt), then create a link from current.crt to the new certificate:

    # ln -s /nas/http/conf/ssl.crt/ssl_crt.<HOSTNAME_SHORT> /nas/http/conf/current.crt

     
  8. Stop the currently running server instances with the kill command, which lets Apache shut down gracefully:

    # kill `cat /nas/http/logs/httpd.pid`

     
  9. Restart the Apache service:

    # /nas/sbin/httpd -D HAVE_PERL -D HAVE_SSL -D NO_DETACH -f /nas/http/conf/httpd.conf >> /nas/http/logs/apache_restart.out 2>&1

     
  10. Create the new certificate request and save it to the /home/nasadmin directory:

    # /usr/bin/openssl req -new -key /nas/http/conf/current.key -config /nas/http/conf/celerrassl.cnf -out /home/nasadmin/<HOSTNAME_SHORT>_cert_request.csr
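
The preparation steps above (record the identity values, rewrite celerrassl.cnf, generate the key and the self-signed placeholder certificate, repoint the links, build the CSR) collected into one POSIX shell script. This is an added example, not EMC's own tooling: the function names, the CONF_DIR and CSR_DIR variables (defaulting to the /nas/http/conf and /home/nasadmin paths the procedure uses) and the use of -subj to supply the subject without prompts are assumptions of this example. On the Control Station itself, pass /nas/http/conf/celerrassl.cnf as the third argument so the CSR is built from that configuration file as in step 10.

```shell
#!/bin/sh
# Added example (not EMC's own tooling): rehearse or run the preparation
# steps of the procedure above. CONF_DIR and CSR_DIR default to the paths the
# procedure uses; point them at a scratch directory to rehearse elsewhere.
set -eu

CONF_DIR="${CONF_DIR:-/nas/http/conf}"
CSR_DIR="${CSR_DIR:-/home/nasadmin}"

# Step 2: the three values the procedure asks you to record. The sed handles
# both the "inet addr:10.0.0.1" and the newer "inet 10.0.0.1" ifconfig formats.
collect_identity() {
    IP_ADDR=$(/sbin/ifconfig eth3 | sed -n 's/.*inet \(addr:\)\{0,1\}\([0-9.]*\).*/\2/p' | head -n 1)
    HOSTNAME_SHORT=$(hostname -s)
    HOSTNAME_LONG=$(hostname -f)
    printf 'IP_ADDR=%s HOSTNAME_SHORT=%s HOSTNAME_LONG=%s\n' "$IP_ADDR" "$HOSTNAME_SHORT" "$HOSTNAME_LONG"
}

# Step 3: set one KEY = "value" entry of celerrassl.cnf in place. The value is
# written with straight ASCII double quotes; curly quotes pasted from a document
# end up as part of the value and corrupt the subject that step 10 builds.
set_cnf_entry() {
    file=$1; key=$2; value=$3
    sed "s|^\([[:space:]]*${key}[[:space:]]*=\).*|\1 \"${value}\"|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Steps 4 to 7 and 10: 2048-bit key, self-signed placeholder certificate,
# current.key/current.crt links, and the CSR for the CA. The subject is given
# with -subj so nothing is prompted; "$cfg" is the celerrassl.cnf to build the
# CSR from (pass /nas/http/conf/celerrassl.cnf on the Control Station).
prepare_cs_cert() {
    short=$1; subj=$2; cfg=${3:-}
    keyfile="$CONF_DIR/ssl.key/ssl_key.$short"
    crtfile="$CONF_DIR/ssl.crt/ssl_crt.$short"
    csrfile="$CSR_DIR/${short}_cert_request.csr"
    mkdir -p "$CONF_DIR/ssl.key" "$CONF_DIR/ssl.crt" "$CSR_DIR"
    # umask 077 in a subshell: the private key is created readable by its owner only
    ( umask 077; openssl genrsa -out "$keyfile" 2048 2>/dev/null )
    openssl req -new -key "$keyfile" -x509 -days 365 -subj "$subj" -out "$crtfile" 2>/dev/null
    # ln -sfn replaces each link in one step instead of rm followed by ln
    ln -sfn "$keyfile" "$CONF_DIR/current.key"
    ln -sfn "$crtfile" "$CONF_DIR/current.crt"
    if [ -n "$cfg" ]; then
        openssl req -new -key "$CONF_DIR/current.key" -config "$cfg" -out "$csrfile" 2>/dev/null
    else
        openssl req -new -key "$CONF_DIR/current.key" -subj "$subj" -out "$csrfile" 2>/dev/null
    fi
    echo "$csrfile"
}

# Sanity check before sending the request: the CN the CA will see. Works with
# both the "subject=/C=US/CN=x" and the "subject=C = US, CN = x" output styles.
csr_subject_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```

Rehearse it first with CONF_DIR and CSR_DIR pointed at a scratch directory, then run it as root on the Control Station (collect_identity, three set_cnf_entry calls, then prepare_cs_cert with the recorded short hostname). One caveat on the subject: browsers match the certificate against the name typed in the URL, so if users reach Unisphere by its fully qualified name, ask the CA to cover that name as well (as the CN or a subject alternative name) when it signs the request.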

 

Download the certificate request file from /home/nasadmin and submit it to the local Certificate Authority. At this point, Apache is still running with the self-signed certificate.

Once you have the new signed certificate, you need to get it onto the Control Station and set up Apache to use it:

  1. Create a new file in the /nas/http/conf/ssl.crt directory called <HOSTNAME_SHORT>.ssl_custom_cert.crt. Paste in the certificate text exactly as it is shown from the Certificate Authority. Make sure to get everything, including the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.
      
  2. Change directory to /nas/http/conf and delete the existing current.crt link (rm current.crt). Then create a link from current.crt to the new certificate:

    # ln -s /nas/http/conf/ssl.crt/<HOSTNAME_SHORT>.ssl_custom_cert.crt /nas/http/conf/current.crt
     
  3. Stop the currently running server instance:

    # kill `cat /nas/http/logs/httpd.pid`
      
  4. Restart the Apache service:

    # /nas/sbin/httpd -D HAVE_PERL -D HAVE_SSL -D NO_DETACH -f /nas/http/conf/httpd.conf >> /nas/http/logs/apache_restart.out 2>&1
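
A check worth running before current.crt is repointed: the certificate pasted in step 1 must have its BEGIN/END lines intact, parse as X.509, be within its validity period and, above all, belong to the private key behind current.key; otherwise Apache comes up with a mismatched key and certificate and Unisphere is unreachable until the link is put back. The script below is added here and is not part of EMC's procedure; it performs those checks and then carries out steps 2 to 4. CONF_DIR, HTTPD and PIDFILE default to the paths the procedure uses, the function names are this example's own, and it uses the openssl rsa subcommand rather than the newer pkey so that it also works with older OpenSSL releases.

```shell
#!/bin/sh
# Added example (not EMC's own tooling): validate a CA-signed certificate
# against current.key, install it, and restart Apache as the procedure does.
set -eu

CONF_DIR="${CONF_DIR:-/nas/http/conf}"
HTTPD="${HTTPD:-/nas/sbin/httpd}"
PIDFILE="${PIDFILE:-/nas/http/logs/httpd.pid}"

# Public key in PEM form, taken from a private key (rsa) or a certificate (x509).
# Both commands emit the same SubjectPublicKeyInfo block, so the outputs can be
# compared as text.
pubkey_of() {
    case $1 in
        key)  openssl rsa -in "$2" -pubout 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    esac
}

# Returns 0 when the pasted certificate is sound: PEM markers present, parses
# as X.509, not expired, and issued for the private key behind current.key.
validate_signed_cert() {
    cert=$1; key=${2:-$CONF_DIR/current.key}
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "missing BEGIN CERTIFICATE line" >&2; return 1; }
    grep -q -- '-----END CERTIFICATE-----' "$cert"   || { echo "missing END CERTIFICATE line" >&2; return 1; }
    openssl x509 -in "$cert" -noout >/dev/null 2>&1  || { echo "not a parseable X.509 certificate" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo "certificate has expired" >&2; return 1; }
    [ "$(pubkey_of cert "$cert")" = "$(pubkey_of key "$key")" ] \
        || { echo "certificate does not belong to the key in $key" >&2; return 1; }
}

# Steps 1 and 2: copy the validated file into ssl.crt under the name the
# procedure uses and point current.crt at it (ln -sfn replaces the old link).
install_signed_cert() {
    src=$1; short=$2
    dest="$CONF_DIR/ssl.crt/${short}.ssl_custom_cert.crt"
    validate_signed_cert "$src" || return 1
    mkdir -p "$CONF_DIR/ssl.crt"
    cp "$src" "$dest"
    ln -sfn "$dest" "$CONF_DIR/current.crt"
    echo "$dest"
}

# Steps 3 and 4: graceful stop via the pid file, then the same start line as
# the procedure. Only meaningful on a Control Station where /nas/sbin/httpd exists.
restart_cs_apache() {
    [ -x "$HTTPD" ] || { echo "$HTTPD not found (not a Control Station?)" >&2; return 1; }
    if [ -f "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")"
        sleep 5     # give Apache time to shut down before starting the new instance
    fi
    "$HTTPD" -D HAVE_PERL -D HAVE_SSL -D NO_DETACH -f "$CONF_DIR/httpd.conf" \
        >> /nas/http/logs/apache_restart.out 2>&1
}
```

Typical use on the Control Station is `install_signed_cert /home/nasadmin/signed.crt "$(hostname -s)" && restart_cs_apache`; if validation fails, nothing is changed and the self-signed certificate keeps serving Unisphere. The same pubkey_of comparison is a quick way to confirm that a CA-signed certificate and a key match when they were handled on different machines.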

 

Test the new certificate by connecting to Unisphere with your browser. Be sure to completely close any existing Unisphere sessions and close the browser before you reconnect. Unisphere should start with no warnings, and the browser should display a lock icon indicating that the connection is secure and trusted.

For more information, refer to Primus solution emc323331.