NETAPP Cluster Mode: Installing a server certificate to authenticate the cluster using your internal (Active Directory) CA.

Posted on 4 January 2016 by



Here are the four steps needed to authenticate your NetApp cluster over HTTPS (tested on 8.3P1) with the internal CA of your Windows domain.

N.B. To avoid the certificate warning in the browser, in System Manager or in other third-party applications that connect by IP address, the common name, both when generating the request (step 1) and when installing (step 3), could be replaced with a cluster virtual IP (VIP); the -common-name given in step 4 must then match whatever you chose. Two caveats: current browsers (Chrome since version 58, for example) no longer match the host name against the common name but only against the subjectAltName extension, which a CN-only request like the one in step 1 does not produce, so they will still warn; and an IP address is expected in an iPAddress SAN entry rather than in the CN. If you need a SAN, generate the key and CSR off-box (for example with openssl), have the CA sign that request, and paste that key and certificate in step 3 instead of the ones produced by the cluster.

1) CREATE THE REQUEST ON THE NETAPP FOR OUR INTERNAL CA

cluster1::> security certificate generate-csr -common-name 
clustername.companyname.com -size 2048 -country US -state 
CA -locality Sunnyvale -organization IT -unit Software 
-email-addr web@companyname.com

Certificate Signing Request: 
-----BEGIN CERTIFICATE REQUEST-----
MIICrjCCAZYCAQMwaTEQMA4GA1UEAxMHcnRwLmNvbTELMAkGA1UEBhMCVVMxCzAJ
BgNVBAgTAk5DMQwwCgYDVQQHEwNSVFAxDTALBgNVBAoTBGNvcmUxDTALBgNVBAsT
BGNvcmUxDzANBgkqhkiG9w0BCQEWADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
...
-----END CERTIFICATE REQUEST-----


Private Key:
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAMl6ytrK8nQj82UsWeHOeT8gk0BPX+Y5MLycsUdXA7hXhumHNpvF
C61X2G32Sx8VEa1th94tx+vOEzq+UaqHlt0CAwEAAQJBAMZjDWlgmlm3qIr/n8VT
PFnnZnbVcXVM7OtbUsgPKw+QCCh9dF1jmuQKeDr+wUMWknlDeGrfhILpzfJGHrLJ
...
-----END RSA PRIVATE KEY-----
 
Note: Please keep a copy of your private key and certificate request for future reference.

2) FROM THE CERTIFICATES MMC SNAP-IN ON A WINDOWS PC JOINED TO THE DOMAIN, 
EXPORT (right-click > Export) THE CA CERTIFICATE TO YOUR DESKTOP IN 
BASE-64 FORMAT, THEN OPEN THE FILE IN AN EDITOR TO COPY THE CERTIFICATE 
THAT WE WILL USE AS THE ROOT OF THE CHAIN IN THE NEXT STEP

Choose "Base-64 encoded X.509 (.CER)" in the export wizard: the result is a PEM block (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----), which is the form the install prompt in step 3 expects. If your PKI has an issuing (subordinate) CA below the root, export its certificate as well and enter it first, followed by the root, when step 3 asks for the chain.

[screenshot: caexport]

3) WE CAN NOW INSTALL THE WHOLE CHAIN 
(the certificate returned by the internal CA for our request, 
the private key we saved in the first step, 
and the root CA certificate) as follows:
cluster1::> security certificate install -vserver clustername
-type server

Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIB8TCCAZugAwIBAwIBADANBgkqhkiG9w0BAQQFADBfMRMwEQYDVQQDEwpuZXRh
cHAuY29tMQswCQYDVQQGEwJVUzEJMAcGA1UECBMAMQkwBwYDVQQHEwAxCTAHBgNV
BAoTADEJMAcGA1UECxMAMQ8wDQYJKoZIhvcNAQkBFgAwHhcNMTAwNDI2MTk0OTI4
...
-----END CERTIFICATE-----


Please enter Private Key: Press <Enter> when done
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAMl6ytrK8nQj82UsWeHOeT8gk0BPX+Y5MLycsUdXA7hXhumHNpvF
C61X2G32Sx8VEa1th94tx+vOEzq+UaqHlt0CAwEAAQJBAMZjDWlgmlm3qIr/n8VT
PFnnZnbVcXVM7OtbUsgPKw+QCCh9dF1jmuQKeDr+wUMWknlDeGrfhILpzfJGHrLJ
...
-----END RSA PRIVATE KEY-----


Please enter certificates of Certification Authorities (CA) which 
form the certificate chain of the server certificate. This starts 
with the issuing CA certificate of the server certificate and can 
range up to the root CA certificate.

Do you want to continue entering root and/or intermediate certificates {y|n}: y

Please enter Intermediate Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
MIIE+zCCBGSgAwIBAgICAQ0wDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1Zh
bGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIElu
Yy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24g
...
-----END CERTIFICATE-----


Do you want to continue entering root and/or intermediate certificates {y|n}: n

Note: You should keep a copy of your certificate and private key for future reference. 
If you revert to an earlier release, the certificate and private key are deleted.

4) One more step is needed to disable the cluster's 
self-signed certificate and enable the one from our 
internal CA instead: the newly installed server 
certificate is disabled, while the old one is 
still enabled
 
security ssl show
                 Serial                                          Server  Client
Vserver          Number   Common Name                             Enabled Enabled
---------------- -------- --------------------------------------- ------- -------
ClusterName      -        -                                       false   false
    Certificate Authority: -

ClusterName      3249234  Clustername                             true    false
    Certificate Authority: ClusterName

vstest01         5592BF81 vsbackup01                              true    false
    Certificate Authority: vsbackup01

vstest02         55EEC183 vsbackup02                              true    false
    Certificate Authority: vsbackup02

Run the following command to enable the new certificate. The -common-name, -ca and -serial values must identify the certificate installed in step 3: -ca is the issuer the cluster lists as "Certificate Authority" and -serial is the certificate's serial number, both of which can be read from security certificate show:
security ssl modify -vserver Clustername -server-enabled true 
-client-enabled false -common-name Clustername.companyname.com 
-ca company -serial 60C3438704757435

Run security ssl show again to confirm that the new serial is now listed for the cluster vserver with Server Enabled set to true; it takes the place of the self-signed certificate.
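The checks below are an added example and are not part of the original post or of NetApp's tooling. They reproduce the certificate flow of steps 1 to 4 offline with openssl so that the PEM blocks can be validated before they are pasted into security certificate install, and they show where the -common-name, -ca and -serial values of step 4 come from. Assumptions that are not in the post: openssl is available on the admin workstation, the key and CSR are generated here instead of on the cluster, and the internal CA is a throwaway one-tier root whose CN is "company".

```sh
#!/bin/sh
# Added example (not from the original post): rehearse the CA flow of the
# post offline and run the checks worth doing before pasting PEM into the
# cluster. Assumed, not from the page: openssl on the workstation, CSR made
# here rather than with generate-csr, throwaway root CA with CN "company".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN="clustername.companyname.com"    # same common name as the post's CSR

# Step 1 equivalent: RSA-2048 key and CSR (generate-csr does this on-box;
# the key it prints is the one pasted back in step 3).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/cluster.key" \
  -subj "/C=US/ST=CA/L=Sunnyvale/O=IT/OU=Software/CN=$CN" \
  -out "$WORK/cluster.csr" 2>/dev/null

# Step 2 equivalent: the internal root CA in Base-64 (PEM) form, which is
# what the MMC "Base-64 encoded X.509" export produces.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj "/CN=company" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# What the Windows CA does after the request is submitted: sign the CSR.
openssl x509 -req -in "$WORK/cluster.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/cluster.crt" 2>/dev/null

# Check 1: the certificate the CA returned belongs to the key saved in
# step 1 (same RSA modulus); a mismatch makes the install in step 3 fail.
key_matches_cert() {
  [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Check 2: the server certificate chains to the exported root CA, i.e. the
# chain step 3 asks for (issuing CA first, up to the root) is complete.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: the subject CN is the name clients will use (step 4's -common-name).
cn_is() {
  openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}

# Check 4: a CN-only request yields no subjectAltName, so current browsers
# still warn even when the CN is right (see the note after the intro).
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "Subject Alternative Name"
}

# The other two values step 4 needs: the serial, printed in the same
# uppercase-hex form as the post's "-serial 60C3438704757435", and the
# issuer CN that the cluster lists as "Certificate Authority" (-ca company).
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

report() {
  if "$@"; then echo "[ok]   $1"; else echo "[FAIL] $1"; fi
}
report key_matches_cert "$WORK/cluster.key" "$WORK/cluster.crt"
report chain_verifies   "$WORK/ca.pem"      "$WORK/cluster.crt"
report cn_is            "$WORK/cluster.crt" "$CN"
if has_san "$WORK/cluster.crt"; then
  echo "[ok]   subjectAltName present"
else
  echo "[warn] no subjectAltName: CN-only certificate, modern browsers will still warn"
fi
echo "security ssl modify -vserver <vserver> -server-enabled true -client-enabled false \\"
echo "  -common-name $CN -ca $(issuer_cn "$WORK/cluster.crt") -serial $(cert_serial "$WORK/cluster.crt")"
```

The script prints the security ssl modify line for step 4 with the -ca and -serial values read out of the signed certificate, so they can be compared with what security certificate show reports on the cluster after the install. The same four checks apply unchanged to the real files: point key_matches_cert at the key saved from step 1 and the certificate returned by the CA, and chain_verifies at the Base-64 export from step 2.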

Posted in: Microsoft, netapp