PowerVault ME4: Installing And Removing Custom Certificates

Installing/Removing Custom Certificates on ME4

Installing the Certificate.
Viewing certificate information.
Removing Custom Certificates.
CLI Only Example using Linux and ME4 SSH session.
 

Installing the Certificate.

Perform the following steps to install a third-party or self-signed security certificate:

1. In the PowerVault Manager, prepare to use FTP or SFTP:

   1. Determine the network port IP addresses of the system controllers under ME4 System Settings > Network.

   2. Verify that the FTP or SFTP service is enabled on the system under the ME4 System Settings > Services. If using SFTP, record which port SFTP is set to use.

3. Verify that the user you plan to use has manage role permissions and FTP or SFTP interface permissions under ME4 System Settings > Manage Users.

2. Put your certificate file and key file in a directory that is accessible to the FTP client. The format of the certificate and key file must be PEM. If you use DER files, you can upload them, but they cannot be used when you restart the management on the controllers. Note: ME4 does support wild card certificates.

3. Open a Command Prompt (Windows) or a terminal window (UNIX) and go to the directory that contains the certificate files. You cannot use a UI like the Filezilla client because the put line requires command parameters after the file name.

(Note: Windows FTP cannot do passive FTP if the firewall is enabled. It may be able to log in to the ME4 array, but then errors out with a port connection issue when trying to send files. If you want to use the Windows command line FTP, you must disable the Windows firewall before starting.)

4. Type: sftp controller-network-address -P port or ftp controller-network-address. You must upload the files to both controllers for it to be used on both controllers.

For example: sftp 10.235.XXX.XXX -P 1022 or ftp 10.X.0.X X.

Log in as a user with manage role permissions and FTP or SFTP interface permissions. In these examples, I used the WinSCP FTP command line client but if you disable the Windows firewall, you can use the Windows FTP client. A Linux client can also be used.  

C:\Users\Administrator\Documents\SSLCerts\2048PEM>"c:\Program Files (x86)\WinSCP\WinSCP.com"
winscp> open ftp://100.85.XXX.X
Prompting for credentials...
Username: manage
Connecting to 100.85.XXX.X ...
Password:
Connected
Starting the session...
Session started.
Active session: [1] 100.85.XXX.X
winscp>

5. Type: put certificate-file-name cert-file where certificate file name is the name of the certificate file for your specific system. You may get a file error because the directory the certificate is put into is a hidden directory that the FTP user does not have permissions to modify.

winscp> put 2048b-rsa-example-cert.pem cert-file
2048b-rsa-example-cert.pe |           1 KB |    0.0 KB/s | binary | 100%
winscp>

6. Type: put key-file-name cert-key-file where key-file-name is the name of the security key file for your specific system.   

winscp> put 2048b-rsa-example-keypair.pem cert-key-file
2048b-rsa-example-keypair |           1 KB |    0.0 KB/s | binary | 100%
winscp>

7. Note if you do a directory listing on the array FTP site after uploading these files you will not see the files.  They are stored in hidden directories the FTP user cannot look at.

winscp> ls
D---------   0                           0              ..
Lrwxrwxrwx   0 0        0               12 Dec  2 13:19:33 2020 .banner ->
-rw-rw-rw-   0 0        10               0 Dec  2 14:46:49 2020 0
-rw-r--r--   0 0        0             8436 Dec  2 13:19:33 2020 README
winscp>

8. Repeat steps 4, 5, 6, and 7 for the other controller.

9. Restart both Management Controllers to have the new security certificate take effect. After the management controllers have restarted you should be able to view the certificate through the UI as shown below or via the SSH command “show certificate”.

Viewing certificate information.

By default, the system generates a unique SSL certificate for each controller. For the strongest security, you can replace the default system-generated certificate with a certificate issued from a trusted certificate authority.

The Certificate Information panel shows information for the active SSL certificates that are stored on the system for each controller. Tabs A and B contain unformatted certificate text for each of the corresponding controllers. The panel also shows one of the following status values as well as the creation date for each certificate:

• Customer supplied-Indicates that the controller is using a certificate that you have uploaded.

• System generated-Indicates that the controller is using an active certificate and key that were created by the controller.

• Unknown status-Indicates that the controller's certificate cannot be read. This most often occurs when a controller is restarting, the certificate replacement process is still in process, or you have selected the tab for a partner controller in a single-controller system.

