- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
Import a CA-signed certificate
About this task
You can import a signed certificate when the next signed certificate associated with the persona is available for download. As soon as the certificate is imported, it becomes the current certificate (assuming that the date is valid).
NOTE: This task is not required if you are using the Control Station to sign the certificate. The Control Station automatically returns the signed certificate to the Data Mover.
Steps
- Obtain the signed certificate (for example, cert.pem) from the CA.
-
Query all Data Movers to determine which personas are waiting for a signed certificate:
$ server_certificate ALL -persona -list
Output:
server_2 : id=1 name=default next state=Request Pending request subject = CN=name;CN=1.2.3.4 server_3 : id=1 name=default next state=Request Pending request subject = CN=test;CN=5.6.7.8
- To determine to which persona to import the certificate, match the certificate’s subject with the value of the Request Subject field for those personas whose Next State is Request Pending.
-
Import the signed certificate to the waiting persona by using this command syntax:
$ server_certificate <movername> -persona -import {<persona_name>|id=<persona_id>}
where:
<movername> = name of the physical Data Mover with which the persona is associated.
<persona_name> = name of the persona.
<persona_id> = ID of the persona. The ID is generated when the persona is created.
NOTE: The signed certificate can be in either DER or PEM format. You can only paste text in PEM format at the command prompt. If you specify -filename and provide a path, you can import a CA-signed certificate in either DER or PEM format.Example:
To import the signed certificate, type:
$ server_certificate server_2 -persona -import default
Output:
server_2 : Please paste certificate data. Enter a carriage return and on the new line type ‘end of file’ or ‘eof’ followed by another carriage return.
NOTE: After the certificate text is pasted correctly, the system prompt is displayed. -
Verify that the certificate has been imported successfully by using this command syntax:
$ server_certificate<movername>-persona -info{-all| <persona_name>| id=<persona_id>}
where:
<movername> = name of the physical Data Mover with which the persona is associated.
<persona_name> = name of the persona.
<persona_id> = ID of the persona. The ID is generated when the persona is created.
Example:
To verify that the certificate for the default persona has been imported successfully, type:
$ server_certificate server_2 -persona -info default
Output:
server_2 id=1 name=default next state=Not Available Current Certificate: id = 1 subject = CN=name;CN=1.2.3.4 issuer = O=Celerra Certificate Authority;CN=eng173100 start date = 20070606183824Z end date = 20070706183824Z serial number = 05 signature alg. = sha1WithRSAEncryption public key alg. = rsaEncryption public key size = 4096 version = 3
NOTE: Typically, after a certificate is imported, it immediately becomes the current key set and certificate, and the Next State field is shown as Not Available. If the imported certificate is not valid (for example, its time stamp is several minutes or more ahead of the Data Mover), the imported key set and certificate remain the next key set and certificate, and the Next State field is shown as Available until such time as the key set and certificate become valid.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\