- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
Adding or changing a Storage Processor SSL certificate using openssl
Prerequisites
A system with openssl installed is required (easier on Linux including VNX control stations, which have openssl pre-installed, but can also be installed on any system including Windows).
Steps
-
If this is new setup, create a private key. (Optional to set a passphrase for the key. If set, it is important to remember at later steps. In this example, emcemc is the passphrase used with server.key, specified in passin option.)
Issue a command using the following syntax,
openssl genrsa -des3 -out <server.key> 2048
-
To request a CSR (C=Country, ST=State, L=Location, O=Orginaisation, CN=CommonName - all are optional except the CN which must match the SP IP):
Issue a command using the following syntax,
openssl req -new -sha1 -key <server.key> -out <request.csr> -days <1825-5 years> -passin pass:emcemc -subj '/C=US/ST=Florida/L=Sarasota/O=MyCust/CN=10.0.0.1/'
-
When using an external CA, do the following, otherwise go to Step 4:
- Get the contents from request.csr certified by a CA.
- Have a copy of the CA signed certificate and go to step 6.
-
When using a self-signed certificate, do the following, otherwise go to Step 5:
-
Issue a command using the following syntax, then go to step 6:
openssl x509 -in <request.csr> -out <signed_cert.crt> -req -signkey server.key -days 1825
-
Issue a command using the following syntax, then go to step 6:
-
When using a private key obtained from a CA and sign. (This is a rare situation since a CA's private key usually will not be shared.)
-
Issue a command using the following syntax, then go to step 6:
openssl ca -cert <ca.cert> -keyfile <caprivate.key> -in <request.csr> -out <signed_cert.crt>
-
Issue a command using the following syntax, then go to step 6:
-
Pack the signed certificate and private key generated at step 1 (passout is for passphrase for the saved pfx file) using the following syntax:
openssl pkcs12 -export -out <cert_with_key.pfx> -inkey server.key -in <signed_cert.crt> -passin pass:emcemc -passout pass:emcout
-
Import the PFX file on the Storage Processor using the following syntax:
# naviseccli -h <SP_IP> -user <admin_user> -scope 0 -password <admin_password> security -pkcs12upload -file <cert_with_key.pfx> -passphrase <emcout> -descert
If the above command reports any errors, corresponding action is required. Whole steps can be tried for SPB (and Control Station). For VNX Control Station, the certificate is stored in /nas/http/conf/ - the private key without password should be in ssl.key and ssl.crt is the signed certificate.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\