Uploading custom SSL certificates to EMC Unity

By default, EMC Unity uses self-signed certificates for its management portal and for its other connections (e.g. to vCenter).

This generally results in certificate errors when accessing the web UI, as the self-signed certificate is untrusted.

To upload your own certificates:

1) Generate the certificates. Ensure you have the following Base-64 (PEM) files available (example company names have been used; replace them with the FQDN of your storage array):

  • fqdn.company.com.pk    (Private Key file)
  • fqdn.company.com.crt   (Signed Certificate file)

2) Use the CLI. Log in as the 'service' user (using the administrator account).

[user@localhost ~]$ ssh -l service emcunity
The authenticity of host 'emcunity (192.168.0.1)' can't be established.
RSA key fingerprint is SHA256:fPWth36tCDh+-r6e555+D4H43a44Iy4F4YMNfABCDefg.
RSA key fingerprint is MD5:8d:43:00:d3:ad:b3:3f:fg:62:2h:55:11:28:1e:aa:22.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'emcunity,192.168.0.1' (RSA) to the list of known hosts.
 
Welcome to EMC Unity
 
Password:
22:35:09 service@(none) spb:~>

3) Create two files in the current directory (the home directory of the 'service' user). Place the contents of the private key in the fqdn.company.com.pk file and the contents of the signed certificate in the fqdn.company.com.crt file.

22:37:29 service@(none) spb:~> vim fqdn.company.com.pk
22:38:00 service@(none) spb:~> vim fqdn.company.com.crt
  • Note: only one certificate is supported; do not include the certificate chain (this will result in errors when configuring the web service certificates), such as

4) Apply the new certificate

22:41:26 service@(none) spb:~> svc_custom_cert fqdn.company.com fqdn.company.com
Successfully installed custom certificate files.
Restarting web server ...

Common Errors

Certificate Chain not supported

If you include the certificate chain in the .crt file, the utility returns an error about not supporting multiple certificates (I didn't capture the error, unfortunately). Include only the Unity certificate.

Only relative pathnames supported

If you store the certs anywhere other than the current directory (the 'service' account's home directory), the utility is unable to open or copy the files. It only supports relative pathnames.

22:40:45 service@(none) spb:~> svc_custom_cert /tmp/fqdn.company.com.pk /tmp/fqdn.company.com.crt
cp: cannot stat '/tmp/fqdn.company.optiver.com.pk.pk': No such file or directory
cp: cannot stat '/tmp/fqdn.company.optiver.com.pk.crt': No such file or directory

Don't specify file extensions

If you specify a filename extension, it fails. The utility only accepts the filename without the extension (it appends .pk and .crt itself, as the error output shows). This seems more like a bug than a feature...

22:39:13 service@(none) spb:~> svc_custom_cert fqdn.company.com.pk fqdn.company.com.crt
cp: cannot stat '/home/service/fqdn.company.com.pk.pk': No such file or directory
cp: cannot stat '/home/service/fqdn.company.com.pk.crt': No such file or directory
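The three failure modes above (files outside the current directory, a chain in the .crt, and a filename passed instead of the bare FQDN) can be caught before svc_custom_cert is run. The following pre-flight script is an added example, not code from the original post or from the Unity CLI; it assumes only the invocation shown in step 4 and uses constructed PEM stubs in place of real key and certificate files.

```sh
#!/bin/sh
# Pre-flight check before running svc_custom_cert on EMC Unity.
# Added example; not part of the original post or of the Unity tooling.
# Run it in the 'service' user's home directory. On success it prints the
# svc_custom_cert command line; otherwise it lists the problems on stderr.

unity_cert_preflight() {
    fqdn="$1"; errors=0
    # svc_custom_cert wants the bare name and appends .pk/.crt itself.
    case "$fqdn" in
        *.pk|*.crt)
            echo "pass the bare FQDN, not a filename: $fqdn" >&2
            errors=$((errors + 1)) ;;
    esac
    # Only relative paths work, so both files must sit in the current directory.
    key="./$fqdn.pk"; crt="./$fqdn.crt"
    for f in "$key" "$crt"; do
        [ -f "$f" ] || { echo "missing $f in the current directory" >&2; errors=$((errors + 1)); }
    done
    # Exactly one certificate: a chain (leaf + CA) is rejected by the utility.
    if [ -f "$crt" ]; then
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$crt" || true)
        [ "$n" -eq 1 ] || { echo "$crt holds $n certificates; include only the Unity certificate, no chain" >&2; errors=$((errors + 1)); }
    fi
    if [ -f "$key" ] && ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key"; then
        echo "$key is not a PEM private key" >&2; errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ] || return 1
    echo "svc_custom_cert $fqdn $fqdn"
}

# Demo on constructed PEM stubs (placeholder bodies, not real keys or certs).
demo_dir=$(mktemp -d); cd "$demo_dir" || exit 1
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' '-----END PRIVATE KEY-----' > unity.example.com.pk
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' > unity.example.com.crt
cp unity.example.com.pk chained.example.com.pk
cat unity.example.com.crt unity.example.com.crt > chained.example.com.crt   # leaf + "CA" chain
unity_cert_preflight unity.example.com      || echo "unexpected failure"
unity_cert_preflight chained.example.com    || echo "rejected as expected (chain)"
unity_cert_preflight unity.example.com.pk   || echo "rejected as expected (extension)"
```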