SnapCenter Software 6.0

Configure two-way SSL communication on Linux host

Contributors netapp-soumikd

Configure two-way SSL communication to secure the mutual communication between the SnapCenter Server on a Linux host and the plug-ins.

Before you begin
  • You should have configured the CA certificate for the Linux host.

  • You must have enabled two-way SSL communication on all the plug-in hosts and the SnapCenter Server.

Steps
  1. Copy certificate.pem to /etc/pki/ca-trust/source/anchors/.

  2. Add the certificates to the trust list of your Linux host.

    • cp root-ca.pem /etc/pki/ca-trust/source/anchors/

    • cp certificate.pem /etc/pki/ca-trust/source/anchors/

    • update-ca-trust extract

  3. Verify that the certificates were added to the trust list.

    • trust list | grep "<CN of your certificate>"

  4. Update ssl_certificate and ssl_certificate_key in the SnapCenter nginx configuration file and restart nginx.

    • vim /etc/nginx/conf.d/snapcenter.conf

    • systemctl restart nginx

  5. Refresh the SnapCenter Server GUI link.

  6. Update the values of the following keys in SnapManager.Web.UI.dll.config, located at /<installation path>/NetApp/snapcenter/SnapManagerWeb, and in SMCoreServiceHost.dll.config, located at /<installation path>/NetApp/snapcenter/SMCore.

    • <add key="SERVICE_CERTIFICATE_PATH" value="<path of certificate.pfx>" />

    • <add key="SERVICE_CERTIFICATE_PASSWORD" value="<password>"/>

  7. Restart the following services.

    • systemctl restart smcore.service

    • systemctl restart snapmanagerweb.service

  8. Verify that the certificate is attached to the SnapManager web port.

    • openssl s_client -connect localhost:8146 -brief

  9. Verify that the certificate is attached to the smcore port.

    • openssl s_client -connect localhost:8145 -brief

  10. Manage the password for the SPL keystore and aliases.

    1. Retrieve the default SPL keystore password assigned to the SPL_KEYSTORE_PASS key in the SPL property file.

    2. Change the keystore password.

      • keytool -storepasswd -keystore keystore.jks

    3. Change the password for all the aliases of private key entries.

      • keytool -keypasswd -alias "<alias_name>" -keystore keystore.jks

    4. Update the same password for the key SPL_KEYSTORE_PASS in spl.properties.

    5. Restart the service.

  11. On the plug-in Linux host, add the root and intermediate certificates to the SPL plug-in's keystore.

    • keytool -import -trustcacerts -alias <any preferred alias name> -file <path of root-ca.pem> -keystore <path of keystore.jks mentioned in spl.properties file>

    • keytool -importkeystore -srckeystore <path of certificate.pfx> -srcstoretype pkcs12 -destkeystore <path of keystore.jks mentioned in spl.properties file> -deststoretype JKS

      1. Check the entries in keystore.jks.

        • keytool -list -v -keystore <path to keystore.jks>

      2. Rename any alias if required.

        • keytool -changealias -alias "old-alias" -destalias "new-alias" -keypass keypass -keystore </path/to/keystore> -storepass storepass

  12. Update the value of SPL_CERTIFICATE_ALIAS in the spl.properties file with the alias of certificate.pfx stored in keystore.jks, and restart the SPL service.

    • systemctl restart spl

  13. Verify that the certificate is attached to the smcore port.

    • openssl s_client -connect localhost:8145 -brief
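
The following pre-flight check is an added example, not part of the NetApp procedure. Before restarting nginx or the SnapCenter services, it confirms that certificate.pem chains to root-ca.pem, that the private key belongs to the certificate, and that the certificate is not about to expire. The function names, the argument order and the 30-day threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate files used in the steps above.
# Function names and argument order are this example's own, not SnapCenter's.

# True when the private key belongs to the certificate (same public key).
key_matches_cert() {  # <certificate.pem> <private key>
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the certificate verifies against the root CA file.
chains_to_root() {  # <root-ca.pem> <certificate.pem>
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True when the certificate is still valid N days from now (default 0).
not_expiring() {  # <certificate.pem> [days]
    openssl x509 -in "$1" -noout -checkend $(( ${2:-0} * 86400 )) >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate file.
file_fingerprint() {  # <certificate.pem>
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a listener presents (service must be up).
served_fingerprint() {  # <host:port>, for example localhost:8146
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Run all file checks; returns non-zero if any of them fails.
preflight() {  # <root-ca.pem> <certificate.pem> <private key>
    rc=0
    chains_to_root "$1" "$2"   || { echo "FAIL: $2 does not chain to $1"; rc=1; }
    key_matches_cert "$2" "$3" || { echo "FAIL: $3 is not the key for $2"; rc=1; }
    not_expiring "$2" 30       || { echo "FAIL: $2 expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: fingerprint $(file_fingerprint "$2")"
    return "$rc"
}

# Run only when called with the three file paths.
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

After the restarts, the output of served_fingerprint for localhost:8146 and localhost:8145 can be compared with file_fingerprint of certificate.pem to confirm that each port presents the intended certificate.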