Active IQ Unified Manager Discussions
DFM/Data Fabric Manager/OnCommand Unified Mgr 5.2 uses two different sets of SSL certificates.
(Sometimes you detect things, you didn't really want to know...)
Please correct me if I'm wrong, but my current impression is:
"dfm ssl setup" and the other "dfm ssl" commands only have an impact on the httpd (= Apache) HTTPS configuration,
but not on the dfmserver (= NMC = NetApp Management Console) HTTPS login.
Question:
=> Is there any recipe "How to exchange the dfmserver SSL certificate for port 8488"?
Reason: It is signed by NetApp and will expire in 2016.
I am explicitly not talking about the httpd/Apache 8443 SSL certificates managed by "dfm ssl ..." and stored in DFM_BASE/conf/server.key.
The port 8443 Apache certificate is already signed by my customer and it is working fine.
History:
Customer installed a new DFM version 5.2 as a replacement of the old DFM.
It's running on Windows: E:\Program Files\NetApp\DataFabric Manager\DFM\conf\...
OLD DFM> dfm backup create
NEW DFM> dfm backup restore BACKUP.ndb
Result 1: After new installation of DFM and "dfm backup restore":
The SSL certificate of the Apache wasn't the customer's certificate.
Action 1)
Someone knew something about the DFM_BASE/conf/keys/... directories and copied his own server*.pem to DFM_BASE/conf/keys/... ( !!! DON'T DO THIS !!! )
This ended up in some confusion ... and some enlightenment after some debugging later 😉
Action 2)
This sequence "Enabling secure communication between the DataFabric Manager server and Data ONTAP"
from the "Installation and Setup Guide For Use with Core Package 5.2 and Host Package 1.3 "
lists all necessary steps to use the customer's certificate for HTTPS web browser login to Apache "Operations Manager".
https://library.netapp.com/ecmdocs/ECMP1222478/html/GUID-90DB68AE-677D-40A7-A0D4-C25A5DD7A065.html
(You may skip this paragraph if you like)
Initialize the DataFabric Manager server private key and generate a self-signed certificate by running the following command and following the prompt:
(a) dfm ssl server setup -f
Restart the HTTP service by running the following commands:
dfm service stop http
dfm service start http
Enable HTTPS by running the following command:
dfm option set httpsEnabled=Yes
Request a signed certificate from a well-known CA by running the following command:
(b) dfm ssl server req -f -o server.csr
The server.csr file should be signed by a CA.
Import the signed certificate to the DataFabric Manager server by running the following command:
(c) dfm ssl server import server.crt
Restart the HTTP service by running the following commands:
dfm service stop http
dfm service start http
Enter the certificate information for a CA setup by running the following command and following the prompt:
(d) dfm ssl self setup -f
The CA is ready to sign requests.
If the DataFabric Manager server is running a private CA, perform the following steps:
Run the following command to allow certificate signing requests:
dfm ssl self sign -f -o server.crt server.csr
Import the signed certificate to the DataFabric Manager server by running the following command:
dfm ssl server import server.crt
Change the communication options by running the following commands:
dfm service stop http
dfm option set httpsEnabled=yes
dfm option set httpEnabled=no
dfm option set httpsPort=8443
dfm option set hostLoginProtocol=ssh
dfm option set hostAdminTransport=https
dfm option set perfAdvisorTransport=httpsOk
dfm service start http
Verify that secure communication is enabled with the host by running the command:
dfm host diag hostID_or_hostIP
You should be able to connect to the OnCommand console by using the following URL: https://DataFabric_Manager_server_IP_or_hostname:httpsPort/
During the debugging - on the test-DFM number 3 - I tracked which step generates which file in DFM_BASE\conf
(a) generates or touches:
04.07.2014 10:10 1.024 openssl.rnd
04.07.2014 10:10 1.521 server.crt
04.07.2014 10:10 1.704 server.key
(b) generates a "server.csr" file for a signing request
(c) stores the signed server.crt in DFM_BASE/conf/..
04.07.2014 10:28 1.436 server.crt
(d) dfm ssl self setup
04.07.2014 11:19 1.428 ca.crt
04.07.2014 11:19 916 ca.key
04.07.2014 11:19 1.024 openssl.rnd
Result 2:
The web browser using HTTPS to Apache is using the customer's SSL certificate,
but using HTTPS from the Java GUI "NetApp Management Console" (NMC) to Port 8488 of DFM was still broken. 😞
NMC: Port 8088 was fine also, but Port 8488 still was broken.
cd %DFM_BASE%\log
find "8488" *.log
---------- DFMSERVER.LOG
Jul 03 12:37:27 [dfmserver:ERROR]: [8524:0x1698]: Failed to create the encoded key-cert for port 8488
Further Analysis/Solution:
We set up a third DFM and used "dfm ssl ..." to install our customer's certificates there.
Result 3 (on test-DFM):
All four incoming ports (8080,8443,8088,8488) are usable, but ...
checking the SSL certificates on ports 8488 and 8443 by using a web browser delivers two different certificates:
8443 (OpsMgr = Apache): SSL certificate by customer
8488 (NMC = dfmserver): SSL certificate by NetApp
=>
httpd: 8080 (HTTP) + 8443 (HTTPS), uses the SSL certificate stored in DFM_BASE/conf/server.crt
dfmserver: 8088 (HTTP) + 8488 (HTTPS), uses the SSL certificate(s) stored in DFM_BASE/conf/keys/...
DFM_BASE/conf/httpd.conf references DFM_BASE/conf/server.crt
BTW, every "dfm service start http" generates a new DFM_BASE/conf/httpd.conf from the template DFM_BASE/conf/httpd.conf.tmpl:
@@HTTPS_BEGIN@@
Listen @@HTTPS_PORT@@
<VirtualHost _default_:@@HTTPS_PORT@@>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
<IfModule mod_ssl.c>
...
SSLCertificateFile "@@INSTALLDIR@@/conf/server.crt"
=> "dfm ssl setup" and the other "dfm ssl" commands only have an impact on the httpd (= Apache) configuration,
but not on the dfmserver (= NMC) HTTPS login.
This brings me back to the initial question:
Is there any recipe "How to exchange the NMC -> dfmserver SSL certificate for port 8488"?
conf/keys/...
certs/...
private_keys/...
truststore/...
How did we finally resolve our problem?
Our fault was: copying only the customer's *.pem file into the DFM_BASE/conf/keys/... tree. This action had broken the NetApp NMC certificate files in DFM_BASE/conf/keys/...
and therefore port 8488 was "illegal" = "Failed to create the encoded key-cert for port 8488" message in DFMSERVER.LOG.
We stopped the productive DFM, copied the DFM_BASE/conf/keys/... tree from the new "Test-DFM" to the "productive DFM" and restarted the productive DFM.
=> dfmserver HTTPS = 8488 = NMC was using the original NetApp certificates (expiring in 2016) again. Hurray!
And now we know, we are facing the 2016 certificate HTTPS expiration date ...
I haven't done any further inquiries on DFM_BASE/conf/keys/... content yet.
So any hints, references, ... are welcome!
Workaround:
To be prepared for the next DFM transfer, we created two zip archives named SSL_KEYS_APACHE_OPSMGR_8443.zip and SSL_KEYS_DFMSERVER_MGNT_CONSOLE_8488.zip
and stored them in one of the DFM auto backup directories (we chose "script plugin"). (See also "dfm backup diag".)
SSL_KEYS_APACHE_OPSMGR_8443.zip:
...
COPY_THIS/ca.crt
COPY_THIS/ca.key
COPY_THIS/ca.srl
COPY_THIS/openssl.rnd
COPY_THIS/server.crt
COPY_THIS/server.csr
COPY_THIS/server.key
COPY_THIS/DFMSERVERNAME.FQDN DATE.cer (anonymized name for customer's certificate)
COPY_THIS/CUSTOMER-ca-proc-06.cer (anonymized name for customer's certificate)
COPY_THIS/CUSTOMER-CA-ROOT-04.cer (anonymized name for customer's certificate)
SSL_KEYS_DFMSERVER_MGNT_CONSOLE_8488.zip
...
keys/certs/
keys/certs/dfmcert.pem
keys/dfmenc.keys
keys/private_keys/
keys/private_keys/dfmcertkey.pem
keys/private_keys/dfmkey.pem
keys/private_keys/dfmvimcrtkey.pem
keys/truststore/
keys/truststore/dfmcacert.pem
keys/truststore/dfmvimca.pem
The filename extensions are explained here:
http://en.wikipedia.org/wiki/X.509
.pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
.cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
Do I have to, or may I, use OpenSSL to set up my own "keys tree" certificate for the 8488 dfmserver port?
Regards
Dirk Schmiedt
P.S. Some more background information found on the net, but not tested:
Migrating certificates, keys, and truststores manually
During DataFabric Manager server database backups, the directories containing certificates, keys, and truststores for both cloud service clients and host service clients are not backed up. If you want to restore database backups to a different DataFabric Manager server, you must manually migrate the certificates, keys, and truststore directories or the restore fails.
About this task
This procedure is not required when you back up and restore the database to the same DataFabric Manager server.
Steps
On the DataFabric Manager server you want to migrate, back up the database.
On the DataFabric Manager server you just backed up, copy the following three folders from the \DataFabric Manager install directory\conf\keys\ directory:
certs
private_keys
truststore
Restore the database to the new DataFabric Manager server.
Copy the three folders from the original DataFabric Manager server to the same directory on the destination DataFabric Manager server.
Perform one of the following actions, depending on which type of clients you are migrating:
If you migrate clients in a cloud infrastructure, after the migration, generate a new DataFabric Manager server certificate on the destination DataFabric Manager server by entering dfm ssl service setup, and then load the new certificate by entering dfm ssl service reload
Note: If you do not generate a new certificate, the new DataFabric Manager server will load the certificate that was migrated from the original DataFabric Manager server causing DataFabric Manager server hostname validation to fail on cloud service clients.
If you are migrating host service clients, after the migration, unregister the host service and then register the new host service from the Host Services tab in the OnCommand console.
Creating self-signed certificates in the DataFabric Manager server
You can generate self-signed certificate from the command-line interface (CLI) of the DataFabric Manager server. You can set up the DataFabric Manager server as a Certificate Authority (CA), and generate self-signed certificates.
Steps
Log into the DataFabric Manager server as the DataFabric Manager server administrator.
From the command-line interface, enter the following command:
dfm ssl server setup
Enter the following information when prompted:
Key Size
Certificate Duration
Country Name
State or Province
Locality Name
Organization Name
Organizational Unit Name
Common Name
Email Address
Result
The DataFabric Manager server SSL server is now initialized with a self-signed certificate and the private key, server.key file is placed in the following DataFabric Manager server directory: c:\Program Files\NetApp\DataFabric Manager\DFM\conf\.
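The post above established, by looking at the certificates in a web browser, that ports 8443 (httpd) and 8488 (dfmserver) present two different certificates and that the 8488 one expires in 2016. The following script automates that check: it fetches the leaf certificate from each port, computes a SHA-256 fingerprint so the two can be compared, and pulls the notAfter date out of the DER so the expiry can be monitored. It is an added example, not code from the original post or from NetApp. Assumptions: the host name `dfm.example.invalid` and the port list are placeholders; because the verifier cannot reach a DFM, the script also contains `build_sample_cert_der()`, a constructed, unsigned stand-in certificate (empty issuer/subject, dummy signature) that is only used to demonstrate the parser offline. The DER walker is deliberately minimal (it only knows enough of the tbsCertificate layout to reach the Validity sequence) and does no signature or chain validation.

```python
"""Compare the certificates a DFM host serves on 8443 (httpd) and 8488 (dfmserver).

Added example, not code from the original post or from NetApp. The host name,
the port list and the sample certificate below are assumptions/constructed data.
"""
import datetime
import hashlib
import ssl
import sys


# ---- minimal DER walking: just enough to reach Validity inside tbsCertificate
def _tlv(data, pos):
    """Decode one DER TLV at data[pos]; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Split the content of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into a naive UTC datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                           # YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                         # YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.datetime.strptime(s[:14], "%Y%m%d%H%M%S")


def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tbs = _children(_children(cert)[0][1])   # tbsCertificate fields
    if tbs[0][0] == 0xA0:                     # optional explicit [0] version
        tbs = tbs[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return tuple(_time(t, v) for t, v in _children(tbs[3][1]))


def days_left(der, now):
    return (cert_validity(der)[1] - now).days


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


# ---- constructed sample: syntactically a Certificate, unsigned, empty Names (test data only)
def _enc(tag, content):
    n = len(content)
    lb = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + lb + content


def build_sample_cert_der(not_before="140704101000Z", not_after="160704101000Z"):
    tbs = _enc(0x30,
        _enc(0xA0, _enc(0x02, b"\x02"))                                   # version v3
        + _enc(0x02, b"\x01")                                             # serialNumber
        + _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")))     # sha256WithRSAEncryption
        + _enc(0x30, b"")                                                 # issuer (empty Name)
        + _enc(0x30, _enc(0x17, not_before.encode()) + _enc(0x17, not_after.encode()))
        + _enc(0x30, b"")                                                 # subject (empty Name)
        + _enc(0x30, b""))                                                # subjectPublicKeyInfo placeholder
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))        # dummy sigalg + signature


def compare_ports(host, ports=(8443, 8488), now=None):
    """Fetch the leaf cert from each port (no chain validation) and summarize it."""
    now = now or datetime.datetime.now()
    out = {}
    for port in ports:
        pem = ssl.get_server_certificate((host, port))
        der = ssl.PEM_cert_to_DER_cert(pem)
        out[port] = (fingerprint(der), cert_validity(der)[1], days_left(der, now))
    return out


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "dfm.example.invalid"    # assumed host name
    for port, (fp, not_after, days) in compare_ports(host).items():
        print("%d  sha256=%s...  notAfter=%s  (%d days left)" % (port, fp[:16], not_after, days))
```

Run it from a machine that can reach both ports (`python dfm_certs.py <dfm-host>`); identical fingerprints on 8443 and 8488 would mean the two services share a certificate, differing ones reproduce the situation in the post. `ssl.get_server_certificate` deliberately does not validate the chain, which is what you want here: the 8488 certificate is issued by a NetApp CA that the querying machine will not trust.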