Enhanced Security & SSL Certificates for HPE Nimble Storage with NimbleOS 5.2

Keeping the bad guys out with Nimble Storage

A nice feature that’s made it’s way into HPE Nimble Storage with the GA release of NimbleOS 5.2 is enhanced security & SSL certificate management. With the huge increase of cybersecurity problems, man-in-the-middle hacks, ransomware and other malicious attempts at customer datasets – ensuring your certificate handling is secure and complete is of high importance.

This is what we DON’T want to see for enterprise IT!

Historically, Nimble users were able to replace or import SSL certificates (or CSR) on a Nimble array – but it was pretty hard to do as it was mostly CLI based only (see blog examples here and here on how it’s done).

In NimbleOS 5.2 and above performing SSL certificate management with your certificate authority is now available directly in the GUI, and is VERY easy to do for administrators.

Firstly, browse to Administration->Security. Here, you’ll notice a new sub-menu selector for “SSL Certificate“, and inside you’ll see the self-generated security settings for your array, but crucially “Trusted = NO” for the certificates that exist.

New SSL Certificate page in NimbleOS

Clicking the “+” button, we are then greeted with a series of options around creating, importing or managing certificates. We’re going to Import a trusted certificate.

We’re now offered three ways to import a trusted certificate. We can upload the certificate chain, load the certificate chain directly from the authority via SSL/TLS, or you can manually paste the chain (which is the long list of random characters you normally copy and paste in notepad).

An easy way here is to use the SSL connection, which is what we’re going to do. We created a name of “ca” and pointed to the certificate authority:

Enter in the IP address of your root certificate authority here

Once saved, we can acknowledge the new trusted certificate added within main SSL Certificate page.

You can click the new entry and “validate” the connection. You also may want to copy the PEM text into notepad/textedit (or another tool of your choice). The PEM text will come in handy later…

Gotcha: make sure you have the final carridge return after —END CERTIFICATE—

Copy the PEM text WITH the carridge return complete after END CERTIFICATE

Next – we need to create a Certificate Signing Request. Ensure you enter the full details for your Nimble array group with FQDN and IP addresses, as well as the correct Nimble group name you’ve assigned.

Hitting “Generate” will give you a confirmation screen – as well as the ability to copy that PEM text we saw beforehand.

Now we can see the custom CSR generated.

Jump across into your certificate authority server (here we’re using Active Directory Certificate Services), and request an advanced certificate.

Here, you’ll paste the PEM text from a step ago (WITH the carridge return as you can see), and you can use the Certificate Template of Web Server.

generating the new signed certificate using the PEM text from before

Once submitted, we can download the signed certificate from the certificate authority. Ensure that you have “Base 64 encoded”.

download the certificate to your local machine

Inspecting the certificate, you can see the new PEM text given for the new signed certificate. This is what we need to complete the process within the Nimble GUI.

Head back into the Nimble group GUI, and this time select “Install a CA Signed Certificate“, and paste in the two PEM text certificates we have; the top is where you paste the first PEM text, the below is where you paste the second PEM text from Active Directory (in our case).

If all goes well (and no reason why it wouldn’t) you should get the prompt to let you know the custom certificate was installed and is now in place:

To validate – logout of the array UI & shut the browser window, then reconnect to the array FDQN or IP address. You should now spot that the certificate is valid and our web browser no longer complaints about insecure connections 🙂

We have a valid certificate!

There we have it – very simple and straightforward process to ensure you secure your shiny Nimble environment and keep the bad people out.

Want to give a shout-out to UK Storage Architect Stuart Morley who produced the environment for screenshots to form the basis of this blog.

Cheers for now – Stay Nimble!

Nick

Leave a Reply

Your email address will not be published. Required fields are marked *