About this task
By default, the Control Station uses a 1024-bit RSA key for its HTTPS certificate. A 2048-bit key is used where a higher security level is required. The following example shows how to request and install a CA-signed custom certificate with a 2048-bit key on a VNX system with two Control Stations. Run all of the following commands as user root.
-
Create a new 2048-bit RSA key. The genrsa command below writes the key without a passphrase (no -des3/-aes option), which is what Apache needs in order to start unattended:
/usr/bin/openssl genrsa -out /nas/http/conf/ssl.key/ssl_2048_key 2048
-
Ensure the key file is owned by user root and has permissions set to 600 (-rw-------), so that only root can read the private key:
chown root:root /nas/http/conf/ssl.key/ssl_2048_key
chmod 600 /nas/http/conf/ssl.key/ssl_2048_key
-
Update the symbolic link of the current key to the new key:
rm -f /nas/http/conf/current.key
ln -s /nas/http/conf/ssl.key/ssl_2048_key /nas/http/conf/current.key
-
Set the environment variables that the request configuration file (/nas/http/conf/celerrassl.cnf) reads to fill in the server identity of the certificate request:
export IP_ADDR=`/bin/hostname -i`
export HOSTNAME_SHORT=`/bin/hostname -s`
export HOSTNAME_LONG=`/bin/hostname -f`
-
Create a certificate request (CSR) using the new 2048-bit key (through the current.key symbolic link) and the environment variables set above:
/usr/bin/openssl req -new -key /nas/http/conf/current.key -config /nas/http/conf/celerrassl.cnf -out /home/nasadmin/cert_request
Output (contents of the file, as shown by cat):
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
-
Submit the certificate request text, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, from the file cert_request to your local Certificate Authority:
cat /home/nasadmin/cert_request
-
Upload or install the CA-signed certificate you received to the same location on both Control Stations, CS0 and CS1. For example, /etc/httpd/conf:
[root@virgil conf]# ll /etc/httpd/conf/virgil*
-rw-r--r-- 1 root root 1904 Dec 19 13:42 /etc/httpd/conf/virgil.cer
-rw-r--r-- 1 root root 887 Dec 19 13:36 /etc/httpd/conf/virgil.key
The certificate must be a base-64 encoded PEM file (it begins with a BEGIN CERTIFICATE line), and its public key must correspond to the private key generated in step 1; Apache will not start with a mismatched pair. Also ensure the public certificate is owned by user root and has permissions set to 644 (-rw-r--r--):
chown root:root /etc/httpd/conf/virgil.cer
chmod 644 /etc/httpd/conf/virgil.cer
-
Configure the Apache configuration file /nas/http/conf/httpd.conf.
Load the custom certificate by modifying the SSLCertificateFile and SSLCertificateKeyFile directives in /nas/http/conf/httpd.conf so that they point to the custom certificate file and key file, such as /etc/httpd/conf/xxx.crt and xxx.key:
[root@virgil conf]# grep ^SSLCe /nas/http/conf/httpd.conf
SSLCertificateFile /etc/httpd/conf/virgil.cer
SSLCertificateKeyFile /etc/httpd/conf/virgil.key
-
For a system with two Control Stations, copy the certificate and key files referenced in httpd.conf from the primary to the secondary Control Station:
[root@virgil /]# cd /etc/httpd/conf
[root@virgil conf]# scp virgil* emcnasotherIPMICS_i3:/etc/httpd/conf
EMC VNX Control Station Linux release 3.0 (NAS 7.0.50)
root@emcnasotheripmics_i3's password:
virgil.cer 100% 1904 1.9KB/s 00:00
virgil.key 100% 887 0.9KB/s 00:00
-
On the secondary Control Station, mount the local NAS partition on a mount point and edit the httpd.conf file there to specify the same SSLCertificateFile/SSLCertificateKeyFile pair as on the primary, then confirm that the copied files are present:
[root@virgilcs1 /]# mount /dev/hda5 /mnt/source/
[root@virgilcs1 /]# vi /mnt/source/http/conf/httpd.conf
[root@virgilcs1 /]# grep ^SSLCe /mnt/source/http/conf/httpd.conf
SSLCertificateFile /etc/httpd/conf/virgil.cer
SSLCertificateKeyFile /etc/httpd/conf/virgil.key
[root@virgilcs1 conf]# ll /etc/httpd/conf
total 60
-rw-r--r-- 1 root root 33726 Jul 26 2011 httpd.conf
-rw-r--r-- 1 root root 12958 Jul 26 2011 magic
-rw-r--r-- 1 root root 1904 Jan 9 19:20 virgil.cer
-rw-r--r-- 1 root root 887 Jan 9 19:20 virgil.key
[root@virgilcs1 /]# umount /mnt/source/
-
Restart Apache on the primary Control Station by killing the running Apache process, as in the following example. Afterwards, confirm that /nas/http/logs/start_apache.pid contains a new process ID and that a browser (or openssl s_client) connecting to the Control Station is presented with the new certificate:
cat /nas/http/logs/start_apache.pid
3224
kill -9 3224
Note that kill -9 (SIGKILL) gives Apache no opportunity to shut down cleanly; it is used here only because the Control Station does not offer a service restart command for this Apache instance.
NOTE: If there are any problems with the new certificate, run the following command to generate a new Control Station CA certificate and revert to the standard self-signed certificate:
/nas/sbin/nas_ca_certificate -generate
NOTE: These instructions are provided for VNX users who need to use self-supplied certificates. No problems are anticipated other than the potential issues listed below:
- If the certificate and key files are not stored in the /nas/http/conf/ directory, they may not be available after a Control Station failover. This is why the example above, which stores them under /etc/httpd/conf, copies them to the secondary Control Station as well.
- The information that identifies the server in the certificate (the subject and any alternative names taken from celerrassl.cnf and the exported hostname variables) is solely the user's responsibility.
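The following is an added example that is not part of the VNX procedure above: it carries the key, CSR and certificate steps through end to end on any host with the openssl command-line tool, and adds the checks a practitioner would run before pointing httpd.conf at the new files and after the Apache restart. Everything under WORKDIR is a scratch location, req.cnf is a constructed stand-in for /nas/http/conf/celerrassl.cnf (the real file on the Control Station may differ), the default host name and IP address are constructed, and sign_with_test_ca self-signs the request in place of the local Certificate Authority so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the VNX page): 2048-bit key, CSR and certificate
# checks. Assumptions: WORKDIR is scratch space; req.cnf below is a constructed
# stand-in for celerrassl.cnf; sign_with_test_ca stands in for the local CA.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed defaults so the script runs offline. On a Control Station these
# come from `hostname -i`, `hostname -s` and `hostname -f` as in the procedure.
: "${IP_ADDR:=192.0.2.10}"
: "${HOSTNAME_SHORT:=virgil}"
: "${HOSTNAME_LONG:=virgil.example.com}"
export IP_ADDR HOSTNAME_SHORT HOSTNAME_LONG

# Stand-in request config: subject and SAN are filled from the exported
# variables, which is why the procedure exports them before `openssl req`.
write_req_config() {
    cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no

[ dn ]
CN = ${ENV::HOSTNAME_LONG}

[ ext ]
subjectAltName = DNS:${ENV::HOSTNAME_LONG},DNS:${ENV::HOSTNAME_SHORT},IP:${ENV::IP_ADDR}
EOF
}

# Generate the 2048-bit RSA key without a passphrase and lock it to 0600.
gen_key() {  # $1 = key path
    openssl genrsa -out "$1" 2048 2>/dev/null
    chmod 600 "$1"
}

# Print the modulus size of a private key (e.g. 2048) to confirm the new key
# really is 2048-bit and not the 1024-bit default.
key_bits() {  # $1 = key path
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Print the permission string of a file, e.g. -rw-------.
file_mode() {  # $1 = path
    ls -l "$1" | cut -c1-10
}

# Build the CSR from the key and the stand-in config.
make_csr() {  # $1 = key path, $2 = CSR output path
    write_req_config
    openssl req -new -key "$1" -config "$WORKDIR/req.cnf" -out "$2" 2>/dev/null
}

# Print the key size recorded in a CSR (e.g. 2048).
csr_bits() {  # $1 = CSR path
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Public-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Count SAN entries in a CSR for a given IP address (1 when present).
csr_has_ip() {  # $1 = CSR path, $2 = IP address
    openssl req -in "$1" -noout -text 2>/dev/null | grep -c "IP Address:$2" || true
}

# Stand-in for the local CA so the example runs end to end offline: self-signs
# the CSR with its own key. On a real system the CA returns this file.
sign_with_test_ca() {  # $1 = CSR path, $2 = key path, $3 = certificate output path
    openssl x509 -req -in "$1" -signkey "$2" -days 365 -out "$3" 2>/dev/null
}

# Checks for the CA-signed certificate before editing httpd.conf: it must be
# PEM, and its public key must match the private key or Apache will not start.
is_pem_cert() {  # $1 = certificate path
    grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}
cert_matches_key() {  # $1 = certificate path, $2 = key path
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# Post-restart check: the certificate served on the HTTPS port must be the one
# named in httpd.conf. Compare these two outputs. Needs network access, so it is
# not exercised in the offline run.
served_cert_fingerprint() {  # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}
cert_fingerprint() {  # $1 = certificate path
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# End-to-end run over the scratch directory; returns 0 when the pair is usable.
run_example() {
    gen_key "$WORKDIR/ssl_2048_key"
    make_csr "$WORKDIR/ssl_2048_key" "$WORKDIR/cert_request"
    sign_with_test_ca "$WORKDIR/cert_request" "$WORKDIR/ssl_2048_key" "$WORKDIR/virgil.cer"
    chmod 644 "$WORKDIR/virgil.cer"
    is_pem_cert "$WORKDIR/virgil.cer" && cert_matches_key "$WORKDIR/virgil.cer" "$WORKDIR/ssl_2048_key"
}

# Stand-alone use: `sh this.sh run` performs the whole flow in $WORKDIR.
if [ "${1:-}" = "run" ]; then run_example && echo "checks passed in $WORKDIR"; fi
```

On a Control Station the same checks apply to the real files: key_bits on /nas/http/conf/current.key should print 2048, cert_matches_key should succeed for the certificate and key named in httpd.conf, and after the Apache process has been killed and restarted, served_cert_fingerprint against the Control Station's HTTPS port should equal cert_fingerprint of the installed certificate.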