Personas are used to provide an identity for a Data
Mover when it is acting as a server or a client. When negotiating a secure
connection with a client (such as the external policy and migration software
used with FileMover), the persona provides a private key and certificate to the
Data Mover (which is acting as a server). This certificate provides the means
by which the client can identify and authenticate the server. When negotiating
a secure connection with a server that is configured to require client
authentication, the persona provides the private key and certificate to the
Data Mover (which is acting as a client). The certificate provides the means by
which the server can identify and authenticate the client.
By default, each Data Mover is configured with a
single persona named default. To create the certificate that the persona
provides to the Data Mover, you first generate the persona’s public/private key
set. You must then request a signed certificate from a CA. Certificate requests
are generated in Privacy Enhanced Mail (PEM) format only.
NOTE: Currently, each Data Mover is allowed only one
persona. VNX for file does not support a mechanism to create additional
personas.
If you are using the Control Station as the CA, the
Control Station automatically receives the certificate request, generates and
signs the certificate, and returns the certificate to the Data Mover. The
Control Station can sign certificates for all the Data Movers in the cabinet.
It cannot be used to sign certificates for any external hosts.
If you are using an external CA, you must send the
certificate request manually. The request to sign the public key is generated
with the public/private key set. Display the persona’s properties to verify its
content. Obtain a copy of the certificate request and then send the request to
the CA through that company’s website or email.
When the CA returns a signed certificate, you must
import it to the Data Mover. To import the signed certificate, you can either
provide a path and import a file, or cut and paste the associated text. A file
can be in either Distinguished Encoding Rules (DER) or PEM format. You can cut
and paste text only in PEM format.
Each persona can be associated with up to two sets of
keys and certificates (current and next), to allow generating new keys and
certificates before the expiration of the current certificate. When the next
certificate (which is already valid) is imported, it and its associated key set
immediately become the current key set and certificate.
Because the next certificate is typically generated
when it is needed, you typically do not see a next certificate associated with
a persona. However, a next certificate may be waiting if there is a time
difference between the Data Mover and the CA (or the Control Station if it is
serving as the CA). For example, a CA might prepare a certificate in advance by
assigning it a future start date. Merging companies could set up such a
certificate to have it in place for the official merge date.
The next certificate becomes the current certificate
(and the current key and certificate are deleted) when the certificate becomes
valid (per Data Mover time), and one of the following happens:
- The persona is queried (by either the CLI or Unisphere).
- The persona's key and certificate are requested by a Data Mover function (such as SSL).
After a certificate expires, any attempt to use the
certificate results in a failure, typically a loss of connection or a failure
to reconnect. When a new certificate is available, PKI deletes the old
certificate and provides the new certificate when requested. However, if you
did not obtain a new certificate before the current certificate expires, the
certificate request will fail. PKI will not provide an expired certificate for
a persona.
There is no automated way to check for expired public
key certificates. You must check for expired certificates manually by listing
the personas and examining the expiration dates of the associated certificates.
You can then take action based on your organization’s business practices.
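To make the current/next rollover rules and the manual expiry check described above concrete, here is an added Python model; it is constructed for this page and is not VNX or Unisphere code, and the persona names, timestamps and slot labels it uses are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass
class KeySet:
    """A key pair and its certificate occupying one persona slot (constructed model)."""
    label: str
    not_before: datetime
    not_after: datetime

class Persona:
    """Current/next slots of a Data Mover persona, following the rules on this page."""

    def __init__(self, current: Optional[KeySet] = None):
        self.current = current
        self.next: Optional[KeySet] = None

    def import_certificate(self, cert: KeySet, now: datetime) -> None:
        """A signed certificate lands in 'next' and is promoted at once if already valid."""
        self.next = cert
        self._promote_if_valid(now)

    def _promote_if_valid(self, now: datetime) -> None:
        # Promotion happens only when 'next' is valid per Data Mover time; a CA-assigned
        # future start date (or clock skew against the CA) keeps it waiting in 'next'.
        if self.next is not None and self.next.not_before <= now:
            self.current, self.next = self.next, None  # old key set and certificate are deleted

    def get_certificate(self, now: datetime) -> KeySet:
        """Path taken by a CLI/Unisphere query or a Data Mover function such as SSL."""
        self._promote_if_valid(now)
        if self.current is None or now > self.current.not_after:
            raise RuntimeError("PKI will not provide an expired certificate for a persona")
        return self.current

def expiring_within(personas: Dict[str, Persona], now: datetime, days: int) -> List[str]:
    """Manual check: personas whose current certificate expires in fewer than `days` days."""
    return sorted(name for name, p in personas.items()
                  if p.current is not None and (p.current.not_after - now).days < days)

def import_format(data: bytes) -> str:
    """Classify certificate data to import: PEM may be pasted, DER only read from a file."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "PEM"
    if data[:1] == b"\x30":  # a DER-encoded Certificate begins with an ASN.1 SEQUENCE tag
        return "DER"
    raise ValueError("not a DER or PEM certificate")

def ts(day: str) -> datetime:
    """Helper: ISO date string to a UTC datetime standing in for Data Mover time."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
```

Running the persona through a query before and after the next certificate's start date shows the waiting 'next' slot, the promotion that deletes the old key set, and the failure once the certificate has expired.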