Saturday, February 23

Signed certificate on the IBM IMM2

Yes, I know the pictures look silly and stick out. Frankly, my dear, I don't give a damn.
IBM's counterpart to iLO, the IMM (Integrated Management Module) v2, supports signed certificates for its HTTPS web UI. To get one, you generate a CSR on the IMM2, sign it with your own CA and upload the signed certificate file back to the IMM2.
This is no big deal, but as IBM notes, it only works with DER-format files.
The whole process, step-by-step:
  • Go to the IMM Management menu in the web UI and select Security.
  • There, choose Generate a New Key and a Certificate Signing Request (CSR).
  • When it is done, choose Download Certificate Signing Request (CSR) and download the file.
  • Now display its contents: openssl req -in imm2.csr -inform DER -text -noout
  • It should print the request, which confirms the CSR is in DER format. OpenSSL likes PEM better...
  • So convert the DER file to PEM: openssl req -in imm2.csr -inform DER -out imm2-pem.csr
  • It is now possible to sign the CSR: openssl x509 -req -in imm2-pem.csr -CA myroot.crt -CAkey rui.key -CAcreateserial -out imm2-der.crt -days 3650 -outform DER
    Note the -outform DER parameter at the end: the IMM2 requires the signed certificate to be uploaded in DER format!
  • You can now simply upload the file: choose Import a Signed Certificate and browse for it.
  • Restart the IMM2 or its HTTPS service and it will use the new certificate!
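The DER round-trip above, done offline as an added shell example (not from the original post): a throwaway root CA and a locally generated DER CSR stand in for myroot.crt, rui.key and the CSR downloaded from the IMM2, and the script converts, signs with -outform DER, checks each file's encoding from its bytes, and verifies the chain before anything would be uploaded.

```shell
#!/bin/sh
# Added example, not from the original post: the IMM2 DER round-trip done offline.
# A throwaway root CA and a locally generated DER CSR stand in for myroot.crt,
# rui.key and the CSR downloaded from the IMM2 web UI (all constructed here).
set -eu
WORK=$(mktemp -d)

# Constructed inputs: a self-signed root CA and a DER-encoded CSR.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/rui.key" -out "$WORK/myroot.crt" \
    -subj "/CN=Example Lab Root CA" 2>/dev/null
  # The IMM2 hands its CSR out as DER; -outform DER emulates that download.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/imm2.key" \
    -out "$WORK/imm2.csr" -outform DER \
    -subj "/CN=imm2.example.internal" 2>/dev/null
}

# Tell DER from PEM by the file's own bytes rather than by trying -inform values
# (OpenSSL 3 treats -inform as a hint and autodetects, so that test is unreliable).
encoding_of() {
  if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then
    echo PEM
  elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = "30" ]; then
    echo DER            # 0x30 = ASN.1 SEQUENCE, the first byte of any DER object
  else
    echo UNKNOWN; return 1
  fi
}

# The post's two steps: convert DER -> PEM, then sign and emit DER for upload.
sign_der_csr() {
  csr=$1; ca=$2; key=$3; out=$4
  openssl req -in "$csr" -inform DER -out "$WORK/imm2-pem.csr"
  openssl x509 -req -in "$WORK/imm2-pem.csr" -CA "$ca" -CAkey "$key" \
    -CAcreateserial -days 3650 -outform DER -out "$out" 2>/dev/null
}

# Check the DER certificate chains to the root before importing it on the IMM2.
verify_der_cert() {
  openssl x509 -in "$2" -inform DER -out "$WORK/check.pem"
  openssl verify -CAfile "$1" "$WORK/check.pem" >/dev/null
}

make_fixtures
sign_der_csr "$WORK/imm2.csr" "$WORK/myroot.crt" "$WORK/rui.key" "$WORK/imm2-der.crt"
verify_der_cert "$WORK/myroot.crt" "$WORK/imm2-der.crt"
echo "signed $(encoding_of "$WORK/imm2.csr") CSR -> $(encoding_of "$WORK/imm2-der.crt") cert at $WORK/imm2-der.crt"
```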

Thursday, February 14

vCloud Director 5.1.1 properly signed certificates - step-by-step

First, have your own root certificate :) - see my old post on that.
Then, generate a batch of new certificates with their signing requests on the vCloud Director.
The trick is that there are at least two keytool binaries on a vCD server: the OS default one (God knows what version) and the one shipped with the vCD installation, which is the one to use. Note that the keytool version changes with vCD versions (the bundled JRE changes with it), and of course the command syntax changes too...
So, generate 2 certificates and their signing requests on the vCD node:
  • /etc/init.d/vmware-vcd stop
  • cd /opt/vmware/vcloud-director
  • jre/bin/keytool -keystore certificates.ks -storetype JCEKS -storepass mypasswd -genkey -keyalg RSA -alias http -validity 3650
  • jre/bin/keytool -certreq -keystore certificates.ks -storetype JCEKS -storepass mypasswd -alias http -file http.csr
  • jre/bin/keytool -keystore certificates.ks -storetype JCEKS -storepass mypasswd -genkey -keyalg RSA -alias consoleproxy -validity 3650
  • jre/bin/keytool -certreq -keystore certificates.ks -storetype JCEKS -storepass mypasswd -alias consoleproxy -file consoleproxy.csr
The alias names (http and consoleproxy) are mandatory and correspond to the two vCD IPs. When keytool asks "What is your first and last name?", answer with the FQDN that resolves to that IP - two different FQDNs for the two IPs.
Now copy the two .csr files over to your signing machine, where the root certificate AND its key file reside.
Sign the two signing requests, producing the signed certificates:
  • openssl x509 -req -in http.csr -CA myroot.crt -CAkey rui.key -CAcreateserial -out http.crt -days 3650
  • openssl x509 -req -in consoleproxy.csr -CA myroot.crt -CAkey rui.key -CAcreateserial -out consoleproxy.crt -days 3650
Now copy the two newly generated certificates and the root certificate (not its key!) over to the vCD node.
Then import the root certificate and the two signed certificates into the keystore:
  • cd /opt/vmware/vcloud-director
  • jre/bin/keytool -importcert -storetype JCEKS -storepass mypasswd -keystore certificates.ks -file myroot.crt -alias root
  • jre/bin/keytool -importcert -storetype JCEKS -storepass mypasswd -keystore certificates.ks -file http.crt -alias http
  • jre/bin/keytool -importcert -storetype JCEKS -storepass mypasswd -keystore certificates.ks -file consoleproxy.crt -alias consoleproxy
  • You can check that the keystore is in order (it should be) with: jre/bin/keytool -storetype JCEKS -storepass mypasswd -keystore certificates.ks -list
  • Then reconfigure vCD: /opt/vmware/vcloud-director/bin/configure - the keystore path to give is now /opt/vmware/vcloud-director/certificates.ks
  • And finally, start the service: /etc/init.d/vmware-vcd start
This should be all!