- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
Customer-Supplied Certificates for Control Station
To satisfy more stringent requirements, VNX users are allowed to install and configure their own X.509 certificate on the Control Station for HTTPS communication.
The form and content of customer-supplied X.509 certificates are up to the users. The certificate should be PEM-encoded and should not have an associated password. Otherwise, the Apache web server will not be able to start unattended which will interfere with failover and restart operations.
NOTE:See
Request and Install Customer-Supplied Certificates for Control Station for an example of how to request and install a customer-supplied certificate.
The customer-supplied private key should be copied to the directory /nas/http/conf/ssl.key and the certificate should be copied to /nas/http/conf/ssl.crt to avoid potential data loss after failover. When the new private key and certificate are in place, make sure the current key and certificate in the directory /nas/http/conf are updated to point to the newly installed private key and certificate, respectively.
NOTE:The private key must be owned by user root and have permissions set to 600 (-rw-------). The public certificate also needs to be owned by user root, but have permissions set to 644 (-rw-r--r--).
You must restart Apache after renewing the certificate and the private key to take the changes into effect. Refer to the last step in the Request and Install Customer-Supplied Certificates for Control Station example for instructions.
NOTE:You can verify the new server certificate by viewing the characteristics of the HTTPS connection after pointing the supported web browser to the Control Station.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\