DRAFT Enabling HCS Device Manager HTTPS SSL Using Self-signed Certificates

Virgil Sabas (Technical Resource Center Specialist) +1 800 446-0744 or Int +1 858 547-4526

Global Support Contact Numbers

Purpose: To configure the HCS/Device Manager web address/URL so that it is accessible through HTTPS/SSL.

Convention: The certificate subject name used was the test server's hostname, vs2k8hcs, which was also used to produce the certificates. When performing the steps outlined in this document, substitute the actual server hostname.

Constraints: This document only applies to HCS services running on one server. End-to-end HTTPS/SSL between multiple HCS servers and the use of a Certificate Authority are beyond the scope of this document. Please consult the appropriate documentation to enable end-to-end certificate exchange between multiple servers and/or Certificate Authority signed certificates. The steps in this document will interrupt production HCS because the server must be placed in maintenance/shutdown mode. It is highly recommended to perform the process outlined in this document during a maintenance window.

Reference: Hitachi Command Suite Administrator Guide 8.x

Disclaimer: The use of this document does not bind Hitachi Data Systems and its employees to data loss as a result of an individual performing the steps in this document. Responsibility rests on the person performing the actual steps. This person must have a full understanding of the steps taken in this document, and considerable knowledge of HTTPS/SSL/PKI.

Prerequisite:
- Obtain the IP, hostname and Fully Qualified Domain Name (FQDN) of the HCS server.
- Ensure that the name can be resolved properly using nslookup.
- Update the Windows hosts file on the server with the proper name resolution.

Note that the steps outlined are based on the following host information; specify parameters applicable to the environment:

DN: CN=vs2k8hcs,CN=vs2k8hcs.vslab.local,CN=10.4.17.94,OU=hds,O=gsc,L=SanDiego,ST=CA,C=US
Fully Qualified Domain Name: vs2k8hcs.vslab.local
Hostname: vs2k8hcs
IP: 10.4.17.94

Sections:
1.0 Create self-signed certificate on the HCS server
2.0 Configure Device Manager SSL
3.0 Verify HTTPS/SSL Connection
4.0 Configure Browser to Trust HCS Certificate
5.0 Conclusion

Configuration:

1.0 Configure Certificates

1.1 Generate self-signed certificate on the HCS server

1.1.1 Open command prompt as Administrator.

1.1.2 Create a folder named keystore on the root of C:\ drive.

1.1.3 Navigate to C:\Program Files\HiCommand\Base64\bin directory.

1.1.4 Run the following command (all on one line) to create the keys:

    hcmds64ssltool /key C:\keystore\httpsdkey.pem /csr C:\keystore\httpsdcsr.pem /cert C:\keystore\httpsd.pem /certtext C:\keystore\httpsd.txt /validity 3650 /dname CN=vs2k8hcs,CN=vs2k8hcs.vslab.local,CN=10.4.17.94,OU=hds,O=gsc,L=SanDiego,ST=CA,C=US

1.1.6 The key generation command should produce key files (named as specified in the previous hcmds64ssltool command) as shown:

1.1.7 Copy the generated keys to the C:\Program Files\HiCommand\Base64\uCPSB\httpsd\conf\ssl\server directory as illustrated:

1.2 Generate HCS Truststore

1.2.1 Open a command prompt as Administrator and navigate to the following directory: C:\Program Files\HiCommand\Base64\bin\

1.2.2 From the same directory, enter the following command (all on one line) to import the self-signed certificate to the HCS truststore file jssecacerts and then press the Enter key:

    hcmds64keytool -import -alias hcscert -file C:\keystore\httpsd.pem -keystore C:\keystore\jssecacerts -storepass changeit

1.2.4 Type yes when prompted and then press the Enter key as illustrated.

1.2.5 Copy the generated jssecacerts file from C:\keystore to the following directory: C:\Program Files\HiCommand\Base64\uCPSB\jdk\jre\lib\security

1.2.6 Navigate to the C:\Program Files\HiCommand\Base64\bin directory and enter the hcmds64srv /stop command to stop the HCS services as illustrated:

1.2.7 Type the hcmds64srv /status command and then press the Enter key to confirm that the HCS services have stopped.

1.2.8 Under the C:\Windows\System32\drivers\etc\ directory, edit the hosts file to contain the following (replace with the actual server name):

    127.0.0.1 localhost
    10.4.17.94 vs2k8hcs vs2k8hcs.vslab.local

1.3 Edit the user_httpsd.conf file

1.3.1 In the C:\Program Files\HiCommand\Base64\uCPSB\httpsd\conf\ directory, copy the file user_httpsd.conf to a file named user_httpsd.conf.orig in the same directory.

1.3.2 Edit user_httpsd.conf to reflect the following:

    ServerName vsabaswin2k8-4
    Listen 22015
    #Listen [::]:22015
    Listen 127.0.0.1:22015
    SSLDisable
    Listen 22016
    #Listen [::]:22016
    ServerName vsabaswin2k8-4
    SSLEnable
    SSLProtocol TLSv1 TLSv11 TLSv12
    SSLRequiredCiphers AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA
    SSLRequireSSL
    SSLCertificateKeyFile "C:/Program Files/HiCommand/Base64/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
    SSLCertificateFile "C:/Program Files/HiCommand/Base64/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
    # SSLCACertificateFile "C:/Program Files/HiCommand/Base64/uCPSB/httpsd/conf/ssl/cacert/anycert.pem"
    HWSLogSSLVerbose On

1.3.3 Save the user_httpsd.conf file.
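
An added example (not part of the original document or of Hitachi's tooling): a Python check that reads the SSL directives from step 1.3.2 and lists the settings worth reviewing before the change goes live. The protocol and cipher policy and all function names are assumptions of this example, and the sample configuration is constructed from the directives shown in step 1.3.2.

```python
SAMPLE_CONF = """\
Listen 22015
Listen 127.0.0.1:22015
SSLDisable
Listen 22016
SSLEnable
SSLProtocol TLSv1 TLSv11 TLSv12
SSLRequiredCiphers AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA
SSLRequireSSL
SSLCertificateKeyFile "C:/Program Files/HiCommand/Base64/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
SSLCertificateFile "C:/Program Files/HiCommand/Base64/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
# SSLCACertificateFile "C:/Program Files/HiCommand/Base64/uCPSB/httpsd/conf/ssl/cacert/anycert.pem"
"""  # constructed sample built from the directives in step 1.3.2

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv11"}  # assumed audit policy
WEAK_CIPHER_MARKERS = ("DES", "RC4", "MD5", "NULL", "EXP")    # assumed audit policy
HTTP_PORT = "22015"  # plain-HTTP port named in step 1.4.3

def parse_directives(text):
    """Map each active directive name to the list of its argument strings."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # skip comments and any <...> section tags
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip().strip('"'))
    return directives

def audit(text):
    """Return findings for the HTTPS settings in a user_httpsd.conf body."""
    d = parse_directives(text)
    findings = []
    for required in ("SSLEnable", "SSLRequireSSL", "SSLCertificateKeyFile", "SSLCertificateFile"):
        if required not in d:
            findings.append(f"missing directive: {required}")
    for proto in " ".join(d.get("SSLProtocol", [])).split():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    for suite in ":".join(d.get("SSLRequiredCiphers", [])).split(":"):
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {suite}")
    if HTTP_PORT in d.get("Listen", []):  # a bare port binds every interface
        findings.append(f"plain HTTP port {HTTP_PORT} listens on all interfaces")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

To audit the real file, pass its contents to audit() after step 1.3.3 and before restarting the services in step 1.4.1.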

1.4 Configure HCS URL for HTTPS

1.4.1 Under the C:\Program Files\HiCommand\Base64\bin\ directory, type the hcmds64srv /start command and then press the Enter key to start the HCS services as illustrated:

1.4.2 Type hcmds64chgurl /print to list the current URL that HCS listens on as shown:

1.4.3 Type the following command and then press the Enter key to configure the HTTPS URL as illustrated:

    hcmds64chgurl /change http://vs2k8hcs:22015 https://vs2k8hcs:22016

1.4.4 Type the hcmds64srv /stop command to stop the HCS services.

1.4.5 Type the hcmds64srv /start command to start the HCS services.

1.5 Modify HCS Login Shortcut to HTTPS Connection

1.5.1 Navigate to the HCS login shortcut: Start > All Programs > Hitachi Command Suite > Login – HCS as illustrated:

1.5.2 Right-click the Login – HCS icon and select Properties:

1.5.3 Modify the shortcut to reflect https://vs2k8hcs:22016/DeviceManagerWebService/index.jsp and then click the Apply button and then click the OK button.

2.0 Set Device Manager Server Security Level

2.1 Navigate to the C:\Program Files\HiCommand\DeviceManager\HiCommandServer\ directory, enter HiKeytool and press the Enter key to bring up the HiKeytool menu.

2.2 Type 1 to select the 1> SSL configuration for the Device Manager Server option.

2.3 Type 2 to select the 2> Set Device Manager Server Security Level option.

2.4 Type x to exit HiKeytool.

2.5 Type the hcmds64srv /stop command to stop the HCS services.

2.6 Type the hcmds64srv /start command to start the HCS services.

3.0 Verify HTTPS/SSL Connection

3.1 Navigate to the HCS login shortcut: Start > All Programs > Hitachi Command Suite > Login – HCS as illustrated:

3.2 Click the Continue to this website… link as highlighted below:

3.3 The https configured site should now come up as shown:

4.0 Configure Browser to Trust HCS Certificate

4.1 Click the certificate error once and then click View Certificate as highlighted.

4.2 From the Certificate window, click the Install Certificate… button:

4.3 From the Certificate Import Wizard, click the Next button.

4.4 Select the Place all certificates in the following store radio button and then click the Browse button.

4.5 Select the Trusted Root Certification Authorities folder as illustrated and then click the OK button.

4.6 Click the Next button to continue.

4.7 Click the Finish button to complete the certificate import.

4.8 Click the Yes button to the Security Warning prompt to accept the certificate.

4.9 Click the OK button on the prompt.

4.10 Click the OK button on the Certificate window.

4.11 Close and exit the browser.

4.12 Open the browser again and navigate back to the website. The locked icon should now be displayed.

4.13 Click the locked icon to display the Website Identification showing the connection to the server is encrypted as illustrated.
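
An added example (not part of the original document): a Python check that the certificate the server presents on port 22016 is byte-identical to the httpsd.pem file created in step 1.1.4, so that what is installed into Trusted Root Certification Authorities in section 4.0 is the certificate generated on the HCS server. Function names are assumptions of this example, and the offline demo uses constructed bytes rather than a real certificate.

```python
import hashlib
import ssl
import sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_fingerprint(pem_text):
    """SHA-256 fingerprint (colon-separated hex) of the first certificate in PEM text."""
    block = pem_text[pem_text.index(BEGIN):pem_text.index(END) + len(END)]
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_certificate(generated_pem, served_pem):
    """True only if both PEM texts carry byte-identical certificates."""
    return pem_fingerprint(generated_pem) == pem_fingerprint(served_pem)

def check_server(pem_path, host, port):
    """Compare the certificate file from step 1.1.4 with what host:port presents."""
    with open(pem_path, encoding="ascii") as handle:
        generated = handle.read()
    # get_server_certificate() performs no trust validation, so it works
    # before the certificate has been installed in any trust store.
    served = ssl.get_server_certificate((host, int(port)))
    return same_certificate(generated, served), pem_fingerprint(served)

if __name__ == "__main__":
    if len(sys.argv) == 4:  # arguments: C:\keystore\httpsd.pem vs2k8hcs 22016
        match, fingerprint = check_server(*sys.argv[1:])
        print("MATCH" if match else "MISMATCH: do not install", fingerprint)
    else:  # offline demo with constructed, non-certificate bytes
        ours = ssl.DER_cert_to_PEM_cert(b"constructed bytes standing in for httpsd.pem")
        other = ssl.DER_cert_to_PEM_cert(b"constructed bytes for an unexpected certificate")
        print(same_certificate(ours, ours), same_certificate(ours, other))
```

The printed fingerprint can also be compared by eye with the SHA-256 thumbprint the browser shows for the certificate opened in step 4.1.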

5.0 Conclusion

5.1 This document provided steps to enable HCS / Device Manager certificate and HTTPS/SSL configurations.