OceanStor 9000 V300R006C00 Security Maintenance 07

Replacing a Security Certificate for Toolkit

You can replace a security certificate for Toolkit when necessary.

Prerequisites

A new security certificate has been prepared.

Context

A security certificate is a statement with a digital signature from an entity or an issuer. It is used to authenticate identities of both parties that intend to communicate with each other.

The Toolkit certificate provided with the system is not trusted by users' browsers. Therefore, you are advised to replace it with a trusted security certificate and to update the security certificate periodically.

Procedure

  1. Start PuTTY, enter the management IP address, and log in to the cluster as user omuser. The default password is Omuser@storage.

    Run the su - root command to switch to user root. The default password is Root@storage.

  2. Use the File Transfer Protocol (FTP) tool to upload the security certificate prepared by the user to the storage node.
  3. Run the script to import the security certificate to the storage node.

    sh /opt/Runtime/bin/replace_cert.sh

    cd /opt/Runtime/bin/  #### Enter the directory where the script resides.
    sh replace_cert.sh   #### Import the security certificate to the storage node.
    Please input certificate file:/opt/Runtime/xxxx.keystore   #### Enter the path where the security certificate is saved. The path can be a relative path or a full path.
    Please input secret key:   #### Enter the password of the security certificate.
    Please input secret key again:   #### Enter the password of the security certificate again.
    You are about to replace the web certificate. This operation will restart the ISM service automatically. Are you sure you want to continue? (Input Y/y to continue, or any other to exit) 
    Y      #### Confirm the replacement of the security certificate.
    Replace certificate file successfully!   #### The security certificate is successfully imported and the Toolkit tomcat service is restarted automatically.
    

  4. Run the following commands to check that the security certificate has been imported and replaced.

    cd /opt/Runtime/

    export PATH=$PATH:/opt/Runtime/jre/bin/

    cd /opt/Runtime/tomcat7/conf/

    keytool -list -keystore /xxx/xxxx.keystore -storetype $storetype -v

    The command parameters are described as follows:

    storetype: type of the security certificate. This parameter is optional. The default value is JKS.

  5. Run scp commands to copy the security certificate to other nodes or C72 controller modules.

    The nodes or C72 controller modules whose security certificates need to be replaced are the management nodes or C72 controller modules whose Independent management port is Yes in the software installation configuration file. For example, if the security certificate of the current node is located in /xxx/xxxx.keystore and the back-end IP addresses of other nodes or C72 controller modules are 10.16.0.10 and 10.16.0.11 respectively, run the following commands:

    scp /xxx/xxxx.keystore omuser@10.16.0.10:/xxx/  #### The user omuser has write permission for the /xxx directory.
    scp /xxx/xxxx.keystore omuser@10.16.0.11:/xxx/

  6. Perform steps 3 and 4 on the other nodes or C72 controller modules to replace their security certificates.
  7. In the browser of the terminal, verify that the security certificate is successfully replaced.

    NOTE:

    This section uses the Windows operating system and Internet Explorer 9.0 as examples.

    Make sure that the Toolkit service is enabled. Log in to DeviceManager and choose Setting > Enable Toolkit.

    1. In the address box, enter https://management IP address:8098 to log in to Toolkit.
    2. When you are prompted with There is a problem with this website's security certificate, select Continue to this website (not recommended).
    3. On the right of the address box, click Certificate Error. In the dialog box that is displayed, click View Certificates.
    4. In the Certificate dialog box, view information about the security certificate.

      Confirm that the certificate issuer and validity period are updated to those in the user's security certificate.

Example

NOTE:

Use the following only as an example. The parameters in the commands can be changed based on site requirements.

linux5:~ # cd /opt/Runtime/bin/
linux5:/opt/Runtime/bin # sh replace_cert.sh 
Please input certificate file:/opt/Runtime/server.keystore
Please input secret key:
Please input secret key again:
You are about to replace the web certificate. This operation will restart the ISM service automatically. Are you sure you want to continue? (Input Y/y to continue, or any other to exit)
y
Replace certificate file successfully!
linux5:/opt/Runtime/bin # cd /opt/Runtime/
linux5:/opt/Runtime # export PATH=$PATH:/opt/Runtime/jre/bin/ 
linux5:/opt/Runtime # cd /opt/Runtime/tomcat7/conf/
linux5:/opt/Runtime/tomcat7/conf # keytool -list -keystore server.keystore -storetype pkcs12 -v
Enter keystore password:  

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: server.keystore
Creation date: Dec 18, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=xxx.xxx.xxx.xxx, OU=xxx.xxx.xxx.xxx, O=xxx.xxx.xxx.xxx, L=xxx, ST=xxx, C=xxx
Issuer: CN=xxx.xxx.xxx.xxx, OU=xxx.xxx.xxx.xxx, O=xxx.xxx.xxx.xxx, L=xxx, ST=xxx, C=xxx
Serial number: 48a0f69d
Valid from: Thu Dec 18 10:41:23 CST 2014 until: Wed Mar 18 10:41:23 CST 2015
Certificate fingerprints:
	 MD5:  31:16:B8:77:67:E7:23:40:F7:46:15:60:53:E0:E6:F6
	 SHA1: 60:D6:77:D0:7B:43:EB:12:E8:5B:DB:01:6E:73:15:1D:9C:39:A4:EA
	 SHA256: F4:13:25:48:F8:4F:6E:17:82:B6:B9:F2:11:A4:EE:3D:35:3D:3D:12:72:D1:C8:67:60:01:2E:AD:F1:9E:2A:65
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 10.10.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D3 BA 01 20 A6 00 41 55   6F FF B4 19 EF 33 B1 02  ... ..AUo....3..
0010: 9C DA 29 B0                                        ...
]
]
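
The check in step 4 and the issuer and validity confirmation in step 7 can be scripted. The following is an added example, not part of the Huawei procedure or tooling: a shell function (the names cert_summary and sample_listing are hypothetical) that reads keytool -list -v output and reports, for each entry, whether the leaf certificate is self-signed (Owner equals Issuer), whether its end date has passed, and its SHA-256 fingerprint. The sample input is taken from the Example output above.

```shell
#!/bin/sh
# Added example (not vendor code): summarise the leaf certificate of each entry
# in `keytool -list -v` output read from stdin. Optional $1 is the reference
# date as YYYYMMDD (default: today). Dates are compared by calendar day only.
cert_summary() {
    awk -v today="${1:-$(date +%Y%m%d)}" '
    function emit() {
        if (alias == "") return
        printf "alias=%s self_signed=%s expired=%s not_after=%s sigalg=%s sha256=%s\n",
            alias, (owner != "" && owner == issuer ? "yes" : "no"),
            (today + 0 > notafter + 0 ? "yes" : "no"), notafter, sigalg, sha256
        alias = owner = issuer = notafter = sigalg = sha256 = ""
    }
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= n; i++) mon[name[i]] = i
    }
    /^Alias name: / { emit(); alias = substr($0, 13); next }
    /^Owner: /  && owner == ""  { owner = substr($0, 8) }
    /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
    /^Valid from: / && notafter == "" {
        for (i = 1; i <= NF; i++) if ($i == "until:") u = i
        notafter = sprintf("%04d%02d%02d", $(u + 6), mon[$(u + 2)], $(u + 3))
    }
    /SHA256: / && sha256 == "" { sha256 = $NF }
    /Signature algorithm name: / && sigalg == "" { sigalg = $NF }
    END { emit() }
    '
}

# Sample input: lines taken from this page's Example output.
sample_listing() {
    cat <<'EOF'
Alias name: server.keystore
Creation date: Dec 18, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=xxx.xxx.xxx.xxx, OU=xxx.xxx.xxx.xxx, O=xxx.xxx.xxx.xxx, L=xxx, ST=xxx, C=xxx
Issuer: CN=xxx.xxx.xxx.xxx, OU=xxx.xxx.xxx.xxx, O=xxx.xxx.xxx.xxx, L=xxx, ST=xxx, C=xxx
Valid from: Thu Dec 18 10:41:23 CST 2014 until: Wed Mar 18 10:41:23 CST 2015
     SHA256: F4:13:25:48:F8:4F:6E:17:82:B6:B9:F2:11:A4:EE:3D:35:3D:3D:12:72:D1:C8:67:60:01:2E:AD:F1:9E:2A:65
     Signature algorithm name: SHA256withRSA
EOF
}

sample_listing | cert_summary 20190428
```

On a node, pipe the real keytool -list -v output into cert_summary instead of the sample; comparing the sha256 value reported on each node after step 6 shows whether all nodes hold the same certificate.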



Updated: 2019-04-28

Document ID: EDOC1000122530