Originally posted on IBM Developer blog “Exploring PureApplication System, Software Service and more” by Richard Stacy on 1 August 2017
Clients have been able to configure their own SSL certificate since version 2.0.0.0. This allows administrators to use certificates that have been signed by a Certificate Authority (CA) that complies with their established security standards and policies. It also assures end-users of the PureApplication console that their connections are secured and that they are connected to the actual PureApplication console.
As in previous versions, 2.2.3.0 comes with a self-signed certificate from IBM installed by default. However, IBM has introduced additional options regarding the type of SSL certificates and private keys that can be imported into PureApplication in 2.2.3.0 and higher:
- The certificate and private key files should be in PEM format, as described in the Knowledge Center.
- The private key associated with the server certificate may now be encrypted with a passphrase. The use of a passphrase is often standard practice when creating and managing certificates. Administrators will no longer need to remove the passphrase from the private key prior to importing it into the PureApplication server.
- A certificate chain file, containing one or more intermediate certificates issued by the Certificate Authority, may now be imported along with the server certificate.
  - Without the intermediate certificates on the server, the client (browser) must explicitly have those intermediate certificates in its trust store. That is not always the case, and in many cases users cannot import certificates into the trust store of their browser.
  - Sometimes intermediate certificates are stored together with the certificate in the same .pem file. However, PureApplication does not support this.
The process for clients to import their own SSL certificate via the console is similar to previous releases, although the interface has been enhanced to provide support for the private key passphrase and certificate chain file. The import process is outlined in the Knowledge Center.

The PureApplication Command Line Interface (CLI) has also been enhanced to support the additional certificate options. This is documented in the Knowledge Center.
Validation of the certificate and key files has also been improved to ensure that correct files are being imported. PureApplication Events will be raised to indicate the success or failure of the import process.
- The first step in the import process is to upload the files to the PureApplication server. In all scenarios, both the server certificate and private key files are required, with the certificate chain file being optional.
If one or both of the required files are missing or empty, one of the following messages will be displayed in the console:
CWZIP8579E New certificate content is missing from the request
CWZIP8608E New private key content is missing from the request
In the event of an unexpected error that prevents the successful upload of the files, the following message will be displayed. Such an error may require investigation within the ipas.server trace logs, which can be found in the Management log collection set.
CWZIP8580E An error occurred while trying to update the SSL certificate
- Upon successful upload of the files, a message will appear in the console indicating that the settings were successfully changed. However, the uploaded files must still be validated before they can be applied to the server and the import process completed.
If any of the uploaded files cannot be validated, one of the following events will be raised to notify the administrator that the SSL certificate was not changed.
CWZIP8609E Certificate and private key do not match
The uploaded files are not a valid pair; ensure that the correct server certificate and private key files are being uploaded.
CWZIP8610E Passphrase is not valid for private key
The provided passphrase is incorrect for the given private key file; ensure that the correct passphrase is provided when initiating the import process.
CWZIP8611E Certificate chain of trust cannot be verified
The given chain file was not used to sign the server certificate file and therefore the chain of trust is not valid; ensure that the correct chain file is being uploaded.
- Once successfully validated, an attempt to apply the certificate will occur. Should a rare, unexpected error occur, the following event will be raised. Such an error may require investigation within the ipas.server trace logs, which can be found in the Management log collection set.
CWZIP8612E Unable to apply imported console certificate
- When the SSL certificate has been validated and applied to the PureApplication server, the following event will be raised indicating success and completion of the import process. This confirms that the certificate has been installed on both PureApplication System management nodes (PSMs):
CWZIP8613I Console certificate has been successfully applied
Note: The imported SSL certificate will be persistent across future firmware upgrades of the PureApplication server.
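A structural pre-flight check for the three files before upload, as an added example that is not IBM's code or part of the original post: it splits a combined .pem into a server certificate and a separate chain file, flags missing content, and reports whether the private key will need a passphrase. It assumes the server certificate comes first in a combined file; the function names and sample PEM bodies are constructed, and it does not check that key and certificate match or that the chain verifies.

```python
import re

# Matches one PEM block; the END label must equal the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return (label, block_text, body) for every PEM block found in text."""
    return [(m.group(1), m.group(0) + "\n", m.group(2)) for m in PEM_BLOCK.finditer(text)]

def split_bundle(bundle_text):
    """Split a combined PEM file into (server_cert, chain). Assumes the leaf is first."""
    certs = [blk for label, blk, _ in pem_blocks(bundle_text) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return certs[0], "".join(certs[1:])

def key_is_encrypted(key_text):
    """True if the key needs a passphrase: PKCS#8 encrypted or legacy OpenSSL header."""
    return any(label == "ENCRYPTED PRIVATE KEY"
               or (label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body)
               for label, _, body in pem_blocks(key_text))

def preflight(cert_text, key_text, chain_text=""):
    """Return a list of structural problems to fix before uploading the files."""
    problems = []
    n_certs = sum(label == "CERTIFICATE" for label, _, _ in pem_blocks(cert_text))
    if n_certs == 0:
        problems.append("certificate file is empty or has no CERTIFICATE block")
    elif n_certs > 1:
        problems.append("certificate file holds %d certificates; move the "
                        "intermediates into a separate chain file" % n_certs)
    if not any(label.endswith("PRIVATE KEY") for label, _, _ in pem_blocks(key_text)):
        problems.append("private key file is empty or has no PRIVATE KEY block")
    if chain_text.strip() and not any(l == "CERTIFICATE" for l, _, _ in pem_blocks(chain_text)):
        problems.append("chain file has no CERTIFICATE block")
    return problems

def make_pem(label, body):
    """Build a constructed PEM block; bodies below are placeholders, not real keys."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed sample input (placeholder base64, not real certificates or keys).
LEAF = make_pem("CERTIFICATE", "TEVBRg==")
INTERMEDIATE = make_pem("CERTIFICATE", "SU5URVJNRURJQVRF")
PLAIN_KEY = make_pem("PRIVATE KEY", "S0VZ")
LEGACY_ENC_KEY = make_pem("RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nS0VZ")
```

Calling `preflight(LEAF + INTERMEDIATE, PLAIN_KEY)` reports the combined file; after `split_bundle`, the two parts pass the check as separate certificate and chain files.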