How To
Summary
This document describes how to install the various SSL certificates supported on the BMC of the 7063-CR2 HMC.
Objective
Educate the user on the types of SSL certificates available on the BMC of the 7063-CR2 HMC, and how to configure, install, and manage them.
Environment
7063-CR2 HMC
Steps
The Baseboard Management Controller (BMC) on the 7063-CR2 HMC supports one instance of each of three types of SSL certificates:
- HTTPS Certificate (for browser sessions)
- LDAP Certificate (for communication with the LDAP server)
- CA Certificate (the root CA used in combination with the LDAP certificate to communicate with the LDAP server)
For either the HTTPS or the LDAP certificate, a Certificate Signing Request (CSR) must first be generated.
Generating the CSR:
NOTE: If the CSR will specify alternate names, or if there is a problem with the CSR generated by this UI task, use the Alternate Method of Generating the CSR in the "Additional Information" section instead.
1) Start by accessing the BMC web UI through a browser (Ex. https://<bmc IP or hostname>)
2) Log in to the BMC with a user with administrator privilege
3) Click Access Control
4) Click SSL certificates
5) Click Generate CSR to open the Certificate Signing Request form
6) In the GENERAL section, under CERTIFICATE TYPE, select either HTTPS Certificate or LDAP Certificate
7) Continue filling out the form. At a minimum, all the required fields, marked with an asterisk, must be filled.
8) In the PRIVATE KEY section, under KEY PAIR ALGORITHM, select an algorithm
For EC, select a KEY CURVE ID
For RSA, select a KEY BIT LENGTH
9) Click Generate CSR
10) The CSR is displayed. Click Copy or Download. The download produces a csrCode.txt file.
11) Provide the CSR to the certificate signing authority, who will, in turn, provide you with the SSL certificate file
Adding a certificate:
1) Start by accessing the BMC web UI through a browser (Ex. https://<bmc IP or hostname>)
2) Log into the BMC with a user with administrator privilege
3) Click Access Control
4) Click SSL certificates
5) Click Add new certificate
6) Under CERTIFICATE TYPE, select LDAP Certificate or CA Certificate depending on which one is to be added
NOTE: It is not possible to "Add a new certificate" for HTTPS because a default HTTPS certificate issued by testhost is automatically created by the BMC. Given that only one instance of each certificate is supported, this default certificate can only be replaced (see "Replacing a certificate").
7) Under CERTIFICATE FILE, click on Choose file
8) Locate the LDAP or CA certificate file and click Open
9) Click Save
Replacing a certificate:
1) Start by accessing the BMC web UI through a browser (Ex. https://<bmc IP or hostname>)
2) Log in to the BMC with a user with administrator privilege
3) Click Access Control
4) Click SSL certificates
5) Locate the currently installed certificate to be replaced (HTTPS, LDAP, or CA)
6) Click the file replacement icon on the right side of the row listing the certificate to open the file selection menu.
In this example image, we are replacing the HTTPS Certificate. The process is similar for other certificates.
7) Click Choose file and locate the replacement certificate
8) Click Open
9) Click Replace
Additional Information
Alternate Method of Generating the CSR
- ssh to the BMC and sign in as root
Example:
ssh root@<bmc ip>
- Locate the current BMC private key and use scp to transfer it to your workstation or a remote server where it can be retrieved. The BMC private key is in /etc/ssl/certs/https listed as privkey.pem
scp /etc/ssl/certs/https/privkey.pem youruser@x.x.x.x:yourbmc-key.pem
where:
youruser - is the username on the remote server
x.x.x.x - is the IP of the remote server
NOTE: If the server's private key (privkey.pem) is not found in /etc/ssl/certs/https/ then follow the steps to generate it.
In addition to a private key, these steps generate a CSR file. Complete the steps and discard the CSR file generated.
a) Start by accessing the BMC web UI through a browser (Ex. https://<bmc IP or hostname>)
b) Log in to the BMC with a user with administrator privilege
c) Click Access Control
d) Click SSL certificates
e) Click Generate CSR to open the Certificate Signing Request form
f) In the GENERAL section, under CERTIFICATE TYPE, select either HTTPS Certificate or LDAP Certificate
g) Continue filling out the form. At a minimum, all the required fields, marked with an asterisk, must be filled.
h) In the PRIVATE KEY section, under KEY PAIR ALGORITHM, select an algorithm
For EC, select a KEY CURVE ID
For RSA, select a KEY BIT LENGTH
i) Click Generate CSR
j) The CSR is displayed. Click Copy or Download. The download produces a csrCode.txt file. Discard the file.
k) The private key file, /etc/ssl/certs/https/privkey.pem should now be available in the BMC
NOTE: If there are problems with the private key file (privkey.pem), for example, if you are told you cannot reuse a previously used key, then instead of using the privkey.pem file on the BMC, generate your own key using openssl, as follows:
openssl genrsa -out privkey.pem 2048
- Create a configuration file (text file called yourbmc.cfg). At a minimum, customize all the site-specific fields (shown in red in the original document).
Example yourbmc.cfg file:
------------------------------------------------
[ CA_default ]
default_md = sha256
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = BMC1
DNS.2 = BMC1.ad.companyname.com
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = London
localityName = London
0.organizationName = companyname Corporation
organizationalUnitName = IT Services
commonName = BMC1.ad.companyname.com
emailAddress = IT.Helpdesk@companyname.com
------------------------------------------------
- Create a CSR using the BMC private key and the openssl command, and pass in the config file (yourbmc.cfg).
You can run the openssl command on any OS that supports it, for example, the remote server where the private key was copied.
C:\OpenSSL\bin>openssl.exe req -out yourbmc.csr -key privkey.pem -new -config yourbmc.cfg
or
openssl req -new -key privkey.pem -out yourbmc.csr -config yourbmc.cfg
- Provide the CSR (yourbmc.csr) to the certificate signing authority (CA), who will, in turn, provide you with the SSL certificate file.
NOTE: The certificate received should be in .pem format. If received in another format, convert it to .pem using openssl.
Example: Converting from DER to PEM format:
openssl x509 -inform der -in yourbmccert.der -out yourbmccert.pem
- Continue with the steps under "Adding a certificate" to add the received SSL certificate to the BMC.
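A worked version of the alternate CSR procedure above, as an added example that is not from the IBM document: it writes a SAN config (with default_md under [ req ], the section that "openssl req" reads), generates a key and CSR with the same openssl commands, and then checks the CSR before it is sent to the CA. It assumes openssl is on the PATH and reuses the document's sample names (BMC1, companyname.com); the scratch directory and the function names are this example's own.

```shell
set -eu
# Scratch directory for the constructed files; nothing here touches a real BMC.
WORK="${TMPDIR:-/tmp}/bmc-csr-demo"
mkdir -p "$WORK"
# Request config modelled on the document's yourbmc.cfg. default_md sits under
# [ req ] because that is the section "openssl req" reads; the SAN entries are
# what the BMC web UI form cannot supply.
write_cfg() {
  cat > "$WORK/yourbmc.cfg" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = BMC1
DNS.2 = BMC1.ad.companyname.com
[ req_distinguished_name ]
countryName = GB
0.organizationName = companyname Corporation
commonName = BMC1.ad.companyname.com
EOF
}

# Fresh key (the document's fallback when privkey.pem cannot be reused), then the CSR.
make_csr() {
  write_cfg
  openssl genrsa -out "$WORK/privkey.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/privkey.pem" -out "$WORK/yourbmc.csr" -config "$WORK/yourbmc.cfg"
}

# Check 1: both SAN entries were actually embedded in the request.
csr_has_sans() {
  openssl req -in "$WORK/yourbmc.csr" -noout -text | grep -q 'DNS:BMC1, DNS:BMC1.ad.companyname.com'
}

# Check 2: the CSR's public key belongs to the private key that stays on the
# BMC; a certificate issued from a mismatched CSR cannot be used with that key.
csr_matches_key() {
  [ "$(openssl req -in "$WORK/yourbmc.csr" -noout -pubkey)" = "$(openssl pkey -in "$WORK/privkey.pem" -pubout)" ]
}
make_csr && csr_has_sans && csr_matches_key && echo "CSR ready: $WORK/yourbmc.csr"
```

The same public-key comparison, with "openssl x509 -in yourbmccert.pem -noout -pubkey" in place of the req command, confirms that the certificate returned by the CA matches privkey.pem before it is installed on the BMC.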
Certificate Chains Support
The BMC does not support certificate chains.
As an alternative, check with your security team whether importing the intermediate and root certificates that form the chain into the browser's certificate store on the endpoint is allowed.
Document Location
Worldwide
Document Information
Modified date:
21 November 2024
UID
ibm16489627