- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
Request and Install Customer-Supplied Certificates for Control Station
About this task
Steps
-
Create a new 2048-bit encrypted key.
/usr/bin/openssl genrsa -out /nas/http/conf/ssl.key/ssl_2048_key 2048
-
Ensure the key file is owned by user root and has permissions set to 600 (-rw-------):
chown root:root <filename>chmod 600 <filename>
-
Update the symbolic link of the current key to the new key:
rm -f /nas/http/conf/current.keyln -s /nas/http/conf/ssl.key/ssl_2048_key /nas/http/conf/current.key
-
Set the environment variables:
export IP_ADDR=`/bin/hostname -i`export HOSTNAME_SHORT=`/bin/hostname -s`export HOSTNAME_LONG=`/bin/hostname -f`
-
Create a certificate request using the new 2048-bit encrypted key and the environment variables:
/usr/bin/openssl req -new -key /nas/http/conf/current.key -config/nas/http/conf/celerrassl.cnf -out /home/nasadmin/cert_requestOutput (based on running cat command on file):
-----BEGIN CERTIFICATE REQUEST----- MIICzTCCAbUCAQAwgYcxKjAoBgNVBAoTIVZOWCBDb250cm9sIFN0YXRpb24gQWRt aW5pc3RyYXRvcjEXMBUGA1UEAxMOMTAuMTA4LjEyNS4xMDgxFzAVBgNVBAMTDmZp bGVzaW04MTYyY3MwMScwJQYDVQQDEx5maWxlc2ltODE2MmNzMC5kcm0ubGFiLmVt Yy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJSXomphOnn8cg PxL/YHUzWF8IDyp8Teee3zdvYa5sScsp76eO9oxKKb6/B+ihYSgctSApF2d5ciO+ P3Oe0HtU+YrVcjxbMT9I004PSDFJBum7Fhw/byvbrBVxNjOmjAt+8Wbdbi/3gIOv bSUG1j/x8UuBwMuy/C6K8Ojiz3OoatQkgn6qmqLN8S4CL/SD2eqD0sikvaubvVSX gA85V4fH95ZpshptKRx4e+0hLkIOdDVnn69u/Jdz2lFZ8XPp4CTv66FP/GOzWowB iPBLxNfs6PLWNhR4u/X1K2Wtb+cTVmjUGsJEPel2flzf3GmQtGChHAU1f5+mR08Q jRX0ACnFAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAl7IMNtFCLRaWbLv5mdkI 6/mkHkwutkZJlMDgw4p1I86uJOZH6OHQsZRRM6ZfF42e+4cdz6qUmZKDmiHyiqPo Gh/DgYwIBNh3BVuPNdM/of4n4/ZZVcWmmQj84arjogfHnfeUV6uTWSWv82HvVEc6 tyk9vYQ/MaOgvJ5c75KCpD+nmxDskVL97BuaondVKfCUR/ZT6q2N5pmlmPV6k7Jw g457pbBcYjaOqR3O6l8Fk4E5DgDwBAIfOmsCetqPklc+Dz7Fc3BLMbjqVhsC7gbh 0a40Kn2sjEasenqpuoV7QNeawSTW4zCpFuD1H0i0vd+ZxyZy6z30ynMt5kLphMwb lA== -----END CERTIFICATE REQUEST-----
-
Submit the certificate text that is enclosed by
BEGIN CERTIFICATE REQUEST and
END CERTIFICATE REQUEST from the file
cert_request to your local Certificate Authority:
cat /home/nasadmin/cert_request
-
Upload or install the CA-signed certificate you received to the same location on both Control Stations, CS0 and CS1. For example,
/etc/httpd/conf:
[root@virgil conf]# ll /etc/httpd/conf/virgil*-rw-r--r-- 1 root root 1904 Dec 19 13:42 /etc/httpd/conf/virgil.cer-rw-r--r-- 1 root root 887 Dec 19 13:36 /etc/httpd/conf/virgil.keyThis must be a base-64 encoded, PEM certificate. Also, ensure the public certificate is owned by user root and has permissions set to 644 (-rw-r--r--):chown root:root <filename>chmod 644 <filename>
-
Configure the Apache configuration file under
/nas/http/conf/httpd.conf
Load the custom certificate by modifying SSLCertificateFile and SSLCertificateKeyFile in /nas/http/conf/httpd.conf. Make it point to the custom crt file and key file, such as /etc/httpd/conf/xxx.crt and xxx.key:[root@virgil conf]# grep ^SSLCe /nas/http/conf/httpd.confSSLCertificateFile /etc/httpd/conf/virgil.cerSSLCertificateFile /etc/httpd/conf/virgil.cer
-
For a system with two Control Stations, copy the files in step 8 from the primary to the secondary Control Station:
[root@virgil /]# cd /etc/httpd/conf[root@virgil conf]# scp virgil* emcnasotherIPMICS_i3:/etc/httpd/confEMC VNX Control Station Linux release 3.0 (NAS 7.0.50)root@emcnasotheripmics_i3's password:virgil.cer 100% 1904 1.9KB/s 00:00virgil.key 100% 887 0.9KB/s 00:00
-
On the secondary Control Station, mount the local NAS partition to a mount point and edit the httpd.conf file to specify the same SSLCertificateFile/SSLCertificateKeyFile pair as that on the primary:
[root@virgilcs1 /]# mount /dev/hda5 /mnt/source/[root@virgilcs1 /]# vi /mnt/source/http/conf/httpd.conf[root@virgilcs1 /]# grep ^SSLCe /mnt/source/http/conf/httpd.confSSLCertificateFile /etc/httpd/conf/virgil.cerSSLCertificateKeyFile /etc/httpd/conf/virgil.key[root@virgilcs1 conf]# ll /etc/httpd/conftotal 60-rw-r--r-- 1 root root 33726 Jul 26 2011 httpd.conf-rw-r--r-- 1 root root 12958 Jul 26 2011 magic-rw-r--r-- 1 root root 1904 Jan 9 19:20 virgil.cer-rw-r--r-- 1 root root 887 Jan 9 19:20 virgil.key[root@virgilcs1 /]# umount /mnt/source/
-
Restart Apache on the primary Control Station (find the Apache process ID and then kill that process). Refer to the following example:
cat /nas/http/logs/start_apache.pid3224kill -9 3224NOTE:In case of any problems related to the new certificate, run the following command to generate a new Control Station CA certificate to change back to a standard self-signed certificate: /nas/sbin/nas_ca_certificate –generateNOTE:These instructions are provided for VNX users who need to use self-supplied certificates. There are no anticipated problems other than the potential issues listed below:
- If the server and key files are not stored in the /nas/httpd/conf/ directory, they may not be available after a Control Station failover.
- The information used to identify the server and added to the certificate is solely the users' responsibility.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\