Issue:
- This article walks you through creating security certificates on a VPLEX Local, and on a VPLEX Metro/Geo, using a vendor-signed web certificate.
- The user's security policy requires that all web-based SSL encryption use certificates signed by a third party.
Resolution:
1. Generate the certificate signing request (CSR) on VPLEX so that a vendor-signed web-host certificate can be obtained and imported. After the user fills in the required attributes, this command produces two files (the OpenSSL prompts and the content of each output file are shown at the bottom of this page):
   service@ManagementServer:/> openssl req -new -newkey rsa:2048 -nodes -keyout <KeyFileName.key> -out <KeyFileName.csr>
   Note: The -nodes option writes the private key unencrypted, so restrict access to <KeyFileName.key>.
2. Submit the content of the CSR file <KeyFileName.csr> to the vendor to obtain a signed SSL certificate.
3. At this point the user should have the following files (NOTE: The file names may differ; the names used here follow the example in this KB. The content of each file is zipped and attached to this KB as "All_Cert_files.rar"; see the Attachments section at the bottom of this KB):
   - KeyFileName.key: the private key generated by the openssl command in step 1.
   - vendor_sign_key.cer: the certificate signed by the issuer/vendor based on the information provided in KeyFileName.csr. This is the signed certificate for the VPLEX web service.
   - web_cacert.cer: the vendor's CA certificate, that is, the certificate of the key the vendor used to sign vendor_sign_key.cer.
4. The vendor-signed certificate file "vendor_sign_key.cer" may not be in proper UNIX format.
   a. Run dos2unix vendor_sign_key.cer to convert the file to UNIX line endings.
   b. Open vendor_sign_key.cer in the vi editor and add a newline at the end of the file:
      service@ManagementServer:/tmp/vendor_certificates> vi vendor_sign_key.cer
      - At the end of the last line, press <enter>.
      - Press <delete> on the new line (ensure the last, empty line contains nothing), then save and quit with :wq!.
   c. Once steps a and b are done, run 'cat vendor_sign_key.cer'. The last lines of the output should look similar to this example:
      TLIHGKoNeQtGbfmAVcX3b9s1gUs1ZR5gD+GcdHLpKq8P2BdKSqXQzP1u9Dp46/Xf
      dA6Xl6cxJ7jorJFaBx/9FJwjbbYzTR833SntFMzZecJ5NlDkIxRrw17yMBEiKWjn
      sdafsdafdfddfsdf=
      -----END CERTIFICATE-----
5. Before re-creating the VPN security certificates, delete all existing certificates (CA, host, and web host) on the VPLEX management server(s). At the VPlexcli prompt of a Local or Metro/Geo cluster, run these commands:
   - vpn stop (skip on VPLEX Local)
   - security delete-ca-certificate
   - security delete-host-certificate
   - security delete-host-certificate -o webServerHostCertFile.pem -f webServerHostkeyFile.pem
   Note: On Metro and Geo systems, repeat step 5 on the peer cluster.
6. From the VPlexcli, run the following command to import the vendor-signed certificates and configure the web service:
   security configure-certificates -w vendor_sign_key.cer -k KeyFileName.key -p web_cacert.cer
   Note: If this command reports that certificates already exist, 'exit' to the management-server prompt, remove the old stale certificates with the following command, then retry step 6:
   rm /etc/ipsec.d/*/*pem*
7. On both clusters, in VPlexcli, run the following command to configure IPsec for VPLEX, on cluster-1 first and then on cluster-2 (skip on VPLEX Local):
   security ipsec-configure -i <ip address of remote management server>
8. On Metro and Geo configurations only, run the 'vpn status' command to ensure the VPN is up and running. Sample output with cluster witness configured:
   vpn start
   VPlexcli:/> vpn status
   Verifying the VPN status between the management servers...
   IPSEC is UP
   Remote Management Server at IP Address x.x.x.x is reachable
   Remote Internal Gateway addresses are reachable
   Verifying the VPN status between the management server and the cluster witness server...
   IPSEC is UP
   Cluster Witness Server at IP Address 128.221.254.3 is reachable
9. If, after following the steps above, 'vpn status' shows that the VPN is still not established, contact Dell EMC Customer Support and mention this article number.
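As an added pre-flight check for step 4 (this script is not part of the original KB or of any Dell EMC tool), the following Python code detects the two problems that step describes, CRLF line endings and a missing newline after the END marker, corrects them, and confirms that the base64 body decodes to a DER SEQUENCE of the declared length before the file is handed to security configure-certificates. It uses only the standard library and can be run on any workstation; the sample input is constructed and is not a real certificate.

```python
"""Pre-import check for the vendor-signed PEM file (steps 4a-4c of the procedure).
Added example, not Dell EMC or VPLEX code; uses only the Python standard library."""
import base64
import re

# One PEM certificate block with LF line endings and a trailing newline.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+?)\n-----END CERTIFICATE-----\n")

# Constructed sample: CRLF endings and no newline after the END marker.
# The body is a tiny DER SEQUENCE (30 03 02 01 05), not a real certificate.
SAMPLE_CRLF = "-----BEGIN CERTIFICATE-----\r\nMAMCAQU=\r\n-----END CERTIFICATE-----"

def normalize_pem(text: str) -> str:
    """Apply the two manual fixes: dos2unix (drop CR) and exactly one
    trailing newline after -----END CERTIFICATE-----."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return text.rstrip("\n") + "\n"

def der_total_length(der: bytes) -> int:
    """Length implied by the outer DER SEQUENCE header (tag + length + body)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer DER tag is not SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:          # short-form length
        return 2 + first
    n = first & 0x7F          # long-form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_certificate(text: str) -> dict:
    """Report line-ending problems and return the corrected text.
    Raises ValueError if the file is not a single, well-formed PEM block."""
    findings = []
    if "\r" in text:
        findings.append("CRLF line endings (run dos2unix)")
    if not text.endswith("\n"):
        findings.append("missing newline after END marker")
    fixed = normalize_pem(text)
    blocks = PEM_BLOCK.findall(fixed)
    if len(blocks) != 1:
        raise ValueError("expected one CERTIFICATE block, found %d" % len(blocks))
    der = base64.b64decode(blocks[0].replace("\n", ""), validate=True)
    if der_total_length(der) != len(der):
        raise ValueError("DER length header does not match decoded body")
    return {"findings": findings, "text": fixed, "der_len": len(der)}
```

When writing the corrected text back to vendor_sign_key.cer, open the file with newline="" so that no CR characters are re-introduced, then run the 'cat' check from step 4c as before.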