You can use your own certificates by uploading them through FTP or SFTP or by using the contents parameter of the create certificate CLI command to create certificates with your own unique certificate content. For a new certificate to take effect, you must first restart the management controller for it.

To verify that the certificate replacement was successful and the controller is using the certificate that you have supplied, make sure the certificate status is customer-supplied, the creation date is correct, and the certificate content is the expected text. 

View Certificate Information:

1. In the banner, click the system panel and select Show Certificate Information. The Certificate Information panel opens.

2. After you have finished viewing certificate information, click Close.

Prior to installing a certificate, the information looks as follows – System Generated:
 

After installing your own certificate, it will identify as Customer Supplied:

Removing Custom Certificates.

To restore the system generated certificate and remove the custom certificate from both controllers, log in to each controller and run the command:

# create certificate restore

To make the certificate change take effect, you must restart Management Controller on all controllers you did the command on. 

CLI Only Example using Linux and ME4 SSH session.

1. Create the certificate and put the PEM .cer and .key on your Linux machine. 

2. From an SSH session on the Linux box transfer the files using FTP to the array and then open an SSH session to the array to restart both controllers on the ME4. It takes about two minutes after restarting the ME4 management controllers before you are able to log back in to the ME4 and show the new certificate. Note: One controller may take longer to come up than the other so until both controllers are fully up, you may see one controller on a system certificate and one on a customer certificate.

In the example below, the ME4 controller IPs are:

A:  100.85.XXX.X
B:  100.85.XXX.XX8

You must upload the cert and key file to both controllers using FTP and then restart the management controller on both controllers for both controllers to have the certificate.

[grpadmin@hitle18 certs]$ pwd
/home/grpadmin/Documents/certs
[grpadmin@hitle18 certs]$ ls
2048b-rsa-example-cert.pem  2048b-rsa-example-keypair.pem  put
[grpadmin@hitle18 certs]$ ftp 100.85.239.3
Connected to 100.85.239.3 (100.85.239.3).
220-Welcome to Pure-FTPd.
220-You are user number 1 of 5 allowed.
220-Local time is now 23:29. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (100.85.239.3:grpadmin): manage
331 User manage OK. Password required
Password:
230-OK. Current restricted directory is /.
.
.
230-Instructions for loading security certificate files:
230-    1. The security certificate files will consist of a pair of files.
230-       You will have a certificate file and a key file.
230-    2. Log in with a user name and password.
230-    3. Type 'put <certificate-file-name> cert-file'
230-        where <certificate-file-name> is the name of the certificate file
230-        for your specific system.
230-    4. Type 'put <key-file-name> cert-key-file'
230-       where <key-file-name> is the name of the security key file for
230-        your specific system.
230-    5.  Restart both Management Controllers to have the new security
230-        certificate take effect.
230-
230
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put 2048b-rsa-example-cert.pem cert-file
local: 2048b-rsa-example-cert.pem remote: cert-file
227 Entering Passive Mode (100,85,239,3,127,0)
150 Accepted data connection
226-File Transfer Complete. Starting Operation: (2020-12-10 17:40:12)
STATUS: Loading security certificate file
226-
226 Operation Complete. (2020-12-10 17:40:18)
1050 bytes sent in 9.4e-05 secs (11170.21 Kbytes/sec)
ftp> put 2048b-rsa-example-keypair.pem cert-key-file
local: 2048b-rsa-example-keypair.pem remote: cert-key-file
227 Entering Passive Mode (100,85,239,3,204,57)
150 Accepted data connection
226-File Transfer Complete. Starting Operation: (2020-12-10 17:40:37)
STATUS: Loading security certificate file
Verifying uploaded certificate and key.

