HPE 3PAR SSMC SSL Certificate Change

So you have installed the HPE 3PAR SSMC web management software onto a server and you now want to secure this with a signed SSL certificate. You have read through the most thorough of user guides supplied by HPE on how to do this but have got lost at a few parts, well i did maybe i am just thick…

All the tools you need to complete this task are pretty well already on the server where you installed the SSMC software. If you left the install path as default the below will work for you, yes you could get funky and put in path variables into windows but hey most people get lost in there too so I did this without it.

I think from another post I read that when you upgrade the SSMC version this will over-write the certificate change and you will have to do this again, i have not tested this theory yet.

Make sure all the keytool commands are run from :  C:\Program Files\Hewlett Packard Enterprise\SSMC\ssmcbase\etc

This means steps are :

1. Rename keystore to keystore.original,
   • this gives you a roll back should you jam a finger in the door, also take a VM snapshot if you are running this on a VM.
2. Create new Keystore and CSR
   • Type the following command and substitute in the required details of IP, FQDN, OU, O,L,ST,C, these relate to Org Unit, Organisation, Location, State, Country;
     • C:\Program Files\Hewlett Packard Enterprise\SSMC\ssmcbase\etc>”C:\Program Files\Hewlett Packard Enterprise\SSMC\jre\bin\keytool” -genkeypair -keystore keystore -alias jetty -dname “CN=FQDN, OU=X, O=X, L=X, ST=X, C=X” -keyalg RSA -ext SAN=DNS:fqdn,ip:x.x.x.x
       • Substitute required info for FQDN and X and ip x.x.x.x

1. • Create the CSR
     • C:\Program Files\Hewlett Packard Enterprise\SSMC\ssmcbase\etc>”C:\Program Files\Hewlett Packard Enterprise\SSMC\jre\bin\keytool” -certreq -keystore keystore -alias jetty -ext SAN=dns:fqdn,ip:x.x.x.x -file newcert.txt

Noting the -ext to get the SAN into the cert req

Create the Certificate

1. Take the cert req data and get the cert signed from your CA
   • I wont go through these steps
2. Export the root ca and intermediate ca certificates and put these on the server in the ssmcbase\etc folder with the newly signed cert

Import the Certificates into the Keystore

1. Import certs into the keystore in the following order rootca, interca then the final certificate (if you don’t have a intermediate ca don’t run that one)
   • C:\Program Files\Hewlett Packard Enterprise\SSMC\ssmcbase\etc>”C:\Program Files\Hewlett Packard Enterprise\SSMC\jre\bin\keytool” -import -alias root -keystore keystore -trustcacerts -file rootcer.cer
   • C:\Program Files\Hewlett Packard Enterprise\SSMC\ssmcbase\etc>”C:\Program Files\Hewlett Packard Enterprise\SSMC\jre\bin\keytool” -import -keystore keystore -trustcacerts -file intca.cer
   • C:\Program Files\Hewlett Packard Enterprise\SSMC\ssmcbase\etc>”C:\Program Files\Hewlett Packard Enterprise\SSMC\jre\bin\keytool” -import -alias jetty -keystore keystore -trustcacerts -file newcert.cer
2. Create obfuscated psswd, you will need to look up the jetty version from jetty path.
   • C:\Program Files\Hewlett Packard Enterprise\SSMC\jetty\lib>”C:\Program Files\Hewlett Packard Enterprise\SSMC\jre\bin\java.exe” -cp jetty-util-9.4.6.v20170531.jar org.eclipse.jetty.util.security.Password YOURPASSWORD
     • The password is the password you entered when creating the keystore.

This will give you an OBF:JSKFJSKDFSDWIDJWMDMSIOSDJSO password, copy this including the OBF.

1. Copy and Rename the jetty-ssl-context to jetty-ssl-context.original
   • this gives you another recover point should something break
2. Edit jetty-ssl-context entering the obfuscated password into the KEYSTOREPASSWORD and KEYMANAGERPASSWORD, don’t change the Truststorepassword
3. Restart HPE SSMC service, wait about 5mins, check website, your new certifcate should be installed, if it does not or the services does not start you jammed a finger somewhere go back and try again.