Self-signed Certificates with FA/FB for PureStorage Unified Add-on
Overview
Lately, Splunk has made the secured connections (https protocol) between the Splunk instance and the client a requirement for the Splunk Add-on certification. Hence the Pure Storage Unified Add-on for Splunk adheres to this requirement and has eliminated the check-box option like "Verify SSL Certificate" when configuring the array using the technology add-on (TA). This means, it is not only required to have an SSL certificate at the array level but the certificate can be verified.
The Challenge
Configuring an array using the new TA is not an issue if you are using commercial SSL certificates for the FlashArray or FlashBlade as it is issued by a trusted Certificate Authority (CA) and Splunk includes various trusted CA root certificates as part of the Add-on builder.
What if you are not using commercial SSL certificates for your FlashArrays or FlashBlades but relying on the self-signed certificates created by the array itself as part of the installation?
You will run into an error message as follows when trying to configure an array on the Pure Storage Unified Add-on because the certificate cannot be verified against the list of trusted CA root certificates given this was self-signed.
Solution
This can be overcome by following the two-step process that will allow the self-signed certificates to work without any errors.
- Create a new self-signed certificate with the "Common Name" matching the Server Address that will be entered in the "Add Account" dialog box.
- Add the certificate into the cacert.pem file under the following directories.
$SPLUNK_HOME/etc/apps/TA-purestorage-unified/bin/ta_purestorage_unified/aob_py3/certifi/cacert.pem$SPLUNK_HOME/etc/apps/TA-purestorage-unified/bin/ta_purestorage_unified/aob_py2/certifi/cacert.pem
Creating a New Self-Signed Certificate
The self-signed certificate created by Pure Storage generally has the Common Name field as "Pure Storage" and hence if you export this certificate and add it to the cacert.pem file you will still encounter the following error message.
Here are the steps to generate a new self-signed certificate with the "Common Name" matching the Server Address.
The process is different between FlashArray and FlashBlade as FlashArray offers the option of generating a new self-signed certificate from the GUI but FlashBlade is yet to implement this functionality.
FlashArray
1. Select Create Self-Signed Certificate option from the SSL Certificate frame within the Settings=>System tab of the FlashArray GUI.
2. Enter all the fields that are blank and make sure the Common Name field matches the management IP address or FQDN of the array.
The entry you are providing against Common Name should resolve to the Array either through DNS or the hosts file on the Splunk server.
3. After providing all the details, click Create and select Yes to override the current certificate.
4. After five seconds, the FlashArray GUI is reloaded prompting you with the warning message about the certificate. Accept it to establish a new secured connection.
5. Export the certificate that was just created from the SSL Certificate frame under the Settings=>System tab.
6. Copy the certificate or download the certificate.
7. Open the $SPLUNK_HOME/etc/apps/TA-purestorage-unified/bin/ta_purestorage_unified/aob_py3/certifi/cacert.pemfile in an editor and paste the certificate at the end of the file.
Alternatively, if you have downloaded the certificate, you can concatenate the certificate file to the cacert.pem file. Make sure the certificate file is transferred to the Splunk instance where the PureStorage Unified Add-on is installed.
[root@vsplunk-app certifi]# ls cacert.pem core.py __init__.py __main__.py __pycache__ [root@vsplunk-app certifi]# cat /tmp/fa_pure.crt >> cacert.pem
FlashBlade
1. Generate a new self-signed certificate from a Unix host using the openssl command.
# openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out selfsigned-cert.pem -days 3650 # openssl rsa -in private_key.pem -out private_key_nocrypt.pem
Provide the details when prompted and ensure the Common Name matches the FQDN or the management IP address of the FlashBlade.
[root@vsplunk-app ~]# openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out selfsigned-cert.pem -days 3650 Generating a 4096 bit RSA private key ......................................................................................................................................++ .....................++ writing new private key to 'private_key.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) []:CA Locality Name (eg, city) [Default City]:Mountain View Organization Name (eg, company) [Default Company Ltd]:Pure Storage Organizational Unit Name (eg, section) []:Pure Storage Common Name (eg, your name or your server's hostname) []:10.21.124.114 Email Address []:support@puretec.purestorage.com [root@vsplunk-app ~]# [root@vsplunk-app ~]# openssl rsa -in private_key.pem -out private_key_nocrypt.pem Enter pass phrase for private_key.pem: writing RSA key [root@vsplunk-app ~]#
Transfer the selfsigned-cert.pem and private_key_nocrypt.pem file to your laptop/server where you are accessing the FlashBlade GUI.
2. Import this new certificate along with the private key to the FlashBlade by choosing Import Certificate option under SSL Certificate under Settings=>System tab (Purity//FB <= 3.1.x) or Certificates under Settings=>Certificates=>Array Certificates (Purity//FB >= 3.2.x).
Purity//FB <= 3.1.x
Purity//FB >= 3.2.x
3. Provide the certificate files that were generated from step 1. Select the file selfsigned-cert.pem for Certificate field and private_key_nocrypt.pem for the Private Key field and click Import.
4. Refresh the FlashBlade GUI due to the change in the certificate. The SSL Certificate frame should show the certificate details.
5. Export the certificate that was just created from the SSL Certificate frame under the Settings=>System tab (for Purity//FB <= 3.1.x) or Certificates under Settings=>Certificates=>Array Certificates (Purity//FB >= 3.2.x).
6. Copy the certificate or download the certificate.
7. Open the $SPLUNK_HOME/etc/apps/TA-purestorage-unified/bin/ta_purestorage_unified/aob_py3/certifi/cacert.pemfile in an editor and paste the certificate at the end of the file.
Alternatively, if you have downloaded the certificate, you can concatenate the certificate file to the cacert.pem file. Make sure the certificate file is transferred to the Splunk instance where the Pure Storage Unified Add-on is installed.
[root@vsplunk-app certifi]# cat /tmp/fb_pure.crt >> cacert.pem
Workaround
Using the commercial certificate or self-signed certificate as described above are the suggested approaches to have a secured connection between the array and the Splunk instance. But in exceptional cases, if you would like to disable the SSL verification and do not go through generating self-signed certificates and updating the cacert.pem file, you can use the following workaround.
Please use the workaround at your own discretion as you have to edit a python script in the backend to disable the SSL verification. This is not Pure or Splunk's suggested approach. Never use this workaround in the production environment.
1. Navigate to the path $SPLUNK_HOME/etc/apps/TA-purestorage-unified/bin directory on the Splunk instance where the Add-on is installed.
2. Edit the file purestorage_unified_utils.py file and look for the following code immediately under the import statements.
VERIFY_SSL = True
3. Change the value from True to False to disable the SSL verification.
VERIFY_SSL = False # Change to False to disable SSL verification