NetApp: Change Virtual Storage Console (VSC) SSL Certificates

Glenn posited an interesting question this morning: how to change the SSL certificate that VSC uses to one that is signed by your CA so that the warning(s) would no longer appear. Turns out it’s significantly more difficult than it probably should be, but it is possible.

First, let me say that NetApp probably hates me doing this and will not support your VSC install in any way should you modify the key. Also, keep in mind that any updates to VSC may overwrite the key, thus undoing any of this work. So, proceed at your own risk…

To begin, you will need to have the Java Developer’s Toolkit (JDK) installed. I have the newest version, 1.6.22, which you can get from here. Once installed you can proceed.

From the PC that you installed the JDK to, connect to the server that has VSC installed and browse to the C:\Program Files\NetApp\Virtual Storage Console\lib directory. Find the file nvpf.jar and copy it to someplace on your local PC. You need to extract the contents of this file using the jar executable…from my box the command I used was:

This will result in a large number of files being extracted, however you are only interested in one: nvpf.default. In that file, around lines 9 and 10 should be two passwords, one for the keystore and one for the key. For example, one of the lines may look like:

Keep those two passwords handy, because we’re going to need them in a minute. Now we need to create our key and certificate. I used openssl for this task. First create our key:

Now, create the Certificate Signing Request (CSR)…

You will have to answer the questions for the CSR and then send the request to your CA. Once the PEM encoded certificate is returned, place the certificate into its own file…I usually name it your.server.crt. Now we need to create a PKCS12 file for importing into the keystore.

The command will ask for a password (twice to verify). The password you need to use here is the “key” (http.ssl.key.password) password from the nvpf.default file. Ensure you enter it exactly as it is in the file.

The next step is to copy the newly created PKCS12 key/certificate file to your VSC server. You will need to create a keystore for Jetty to use. Log in and open “Command Prompt” as an administrator (Right-Click -> “Run as Administrator”). After ensuring you have an admin command prompt, execute the following:

This will ask for three passwords. The first two should be the same; they are the keystore password. You must use the password found in nvpf.default for the line http.ssl.keystore.password. Enter the password for both prompts (“Enter destination keystore password:”, “Re-enter new password”) exactly as it appears in the config file.

The third password prompt is for the “source keystore”. This is the password that you used when creating the PKCS12 file above (the value from http.ssl.key.password). After entering all passwords you should see a result of…

With the new keystore created, back up the original…just in case. Browse to C:\Program Files\NetApp\Virtual Storage Console\etc and back up the file nvpf.keystore. You can do this by copy->rename or simply rename it in-place to something else since we are going to move the newly created keystore in its place.

Once the backup is done, copy the created keystore (C:\somelocation\nvpf.keystore in the example above) to the location we just browsed to (C:\Program Files\NetApp\Virtual Storage Console\etc).

Restart the “NetApp vSphere Plugin Framework” service. It will take a few seconds (30-60 for me), but you should be able to browse to the VSC server (try https://your.server:8143/Register.html) and it will use the certificate we just set up.

If you encounter problems during or after startup of the service, for example you are never able to get the Register.html page to load or the service starts then stops, check the wrapper.log and/or the nvpf.log, both located in C:\Program Files\NetApp\Virtual Storage Console\log. You can roll back to the original cert by renaming the backup to nvpf.keystore and restarting the service.
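The procedure above, end to end, as an added example rather than the post's own commands. It assumes openssl and the JDK tools are on the PATH, that nvpf.default uses a plain key=value layout, and that the certificate from the CA was saved as NAME.crt; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not the post's original commands). NAME is a placeholder base name,
# e.g. your.server -> your.server.key / .csr / .crt / .p12.

# Print the value of KEY from nvpf.default (assumed layout: key=value, one per line).
vsc_prop() {  # usage: vsc_prop FILE KEY
    key_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # match dots literally
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" |
        tr -d '\r' | head -n 1
}

# Unpack a local copy of nvpf.jar and print where nvpf.default landed.
extract_defaults() {  # usage: extract_defaults /path/to/nvpf.jar
    jar xf "$1" && find . -name nvpf.default -print
}

# Private key plus CSR; openssl req prompts for the subject fields.
new_key_and_csr() {  # usage: new_key_and_csr NAME
    openssl genrsa -out "$1.key" 2048 &&
        openssl req -new -key "$1.key" -out "$1.csr"
}

# True only if the certificate returned by the CA carries this key's public half.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build NAME.p12, protected with http.ssl.key.password read straight from the file
# so the password cannot be mistyped at the prompt.
make_p12() {  # usage: make_p12 NAME /path/to/nvpf.default
    P12_PASS=$(vsc_prop "$2" http.ssl.key.password)
    [ -n "$P12_PASS" ] || { echo "http.ssl.key.password not found in $2" >&2; return 1; }
    cert_matches_key "$1.crt" "$1.key" ||
        { echo "$1.crt does not match $1.key" >&2; return 1; }
    P12_PASS="$P12_PASS" openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" \
        -out "$1.p12" -passout env:P12_PASS
}

# On the VSC server (same keytool arguments in an admin Command Prompt). keytool asks
# for the destination password twice (http.ssl.keystore.password), then the source one.
make_keystore() {  # usage: make_keystore NAME
    keytool -importkeystore -srckeystore "$1.p12" -srcstoretype PKCS12 \
        -destkeystore nvpf.keystore
}
```

Checking that the certificate matches the key before building the PKCS12 file catches a wrong or stale .crt before it reaches the VSC server, where the only symptom would be the service failing to start.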

2 thoughts on “NetApp: Change Virtual Storage Console (VSC) SSL Certificates”

  1. Nice! Worked a charm, although I think there is a typo in your pcks12 line (it didn’t work for me!)

    Also you might want to include how to get the entire chain as this was an issue for me – I resolved this for vSphere last week so I knew how to do it!

    In my org we have Windows PKI so just exported the cert with chain, p7b file format then converted this to a crt using

    openssl pkcs7 -print_certs -in netapp.p7b -out netapp.crt

    then was able to use the resulting crt in the convert to a PKCS12.

    Bingo.

    Allen
