PowerStore: How to renew internal certificates of a PowerStore cluster
Summary: This article describes the process for upgrading the internal certificates of a PowerStore cluster using certificate renewal thin packages with PowerStoreOS versions 2.0.x through 4.0.x. ...
Instructions
| IMPORTANT |
|---|
| Certificate renewal for a cluster installed with PowerStoreOS versions 1.x is not covered in this article. Customers with such clusters are encouraged to consider a non-disruptive upgrade (NDU) of the cluster to the PowerStoreOS target version (or later). They would then be able to perform certificate renewal using the appropriate certificate renewal thin package. For details on supported PowerStoreOS upgrade paths for this case, see KB# 000175213 PowerStore: PowerStoreOS Matrix. If a cluster upgrade from version 1.x is not possible, contact your service provider for assistance with this case. Mention KB# 000228220 to expedite processing of your case. A certificate renewal package is not available for PowerStoreOS 4.1.x (or later) as this version supports automatic certificate renewal. |
Table of Contents
- Background
- How to download a certificate renewal package
- How to upload a certification renewal package
- Compatibility matrix for the certification renewal packages
- Customer expectations
- How to confirm
Background
PowerStore CA first-party certificates and other third-party certificates are used for secure communications among various components of a PowerStore system.
The certificates installed on a PowerStore system are:
- Replication HTTP, Management HTTP (Internal and External), VASA HTTP, and Encrypt HTTP - All are listed in the PowerStore Manager Certificates report.
- SDNAS Internal CA Cert, SDNAS Cluster Cert, SDNAS Node-A Cert, SDNAS Node-B Cert, SDNAS Trident Signed Client Cert - None are listed in PowerStore Manager; they can only be found in the cluster log files.
Users are not alerted when a PowerStore certificate is signed or when certificates are nearing expiration. This may result in certificate expiration and subsequent failures in PowerStore cluster functionality. This may also lead to a Data Unavailability (DU) condition on the affected cluster. In addition, there is no auto-renewal mechanism for PowerStore CA first-party certificates, which adds further risk. Some examples of the impact of expired certificates are:
- Inability to manage the array
- Inability to add remote clusters for replication
- Failure of inter-appliance connections
Certificate renewal is critical because the PowerStore CA first-party certificates expire in May 2025 (for systems installed in 2020). Customers must renew the certificates before this date. If certificate renewal is not done, critical PowerStore functionality may be affected, rendering the PowerStore non-operational and unable to be managed, configured, or serviced.
The certificate renewal thin packages allow the renewal of PowerStore CA first-party certificates whether they have not yet expired or have already expired.
How to download a certificate renewal package
The PowerStore certificate renewal packages are available for download from the Dell Technologies Support site alongside PowerStoreOS, drive firmware, language packs, and Health Check packages. The certificate renewal packages can only be accessed when logged into Support using an account that is associated with the PowerStore cluster.
To download a certificate renewal package:
- Open a browser and go to the Dell Technologies Support site.
- Sign in to the support account that is associated with the PowerStore cluster.
- Go to the product page for your system, and then go to Drivers & Downloads.
- Identify the applicable PowerStore certificate renewal package to download by carefully reading the package description. For further details, see the Compatibility Matrix for the certification renewal packages section in this article.
- Click Download to download the PowerStore certificate renewal package.
How to upload a certification renewal package
Use PowerStore Manager to upgrade the internal certificates on the cluster.
Note: This procedure is performed once for the whole cluster from the primary appliance.
Known Issues
This sub-section lists the known issues with the steps to upload a certificate renewal package. Review this section before performing the steps listed in this section.
Multiple Appliance cluster configuration with expired certificates
Attempting to upload a certificate renewal package to a multiple appliance cluster fails if one or more of the internal certificates has expired. To check if certificates on the cluster have expired, see the How to Confirm section in this article.
Note: This known issue applies to all PowerStoreOS versions through 4.0.x.
To avoid this issue, run this curl command to manually renew the Encrypt_HTTP certificate before attempting to upload the certificate renewal package:
curl -s -k -u "<user account>:<user account password>" -X 'POST' "https://<IP address of PowerStore cluster>/api/rest/x509_certificate/reset" \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H 'Dell-Visibility: Internal' \
-d "{ \"service\": \"Encrypt_HTTP\" }"
In the above curl command, replace <user account>, <user account password>, and <IP address of PowerStore cluster> with the corresponding settings of the affected PowerStore cluster.
Note: For user account, the admin user account can be used.
Pre-requisites
Before starting the certificate upgrade, run the System Health Check under the Monitoring tab to ensure the health of the array.
Note: As a best practice, always install the latest available Health Check packages for your current PowerStoreOS version before starting the certificate renewal procedure. See PowerStore: How to Check the Health of the Cluster Before Software Upgrade Using Pre-Upgrade Health Check and System Check for more information about the latest available Health Check packages.
Steps
- Follow the below instructions to upload the certificate renewal package to PowerStore Manager:
  - Open PowerStore Manager.
  - In PowerStore Manager, go to Settings > Upgrades.
  - Under Software Packages, select More Actions > Upload Package.
  - In the file explorer, select the certificate renewal package to upload and select Open.
  Note: Do not close or refresh the browser while the certificate package is uploaded to PowerStore Manager. When the certificate upgrade package finishes uploading, it is displayed in the Software Packages table.
- Follow the below instructions to upgrade the certificate on the cluster using the certificate renewal package that was uploaded to PowerStore Manager in step 1 of this procedure:
  - Open PowerStore Manager.
  - Select the Settings icon, and then select Upgrades in the Cluster section.
  - Select the certificate renewal package in the Software Packages table, and select Upgrade.
  - Refresh the PowerStore Manager tab to see changes after completion of the certificate upgrade.
Concluding steps
After completing the certificate upgrade, run the System Health Check under the Monitoring tab to ensure the health of the array.
Compatibility Matrix for the certification renewal packages
| Package Name | Package File Name | Supported PowerStoreOS versions | Size | Package File Signatures |
|---|---|---|---|---|
| PowerStore Certificate Renewal for 4.0.x | PowerStore_hotfix_cert_renewal-4.0.0.0-2426956-retail.tgz.bin | 4.0.x | 155.0 MB | MD5: 78f55770a40acaa5e8fda512d0c2f4b9 SHA256: 444dd59a877f8284e47a343e9b22f03659ba3cc86d6ec2d671bb3f5d55743f56 |
| PowerStore Certificate Renewal for 3.6.x | PowerStore_hotfix_cert_renewal-3.6.0.0-2427535-retail.tgz.bin | 3.6.x | 160.0 MB | MD5: 6636d9c6ff14c6f2b6464fbbbc2096ca SHA256: 122770a67b3b65034d6af076d18e4d853b9ad5f38525750b767fa75812ce26fd |
| PowerStore Certificate Renewal for 3.5.x | PowerStore_hotfix_cert_renewal-3.5.0.0-2427517-retail.tgz.bin | 3.5.x | 159.0 MB | MD5: 30d43f42eb78727fec02d008c58579e6 SHA256: eb2486f94e9b81e62a6b718470a726e9d5ff6291c998af3ee4000d2be533c3ae |
| PowerStore Certificate Renewal for 3.2.x | PowerStore_hotfix_cert_renewal-3.2.0.0-2427497-retail.tgz.bin | 3.2.x | 153.0 MB | MD5: 55dedb009133803455c0528378f3f6e3 SHA256: 9ea5fcd1cab6cc6bedb717fa9725d5c84f2a419d50f143f5bc527462dbf67893 |
| PowerStore Certificate Renewal for 3.0.x | PowerStore_hotfix_cert_renewal-3.0.0.0-2426965-retail.tgz.bin | 3.0.x | 153.0 MB | MD5: ce83192a6b8cc1e996b0acfd9c7f1f8c SHA256: 14dff9f5f4c520dda5bfa0c81062957c0c4ef3f6ef51f94298b6cd14a8296b62 |
| PowerStore Certificate Renewal for 2.1.x | PowerStore_hotfix_cert_renewal-2.1.0.0-2308171-retail.tgz.bin | 2.1.x | 138.2 MB | MD5: 8467c16e6e09a6051328134743099ea7 SHA256: 5858985b9abeebbfe69e4f45493a17ef04dcb37523a7bb2f06018d9caee57bf4 |
| PowerStore Certificate Renewal for 2.0.x | PowerStore_hotfix_cert_renewal-2.0.0.0-2308635-retail.tgz.bin | 2.0.x | 138.8 MB | MD5: 446d2ebe97747f2382fb30c776d3f0de SHA256: b6ded98563006d94d5a60c2e3c2ecf176b7272bffdc4ac6fb1fcf7c2ed1d50c4 |
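The script below is an added example, not part of the original article or Dell tooling: it checks a downloaded package against the SHA256 values published in the matrix above before the file is uploaded to PowerStore Manager. It assumes a Linux workstation with GNU coreutils `sha256sum`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Dell code): check a downloaded renewal package against the
# SHA256 values published in the compatibility matrix before uploading it.

# Print the published SHA256 for a package file name; fail for unknown names.
expected_sha256() {
    case "$1" in
        PowerStore_hotfix_cert_renewal-4.0.0.0-2426956-retail.tgz.bin)
            echo 444dd59a877f8284e47a343e9b22f03659ba3cc86d6ec2d671bb3f5d55743f56 ;;
        PowerStore_hotfix_cert_renewal-3.6.0.0-2427535-retail.tgz.bin)
            echo 122770a67b3b65034d6af076d18e4d853b9ad5f38525750b767fa75812ce26fd ;;
        PowerStore_hotfix_cert_renewal-3.5.0.0-2427517-retail.tgz.bin)
            echo eb2486f94e9b81e62a6b718470a726e9d5ff6291c998af3ee4000d2be533c3ae ;;
        PowerStore_hotfix_cert_renewal-3.2.0.0-2427497-retail.tgz.bin)
            echo 9ea5fcd1cab6cc6bedb717fa9725d5c84f2a419d50f143f5bc527462dbf67893 ;;
        PowerStore_hotfix_cert_renewal-3.0.0.0-2426965-retail.tgz.bin)
            echo 14dff9f5f4c520dda5bfa0c81062957c0c4ef3f6ef51f94298b6cd14a8296b62 ;;
        PowerStore_hotfix_cert_renewal-2.1.0.0-2308171-retail.tgz.bin)
            echo 5858985b9abeebbfe69e4f45493a17ef04dcb37523a7bb2f06018d9caee57bf4 ;;
        PowerStore_hotfix_cert_renewal-2.0.0.0-2308635-retail.tgz.bin)
            echo b6ded98563006d94d5a60c2e3c2ecf176b7272bffdc4ac6fb1fcf7c2ed1d50c4 ;;
        *) return 1 ;;
    esac
}

# sha256_matches FILE DIGEST: true when FILE hashes to DIGEST (case-insensitive).
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# verify_package PATH: 0 = match, 1 = mismatch or unreadable, 2 = unknown name.
verify_package() {
    name=$(basename "$1")
    want=$(expected_sha256 "$name") || { echo "unknown package: $name" >&2; return 2; }
    if sha256_matches "$1" "$want"; then
        echo "OK: $name matches the published SHA256"
    else
        echo "MISMATCH: $name, do not upload" >&2
        return 1
    fi
}

if [ "$#" -gt 0 ]; then verify_package "$1"; fi
```

The lookup is keyed on the file name, so a package that was renamed after download is reported as unknown rather than silently passed.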
Customer Expectations
How long does the certificate renewal package take to upload?
It takes about 4-7 minutes per appliance to upload a certificate renewal package.
How are the expiration dates of first-party certificates expected to change after uploading the certificate renewal package?
| Certificate Name | Expiration extension |
|---|---|
| Replication_HTTP | 5 years |
| Management_HTTP (internal) | 5 years |
| Management_HTTP (external) | 5 years |
| VASA_HTTP * | 1 year |
| Encrypt_HTTP | 5 years |
| SDNAS Internal CA Cert | 10 years |
| SDNAS Cluster Cert | 5 years |
| SDNAS Node-A Cert | 5 years |
| SDNAS Node-B Cert | 5 years |
Notes regarding the VASA_HTTP certificate:
- Unlike all other first-party certificates, the VASA_HTTP first-party certificate is only extended by one year when uploading the certificate renewal package.
- The VASA_HTTP certificate is special because it can also be a third-party certificate (signed by VMware) for vSphere. In such a case, the certificate renewal package skips the VASA_HTTP certificate renewal. Customers are responsible for the renewal of such third-party certificates.
- In addition, with PowerStoreOS version 3.5 or later, a “vasa_retain” user-configurable flag was introduced for the customer to indicate that this third-party certificate is used. If this flag is set, the certificate renewal package also skips the VASA_HTTP certificate renewal.
Is the package applied non-disruptively to a cluster?
Yes, a certificate renewal package can be applied non-disruptively to a cluster.
Must Support Notifications be disabled/enabled?
No, Support Notifications do not need to be disabled during a certificate upgrade.
Are any alerts or events raised following a certificate upgrade?
No alerts are raised following a certificate upgrade.
Several events are raised during this upgrade:
How to confirm
Follow the below instructions to confirm that the certificate renewal package was successfully applied to the PowerStore cluster:
- Open PowerStore Manager.
- In PowerStore Manager, go to Settings > Security > Certificates.
- From the displayed list of certificates installed on the cluster, check the expiration date for the Replication HTTP, Management HTTP (Internal and External), VASA HTTP, and Encrypt HTTP certificates:
- For each certificate, click the certificate name to display a View Certificate Chain panel on the right with the expiration date of the certificate.
NOTICE:
The following certificates are also installed on the cluster but are not visible in the PowerStore Manager Certificates section:
- SDNAS Internal CA Cert, SDNAS Cluster Cert, SDNAS Node-A Cert, SDNAS Node-B Cert, SDNAS Trident Signed Client Cert, and Encrypt HTTP.
Information on these certificates can only be seen in the cluster log files.
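Because the cluster raises no alert as certificates approach expiry, an external check can watch the one certificate that is reachable over the network. The script below is an added example, not part of the original article: it assumes the `openssl` command-line tool and that the HTTPS endpoint used by the curl command earlier (port 443 on the cluster IP) presents the external Management HTTP certificate; the other certificates listed in this article are not checked by it. Function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Dell code): report how long the certificate presented by
# the cluster's HTTPS management endpoint remains valid.

# cert_valid_for PEM_FILE DAYS
#   0 = still valid DAYS from now, 1 = expires within DAYS or already expired,
#   2 = PEM_FILE is not a readable certificate.
cert_valid_for() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# fetch_server_cert HOST [PORT]: leaf certificate as PEM on stdout.
# s_client does not abort on an expired or privately signed certificate, so
# the certificate can still be inspected after it has lapsed.
fetch_server_cert() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# check_cluster HOST DAYS: fetch the certificate and print its status.
check_cluster() {
    pem=$(mktemp) || return 2
    fetch_server_cert "$1" > "$pem" || true
    rc=0
    cert_valid_for "$pem" "$2" || rc=$?
    end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | cut -d= -f2)
    rm -f "$pem"
    case "$rc" in
        0) echo "OK: $1 certificate valid until $end" ;;
        1) echo "WARNING: $1 certificate expires $end (within $2 days)" ;;
        *) echo "ERROR: no certificate retrieved from $1" >&2 ;;
    esac
    return "$rc"
}

# Usage: sh cert_check.sh <cluster IP or host name> [days, default 90]
if [ "$#" -gt 0 ]; then check_cluster "$1" "${2:-90}"; fi
```

Run before and after the upgrade, the reported end date shows whether the external Management HTTP certificate was extended.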