Highlighted
hudson8
2 Bronze

replace the SSL certificate in Dell OMSA 7.2

Jump to solution

My university is requiring me to replace the Dell SSL certificate in OMSA with a certificate from a CA.  We are using InCommon.

I generated a certificate request using Microsoft IIS,.  InCommon generated the certificate and  sent me back links to a variety of formats.

Tags (3)
0 Kudos
1 Solution

Accepted Solutions
hudson8
2 Bronze

Re: replace the SSL certificate in Dell OMSA 7.2

Jump to solution

OK.  I have an answer.

As far as I can tell, the Dell OMSA interface itself does not work for importing intermediate certificates (returns an error) and can't be used to create a useful CSR (signing request) because you can't specify your own institutional parameters. Our CA would not authenticate the CSR request generated by the Dell OMSA interface, even if it would import new certificates (which it appears to fail at).

The easiest approach is to generate a CSR in Windows IIS, receive the authenticated certificate back from your CA, then export everything to a .pfx file (private key, end-entity certificate, intermediate and root certificates, extended attributes).

Use IBM's tool called keyman (download from www.ibm.com/developerworks).  Use the Windows version.

This can convert a .pfx file into an apache keystore in 3 easy steps.  1. Create a new keystore

2. Import the .pfx file 3.save the keystore.

Hints on the internet suggest keeping all the passwords the same-- pfx export, keystore, key, etc.

Edit the server.xml file in the apache server to use your new passwords.

Only downside is that your password will be text readable in the server.xml file.  In the original server.xml file Dell used system or java tools to hide the passwords.

6 Replies
Moderator
Moderator

Re: replace the SSL certificate in Dell OMSA 7.2

Jump to solution

The certificates need to be in Base64 format.  To leverage a certificate from their CA, they will need to create a CSR from within the OMSA web interface.  This can be accessed through the Preference home page, then click the General Settings, click the Web Server tab, and then click on X.509 Certificate.

To create a CSR, leverage the Certificate Maintenance wizard.  Once the CSR has been created and submitted to the CA, the issued cert can be imported using the Import a certificate chain option.  This will ask for the issued certificate and a certificate for the issuing CA.

There  is a brief explanation of the X.509 Certificate Management options on Page: 39 of the OpenManage Server Administrator 7.2 User’s Guide, found here:

ftp://ftp.dell.com/Manuals/all-products/esuprt_electronics/esuprt_software/esuprt_ent_sys_mgmt/dell-...

Regards,

Geoff P
Dell | Social Outreach Services - Enterprise


Download the Dell Quick Resource Locator app today to access PowerEdge support content on your mobile device!
(iOS, Android, Windows)

0 Kudos
hudson8
2 Bronze

Re: replace the SSL certificate in Dell OMSA 7.2

Jump to solution

OK.  I have my certificate.  I looked at the documentation you referenced.  It is not helpful.  p24 (the reference to SSL certificates) seems to apply to remote enablement-- I'm not using that.   In fact, when I run the prerequisites for the OMSA install, it says that HTTPS listener is not installed, and asks if I want to install.  I say yes, but nothing happens.

But this does not affect OMSA

OMSA works fine, and is using a self-signed certificate which I'm trying to replace.

There are two available formats for Base64 encoded certificate that I can download from InCommon.

Certificate only, and Intermediate/root only.  I am logged in as local administrator.  I've tried both, but they both give me

an error.

ERROR! Import of dell.cer failed. Try again.

As a test, I exported the existing self-signed certificate, and tried to import that.  As root certificate and then as chain certificate.

Same error.  Also exported a working certificate from IIS on this server (.pfx format)

That would not import either.

Doesn't the inability to import the existing certificate imply that something is wrong with the interface for certificate management?  Have you actually succeeded in this.

Do you know how to do this using OpenSSL at the level of the Apache server?

Or where the error log is for OMSA certificate management.

Thank you.

0 Kudos
hudson8
2 Bronze

Re: replace the SSL certificate in Dell OMSA 7.2

Jump to solution

OK.  I have an answer.

As far as I can tell, the Dell OMSA interface itself does not work for importing intermediate certificates (returns an error) and can't be used to create a useful CSR (signing request) because you can't specify your own institutional parameters. Our CA would not authenticate the CSR request generated by the Dell OMSA interface, even if it would import new certificates (which it appears to fail at).

The easiest approach is to generate a CSR in Windows IIS, receive the authenticated certificate back from your CA, then export everything to a .pfx file (private key, end-entity certificate, intermediate and root certificates, extended attributes).

Use IBM's tool called keyman (download from www.ibm.com/developerworks).  Use the Windows version.

This can convert a .pfx file into an apache keystore in 3 easy steps.  1. Create a new keystore

2. Import the .pfx file 3.save the keystore.

Hints on the internet suggest keeping all the passwords the same-- pfx export, keystore, key, etc.

Edit the server.xml file in the apache server to use your new passwords.

Only downside is that your password will be text readable in the server.xml file.  In the original server.xml file Dell used system or java tools to hide the passwords.

Triplecrown
1 Copper

RE: replace the SSL certificate in Dell OMSA 7.2

Jump to solution

I have just installed the OpenManage application and am also having trouble with SSL based hw monitoring.  Initially the certificate generated during installation specified the local machine name rather than the external domain name, although I was able to generate a new certificate once logged into OpenManage.  However, I cannot seem to find many browsers that will cooperate ; only some versions of IE8.  It would be nice if the OpenManage web UI would be compatible with Safari or Firefox also, not just IE.

0 Kudos
hudson8
2 Bronze

RE: replace the SSL certificate in Dell OMSA 7.2

Jump to solution
Right. We gave up importing the correct certificates into OMSA every time we updated the version- the process is too complicated. I can't remember, now, back to when it worked. Is the issue related to using an IP address instead of a URL for the machine that is running the Apache web server? You've probably looked at that, so I guess that is not the problem.
Tags (1)
0 Kudos
Triplecrown
1 Copper

RE: replace the SSL certificate in Dell OMSA 7.2

Jump to solution

Actually, I am finding that the very limited browser support is far more problematic than SSL certificate issues (SSL certificate issues can usually be worked around with various browser combos, that in this case, are not an option).

0 Kudos