PowerVC generates a self-signed X.509 certificate to secure its web interface and REST APIs during installation. It is highly recommended that you replace the default certificate with a CA-signed certificate (signed by an internal or external CA) in a production environment. This blog describes how to replace that certificate with a CA-signed or self-signed certificate.1. Introduction - What is a certificate?
Certificates are used to strengthen the security of web-based applications. Such sites are accessed using the HTTPS protocol. Installing a certificate into the browser's trust store protects the website from malicious attacks. If the website is secured with a certificate, the information sent from the browser to the server hosting the application is encrypted using public key cryptography that is unreadable even if intercepted by an attacker. The browser matches the hostname of the website with that in the certificate and then proceeds to render the website's login page.
X.509 defines the format for public key certificates. A self-signed certificate is a public key certificate where the person/entity signing or requesting a certificate is the same as the person/entity issuing the certificate. A certificate authority (CA) issues digital certificates that certify or authenticate the identity of a system, person, or application to enable secure communication. A CA is a third-party entity that the owner and the party accepting the certificate trust. Certificates typically include information about the issuing authority, the system /owner’s public key, the validity period of the certificate, the standard algorithms used for data encryption during packet transfer, and some other details corresponding to the system/owner. To establish a certificate chain, the CA issues a certificate for itself that is commonly referred to as the trusted root certificate. Operating systems and browsers usually maintain a list of commonly trusted CA root certificates in their respective CA trust stores that they use to verify certificates signed by a CA.2. Background - How do I use certificates with PowerVC?
PowerVC generates a self-signed X.509 certificate (powervc.crt) to secure its web interface and REST APIs during installation. The below image shows the web browser security alert that arises during the first launch of PowerVC when it is configured with a self-signed certificate. You get this alert because this certificate is not verified by a trusted CA. Some clients may choose to abort this page for security reasons.
Figure 1. Example of browser security alert from self-signed certificate.
Follow these instructions to replace the existing certificate with a CA-signed or self-signed certificate. 3. Generate a certificate signing request (as input for a CA-signed certificate)
The first step is to generate a certificate signing request (CSR). The below example shows how a CSR can be generated for PowerVC, using OpenSSL library.
i) Connect to the PowerVC system or any other system via SSH and ensure that the system has the OpenSSL library installed. Create a new directory to save the newly created certificates. mkdir /home/newcerts
ii) A certificate (or CSR) needs an underlying key. This can either be an existing or new key. If you prefer to use the existing key available at /etc/pki/tls/private/powervc.key, you can skip this step. OpenSSL genrsa is a tool to generate RSA keys. 2048 specifies the key size. The below command generates a new key named pvc.key.openssl genrsa -out /home/newcerts/pvc.key 2048
iii) Create a config file by defining the required parameters for generating a certificate signing request (CSR). OpenSSL uses all the information in the custom config file [/home/newcerts/myopenssl.config] to compile an X.509 certificate and the key to generate the signature. The CSR must contain the ip address and the DNS resolvable hostname, so this must be defined in the subject alt name parameter in the config file.
The content of a sample openssl config file is shown below. Some of the parameters under the req_distinguished_name section are explained in step ii) of section 4.
[ req ]
echo "subjectAltName=IP:<VIP>" > altnames.txt
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
default_md = sha256
[ req_distinguished_name ]
C = IN
ST = KAR
L = BLR
O = IBM
OU = PVC
CN = ip198-51-100-0.pok.ibm.com
emailAddress = firstname.lastname@example.org
subjectAltName = @alt_names
DNS.1 = 198.51.100.0
DNS.2 = ip198-51-100-0.pok.ibm.com
iv) The key parameter can use the existing /etc/pki/tls/private/powervc.key or the new key generated in step ii.
Run the below command to generate a CSR using the custom openssl config file.openssl req -new -sha256 -nodes -out /home/newcerts/pvc.csr -key /etc/pki/tls/private/powervc.key -config /home/newcerts/myopenssl.config
Once the CSR has been generated, it can be sent across to the internal or external CA to be signed. However, if you wish to generate your own CA root certificate that can be used to sign your PowerVC certificate, read section 4 below, otherwise proceed to section 6.4. Generate a CA root certificate
There could be cases where you want to sign your PowerVC certificate (for example, in a temporary situation) with your own CA certificate. In such cases, you can use OpenSSL commands to generate your own CA certificate and use that to sign the PowerVC certificate. The steps below explain how a CA root certificate can be generated.
i) Generate a new RSA key for the CA called as RootCA.key. openssl genrsa -out /home/newcerts/RootCA.key 2048
ii) Generate a new CA certificate called RootCA.pem. The CA key will be used to sign the CA certificate. The subject field contains multiple parameters that are explained below. All these details are required to compile an X.509 certificate. The CA certificate will be generated in PEM format.
