
1 Rookie


63 Posts

278

September 8th, 2023 10:17

Data Domain - How do I replace the DD Boost Certificate? (Reposted to Data Domain Community)

I am testing with DDVE 7.12.0.0-1053185 and I am following the procedure given here to replace the DD Boost certificate, but it isn't working for me.

I have managed to replace the management UI certificate without any issue.

The new DD Boost certificate is accepted and shows in the UI, but when I query the certificate details on https port 3009, I still get the default 'Valued Datadomain Customer' certificate returned even after waiting 30 mins (and even after a DDVE appliance reboot).

C:\Source\TestSSLServer>TestSSLServer2.exe 10.1.1.29 3009
Connection: 10.1.1.29:3009
SNI: 10.1.1.29
  TLSv1.2:
     server selection: uses client preferences
     3f- (key:  RSA)  DHE_RSA_WITH_AES_128_GCM_SHA256
     3f- (key:  RSA)  DHE_RSA_WITH_AES_256_GCM_SHA384
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_GCM_SHA256
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_GCM_SHA384
=========================================
+++++ SSLv3/TLS: 1 certificate chain(s)
+++ chain: length=2
names match:        yes
includes root:      yes
signature hash(es): SHA-256
+ certificate order: 0
thumprint:  1FBA6126DC9B36A67E9631433A89768B752099B7
serial:     02
subject:    CN=mc-ddve-v-202.momusconsulting.com,O=Valued DataDomain customer,ST=CA,C=US
issuer:     CN=mc-ddve-v-202.momusconsulting.com,O=Valued Datadomain Customer,L=Santa Clara,ST=CA,C=US
valid from: 2023-07-13 14:10:41 UTC
valid to:   2024-08-12 14:10:41 UTC
key type:   RSA
key size:   2048
sign hash:  SHA-256
server names:
   mc-ddve-v-202.momusconsulting.com
+ certificate order: 1
thumprint:  C4A8C40237B61D512344FECAE8BE4ED9B65B212D
serial:     00
subject:    CN=mc-ddve-v-202.momusconsulting.com,O=Valued Datadomain Customer,L=Santa Clara,ST=CA,C=US
issuer:     CN=mc-ddve-v-202.momusconsulting.com,O=Valued Datadomain Customer,L=Santa Clara,ST=CA,C=US
valid from: 2022-08-13 14:10:40 UTC
valid to:   2028-08-11 14:10:40 UTC
key type:   RSA
key size:   2048
sign hash:  SHA-256
(self-issued)
=========================================
Server compression support: no
Server sends a random system time.
Secure renegotiation support: yes
Encrypt-then-MAC support (RFC 7366): no
SSLv2 ClientHello format (for SSLv3+): yes
Minimum DH size: 2048
DH parameter reuse:  no
Minimum EC size (no extension):   256
Minimum EC size (with extension): 256
ECDH parameter reuse:  no
Supported curves (size and name) ('*' = selected by server):
  * 256  secp256r1 (P-256)
=========================================
No warning.

I am testing this in a lab environment, so I do not have any support entitlement, so I cannot open a case.

Any thoughts or suggestions will be appreciated.

Cheers

M

1 Rookie


63 Posts

September 27th, 2023 08:10

Solved.

1) the leaf certificate needs both ‘Server Authentication’ & ‘Client Authentication’ Extended Key Usage set. (I was missing Client Auth initially - this is OK for https, but not ddboost)

2) scp the certificates (leaf & CA's) into /ddr/var/certificates/

3) use the command line adminaccess certificate import to add the certificates (leaf & CA's) as system-management, https and ddboost.

4) if you don't add the leaf & CA certs as system-management then the ddboost port 3009 still responds with the self-signed cert, despite having a valid enterprise signed certificate configured.

If anyone from the DDVE dev team is lurking, please improve the way the Web UI handles certificates in general and especially kick back an error if a cert is missing a required Extended Key Usage setting. Also, your adminaccess certificate show command does not correctly return a 'Valid Until' date for my RootCA certificate, which expires in December 2050 - it reports it as Feb 2024.
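As an added example (not from the original post and not Dell's code), here is a small Go program that checks a candidate leaf certificate for the two Extended Key Usages step 1 above calls out, and reads the expiry straight out of the certificate so it can be compared with whatever adminaccess certificate show reports. Given a host:port argument it instead pulls the leaf the appliance is currently presenting (for instance on port 3009) and runs the same check on it, which is a quick way to confirm the import actually took. The host name ddve.example.test, the self-signed test certificate it builds to run offline, and the report layout are assumptions made for this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// LeafReport is what we learn about a candidate DD Boost leaf certificate.
type LeafReport struct {
	Subject    string
	NotAfter   time.Time
	ServerAuth bool
	ClientAuth bool
}

// Ready reports whether the leaf carries both EKUs the thread found
// DD Boost needs (Server Authentication and Client Authentication).
func (r LeafReport) Ready() bool { return r.ServerAuth && r.ClientAuth }

// InspectLeaf accepts a PEM- or DER-encoded certificate and returns its
// subject, expiry and the two EKU flags we care about.
func InspectLeaf(raw []byte) (LeafReport, error) {
	der := raw
	if block, _ := pem.Decode(raw); block != nil {
		der = block.Bytes
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return LeafReport{}, err
	}
	rep := LeafReport{Subject: cert.Subject.String(), NotAfter: cert.NotAfter}
	for _, eku := range cert.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageServerAuth:
			rep.ServerAuth = true
		case x509.ExtKeyUsageClientAuth:
			rep.ClientAuth = true
		}
	}
	return rep, nil
}

// FetchLeaf connects to addr (for example "10.1.1.29:3009") and returns the
// leaf certificate the server presents, in DER form. Verification is skipped
// on purpose: we want to see which certificate is served, not trust it.
func FetchLeaf(addr string) ([]byte, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, errors.New("server presented no certificate")
	}
	return certs[0].Raw, nil
}

// newTestLeaf builds a constructed self-signed certificate with the given
// EKUs and expiry so the example can run with no appliance in reach.
func newTestLeaf(ekus []x509.ExtKeyUsage, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ddve.example.test"}, // assumed name
		NotBefore:    notAfter.AddDate(-1, 0, 0),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
		DNSNames:     []string{"ddve.example.test"},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func describe(label string, rep LeafReport) {
	fmt.Printf("%s: %s\n  expires %s  serverAuth=%v clientAuth=%v ddboost-ready=%v\n",
		label, rep.Subject, rep.NotAfter.Format(time.RFC3339),
		rep.ServerAuth, rep.ClientAuth, rep.Ready())
}

func main() {
	if len(os.Args) > 1 { // live check: go run . 10.1.1.29:3009
		der, err := FetchLeaf(os.Args[1])
		if err == nil {
			var rep LeafReport
			if rep, err = InspectLeaf(der); err == nil {
				describe(os.Args[1], rep)
				return
			}
		}
		fmt.Println("error:", err)
		os.Exit(1)
	}
	// Offline run over two constructed certificates: one https-only, one with both EKUs.
	exp := time.Date(2050, 12, 31, 0, 0, 0, 0, time.UTC)
	httpsOnly, _ := newTestLeaf([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, exp)
	both, _ := newTestLeaf([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, exp)
	for label, der := range map[string][]byte{"https-only leaf": httpsOnly, "server+client leaf": both} {
		if rep, err := InspectLeaf(der); err == nil {
			describe(label, rep)
		}
	}
}
```

Run it with no arguments to see the two constructed cases, or with host:port to inspect what a DD or DDVE is really serving on a given port before and after the import; the expiry it prints comes from the certificate itself, so it is a useful cross-check when the appliance's own 'Valid Until' output looks wrong.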

2 Intern


137 Posts

September 19th, 2023 19:53

What does it show when you connect to port 2049, which is the port used for ddboost connectivity (instead of DD management port 3009)?

1 Rookie


63 Posts

September 25th, 2023 12:49

Hi @bbeckers1 

Thank you for your suggestion. I've just tested port 2049 and it does not respond with an SSL/TLS handshake.

C:\Source\TestSSLServer>TestSSLServer2.exe 10.1.1.29 2049
System.Exception: Could not initiate a handshake (not SSL/TLS?)
   at FullTest.Run() in c:\Users\Administrator\Downloads\TestSSLServer-master\TestSSLServer-master\Src\FullTest.cs:line 426
   at TestSSLServer.Process(String[] args) in c:\Users\Administrator\Downloads\TestSSLServer-master\TestSSLServer-master\Src\TestSSLServer.cs:line 286
   at TestSSLServer.Main(String[] args) in c:\Users\Administrator\Downloads\TestSSLServer-master\TestSSLServer-master\Src\TestSSLServer.cs:line 52

C:\Source\TestSSLServer>

Do you have a DD/DDVE that responds with a certificate to a SSL/TLS request on port 2049 and/or have you been able to replace this cert on any of your DD/DDVE's with an enterprise CA signed one?

Cheers,

M
