A nice feature that’s made its way into HPE Nimble Storage with the GA release of NimbleOS 5.2 is enhanced security & SSL certificate management. With the huge increase in cybersecurity problems, man-in-the-middle hacks, ransomware and other malicious attempts at customer datasets, ensuring your certificate handling is secure and complete is of high importance.
Historically, Nimble users were able to replace or import SSL certificates (or CSR) on a Nimble array – but it was pretty hard to do as it was mostly CLI-based (see blog examples here and here on how it’s done).
Firstly, browse to Administration->Security. Here, you’ll notice a new sub-menu selector for “SSL Certificate”, and inside you’ll see the self-generated security settings for your array, but crucially “Trusted = NO” for the certificates that exist.
Clicking the “+” button, we are then greeted with a series of options around creating, importing or managing certificates. We’re going to Import a trusted certificate.
We’re now offered three ways to import a trusted certificate. We can upload the certificate chain, load the certificate chain directly from the authority via SSL/TLS, or manually paste the chain (which is the long list of random characters you normally copy and paste in Notepad).
An easy way here is to use the SSL connection, which is what we’re going to do. We created a name of “ca” and pointed to the certificate authority:
Once saved, we can see the new trusted certificate listed on the main SSL Certificate page.
You can click the new entry and “validate” the connection. You also may want to copy the PEM text into notepad/textedit (or another tool of your choice). The PEM text will come in handy later…
Gotcha: make sure you have the final carriage return after -----END CERTIFICATE-----
Next – we need to create a Certificate Signing Request. Ensure you enter the full details for your Nimble array group with FQDN and IP addresses, as well as the correct Nimble group name you’ve assigned.
Hitting “Generate” will give you a confirmation screen – as well as the ability to copy that PEM text we saw beforehand.
Now we can see the custom CSR generated.
Jump across into your certificate authority server (here we’re using Active Directory Certificate Services), and request an advanced certificate.
Here, you’ll paste the PEM text from a step ago (WITH the carriage return as you can see), and you can use the Certificate Template of Web Server.
Once submitted, we can download the signed certificate from the certificate authority. Ensure that you have “Base 64 encoded” selected.
Inspecting the certificate, you can see the new PEM text given for the new signed certificate. This is what we need to complete the process within the Nimble GUI.
Head back into the Nimble group GUI, and this time select “Install a CA Signed Certificate”, and paste in the two PEM text certificates we have; the top box is where you paste the first PEM text, and the bottom box is where you paste the second PEM text from Active Directory (in our case).
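Since both pastes depend on intact PEM text (see the gotcha above about the final carriage return), here is a small pre-paste check. It is an added example, not part of the original post and not HPE code; `check_pem` and `sample_pem` are hypothetical names, and the sample blocks are constructed stand-ins rather than real certificates.

```python
import base64
import binascii
import re

FANCY_DASHES = "\u2013\u2014\u2212"  # en dash, em dash, minus sign
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----$",
    re.DOTALL | re.MULTILINE)


def check_pem(text):
    """Return (normalized_text, labels, problems) for pasted PEM text."""
    problems = []
    if any(ch in text for ch in FANCY_DASHES):
        problems.append("typographic dashes where '-----' is expected")
    if not text.endswith(("\n", "\r")):
        problems.append("no line ending after the final END line")
    # Normalize CRLF/CR endings and trailing spaces; finish with one newline.
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    normalized = "\n".join(line.rstrip() for line in lines).strip() + "\n"
    labels = []
    for label, body in PEM_BLOCK.findall(normalized):
        labels.append(label)
        try:
            der = base64.b64decode(body.replace("\n", ""), validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # certificates and CSRs are DER SEQUENCEs
            problems.append(f"{label}: decoded data is not a DER SEQUENCE")
    if not labels:
        problems.append("no complete BEGIN/END block found")
    return normalized, labels, problems


def sample_pem(label, der=b"\x30\x03\x02\x01\x00"):
    """Constructed stand-in block (a tiny DER SEQUENCE, not a real certificate)."""
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    chain = sample_pem("CERTIFICATE") + sample_pem("CERTIFICATE")
    pasted = chain.replace("\n", "\r\n").rstrip()  # Notepad-style, last newline lost
    fixed, labels, problems = check_pem(pasted)
    print(labels, problems)
    print(check_pem(fixed)[2])  # empty once the normalized text is used
```

Paste the returned normalized text rather than the original clipboard contents when any problem is reported.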
If all goes well (and no reason why it wouldn’t) you should get the prompt to let you know the custom certificate was installed and is now in place:
To validate – log out of the array UI & shut the browser window, then reconnect to the array FQDN or IP address. You should now spot that the certificate is valid and our web browser no longer complains about insecure connections 🙂
There we have it – a very simple and straightforward process to ensure you secure your shiny Nimble environment and keep the bad people out.
Want to give a shout-out to UK Storage Architect Stuart Morley who produced the environment for screenshots to form the basis of this blog.
Cheers for now – Stay Nimble!