Updating SSL certificates for the SVP and storage system in a batch

System Administrator Guide for VSP E990 and VSP G130, G/F350, G/F370, G/F700, G/F900

Version
88-08-0x
Part Number
MK-97HM85028-11

If only one storage system is registered in the SVP, you can update the following SSL certificates in a batch:
  • Signed certificate for SSL communication between the SVP and the management client
  • Certificate for connecting to the SVP
  • Certificate for connecting to the web server on the storage system
Note: The extended profile fields in the X.509 certificate support the following items, as specified in RFC 5280:
  • BasicConstraints
  • KeyUsage
  • SubjectKeyIdentifier
  • subjectAltName

Before you begin:
  • Ensure that only one storage system is registered in the SVP.
  • A private key for external communication between the SVP and the management client has been created.
  • A signed public key certificate for external communication between the SVP and the management client has been acquired.
  • The private key and the signed public key certificate for internal communication (for connecting to the SVP or the web server) must be in X509 PEM or X509 DER format.
  • All users must be logged out of Hitachi Device Manager - Storage Navigator.
  • You must have the Security Administrator (View & Modify) role and Support Personnel (User) role to perform this task.

Create a parameter file in JSON format beforehand that contains the following items. When you specify the path to a certificate in the parameter file, the allowed characters are alphanumeric characters, spaces, and the following symbols: - _ . \ / :

  • "user": "user-name-of-the-account-registered-in-the-storage-system"
  • "password": "password-of-the-account-registered-in-the-storage-system"
  • "innerConnectionCertPath": "absolute-path-to-the-public-key-certificate-for-internal-communication"
  • "innerPrivateKeyPath": "absolute-path-to-the-private-key-for-internal-communication"
  • "outerConnectionCertPath": "absolute-path-to-the-public-key-certificate-for-external-communication"
  • "outerPrivateKeyPath": "absolute-path-to-the-private-key-for-external-communication"

Example parameter file:

    {
      "user": "someuser",
      "password": "password123",
      "innerConnectionCertPath": "c:\\sslcert\\innercert.crt",
      "innerPrivateKeyPath": "c:\\sslcert\\innercert.key",
      "outerConnectionCertPath": "c:\\sslcert\\outercert.crt",
      "outerPrivateKeyPath": "c:\\sslcert\\outercert.key"
    }

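A pre-flight check for the parameter file described above, as an added example that is not part of this guide or of the storage system's tooling: it verifies the six items, the allowed path characters, and that each path is absolute. It assumes Python 3 is available where the file is prepared; `check_parameter_file` and the sample values are hypothetical.

```python
import json
import re
from pathlib import PureWindowsPath

# Keys the page lists for the parameter file.
CREDENTIAL_KEYS = ("user", "password")
PATH_KEYS = ("innerConnectionCertPath", "innerPrivateKeyPath",
             "outerConnectionCertPath", "outerPrivateKeyPath")
# Anything outside the page's allowed set: alphanumerics, spaces, - _ . \ / :
DISALLOWED = re.compile(r"[^A-Za-z0-9 \-_.\\/:]")


def check_parameter_file(text):
    """Return a list of problems in the parameter file text (empty if none)."""
    try:
        params = json.loads(text)
    except json.JSONDecodeError as exc:
        # A single backslash such as "c:\sslcert" is an invalid JSON escape.
        return [f"not valid JSON (line {exc.lineno}): {exc.msg}"]
    if not isinstance(params, dict):
        return ["top level must be a JSON object"]
    problems = []
    for key in CREDENTIAL_KEYS + PATH_KEYS:
        value = params.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"{key}: missing or empty")
        elif key in PATH_KEYS:
            bad = sorted(set(DISALLOWED.findall(value)))
            if bad:
                problems.append(f"{key}: disallowed characters {bad}")
            elif not PureWindowsPath(value).is_absolute():
                problems.append(f"{key}: not an absolute Windows path")
    return problems


# Constructed sample: one relative path, and one path whose backslashes are
# not doubled, so "\t" in "c:\temp" is parsed by JSON as a TAB character.
SAMPLE = r'''{
  "user": "someuser",
  "password": "example-only",
  "innerConnectionCertPath": "sslcert\\innercert.crt",
  "innerPrivateKeyPath": "c:\\sslcert\\innercert.key",
  "outerConnectionCertPath": "c:\temp\toolcert.crt",
  "outerPrivateKeyPath": "c:\\sslcert\\outercert.key"
}'''

if __name__ == "__main__":
    for problem in check_parameter_file(SAMPLE):
        print(problem)
```

An undoubled backslash either fails JSON parsing outright or silently becomes a control character, which is why the paths in the example parameter file use `\\`.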
  1. On the SVP, start Windows command prompt as an Administrator.
  2. Move the current directory to the directory where the tool exists:
    cd /d C:\Mapp\wk\Supervisor\MappIniSet
    Note: C:\Mapp indicates the installation directory of the storage management software and the SVP software. If an installation directory other than C:\Mapp was specified, replace C:\Mapp with the specified installation directory.

  3. Run the following command:
    mappsslcertupdate.bat --file=name-of-the-parameter-file-created-beforehand
    Note:
    • If you specify --ignore-cert-verification, the signed certificate for SSL communication between the SVP and the management client is not verified when the certificate is updated. Specify this option immediately after you install HDvM - SN on the SVP, or when the certificate was not updated normally. (You must check the IP address of the GUM on the storage system beforehand.)
    • If you specify --delete, the parameter file is automatically deleted after the SSL certificate is updated.

  4. A message appears indicating that the command finished, and then the GUM restarts automatically.
  5. Restart the SVP manually.