The uploaded SSL certificate and key have been installed. Reboot the controller to apply.
226-
226 Operation Complete. (2020-12-10 17:40:45)
1679 bytes sent in 8.5e-05 secs (19752.94 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (100,85,239,3,189,193)
150 Accepted data connection
-rw-rw-rw-    1 0          users               0 Dec 10 17:40 0
-rw-r--r--    1 0          0                8436 Dec  2 20:39 README
226-Options: -l
226 2 matches total
ftp> bye
221-Goodbye. You uploaded 3 and downloaded 0 kbytes.
221 Logout.
[grpadmin@hitle18 certs]$ ftp 100.85.238.178
Connected to 100.85.238.178 (100.85.238.178).
220-Welcome to Pure-FTPd.
220-You are user number 1 of 5 allowed.
220-Local time is now 23:30. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (100.85.238.178:grpadmin): manage
331 User manage OK. Password required
Password:
230-OK. Current restricted directory is /
.
.
.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put 2048b-rsa-example-cert.pem cert-file
local: 2048b-rsa-example-cert.pem remote: cert-file
227 Entering Passive Mode (100,85,238,178,126,144)
150 Accepted data connection
226-File Transfer Complete. Starting Operation: (2020-12-11 23:30:22)
STATUS: Loading security certificate file
226-
226 Operation Complete. (2020-12-11 23:30:28)
1050 bytes sent in 4.7e-05 secs (22340.42 Kbytes/sec)
ftp> put 2048b-rsa-example-keypair.pem cert-key-file
local: 2048b-rsa-example-keypair.pem remote: cert-key-file
227 Entering Passive Mode (100,85,238,178,200,227)
150 Accepted data connection
226-File Transfer Complete. Starting Operation: (2020-12-11 23:30:40)
STATUS: Loading security certificate file
Verifying uploaded certificate and key.

The uploaded SSL certificate and key have been installed. Reboot the controller to apply.
226-
226 Operation Complete. (2020-12-11 23:30:47)
1679 bytes sent in 5.2e-05 secs (32288.46 Kbytes/sec)
ftp> bye
221-Goodbye. You uploaded 3 and downloaded 0 kbytes.
221 Logout.
[grpadmin@hitle18 certs]$ ssh manage@100.85.239.3
Password:

DELL EMC ME4024
System Name: NDC-ME4
System Location: NDC
Version: GT280R008-01
# restart mc both
During the restart process you will briefly lose communication with the specified Management Controller(s).
Do you want to continue? (y/n) y
Info: Restarting the local MC (A)...
Success: Command completed successfully. - Both MCs were restarted. (2020-12-11 23:31:26)
# Killed
Connection to 100.85.239.3 closed.
.
.  Will take about 2 minutes for you to be able to log back into the array to
.  see the certificates
.
[grpadmin@hitle18 certs]$ ssh manage@100.85.239.3
Password:

DELL EMC ME4024
System Name: NDC-ME4
System Location: NDC
Version: GT280R008-01
# show certificates
Error: The command was not recognized. (2020-12-11 23:36:35)
# show certificate
Certificate Status
------------------
Controller: A
Certificate Status: Customer-supplied
Time Created: 2020-12-11 23:29:29
Certificate Text: Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 3580 (0xdfc)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, L=Chuo-ku, O=Frank4DD, OU=WebCert Support, CN=Frank4DD Web CA/emailAddress=support@frank4dd.com
        Validity
            Not Before: Aug 22 05:27:41 2012 GMT
            Not After : Aug 21 05:27:41 2017 GMT
        Subject: C=JP, ST=Tokyo, O=Frank4DD, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b4:cf:d1:5e:33:29:ec:0b:cf:ae:76:f5:fe:2d:
                    c8:99:c6:78:79:b9:18:f8:0b:d4:ba:b4:d7:9e:02:
                    52:06:09:f4:18:93:4c:d4:70:d1:42:a0:29:13:92:
                    73:50:77:f6:04:89:ac:03:2c:d6:f1:06:ab:ad:6c:
                    c0:d9:d5:a6:ab:ca:cd:5a:d2:56:26:51:e5:4b:08:
                    8a:af:cc:19:0f:25:34:90:b0:2a:29:41:0f:55:f1:
                    6b:93:db:9d:b3:cc:dc:ec:eb:c7:55:18:d7:42:25:
                    de:49:35:14:32:92:9c:1e:c6:69:e3:3c:fb:f4:9a:
                    f8:fb:8b:c5:e0:1b:7e:fd:4f:25:ba:3f:e5:96:57:
                    9a:24:79:49:17:27:d7:89:4b:6a:2e:0d:87:51:d9:
                    23:3d:06:85:56:f8:58:31:0e:ee:81:99:78:68:cd:
                    6e:44:7e:c9:da:8c:5a:7b:1c:bf:24:40:29:48:d1:
                    03:9c:ef:dc:ae:2a:5d:f8:f7:6a:c7:e9:bc:c5:b0:
                    59:f6:95:fc:16:cb:d8:9c:ed:c3:fc:12:90:93:78:
                    5a:75:b4:56:83:fa:fc:41:84:f6:64:79:34:35:1c:
                    ac:7a:85:0e:73:78:72:01:e7:24:89:25:9e:da:7f:
                    65:bc:af:87:93:19:8c:db:75:15:b6:e0:30:c7:08:
                    f8:59
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         40:cb:fe:04:5b:c6:74:c5:73:91:06:90:df:ff:b6:9e:85:73:
         fe:e0:0a:6f:3a:44:2f:cc:53:73:16:32:3f:79:64:39:e8:78:
         16:8c:62:49:6a:b2:e6:91:85:00:b7:4f:38:da:03:b9:81:69:
         2e:18:c9:49:96:84:c2:eb:e3:23:f4:eb:ac:68:4b:57:5a:51:
         1b:d7:eb:c0:31:6c:86:a0:f6:55:a8:f8:10:d0:42:06:1e:94:
         a5:e0:68:a7:9f:b6:f3:9c:d0:e1:22:3b:ab:85:3d:a1:27:9b:
         50:32:62:b8:ec:7a:fa:d6:7d:2b:29:e6:ad:b2:69:4d:28:b4:
         f8:13


