Create a CA-signed client certificate for SCMB

The following procedure describes how to generate a CA-signed client certificate that can be used to connect to the State Change Message Bus (SCMB).

Prerequisites
  • An environment with OpenSSL installed, or equivalent.

  • Access to a commercial or custom certificate authority (CA) for signing requests.

Procedure
  1. Create a new key pair for the client certificate.
    This command generates a new 3072-bit RSA private key in a file named cert.key:
    openssl genrsa -out cert.key 3072

    A 2048-bit key will also work for generating a key pair, but the resulting client certificate will not work when HPE OneView is in CNSA mode.

  2. Using the new key pair, create a Certificate Signing Request (CSR) for the client certificate.
    This command creates a CSR from values entered at interactive prompts:
    openssl req -new -key cert.key -out cert.csr

    The Common Name for this command must be set to "rabbitmq_readonly", since the SCMB server is configured to accept connections from this user. For the other prompts, provide appropriate inputs for your organization.

  3. Create a client certificate that will be used to connect to the SCMB server, using the signing method that corresponds to your relationship with the CA.
    1. If the CA is provided by a commercial entity or other organization, follow the instructions provided by the CA for signing a client certificate.
    2. If direct access to a CA root certificate and key is available, create a configuration file (openssl.cnf) with the necessary options for an operational client certificate.
      For example:
      [ client ]
      basicConstraints = CA:FALSE
      keyUsage = digitalSignature, keyEncipherment, dataEncipherment
      extendedKeyUsage = clientAuth, msSmartcardLogin
      nsCertType = client
      subjectAltName = @alt_names
      
      [ alt_names ]
      email = .

      The basicConstraints, extendedKeyUsage:clientAuth, and nsCertType fields are all required to specify a client certificate. An OpenSSL expert can apply other settings, according to organizational requirements and an understanding of the effects. Please refer to the OpenSSL documentation for more information.

    3. Use the resulting configuration file to sign the CSR and generate a client certificate.
      For example:
      openssl x509 -req -CA ca.pem -CAkey ca.key -in cert.csr -out cert.pem \
        -days 365 -set_serial 1 -extfile openssl.cnf -extensions client
  4. Ensure the CA root certificate, as well as any intermediate CA used to sign the SCMB client certificate, is trusted by the appliance. The SCMB server on the appliance will accept a client certificate only if it trusts the CA that signed the certificate. If this trust is not already established, do so now.
    NOTE: The intermediate CA certificates that signed the client certificate should be added to the client program and not to the appliance.

    1. Go to Security Settings > Manage Certificate Authority Certificates and add the CA to the appliance.

      Any active connections to the SCMB server will break and need to be reestablished as a result.

  5. Using a client program of your choice, connect to the SCMB server on the appliance. A successful connection requires the key pair created in Step 1, the client certificate created in Step 3, and a CA certificate file containing the root certificate for the CA that signed the SCMB server certificate and any intermediate CA certificates used in signing the client certificate.
  6. If you are still unable to connect to the SCMB server, follow these troubleshooting steps.
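As an added example, not part of the HPE documentation, the following POSIX shell script runs Steps 1 through 3 non-interactively against a throwaway CA, then performs the local checks a practitioner would want before adding anything to the appliance: the certificate chains to the CA, it passes OpenSSL's TLS client purpose check (which exercises the nsCertType and extendedKeyUsage fields the page marks as required), the subject carries CN=rabbitmq_readonly, the key is 3072 bits, and the private key actually matches the certificate. The local CA, the Organization value, the temporary working directory, and the function names make_scmb_client_cert and check_scmb_client_cert are constructed for this example; the [ client ] section keeps the page's required extensions and keyUsage line and omits the subjectAltName section and msSmartcardLogin.

```shell
#!/bin/sh
# Added example: generate and locally verify an SCMB client certificate.
# The CA here is a constructed stand-in for the organisation's real CA.
set -eu

# One config file serves three purposes: the CSR subject (so Step 2 needs
# no prompts), the throwaway CA's extensions, and the client extensions
# the page describes for Step 3.
write_openssl_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_dn

[ req_dn ]
CN = rabbitmq_readonly
O = Example Org

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
nsCertType = client
EOF
}

# Builds ca.pem/ca.key (constructed CA), then cert.key, cert.csr and cert.pem
# in the given directory, following Steps 1 to 3 of the procedure.
make_scmb_client_cert() {
    dir=$1
    write_openssl_cnf "$dir"
    # Constructed local CA standing in for a commercial or organisational CA.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.pem" -days 30 -subj "/CN=Constructed Test CA" \
        -config "$dir/openssl.cnf" -extensions v3_ca >/dev/null 2>&1
    # Step 1: 3072-bit RSA key (2048 bits is rejected in CNSA mode).
    openssl genrsa -out "$dir/cert.key" 3072 >/dev/null 2>&1
    # Step 2: CSR whose CN is rabbitmq_readonly, taken from [req_dn].
    openssl req -new -key "$dir/cert.key" -out "$dir/cert.csr" \
        -config "$dir/openssl.cnf"
    # Step 3: sign the CSR with the CA, applying the [client] extensions.
    openssl x509 -req -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -in "$dir/cert.csr" \
        -out "$dir/cert.pem" -days 365 -set_serial 1 \
        -extfile "$dir/openssl.cnf" -extensions client >/dev/null 2>&1
}

# Returns 0 only if cert.pem would be accepted as an SCMB client certificate
# by a server that trusts ca.pem: valid chain, TLS-client purpose, expected
# CN, 3072-bit key, and a private key that matches the certificate.
check_scmb_client_cert() {
    dir=$1
    openssl verify -purpose sslclient -CAfile "$dir/ca.pem" "$dir/cert.pem" \
        >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$dir/cert.pem" -noout -text)
    printf '%s\n' "$text" | grep -q 'CN *= *rabbitmq_readonly' || return 1
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$text" | grep -q 'SSL Client' || return 1
    printf '%s\n' "$text" | grep -q '3072 bit' || return 1
    # A cert/key mismatch is a common reason a client connection fails.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/cert.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

workdir=$(mktemp -d)
make_scmb_client_cert "$workdir"
if check_scmb_client_cert "$workdir"; then
    echo "client certificate OK: $workdir/cert.pem"
else
    echo "client certificate FAILED local checks" >&2
    exit 1
fi
```

In production the CA lines are replaced by the organisation's signing process, but check_scmb_client_cert is still worth running on the returned cert.pem with the real CA bundle, since the same three files (cert.key, cert.pem, and the CA file) are exactly what the client program needs in Step 5.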