
Article Number: 000157813


VPLEX: How to create web vendor signed certificate for the VPN security certificates

Article Content


Instructions

Issue:

  • This article walks you through how to create security certificates on a VPLEX Local, and on a VPLEX Metro/Geo, with a vendor signed web certificate.
  • The user has security policies requiring that all web-based SSL encryption be signed by third-party software.

Resolution:

  1. Generate the certificate signing request (CSR) file from VPLEX. The CSR is needed to obtain the SSL certificates used to import vendor-specific web-host certificates. This command automatically generates two files after the user fills in the required attributes (the output of the OpenSSL command, along with the output of each file, is shown at the bottom of this page):

service@ManagementServer:/> openssl req -new -newkey rsa:2048 -nodes -keyout <KeyFileName.key> -out <KeyFileName.csr> 

  2. Submit the content of the CSR file <KeyFileName.csr> to the vendor to obtain a signed SSL certificate.
  3. At this point the user should have the following files (NOTE: The file names could be different. The file names given here follow the example of this KB. The output of each file is zipped and attached to this KB; see "All_Cert_files.rar" in the Attachments section at the bottom of this KB):
    • KeyFileName.key: the private key generated by the openssl command in step 1.
    • vendor_sign_key.cer: the signed certificate from the "issuer/vendor", based on the information provided in KeyFileName.csr. This is the signed certificate for the VPLEX web service, issued by the vendor.
    • web_cacert.cer: the key that the vendor used to sign the vendor_sign_key.cer certificate.
  4. The file content of the vendor signed certificate "vendor_sign_key.cer" may not be in the proper UNIX format.
    a. Run the dos2unix vendor_sign_key.cer command to convert this file into UNIX format.
    b. Open the vendor_sign_key.cer file with the vi editor and add a newline at the bottom of the file.

service@ManagementServer:/tmp/vendor_certificates> vi vendor_sign_key.cer 

      i. At the end of the last line, press <enter>.
      ii. Press <delete> in the new line (ensure nothing is there in the last empty line), then save and quit with :wq!.
    c. Once steps a and b are done, run 'cat vendor_sign_key.cer'.

The last lines in the output should look similar to this example:

TLIHGKoNeQtGbfmAVcX3b9s1gUs1ZR5gD+GcdHLpKq8P2BdKSqXQzP1u9Dp46/Xf
dA6Xl6cxJ7jorJFaBx/9FJwjbbYzTR833SntFMzZecJ5NlDkIxRrw17yMBEiKWjn
sdafsdafdfddfsdf=
-----END CERTIFICATE-----

  5. Before re-creating the VPN security certificates, delete all the existing certificates, including CA, host, and web host, on the VPLEX management server(s). At the VPlexcli prompt for a Local or Metro/Geo cluster, run these commands:
  • vpn stop (Skip if VPLEX Local)
  • security delete-ca-certificate    
  • security delete-host-certificate    
  • security delete-host-certificate -o webServerHostCertFile.pem -f webServerHostkeyFile.pem    

Note: For Metro and Geo systems, repeat step 5 on the peer cluster.

  6. From the VPlexcli, run the following command to import the vendor signed certificates provided to configure web:

security configure-certificates -w vendor_sign_key.cer -k KeyFileName.key -p web_cacert.cer

Note: If you run this command and receive an error about certificates already existing, 'exit' to the management-server prompt, remove the old stale certificates with the following command, then retry step 6:

  rm /etc/ipsec.d/*/*pem*

  7. On both clusters, in VPlexcli, run the command below to configure IPsec for VPLEX, cluster-1 first, then cluster-2 (Skip if VPLEX Local):

security ipsec-configure -i <ip address of remote management server>

  8. On Metro and Geo configurations only, run the "vpn status" command to ensure the VPN is up and running.

Sample output with cluster-witness configured:    

vpn start

VPlexcli:/> vpn status
Verifying the VPN status between the management servers...
IPSEC is UP
Remote Management Server at IP Address x.x.x.x is reachable
Remote Internal Gateway addresses are reachable

Verifying the VPN status between the management server and the cluster witness server...
IPSEC is UP
Cluster Witness Server at IP Address 128.221.254.3 is reachable

  9. If, after following the steps above, 'vpn status' shows that the VPN is still not established, contact Dell EMC Customer Support and mention this article number.
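The script below shows checks that can be run in a shell with openssl before the import in step 6: that the signed certificate is in UNIX format with a final newline (step 4), that it matches the private key from step 1, and that it verifies against web_cacert.cer. It is an added example, not part of the original Dell EMC article; the function names are hypothetical, and the demo files are created by a throwaway CA constructed for the example in place of the real vendor.

```bash
#!/bin/sh
# Added example: checks to run on the three files before step 6.
# Function names are hypothetical; file names follow this KB.

check_unix_format() {  # step 4: no CR characters, final newline present
    cr=$(printf '\r')
    if grep -q "$cr" "$1"; then echo "CRLF line endings: $1"; return 1; fi
    [ -z "$(tail -c 1 "$1")" ] || { echo "no trailing newline: $1"; return 1; }
}

check_key_match() {  # $1 = signed cert, $2 = private key from step 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "cert does not match key"; return 1; }
}

check_chain() {  # $1 = signed cert, $2 = CA cert that signed it
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 ||
        { echo "cert does not verify against $2"; return 1; }
}

preflight() {  # $1 = signed cert, $2 = private key, $3 = CA cert
    check_unix_format "$1" && check_key_match "$1" "$2" &&
        check_chain "$1" "$3" && echo "OK to import: $1"
}

# Constructed sample data: a throwaway CA standing in for the vendor.
make_demo_files() {  # $1 = empty working directory
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
          -keyout ca.key -out web_cacert.cer 2>/dev/null &&
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vplex.example.test" \
          -keyout KeyFileName.key -out KeyFileName.csr 2>/dev/null &&
      openssl x509 -req -in KeyFileName.csr -CA web_cacert.cer -CAkey ca.key \
          -CAcreateserial -days 1 -out vendor_sign_key.cer 2>/dev/null )
}

demo=$(mktemp -d) && make_demo_files "$demo" &&
    preflight "$demo/vendor_sign_key.cer" "$demo/KeyFileName.key" "$demo/web_cacert.cer"
```

With real files, skip make_demo_files and call preflight with the vendor's certificate, the key from step 1, and the vendor's CA certificate.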

Article Properties

Affected Product: VPLEX Series

Product: VPLEX Series

Last Published Date: 23 Nov 2020

Version: 2

Article Type: How To