6/12/2020 How to replace VNX/eNAS Control Station self-signed SSL certificates with signed certificates from a local Certificate

ed certificates from a local Certificate Authority. | Dell US

Customer View
How to replace VNX/eNAS Control Station self-signed SSL certificates with signed certificates from a local
Certificate Authority.

Article Number: 334819

Version: 3
Article Type: Break Fix
Audience Level: Level 30 = Customers
Last Published: 05 Dec 2016
Summary:

Issue How to replace VNX Control Station self-signed SSL certificates with signed certificates from a local Certificate Authority.

Browser error message stating that the connection is untrusted.

Security scans fail because the web server uses a self-signed certificate.

Cause Unisphere runs on the VNX Control Station (CS) and also on the Storage Processor (SP). Communications between the client machine
and the CS are secured with SSL encryption. By default, the VNX uses self-signed certificates to create the SSL tunnel. Usually, this
results in an error in the client browser regarding a certificate that cannot be verified because it was self-signed. Some organizations
also require that all web servers are secured with SSL certificates signed by a local Certificate Authority (CA).

Resolution NOTE: If you have a dual Control Station environment, this procedure MUST be run IN ITS ENTIRETY on each Control Station.  A
recommended method to perform this activity with two Control Stations:

Perform the full procedure on the primary Control Station

Fail over or switch over your Control Stations
Perform the new full procedure on the former secondary Control Station.

Follow the procedure below to replace the self-signed certificate with one signed by the local Certificate Authority:

1. Using SSH, login to the Control Station as nasadmin and su to root.

2. Run the following commands and record the results:

/sbin/ifconfig eth3    (note the IP address)

(or nas_cs -info    on eNAS systems note the first IP address)
hostname -s
hostname -f

3. Edit /nas/http/conf/celerrassl.cnf file and change the following entries:

# vi /nas/http/conf/celerrassl.cnf

IP_ADDR = <IP Address of the Control Station eth3 or on eNAS nas_cs -info first IP>
HOSTNAME_SHORT = "<output from hostname -s>"
HOSTNAME_LONG = "<output from hostname -f>

In the remaining examples, replace <HOSTNAME_SHORT> with the information you retrieved in Step 2.

4. Generate a 2048 bit private key for the Control Station:

# /usr/bin/openssl genrsa -out /nas/http/conf/ssl.key/ssl_key.<HOSTNAME_SHORT> 2048

5. Change permissions on the generated file:

# chmod 600 /nas/http/conf/ssl.key/ssl_key.<HOSTNAME_SHORT>

https://www.dell.com/support/kbdoc/en-us/print/334819/30 1/3
6/12/2020 How to replace VNX/eNAS Control Station self-signed SSL certificates with signed certificates from a local Certificate Authority. | Dell US

. Change directory to /nas/http/conf and delete the existing link to current.key (rm current.key) then point a link to the new key:

# ln -s /nas/http/conf/ssl.key/ssl_key.<HOSTNAME_SHORT> /nas/http/conf/current.key

7. Using the new 2048 bit private key, generate a 2048 bit certificate on the Control Station:

#/usr/bin/openssl req -new -key /nas/http/conf/ssl.key/ssl_key.<HOSTNAME_SHORT> -x509 -days 365 -out

/nas/http/conf/ssl.crt/ssl_crt.<HOSTNAME_SHORT>

Enter the following when prompted. Examples provided as if we were generating a certificate for EMC (insert your own
information):

Country Name:  US
State or Province Name (full name):  Massachusetts
Locality Name (eg, city):  Southboro
Organization Name (eg, company):  EMC Corporation
Organizational Unit Name (eg, section):  VNX
Common Name (eg, your name or server   s hostname):  <HOSTNAME_SHORT>
Email Address:  <e-mail address>

.  Delete the existing link to current.crt (rm current.crt) then point a link to the new certificate:

# ln -s /nas/http/conf/ssl.crt/ssl_crt.<HOSTNAME_SHORT> /nas/http/conf/current.crt

9. Restart Apache Service:

# killall -HUP httpd

10. Create the new certificate request and save it to the /home/nasadmin directory:

# /usr/bin/openssl req -new -key /nas/http/conf/current.key -config /nas/http/conf/celerrassl.cnf -

out /home/nasadmin/<HOSTNAME_SHORT>_cert_request.csr

Submit this file to your CA for certificate creation and signing.

When you get your custom certificate back from your CA, perform the following:

1. Edit a new file in the /nas/http/conf/ssl.crt directory called <HOSTNAME_SHORT>.ssl_custom_cert.crt. Paste in the

certificate text exactly as it is shown from the Certificate Authority. Make sure to get everything, including the "BEGIN
CERTIFICATE" and "END CERTIFICATE" lines.

2. Change permissions on the new file

# chmod 644 ./<HOSTNAME_SHORT>.ssl_custom_cert.crt

3. Change directory to /nas/http/conf and delete the link to the existing certificate (current.crt). Create a link to the new
certificate:

# ln -s /nas/http/conf/ssl.crt/<HOSTNAME_SHORT>.ssl_custom_cert.crt /nas/http/conf/current.crt
 

4. The root CA chain needs to be rebuilt to include the root CA and any intermediate CAs in the chain you may need to trace
your certificate back to a root CA.  Your CA should provide you with your root cert; alternatively, when you connect to your CA
server (should your environment have one) you can download and save the root cert that the browser used to create the SSL
tunnel.  See your browser documentation if you need to do this.  The cert chain is stored in a PEM file, which is essentially a
concatenated certificate container file, starting from your certificate, any intermediate certificates, and ending with your root
certificate. If you have not been given a root CA chain file (usually in PEM format), you will have to create one manually. 
EIther way, do this:

1. Create a text file in the /tmp directory called ca_certificate.pem and edit it.  In this file, you need to copy and paste all
of the certificates in the chain, from your custom cert, any intermediate certs (if you have them), and finally the root
cert.  They must be in the file in that order, starting with the server-level cert and ending with the root cert.  If you have
a PEM file that you were provided, copy and paste its contents into this file.  The end result should look something like
this:

https://www.dell.com/support/kbdoc/en-us/print/334819/30 2/3
6/12/2020 How to replace VNX/eNAS Control Station self-signed SSL certificates with signed certificates from a local Certificate Authority. | Dell US

-----BEGIN CERTIFICATE-----
(Your custom SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate)
-----END CERTIFICATE-----

2. Delete the existing certificate and replace it with the file you just created.  There is no need to save the original root CA
chain, as the system will re-generate one should it need to rebuild self-signed certificates again.

# rm /nas/site/CA/ca_certificate.pem
# mv /tmp/ca_certificate.pem /nas/site/CA
# chmod 644 /nas/site/CA/ca_certificate.pem

5. Restart Apache for all the changes to take effect:

# killall -HUP httpd

Test the new certificate by connecting your browser to Unisphere.  Make sure you completely close all other open Unisphere
sessions and restart your browser before you attempt to re-connect.  When you do, you should no longer see a warning screen, and
your browser should show a lock icon to indicate that the SSL tunnel is secure and trusted.

Notes Each browser displays certificate information differently, but they should all show some indication that the connection is secure.

Attachments

Article Properties

First Published Fri Feb 05 2016 18:19:13 GMT

Primary Product VNX Series

Product VNX, VNX Series

https://www.dell.com/support/kbdoc/en-us/print/334819/30 3/3