C = Country name
ST = State or province name
L = Locality name
O = Organization name
OU = Organizational Unit name
CN = Common Name
days = number of days the certificate is valid openssl x509 -req -extfile altnames.txt -in pvc.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out pvc.pem -days 1024 -sha256
The next section describes how you can use this newly generated CA certificate/key to sign a certificate.5. Create a CA-signed certificate with a CSR
Generate the CA-signed certificate pvc.pem for the PowerVC system.
in = The input file with PowerVC’s certificate signing request.
CA = The CA certificate file that will sign the PowerVC’s certificate.
Cakey = The CA key file that has signed the CA certificate file.
out = CA signed PowerVC certificate file in PEM format.
A file named RootCA.srl gets created that contains a unique serial number assigned by the CA to the certificate.openssl x509 -req -extfile altnames.txt -in /home/newcerts/pvc.csr -CA /home/newcerts/RootCA.pem -CAkey /home/newcerts/RootCA.key -CAcreateserial -out /home/newcerts/pvc.pem -days 1024 -sha256
The above step generates a certificate named pvc.pem that is signed (issued) by the root CA certificate given as input (RootCA.pem). 6. Appending the certificate with the certificate chain (only for CA-signed certificates)
PowerVC requires that the certificate used by PowerVC contains the entire certificate chain. The following step ensures that the final certificate contains the leaf certificate at the top and the root CA at the bottom.
Append the root CA certificate to the newly generated PowerVC system’s CA-signed certificate.cat /home/newcerts/RootCA.pem >> /home/newcerts/pvc.pem
There could be cases where the leaf certificate is signed by one or more intermediate certificate (which then is signed by the root certificate). In such cases, the final PowerVC certificate should consist of all the intermediate certificates in the following format:--------leaf certificate------ (on the very top)
--------intermediate certificate(s)--------(in the middle)
--------root certificate-------(at the very bottom)
The PowerVC system has now obtained a CA-signed certificate. The following sections describe how the old certificates can be replaced with the new certificates.
7. Generating new self-signed certificates
There would be cases where you want to replace the default self-signed certificates/keys with new self-signed certificates. The following steps can be used to generate these fresh:
Generate a new self-signed certificate for the PowerVC system using the config parameters from the openssl.conf file. This is a configuration file that PowerVC creates with default values at the time of installation. The values in this configuration file (esp. the values under the alt_names section) must be updated accordingly based on your system and organization’s details before generating a new self-signed certificate. The file is installed at /etc/pki/tls/certs/openssl.conf. The below command generates a new key[pvc.key] and a new self-signed certificate[pvc.pem].openssl req -new -x509 -batch -nodes -sha256 -days 1000 -subj /CN=PowerVCSystem -config /etc/pki/tls/certs/openssl.conf -out /home/newcerts/pvc.pem -keyout /home/newcerts/pvc.key
Note: It is recommended that the certificate subject alternate name consists of both the host name and IP address of the system so that the certificate works with both.8. Update old certificates with new certificates
i) SSH to the PowerVC system and take a backup of the default PowerVC key and certificate to the home directory or any other location that you prefer.cp /etc/pki/tls/private/powervc.key /home
cp /etc/pki/tls/certs/powervc.crt /home
ii) Replace the new certificates.echo yes | cp /home/newcerts/pvc.pem /etc/pki/tls/certs/powervc.crt
The next command can be skipped if the existing powervc.key was used to generate the CSR as stated in step iv of section 3.echo yes | cp /home/newcerts/pvc.key /etc/pki/tls/private/powervc.key
iii) If the certificate is CA-signed, update the OS’s CA trust store with the CA root and intermediate certificates. The below example shows how the trust store can be updated with the CA root certificate /bin/cp /home/newcerts/RootCA.pem /etc/pki/ca-trust/source/anchors
/bin/cp /home/newcerts/RootCA.key /etc/pki/CA/private
You can run man update-ca-trust
for more details.
iv) Restart PowerVC services by running powervc-services restart
v) On each registered NovaLink or KVM on Power host and the network node, replace the certificate at /etc/pki/tls/certs/powervc.crt with the new certificate generated in the previous steps [pvc.pem]. Restart PowerVC services on all those hosts by running powervc-services remote restart --node all
from the PowerVC management server. Restart the PowerVC services on the network node by running /opt/ibm/powervc/bin/powervc-services restart
Now your system is ready to use the new certificates. If you have any questions, feel free to post them below. And be sure to follow us on Facebook
, and Twitter
to get all the latest updates!References
: Archana Prabhakar, Divya K Konoor