OceanStor 9000 V300R006C00 Security Maintenance 07

Replacing the Management Interface Service Certificate and Private Key of a Storage Cluster

Replacing the encryption certificate and private key helps keep the system operating securely. The encryption certificate and private key on each node must be replaced according to the procedure in this section.

Context

The management interface service certificate and private key of a storage cluster are used by the SMI-S provider to communicate with OceanStor 9000. For security purposes, users are advised to replace and regularly update the management interface service certificate and private key of a storage cluster.

You need to perform the following operations on each node to replace the encryption certificate and private key.

Procedure

  1. Back up the original certificate of each node.
    1. Start PuTTY and enter the management IP address to log in to the cluster as user omuser. The default password is Omuser@storage.
    2. Run the following command to log in to the node.

      ssh omuser@xxx.xxx.xxx.xxx

      xxx.xxx.xxx.xxx indicates the back-end IP address of a non-primary node.

      Enter and the omuser user password.

    3. Run the su - root command and enter the password of user root to switch to user root.
    4. Run the following commands to back up the certificate and private key.

      cd /opt/huawei/snas/etc

      cp sslcert.pem sslcert.pem_bak

      cp sslkey.pem sslkey.pem_bak

  2. Use FileZilla to upload the certificate and private key to the node where the management IP address resides.
    1. In Host, enter sftp://xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is the management IP address. In Username, enter omuser. In Password, enter the password. Keep the defaults for other settings. Then, click Quickconnect.
    2. In the navigation tree on the left, select the directory where the file you want to upload resides. In the navigation tree on the right, select the directory to which you want to upload the file (/home/omuser by default). Then, drag the file on the left to the directory on the right.

      The files must be named sslcert.pem and sslkey.pem and be in Privacy Enhanced Mail (PEM) format. Set a password for sslkey.pem.

      NOTE:
      The password must be 8 to 32 characters in length and contain at least two of the following types: lowercase letters, uppercase letters, digits, and special characters.

  3. Copy the certificate and private key to the /opt/huawei/snas/etc directory of other nodes.
    1. Start PuTTY and enter the management IP address to log in to the cluster as user omuser. The default password is Omuser@storage.
    2. Run the following commands to copy the certificate and private key.

      scp /home/omuser/sslcert.pem omuser@xxx.xxx.xxx.xxx:/home/omuser/

      scp /home/omuser/sslkey.pem omuser@xxx.xxx.xxx.xxx:/home/omuser/

      xxx.xxx.xxx.xxx indicates the back-end IP address of a non-primary node.

      Enter and the omuser user password.

    3. Run ssh omuser@xxx.xxx.xxx.xxx and enter the omuser user password to go to the node.
    4. Run su - root and enter the password of root to switch to the user root.
    5. Run the following commands to replace the encryption certificate and private key.

      cp /home/omuser/sslcert.pem /opt/huawei/snas/etc/sslcert.pem

      cp /home/omuser/sslkey.pem /opt/huawei/snas/etc/sslkey.pem

  4. Run the following commands to make the new certificate and private key take effect.
    1. Run the sh /opt/huawei/snas/script/updateCertificate.sh command.
    2. Enter the password for sslkey.pem as prompted.
  5. Perform steps 1 to 4 to replace the encryption certificate and private key on the other nodes.
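
The checks below are an added example, not part of the Huawei procedure: a script to run before the upload in step 2 that confirms both files are present under the required names with PEM armor, that sslkey.pem is passphrase-protected, and that the passphrase satisfies the NOTE. The function names and the reading of "special characters" as any non-alphanumeric character are assumptions.

```shell
# Added example: pre-upload checks for sslcert.pem / sslkey.pem (step 2).
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the patterns below

# Passphrase rule from the NOTE: 8 to 32 characters, at least two of
# lowercase letters, uppercase letters, digits, special characters.
# Assumption: "special" means any non-alphanumeric character.
check_passphrase() {
    pw=$1
    [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 32 ] || return 1
    classes=0
    case $pw in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $pw in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 2 ]
}

# True if the file carries PEM certificate armor.
is_pem_cert() {
    grep -q -e '^-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -e '^-----END CERTIFICATE-----' "$1"
}

# True if the file is a passphrase-protected PEM private key: PKCS#8
# ("ENCRYPTED PRIVATE KEY") or traditional ("Proc-Type: 4,ENCRYPTED").
is_encrypted_pem_key() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" && return 0
    grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$1" &&
        grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Check the directory holding both files; returns the number of failed checks.
preflight() {
    dir=$1 pass=$2 fail=0
    is_pem_cert "$dir/sslcert.pem" 2>/dev/null ||
        { echo "FAIL: sslcert.pem missing or not a PEM certificate"; fail=$((fail + 1)); }
    is_encrypted_pem_key "$dir/sslkey.pem" 2>/dev/null ||
        { echo "FAIL: sslkey.pem missing or not passphrase-protected PEM"; fail=$((fail + 1)); }
    check_passphrase "$pass" ||
        { echo "FAIL: passphrase does not meet the 8-32 character, two-type rule"; fail=$((fail + 1)); }
    return "$fail"
}

# Stand-alone use: sh preflight.sh <dir>; the passphrase is read from the terminal.
if [ "$#" -eq 1 ]; then
    printf 'Passphrase set on sslkey.pem: ' >&2
    stty -echo; IFS= read -r entered; stty echo; echo >&2
    preflight "$1" "$entered"
fi
```

The script inspects only the PEM armor and headers; it does not decrypt the key or confirm that the key matches the certificate.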
Updated: 2019-04-28

Document ID: EDOC1000122530
