ONTAP Discussions

How can I add a wildcard cert for OnCommand browser management?

G30rg3

Hi guys,

We recently deployed an AFF 200A filer running ONTAP 9.3, and when using the browser we get SSL errors from the self-signed certs. Obviously this is expected behaviour. I would like to add our wildcard cert for our internal domain to get rid of this nuisance, as we do with any other vendor's web-based management portal. I did some googling and found this article, but it seemed to be geared toward renewing the self-signed certs for various components like SVMs and controllers: https://kb.netapp.com/app/answers/answer_view/a_id/1032196

I have my pub, priv and CA chain in PEM format and just need some documentation to point me in the right direction. PS: I have had a support case open since yesterday with no help besides being asked for screenshots of the browser error (WTF?), case 2007441219.

Any support from the community would be greatly appreciated.


GidonMarcus

Hi


I will first mention that using the same certificate everywhere is a bad, bad practice. If a device gets compromised and the certificate stolen, first you won't know where it leaked from; second, you will not be able to revoke it until it is changed everywhere; and last, in order to replace it you sometimes need to trust this very same stolen certificate, so how would you know that you are providing your credentials on a secure channel?

The OCUM manual specifically states: "The file that you upload and install must be a signed version of the existing self-signed certificate."

The certificate is saved in at least two Java keystores. There are a few batch files in the Program Files folder to import certs into the various Java keystores that the app is using.

Just make sure you take a snapshot of the VM and a DB copy before you play with it, as some of the certificates are used for internal processes to talk to each other, and you might break them and prevent services from starting.

I suspect some of these BAT files are also not recently updated and can maybe break some components in the app that changed in the last few years. I'm pretty sure that it's also completely unsupported to use them.


G

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

aborzenkov

@G30rg3 wrote:

I have my pub, priv and ca chain in pem format and just need some documentation to point me to the right direction.


Have you tried the "security certificate install" command?

GidonMarcus

When posting my last reply I was sure @G30rg3 was referring to OnCommand Unified Manager, but now I realize it's for System Manager. Anyhow, my comment in that reply about reusing the same cert is still valid...

For System Manager the command @aborzenkov mentioned is right. I will also add the commands to activate it:

Use:

security certificate install -type server

<follow the wizard>

and activate with:

security certificate show

ssl modify -vserver <vserver> -ca <taken from above> -serial <taken from above>

Delete the old one:

security certificate delete -serial <cert serial taken from the show command> *

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
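The sequence above hinges on one detail that is easy to get wrong: the serial you pass to `ssl modify` must be the one `security certificate show` prints for the certificate you just installed, not the old self-signed one. The following is an added pre-flight helper, not NetApp code and not from anyone in this thread. It splits a combined PEM file into the pieces the install wizard takes (it assumes the wizard asks for the server certificate, then its private key, then any intermediates, each pasted as PEM), reads the serial number straight out of the server certificate's DER so it can be compared with the `show` output, and builds the CLI lines from the reply with that serial filled in. The `-vserver` parameter, the `ssl modify` arguments and the DER layout used here are standard; the sample certificate bytes are constructed, truncated X.509 structures that hold only a version and serial, and the key is a placeholder string.

```python
# Added example, not NetApp code: pre-flight checks before running
# "security certificate install -type server" and "ssl modify" on ONTAP.
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in file order."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def certificate_serial(der):
    """serialNumber of a DER X.509 certificate as uppercase hex, the form
    'security certificate show' prints, so it can be pasted into ssl modify."""
    _, pos, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE { tbsCertificate, ... }
    tag, pos, _ = _tlv(der, pos)           # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, start, end = _tlv(der, pos)       # optional [0] EXPLICIT version comes first
    if tag == 0xA0:
        tag, start, end = _tlv(der, end)   # then serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("serialNumber not found")
    serial = der[start:end].lstrip(b"\x00") or b"\x00"   # drop DER sign padding
    return serial.hex().upper()


def prepare_install(pem_text):
    """Split a combined PEM file into what the install wizard asks for:
    the server certificate, its private key, then the intermediate chain."""
    blocks = split_pem(pem_text)
    certs = [d for label, d in blocks if label == "CERTIFICATE"]
    keys = [d for label, d in blocks if label.endswith("PRIVATE KEY")]
    if not certs or len(keys) != 1:
        raise ValueError("need exactly one private key and at least one certificate")
    return {"server": certs[0], "key": keys[0], "chain": certs[1:],
            "serial": certificate_serial(certs[0])}


def ontap_commands(vserver, ca, serial):
    """The CLI sequence from the reply above, with the serial filled in.
    'ca' is the issuer name as printed by 'security certificate show'."""
    return [
        f"security certificate install -vserver {vserver} -type server",
        f"security certificate show -vserver {vserver}",
        f"ssl modify -vserver {vserver} -ca {ca} -serial {serial}",
    ]


def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed sample input: truncated DER holding only version=v3 and a serial
# (0x01ABCD for the server cert, 0x0080 for the chain cert). Enough for the
# serial parser; these are NOT valid certificates and the key is a placeholder.
SAMPLE_CERT_DER = bytes.fromhex("300C300AA003020102020301ABCD")
SAMPLE_CHAIN_DER = bytes.fromhex("300B3009A00302010202020080")
SAMPLE_BUNDLE = (_pem("CERTIFICATE", SAMPLE_CERT_DER)
                 + _pem("PRIVATE KEY", b"constructed-key-placeholder")
                 + _pem("CERTIFICATE", SAMPLE_CHAIN_DER))

if __name__ == "__main__":
    info = prepare_install(SAMPLE_BUNDLE)
    print("serial to match in 'security certificate show':", info["serial"])
    print("intermediate certificates to paste after the key:", len(info["chain"]))
    for cmd in ontap_commands("svm_mgmt", "EXAMPLE-CA-PLACEHOLDER", info["serial"]):
        print(cmd)
```

Run it against the real bundle by replacing `SAMPLE_BUNDLE` with the file contents; if the serial it prints does not appear in `security certificate show` after the install, the wizard did not take the certificate you intended, and `ssl modify` should not be run until that is resolved. Leading zero bytes are stripped because DER pads a positive INTEGER whose top bit is set, and ONTAP prints the serial without that padding.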

G30rg3

Thank you!
