Workflow for externally signed security certificates
The system generates and signs self-signed certificates automatically when secure communication is enabled, and no user intervention is required. You can replace these certificates with an externally signed security certificate: a Certificate Authority (CA) uses the Certificate Signing Request (CSR) file to create the externally signed certificate.
About this task
This workflow describes how to replace the self-signed certificates with certificates signed by an external CA on each MDM.
Steps
Log in to the primary MDM with a security or administrator user role:
The file mdm-target_hostname.csr is created and saved to:
  Linux: /opt/emc/scaleio/mdm/cfg
  Windows: C:\Program Files\emc\scaleio\mdm\cfg
Send the generated CSR file to the CA for signing. The CA returns the following files:
  A certificate for each MDM.
  The trusted root certificate and its intermediate certificate from the CA.
On each MDM, from the CLI, add the root and intermediate certificates to the truststore using the --add_certificate command. Refer to the PowerFlex CLI Reference Guide for more information.
Run the following commands using Java's keytool to import all the certificates into the truststore of each of the following components. It is recommended to restart the machine after running the commands.
  Windows (64 bit): C:\Program Files\EMC\ScaleIO\Gateway\webapps\ROOT\WEBINF\classes\certificates\truststore.jks
  PowerFlex presentation server
  NOTE: Refer to "Update the certificate for the PowerFlex presentation server" for detailed steps on how to import the certificate from the MDM to the PowerFlex presentation server.
  Windows: C:\Users\[user_name]\AppData\Roaming\VMware\scaleio\certificates\truststore.jks or C:\Windows\System32\config\systemprofile\AppData\Roaming\VMware\scaleio\certificates
Trust is now established.
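The keytool import described above, as an added example that is not Dell's or PowerFlex's own code. It imports the CA's root and intermediate certificates into one of the truststore.jks files listed above and then confirms that the aliases are present. The function names (import_ca_cert, import_ca_chain, truststore_has_alias), the alias names ca-root and ca-intermediate, and the TRUSTSTORE_PASS variable are assumptions of this example; the truststore password is whatever is configured for that component and is not stated on this page.

```shell
#!/usr/bin/env bash
# Added example (not Dell/PowerFlex code): import a CA root and intermediate
# certificate into a Java truststore with keytool, as the step above describes
# for each component's truststore.jks.
# Assumptions (placeholders, not from the page): the truststore password is
# passed in TRUSTSTORE_PASS; alias names are chosen by the caller.

# import_ca_cert <truststore.jks> <alias> <cert.pem>
# Importing an alias that already exists makes keytool fail with
# "alias already exists", so an existing alias is removed first; this makes
# the function safe to re-run after the CA renews a certificate.
import_ca_cert() {
    local truststore="$1" alias="$2" certfile="$3"
    local pass="${TRUSTSTORE_PASS:?set TRUSTSTORE_PASS to the truststore password}"

    if keytool -list -keystore "$truststore" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
        keytool -delete -keystore "$truststore" -storepass "$pass" -alias "$alias" >/dev/null
    fi
    # -noprompt: a CA certificate is imported as trusted without the interactive
    # "Trust this certificate?" question; keytool creates the keystore if absent.
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$truststore" -storepass "$pass" \
        -alias "$alias" -file "$certfile" >/dev/null
}

# truststore_has_alias <truststore.jks> <alias>: exit 0 if the alias is present
truststore_has_alias() {
    keytool -list -keystore "$1" -storepass "${TRUSTSTORE_PASS:?}" -alias "$2" >/dev/null 2>&1
}

# import_ca_chain <truststore.jks> <root.pem> <intermediate.pem>
# Both certificates are needed: the MDM certificate chains through the
# intermediate, and clients must trust that link up to the root.
import_ca_chain() {
    import_ca_cert "$1" ca-root "$2" && import_ca_cert "$1" ca-intermediate "$3"
}

# Usage: TRUSTSTORE_PASS=... ./import_chain.sh <truststore.jks> <root.pem> <intermediate.pem>
if [ "$#" -eq 3 ]; then
    import_ca_chain "$1" "$2" "$3" \
        && truststore_has_alias "$1" ca-root \
        && truststore_has_alias "$1" ca-intermediate \
        && echo "CA chain imported into $1"
fi
```

Run it once per truststore path from the list above, then restart the component as the step recommends so that the JVM re-reads the truststore.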
Save the signed certificate for the MDM in /opt/emc/scaleio/mdm/cfg.
Rename the MDM certificate file to mdm_signed_certificate.pem.
From the MDM, remotely log in to the primary MDM with a security or administrator user role:
If the remote read-only feature is enabled on the MDM, add --skip_cli_command to the command, and later, while logged in with a user that has security permissions, run the command scli --replace_mdm_security_files.
NOTE: This step changes the MDM certificate and might cause a brief failure period (switch ownership).
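Because scli --replace_mdm_security_files causes a brief failure period, it is worth confirming before running it that the file saved as mdm_signed_certificate.pem is actually usable. The following pre-flight check is an added example and is not Dell's or PowerFlex's own code; it uses only openssl. It checks that the signed certificate carries the public key from the MDM's CSR (mdm-target_hostname.csr), that it chains to the root through the intermediate the CA returned (the same trust that --add_certificate establishes), and that it is not expired or about to expire. The function names mdm_cert_preflight and pubkey_fingerprint and the 30-day expiry window are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not Dell/PowerFlex code): pre-flight checks on the signed MDM
# certificate before it is installed as mdm_signed_certificate.pem and
# scli --replace_mdm_security_files is run. Uses only openssl.
# Assumption: the CSR is the one the MDM generated (mdm-<hostname>.csr) and the
# CA returned the signed certificate together with its root and intermediate.

# pubkey_fingerprint <req|x509> <file>
# SHA-256 of the PEM public key in a CSR (req) or certificate (x509); prints
# nothing and fails if the file cannot be parsed.
pubkey_fingerprint() {
    local pem
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# mdm_cert_preflight <mdm.csr> <signed_cert.pem> <root.pem> <intermediate.pem>
# Exit 0 only if every check passes; each failure is reported on stderr.
mdm_cert_preflight() {
    local csr="$1" cert="$2" root="$3" inter="$4" rc=0
    local csr_fp cert_fp

    # 1. The certificate must carry the public key from the MDM's CSR. A cert
    #    issued for some other key (a mixed-up file from a multi-MDM batch, for
    #    example) would break TLS once the security files are replaced.
    csr_fp=$(pubkey_fingerprint req "$csr")
    cert_fp=$(pubkey_fingerprint x509 "$cert")
    if [ -z "$csr_fp" ] || [ -z "$cert_fp" ] || [ "$csr_fp" != "$cert_fp" ]; then
        echo "FAIL: public key in $cert does not match CSR $csr" >&2; rc=1
    fi

    # 2. The chain must validate with the root as trust anchor and the
    #    intermediate as the untrusted link, exactly as peers will evaluate it.
    if ! openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $root via $inter" >&2; rc=1
    fi

    # 3. The certificate must be valid now and not expire within 30 days
    #    (2592000 seconds); -checkend exits non-zero if it will.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within 30 days" >&2; rc=1
    fi

    return "$rc"
}

# Usage: ./mdm_cert_preflight.sh mdm-<hostname>.csr mdm_signed_certificate.pem root.pem intermediate.pem
if [ "$#" -eq 4 ]; then
    mdm_cert_preflight "$@" && echo "OK: safe to install as mdm_signed_certificate.pem"
fi
```

Run it on each MDM against that MDM's own CSR before renaming the file, since each MDM has its own key pair and its own certificate from the CA.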