Skip to main content
SnapCenter software

Configure the CA Certificate for the NetApp supported plug-ins service on Windows host

PDFs

You should manage the password of the plug-ins keystore and its certificate, configure the CA certificate, configure root or intermediate certificates to the plug-ins trust-store, and configure CA signed key pair to plug-ins trust-store with SnapCenter plug-ins service to activate the installed digital certificate.

The plug-ins uses the file keystore.jks, which is located at C:\Program Files\NetApp\SnapCenter\Snapcenter Plug-in Creator\etc both as its trust-store and key-store.

Manage password for plug-in keystore and alias of the CA signed key pair in use

Steps

  1. You can retrieve plug-in keystore default password from plug-in agent property file.

    It is the value corresponding to the key KEYSTORE_PASS.

  2. Change the keystore password:

    keytool -storepasswd -keystore keystore.jks

    Note If the "keytool" command is not recognized on the Windows command prompt, replace the keytool command with its complete path.

    C:\Program Files\Java\<jdk_version>\bin\keytool.exe" -storepasswd -keystore keystore.jks

  3. Change the password for all aliases of private key entries in the keystore to the same password used for the keystore:

    keytool -keypasswd -alias "alias_name_in_cert" -keystore keystore.jks

    Update the same for the key KEYSTORE_PASS in agent.properties file.

  4. Restart the service after changing the password.

    Note Password for plug-in keystore and for all the associated alias password of the private key should be same.

Configure root or intermediate certificates to plug-in trust-store

You should configure the root or intermediate certificates without the private key to plug-in trust-store.

Steps

  1. Navigate to the folder containing the plug-in keystore C:\Program Files\NetApp\SnapCenter\Snapcenter Plug-in Creator\etc

  2. Locate the file 'keystore.jks'.

  3. List the added certificates in the keystore:

    keytool -list -v -keystore keystore.jks

  4. Add a root or intermediate certificate:

    keytool -import -trustcacerts -alias myRootCA -file /root/USERTrustRSA_Root.cer -keystore keystore.jks

  5. Restart the service after configuring the root or intermediate certificates to plug-in trust-store.

Note You should add the root CA certificate and then the intermediate CA certificates.

Configure CA signed key pair to plug-in trust-store

You should configure the CA signed key pair to the plug-in trust-store.

Steps

  1. Navigate to the folder containing the plug-in keystore C:\Program Files\NetApp\SnapCenter\Snapcenter Plug-in Creator\etc

  2. Locate the file keystore.jks.

  3. List the added certificates in the keystore:

    keytool -list -v -keystore keystore.jks

  4. Add the CA certificate having both private and public key.

    keytool -importkeystore -srckeystore /root/snapcenter.ssl.test.netapp.com.pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

  5. List the added certificates in the keystore.

    keytool -list -v -keystore keystore.jks

  6. Verify that the keystore contains the alias corresponding to the new CA certificate, which was added to the keystore.

  7. Change the added private key password for CA certificate to the keystore password.

    Default plug-in keystore password is the value of the key KEYSTORE_PASS in agent.properties file.

    keytool -keypasswd -alias "alias_name_in_CA_cert" -keystore keystore.jks

  8. Configure the alias name from CA certificate in agent.properties file.

    Update this value against the key SCC_CERTIFICATE_ALIAS.

  9. Restart the service after configuring the CA signed key pair to plug-in trust-store.

Configure certificate revocation list (CRL) for SnapCenter plug-ins

About this task
Steps

  1. You can modify and update the default directory in agent.properties file against the key CRL_PATH.

  2. You can place more than one CRL file in this directory.

    The incoming certificates will be verified against each CRL.