PowerVC

  • 1.  Changing out the self-signed cert for a publicly verified one

    Posted Wed March 15, 2023 05:02 PM

    Has anyone changed out the self-signed cert for one from DigiCert, Thawte, or another cert company?

    I've run into a snag getting a proper Subject Alternative Name cert from DigiCert. Turns out none of the big cert companies will create a SAN cert that uses internal-only IP addresses (10.x.x.x, 172.16.x.x, or 192.168.x.x). They all got together back in 2011 and agreed not to do it for security reasons.

    I think this might only affect PowerVC 2.1 from what I can see.  I did use our wildcard cert back with 2.0.0 and it worked then.  Seems the re-work to 2.1 has internal services using HTTPS URLs with the IP address for verifying things.  Those services fail when I try using our wildcard cert now.  Even the IBM docs state that you need a SAN cert that lists the IP addresses.

    Seeing that the URLs are built during installation or re-built when the IP changes, they must be stored someplace in config files.  Shouldn't be any reason not to store the FQDN instead.  

    Seeing that the Security Department here has plans by end of the year to require only publicly verifiable certificates be used, I'm under the gun to get this fixed up.



    ------------------------------
    Tom Komadowski
    Principal DevOps Engineer
    Fortra, LLC.
    Eden Prairie MN
    ------------------------------


  • 2.  RE: Changing out the self-signed cert for a publicly verified one

    Posted Thu March 16, 2023 04:18 AM

    Hi Tom,

    I don't use certificates from the companies you mentioned, but from my experience with PowerVC 2.1 - yes, the certificate must have IP addresses in it. I don't see why your company would like to use external certificate providers for internal services, but in this case you must have public Internet IPs. 

    Or you can submit an idea to make PowerVC better - https://ibm-power-systems.ideas.ibm.com/ideas?project=PVC



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 3.  RE: Changing out the self-signed cert for a publicly verified one

    Posted Thu March 16, 2023 06:18 AM

    I did that for my PVC 2.0.3 and 2.1.0 and I confirm you must include the IP addresses to make this work.

    In my case this is an internal PowerVC at IBM, so I could include them when requesting the cert from our internal CA.


    Unless otherwise stated above:

    Compagnie IBM France
    Registered office: 17, avenue de l'Europe, 92275 Bois-Colombes Cedex
    RCS Nanterre 552 118 465
    Legal form: S.A.S.
    Share capital: 664 069 390,60 €
    SIRET: 552 118 465 03644 - NAF code 6203Z
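The original question and reply 3 come down to the same requirement: the certificate's Subject Alternative Name has to list the PowerVC IP address, not just the FQDN. The script below is an added example (not code from this thread, from IBM, or from PowerVC's own tooling) showing how to generate, with OpenSSL, a key and CSR whose SAN carries both the FQDN and a private IP, how to issue a self-signed certificate from the same key as a fallback when no public CA will sign such a request, and how to verify the SAN contents before sending anything to a CA. The hostname, IP address, and file names are constructed placeholders; `-addext` requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the thread or from PowerVC: build a key and CSR whose
# subjectAltName lists both the FQDN and the private IP, issue a self-signed
# fallback from the same key, and check the SAN before submitting to a CA.
# PVC_FQDN, PVC_IP and the file names are constructed placeholders.
set -eu

PVC_FQDN="${PVC_FQDN:-powervc.example.internal}"   # placeholder FQDN
PVC_IP="${PVC_IP:-10.0.0.5}"                       # placeholder RFC 1918 address
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate a private key and a CSR carrying DNS and IP SAN entries.
# -addext needs OpenSSL 1.1.1 or newer.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/powervc.key" -out "$WORKDIR/powervc.csr" \
    -subj "/CN=$PVC_FQDN" \
    -addext "subjectAltName=DNS:$PVC_FQDN,IP:$PVC_IP" >/dev/null 2>&1
}

# Issue a self-signed certificate from the same key with the same SAN; this is
# the stand-in when no public CA will sign a request naming a private IP.
make_selfsigned_cert() {
  openssl req -x509 -new -key "$WORKDIR/powervc.key" -days 365 \
    -out "$WORKDIR/powervc.crt" -subj "/CN=$PVC_FQDN" \
    -addext "subjectAltName=DNS:$PVC_FQDN,IP:$PVC_IP" >/dev/null 2>&1
}

# Print the SAN line of a CSR ($1=req) or a certificate ($1=x509) in file $2.
san_of() {
  openssl "$1" -in "$2" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Succeed only if the SAN of the object in $2 lists the IP address in $3.
has_ip_san() {  # $1=req|x509  $2=file  $3=ip
  san_of "$1" "$2" | grep -q "IP Address:$3"
}

# Stand-alone run: build both objects and show what a CA (or PowerVC) will see.
main() {
  make_csr
  make_selfsigned_cert
  echo "CSR SAN : $(san_of req "$WORKDIR/powervc.csr")"
  echo "Cert SAN: $(san_of x509 "$WORKDIR/powervc.crt")"
  if has_ip_san req "$WORKDIR/powervc.csr" "$PVC_IP"; then
    echo "CSR lists IP $PVC_IP in its SAN; ready for an internal CA"
  else
    echo "CSR is missing the IP SAN; PowerVC 2.1 internal HTTPS checks would fail" >&2
    exit 1
  fi
}

main "$@"
```

Run it as `PVC_FQDN=powervc.corp.example PVC_IP=10.20.30.40 sh san-csr.sh`; submit the resulting `.csr` to an internal CA (as in reply 3), and keep the `.crt` only as a self-signed fallback. The `has_ip_san` check is worth running against whatever the CA returns as well, since a CA that silently drops the IP entry produces exactly the failure the original post describes.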