Start a Conversation

Solved!

Go to Solution

Closed

25 Posts

1457

June 21st, 2023 19:00

VNX 5300 Certificate has invalid Date???

Hello, trying to access a VNX5300, Looks like certificate expired? How can I get in?

What a Bear, just getting a Windows 8 server and the right version of Java and now this, what a Nightmare.

VNX-Cert.jpg



25 Posts

June 23rd, 2023 12:00

YOU are the MAN!

So I downloaded the windows version of naviseccli from the link you posted. After installed, I ran this from command prompt on the windows machine:

NaviSECCli.exe -address -User root -Password *** -Scope 0 security -SPcertificate -generate

Then on the cli of the NAS I ran this:

/nas/sbin/nas_ca_certificate –generate

Now I have all matching certs to expire in 2028

So, next question, the Settings for IP address and mask etc are all grey out still on Control Station and SPA and SPB. What to do?


Moderator

 • 

6.9K Posts

June 22nd, 2023 04:00

Hello jerryroy1,

Here is a link to a kb that maybe of assistance. https://dell.to/46j5ITT

Moderator

 • 

8.5K Posts

June 22nd, 2023 09:00

Instructions

How do I generate a self-signed certificate from Navisphere?
How do I generate a self-signed certificate from Unisphere?
 
To generate a self-signed certificate follow these steps:
  1. Open a new browser window.
     
  2. Type in the address bar:

    http: // https://dell.to/3pi8dW1

    Where https://dell.to/3JPASZN is the IP address of the storage processor (SP).
     
  3. When the screen has loaded, type in the Username and Password used to access Navisphere/Unisphere setup page (UI).
     
  4. Once logged in, click on Manage SSL/TLS Certificate.
     
  5. Click "Generate a Self-Signed Certificate."

You may also import a certificate and the associated private RSA key through SecureCLI.

naviseccli -h <SP_IP> security -pkcs12upload -file FILE [-passphrase PASSPHRASE]

Additional Information

When a Unisphere client connects to a Management Server for the first time, it is presented with a certificate from the server. The user can check the details of the certificate and decide to accept the certificate or reject it. If the user rejects the certificate, the communication with the server is stopped. If the user decides to accept the certificate, the communication continues and the certificate is stored in a certificate store. The next time when the client communicates with that server, the server   s certificate is verified with the certificate in the certificate store. The user is prompted the first time it communicates with a server. Once the certificate is stored, the certificate verification process will happen in the background.

 The following three options are presented to you when connecting for the first time to a server:

  1. Accept for session This accepts the certificate for your session so that you can manage the system. You are prompted with the certificate the next time you log in.
     
  2. Accept Always By selecting this option, the certificate is stored in the certificate store on the client. For subsequent communications the certificate is verified as a background task. You will not be prompted again.
     
  3. Reject If you not trust the certificate, you can opt to reject the certificate and the communication will be stopped. 

Unisphere and USM use the Java certificate store for storing certificates. The certificates store can be accessed using the Java Control Panel. Secure CLI and Unisphere Server Utility create a certificate store on the user directory of the client. Unisphere, USM, and Unisphere Server Utility will enforce certificate verification when connecting to the storage system. However, Secure CLI provides the option to bypass certificate verification. This option is provided during installation on a client. You are given the option to choose between two levels: Low (bypass certificate verification) and Medium (enforce certificate verification).

25 Posts

June 22nd, 2023 09:00

That Link takes me to that page, but there is another link on how to generate a self-sign certificate and it says I do not have permission.

https://www.dell.com/support/kbdoc/en-us/000011219

(Option 1)
Generate a self-signed certificate(See KB 000320471 for more detail <---This is not accessible to me
1. Click "Generate a Self-Signed Certificate".


25 Posts

June 22nd, 2023 12:00

VNX-Cert5.jpgVNX-Cert6.jpgVNX-Cert7.jpg

25 Posts

June 22nd, 2023 12:00

OK, I rolled the clock back to within the certificate window. Now I get pop-ups with different IP's and different cert date windows. I click reject and can get into the interface, but I still cannot get to the point where I can reset certs or create a Self Signed Cert. VNX-Cert2.jpgVNX-Cert3.jpgVNX-Cert4.jpg

Moderator

 • 

8.5K Posts

June 22nd, 2023 12:00

For the invalid date, https://dell.to/3PryThR and yes those IPs are your storage processors.

25 Posts

June 22nd, 2023 12:00

http: // https://dell.to/3pi8dW1

Where https://dell.to/3JPASZN

I am confused, do I append the url with this 3pi8dW1 ??? And if so, the second url has a different string 3JPASZN


Moderator

 • 

8.5K Posts

June 22nd, 2023 12:00

Use your IP addresses, it is just a random URL shortened link.

25 Posts

June 22nd, 2023 12:00

Are 192.168.50.62 and 192.168.50.63 considered my "Storage Processors"?

25 Posts

June 22nd, 2023 14:00

OK, I changed time so I can get into here 192.168.50.60, then I changed time so I can get to SPA's 192.168.50.62 and 63 and then I get this. HELP, This can't be that difficult? VNX-Cert9.jpg

25 Posts

June 22nd, 2023 16:00

OK, I was able to generate a Self Signed Certificate for both the SPA (.62) and SPB (.63) by going to the ip in the browser and adding setup to the end (https://192.168.50.62/setup) How can I change the IP address settings, all the fields are greyed out? 

Moderator

 • 

6.9K Posts

June 23rd, 2023 01:00

Hello jerryroy1,

Here is a link for changing youIP’s oon your SP’s.

https://dell.to/3XqRf4j

Moderator

 • 

8.5K Posts

June 23rd, 2023 08:00

Are you logged in when you open the link?
Here is the article:

naviseccli commands will not cause SPs to reboot.
Using the CLARiiON/Block setup page in GUI causes a  reboot
Any name change requires SP reboot.

Instructions to update the SPs IP addresses, netmask and gateway IPs is below:

Before you begin:
Check to be sure the array is not part of a storage domain
Check that all hosts have dual-Fibre connectivity and that failover software is working correctly

In Unisphere, Under Domains-> Local - for the array he logged into.
Next, clicked on local, only one array  should show up - the array the IPs are being change on


Connect to the Array via the naviseccli
Verify the current settings and record them.
Command to check the current SP settings:
CMD:
 naviseccli -h networkadmin -get
SAMPLE OUTPIT:
Storage Processor:                  SP A
Storage Processor Network Name:     A-IMAGE
Storage Processor IP Address:       10.241. xx.xx
Storage Processor Subnet Mask:      255. 255.xx.xx
Storage Processor Gateway Address:  10. 241.xx.xx

Repeat for SPB

Verify the new information before hitting
Once the new ipaddresses are set, if any mistakes were made, it may be necessary to attach directly to the array to correct via the service or serial port
SAMPLE:
 naviseccli -h networkadmin -set -address -subnetmask -gateway

At this point theCustomer's  network would need to be changed for the new array IP addresses.
Ping the new SP IP and be sure you are able to connect to it before proceeding to SPB.
Once the SPA is updated, contacted, and accessible, Complete changes on SPB

No Events found!

Top