Certificate Status
------------------
Controller: B                        Certificate Status: Customer-supplied
Time Created: 2020-12-11 23:30:22
Certificate Text: Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 3580 (0xdfc)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, L=Chuo-ku, O=Frank4DD, OU=WebCert Support, CN=Frank4DD Web CA/emailAddress=support@frank4dd.com
        Validity
            Not Before: Aug 22 05:27:41 2012 GMT
            Not After : Aug 21 05:27:41 2017 GMT
        Subject: C=JP, ST=Tokyo, O=Frank4DD, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b4:cf:d1:5e:33:29:ec:0b:cf:ae:76:f5:fe:2d:
                    c8:99:c6:78:79:b9:18:f8:0b:d4:ba:b4:d7:9e:02:
                    52:06:09:f4:18:93:4c:d4:70:d1:42:a0:29:13:92:
                    73:50:77:f6:04:89:ac:03:2c:d6:f1:06:ab:ad:6c:
                    c0:d9:d5:a6:ab:ca:cd:5a:d2:56:26:51:e5:4b:08:
                    8a:af:cc:19:0f:25:34:90:b0:2a:29:41:0f:55:f1:
                    6b:93:db:9d:b3:cc:dc:ec:eb:c7:55:18:d7:42:25:
                    de:49:35:14:32:92:9c:1e:c6:69:e3:3c:fb:f4:9a:
                    f8:fb:8b:c5:e0:1b:7e:fd:4f:25:ba:3f:e5:96:57:
                    9a:24:79:49:17:27:d7:89:4b:6a:2e:0d:87:51:d9:
                    23:3d:06:85:56:f8:58:31:0e:ee:81:99:78:68:cd:
                    6e:44:7e:c9:da:8c:5a:7b:1c:bf:24:40:29:48:d1:
                    03:9c:ef:dc:ae:2a:5d:f8:f7:6a:c7:e9:bc:c5:b0:
                    59:f6:95:fc:16:cb:d8:9c:ed:c3:fc:12:90:93:78:
                    5a:75:b4:56:83:fa:fc:41:84:f6:64:79:34:35:1c:
                    ac:7a:85:0e:73:78:72:01:e7:24:89:25:9e:da:7f:
                    65:bc:af:87:93:19:8c:db:75:15:b6:e0:30:c7:08:
                    f8:59
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         40:cb:fe:04:5b:c6:74:c5:73:91:06:90:df:ff:b6:9e:85:73:
         fe:e0:0a:6f:3a:44:2f:cc:53:73:16:32:3f:79:64:39:e8:78:
         16:8c:62:49:6a:b2:e6:91:85:00:b7:4f:38:da:03:b9:81:69:
         2e:18:c9:49:96:84:c2:eb:e3:23:f4:eb:ac:68:4b:57:5a:51:
         1b:d7:eb:c0:31:6c:86:a0:f6:55:a8:f8:10:d0:42:06:1e:94:
         a5:e0:68:a7:9f:b6:f3:9c:d0:e1:22:3b:ab:85:3d:a1:27:9b:
         50:32:62:b8:ec:7a:fa:d6:7d:2b:29:e6:ad:b2:69:4d:28:b4:
         f8:13


Success: Command completed successfully. (2020-12-11 23:36:41)
#