OceanStor 9000 V300R006C00 Security Maintenance 07

Disabling TLS v1.0

The Transport Layer Security (TLS) protocol version 1.0 (TLS v1.0) has severe security vulnerabilities. You are advised to disable TLS v1.0.

Toolkit and DeviceManager support TLS v1.0, TLS v1.1, and TLS v1.2. However, TLS v1.0 has severe security vulnerabilities (risk of the BEAST attack). You are advised to disable TLS v1.0 to avoid security risks.

Users can disable TLS v1.0 in the browser settings to ensure that DeviceManager and Toolkit are used securely. Using Internet Explorer 9 as an example, choose Tools > Internet Options, click the Advanced tab, and make sure that Use TLS 1.0 is not selected.

Users can modify configuration files to change versions of the TLS protocol supported by DeviceManager and Toolkit. Before modification, check which version of the TLS protocol is supported by the browser and ensure that the browser supports the version to be configured. For example, a certain browser version supports only TLS v1.0. If TLS v1.0 is disabled, you cannot access DeviceManager or Toolkit using the browser.
NOTE:
If you must use TLS v1.0 for compatibility reasons, security risks may arise.

After modifying the configuration files, restart DeviceManager and Toolkit for the configuration to take effect. Before restarting, ensure that no users are using DeviceManager or Toolkit to perform business operations.

Perform the following steps to disable TLS v1.0 on each node. The steps use a node whose back-end address is 10.99.1.2 as an example.
  1. Use PuTTY to connect to the management IP.
  2. Run ssh omuser@10.99.1.2 and enter the omuser user password to go to the node.
  3. Run su - root and enter the root user password to switch to the root user.
  4. Modify the configuration file /opt/deviceManager/apache/conf/extra/httpd-ssl.conf.
    1. Run vi /opt/deviceManager/apache/conf/extra/httpd-ssl.conf to open the configuration file.
    2. Press I to go to the editing mode.
    3. Search for the configuration item SSLProtocol and modify the default configuration SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 to SSLProtocol +TLSv1.2 +TLSv1.1.
    4. Press Esc and enter :wq!.
  5. Run sh /opt/deviceManager/bin/restart.sh to restart DeviceManager.
  6. Modify the configuration file /opt/Runtime/tomcat7/conf/server.xml.
    1. Run vi /opt/Runtime/tomcat7/conf/server.xml to open the configuration file.
    2. Press I to go to the editing mode.
    3. Search for the configuration item sslEnabledProtocols and modify the default configuration TLSv1,TLSv1.1,TLSv1.2 to TLSv1.1,TLSv1.2.
    4. Press Esc and enter :wq!.
  7. Run sh /opt/Runtime/bin/restart.sh to restart Toolkit.
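
A check for the two edits above, as an added example that is not part of the original Huawei document: the script reads an httpd-ssl.conf and a server.xml and reports whether TLS v1.0 is still listed. The function names and sample file contents are constructed for illustration, and it assumes the explicit protocol-list syntax the procedure shows.

```shell
#!/bin/sh
# Added example: audit the two files from the procedure for a leftover TLS v1.0 entry.
# Assumption: protocols are listed explicitly, as in the values shown in the procedure.

# Exit 0 if an active (non-comment) SSLProtocol line still lists TLSv1.
# Whole-token match, so +TLSv1.1 and +TLSv1.2 do not count.
apache_has_tls10() {
    grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
        tr ' \t' '\n\n' | grep -Eqx '\+?TLSv1'
}

# Exit 0 if any sslEnabledProtocols attribute still lists TLSv1.
tomcat_has_tls10() {
    sed -n 's/.*sslEnabledProtocols="\([^"]*\)".*/\1/p' "$1" |
        tr ', \t' '\n\n\n' | grep -qx 'TLSv1'
}

# Audit both files; prints one line per file, returns 1 if either still enables TLS v1.0.
audit_tls10() {
    rc=0
    if apache_has_tls10 "$1"; then echo "FAIL $1: TLSv1 enabled"; rc=1; else echo "OK   $1"; fi
    if tomcat_has_tls10 "$2"; then echo "FAIL $2: TLSv1 enabled"; rc=1; else echo "OK   $2"; fi
    return "$rc"
}

# Constructed sample files: the default values and the modified values from the procedure.
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1' > "$d/httpd-default.conf"
    printf '%s\n' '# SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1' \
                  'SSLProtocol +TLSv1.2 +TLSv1.1' > "$d/httpd-fixed.conf"
    printf '%s\n' '<Connector SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>' \
        > "$d/server-default.xml"
    printf '%s\n' '<Connector SSLEnabled="true" sslEnabledProtocols="TLSv1.1,TLSv1.2"/>' \
        > "$d/server-fixed.xml"
    echo "$d"
}

# Usage: sh audit_tls10.sh <httpd-ssl.conf> <server.xml>
if [ "$#" -eq 2 ]; then
    audit_tls10 "$1" "$2"
fi
```
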
The object storage service and the account management of the object storage service (compatible with Amazon S3 APIs) support HTTPS. HTTPS supports TLS v1.0, TLS v1.1, and TLS v1.2. You are advised to use TLS v1.2 rather than TLS v1.0 and TLS v1.1 for security purposes.
  1. Use SSH to remotely log in to the management storage node as user omuser. (The IP address of the management storage node is the same as that of the OceanStor 9000.)
  2. Run cli_start -u admin to log in to the CLI.
  3. Run change object_storage_compatible_s3_osc_service tls tlsv1.2 and change object_storage_compatible_s3_poe_service tls tlsv1.2 to set the earliest version of TLS supported by the Object Storage Service Controller service and the Provisioning Orchestration Engine service to TLS v1.2.
Updated: 2019-04-28

Document ID: EDOC1000122530
