Administrator Guide

OceanStor V3 Series V300R006

This document is applicable to OceanStor 2200 V3, 2600 V3, 5300 V3, 5500 V3, 5600 V3, 5800 V3, 6800 V3, 18500 V3, and 18800 V3. Routine maintenance activities are the most common activities for the storage device, including powering on or off the storage device, managing users, modifying basic parameters of the storage device, and managing hardware components. This document is intended for the system administrators who are responsible for carrying out routine maintenance activities, monitoring the storage device, and rectifying common device faults.
How Can I Use Self-Signed Certificates to Fix the Privacy Error Displayed When I Attempt to Log In to DeviceManager?

Question

How can I use self-signed certificates to fix the privacy error displayed when I attempt to log in to DeviceManager?

Answer

The privacy error appears because the browser does not trust the default DeviceManager server certificate. You remove it by creating your own CA, issuing a DeviceManager server certificate (with its private key) from that CA, importing the certificate and key into the storage system, and importing the CA certificate into the browser's trusted root store. The configuration procedure is as follows:

  1. Prepare the OpenSSL environment.

    1. Prepare a Linux-based host with the OpenSSL tool installed. (OpenSSL is pre-installed on most CentOS and Ubuntu systems.) Run the openssl version command and verify that the version is 0.9.8j or later.
      CTU1000047802:~ # openssl version
      OpenSSL 0.9.8j-fips 07 Jan 2009
    2. Run the find / -name openssl.cnf command to identify the location of the openssl.cnf file.
      Generally, the openssl.cnf file is under /etc/ssl.
      CTU1000047802:/ # cd /etc/ssl
      CTU1000047802:/etc/ssl # ls
      ca.key  ca.pem  cacert.pem  cert.csr  certs  demoCA  openssl.cnf  private  private.key
    3. Open the openssl.cnf file and check the CA directory (the dir value in the [ CA_default ] section). By default it is ./demoCA, relative to the directory from which openssl ca is run; the demoCA directory created in step 2.1 matches this default.
      CTU1000047802:/etc/ssl # cat openssl.cnf

    4. Add the subjectAltName option to the [v3_req] section of the openssl.cnf file, as an IP-type entry.

      The IP address is the management IP address of the storage system, XX.XX.109.96 in this example. This setting matters: the openssl ca command in step 3.3 takes its certificate extensions from the config section named by -extensions (v3_req), not from the certificate request, so the subject alternative name in the issued certificate comes from here.

  2. Use the OpenSSL tool to generate CA private key and CA certificate files.

    1. Create directories and files related to certificate files.
      CTU1000047802:/ # mkdir new9
      CTU1000047802:/ # cd new9
      CTU1000047802:/new9 # mkdir demoCA
      CTU1000047802:/new9 # mkdir demoCA/csr demoCA/private demoCA/jks demoCA/newcerts
      CTU1000047802:/new9 # touch demoCA/index.txt
      CTU1000047802:/new9 # echo 03 > ./demoCA/serial
    2. Generate a CA private key file. The example uses a 1024-bit key; 1024-bit RSA is deprecated (NIST SP 800-131A disallowed it for signature generation after 2013), so prefer 2048 bits, as the server key in step 3.1 already uses. Protect this file: anyone holding it can issue certificates that the browser will trust once RootCA.crt is imported in step 4.5.
      CTU1000047802:/new9 # openssl genrsa -out ./demoCA/private/ca.key 1024
      Generating RSA private key, 1024 bit long modulus
      ........++++++
      ...............++++++
      e is 65537 (0x10001)
    3. Generate a CA certificate file.
      CTU1000047802:/new9 # openssl req -new -x509 -sha256 -extensions v3_ca -key ./demoCA/private/ca.key -out ./demoCA/newcerts/RootCA.crt -subj '/C=CN/ST=SiChuan/O=Huawei/L=ChengDu/CN=*.*.*.*/OU=IT Product Line' -days 5475

      CN is the common name of the CA certificate. The guide sets it to *.*.*.* to avoid certificate alarms. The -days 5475 value gives the CA a 15-year validity, longer than the 10-year server certificate issued in step 3.

  3. Generate certificate files for the DeviceManager server.

    1. Generate a key file.
      CTU1000047802:/new9 # openssl genrsa -out ./demoCA/private/deviceManager_key.pem 2048
      Generating RSA private key, 2048 bit long modulus
      .......+++
      ..............................................+++
      e is 65537 (0x10001)
    2. Generate a certificate request file.
      CTU1000047802:/new9 # openssl req -new -sha256 -extensions v3_req -key ./demoCA/private/deviceManager_key.pem -out ./demoCA/csr/deviceManager.csr -subj '/C=CN/ST=SiChuan/O=Huawei/L=ChengDu/CN=XX.XX.109.96/OU=IT Product Line' -days 3650

      CN is the common name of the DeviceManager server certificate. To avoid certificate alarms, set this parameter to the management IP address of the storage system, XX.XX.109.96 in this example. It must be the same address as the subjectAltName entry added in step 1.4: current browsers (Chrome 58 and later) validate the host against subjectAltName only and ignore the CN, so a certificate with the correct CN but no matching SAN still produces the privacy error.

    3. Use the CA private key and certificate to sign the certificate request. The "Using configuration from /etc/ssl/openssl.cnf" line in the output confirms that the file edited in step 1 is the one being read, and the Subject Alternative Name in the certificate details confirms that the v3_req extensions were applied.
      CTU1000047802:/new9 # openssl ca -batch -in ./demoCA/csr/deviceManager.csr -cert ./demoCA/newcerts/RootCA.crt -keyfile ./demoCA/private/ca.key -out ./demoCA/newcerts/deviceManager_cert.pem -days 3650 -md sha256 -extensions v3_req
      Using configuration from /etc/ssl/openssl.cnf
      Check that the request matches the signature
      Signature ok
      Certificate Details:
              Serial Number: 3 (0x3)
              Validity
                  Not Before: Jul 30 02:42:35 2018 GMT
                  Not After : Jul 27 02:42:35 2028 GMT
              Subject:
                  countryName               = CN
                  stateOrProvinceName       = SiChuan
                  organizationName          = Huawei
                  organizationalUnitName    = IT Product Line
                  commonName                = XX.XX.109.96
              X509v3 extensions:
                  X509v3 Basic Constraints: 
                      CA:FALSE
                  X509v3 Key Usage: 
                      Digital Signature, Non Repudiation, Key Encipherment
                  X509v3 Subject Alternative Name: 
                      IP Address:XX.XX.109.96
      Certificate is to be certified until Jul 27 02:42:35 2028 GMT (3650 days)
      Write out database with 1 new entries
      Data Base Updated
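
The following script is an added worked example and is not part of the Huawei guide. It carries steps 1.4 through 3.3 end to end with a self-contained openssl.cnf instead of editing /etc/ssl/openssl.cnf, then checks the result the way a browser would: the server certificate must chain to RootCA.crt, carry the management IP address in subjectAltName, and be a leaf certificate (CA:FALSE). The management address 192.0.2.96 (standing in for XX.XX.109.96), the working directory and the CA common name are placeholders, and the CA key is 2048 bits rather than the guide's 1024.

```shell
#!/bin/sh
# Added example, not from the Huawei guide. Rebuilds the CA and the DeviceManager
# server certificate of steps 1.4-3.3 with its own openssl.cnf, then verifies
# chain, SAN and CA:FALSE. MGMT_IP and WORK are placeholders (assumptions).
set -eu

MGMT_IP="${MGMT_IP:-192.0.2.96}"    # stands in for XX.XX.109.96 in the guide
WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/demoCA"

# Minimal config: [ CA_default ] is what 'openssl ca' reads, [ v3_req ] is the
# section step 1.4 tells you to edit. The SAN lives here because 'openssl ca'
# takes extensions from the section named by -extensions, not from the CSR.
write_cnf() {
  cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $CA_DIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/newcerts/RootCA.crt
private_key     = \$dir/private/ca.key
default_md      = sha256
default_days    = 3650
policy          = policy_anything

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = IP:$MGMT_IP
EOF
}

make_ca() {
  mkdir -p "$CA_DIR/csr" "$CA_DIR/private" "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"
  echo 03 > "$CA_DIR/serial"     # first issued certificate gets serial 3, as in the guide
  # 2048-bit CA key; the guide's 1024-bit key is below current minimums.
  openssl genrsa -out "$CA_DIR/private/ca.key" 2048 >/dev/null 2>&1
  openssl req -new -x509 -sha256 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -key "$CA_DIR/private/ca.key" -out "$CA_DIR/newcerts/RootCA.crt" -days 5475 \
    -subj '/C=CN/ST=SiChuan/L=ChengDu/O=Huawei/CN=DeviceManager Root CA' >/dev/null 2>&1
}

make_server_cert() {
  openssl genrsa -out "$CA_DIR/private/deviceManager_key.pem" 2048 >/dev/null 2>&1
  openssl req -new -sha256 -config "$WORK/openssl.cnf" \
    -key "$CA_DIR/private/deviceManager_key.pem" -out "$CA_DIR/csr/deviceManager.csr" \
    -subj "/C=CN/ST=SiChuan/L=ChengDu/O=Huawei/CN=$MGMT_IP" >/dev/null 2>&1
  openssl ca -batch -config "$WORK/openssl.cnf" -in "$CA_DIR/csr/deviceManager.csr" \
    -out "$CA_DIR/newcerts/deviceManager_cert.pem" -days 3650 -md sha256 \
    -extensions v3_req -notext >/dev/null 2>&1
}

# Prints OK when the leaf passes the checks a browser applies before it drops
# the privacy error; otherwise prints which check failed.
verify_chain() {
  leaf="$CA_DIR/newcerts/deviceManager_cert.pem"
  openssl verify -CAfile "$CA_DIR/newcerts/RootCA.crt" "$leaf" >/dev/null 2>&1 \
    || { echo CHAIN_FAIL; return 1; }
  text=$(openssl x509 -in "$leaf" -noout -text)
  echo "$text" | grep -q "IP Address:$MGMT_IP" || { echo SAN_MISSING; return 1; }
  echo "$text" | grep -q 'CA:FALSE'            || { echo NOT_A_LEAF; return 1; }
  echo OK
}

build_all() {
  write_cnf && make_ca && make_server_cert && verify_chain
}

# Usage: sh mkcert.sh --run   (then export RootCA.crt, deviceManager_cert.pem and
# deviceManager_key.pem from $WORK/demoCA as in step 4)
if [ "${1:-}" = "--run" ]; then build_all; fi
```

The verify_chain function is the check worth keeping after any manual run of the guide's commands: if it reports SAN_MISSING, the subjectAltName line from step 1.4 was not in the section that openssl ca read, and the browser will keep showing the privacy error even after the CA certificate has been imported.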

  4. Replace certificates.

    1. Use an SFTP or FTP client (such as FileZilla) to connect to the Linux host where the OpenSSL tool is located and export the generated certificates and key file to the local PC. The private key file deviceManager_key.pem is unencrypted, so restrict access to the directory it is copied to and delete it from the share after the import in step 4.3 succeeds.
      • RootCA.crt
      • deviceManager_cert.pem
      • deviceManager_key.pem
      NOTE:
      • The RootCA.crt and deviceManager_cert.pem files are stored in the newcerts folder.
        CTU1000047802:/new9/demoCA/newcerts # ls
        03.pem  RootCA.crt  deviceManager_cert.pem
      • The deviceManager_key.pem file is stored in the private folder.
        CTU1000047802:/new9/demoCA/private # ls
        ca.key  deviceManager_key.pem

      In this example, the three files are exported to F:\replace.

    2. Use an SFTP or FTP server tool to share the three exported files. The example below uses SFTP.

      Specify the user, password, and port number of the server. Set the share path to the directory where the three exported files are saved, F:\replace in this example. Set the IP address to the IP address of the local computer, XX.XX.117.211 in this example.

    3. Import the generated self-signed certificates to the storage system.

      Log in to the storage system using the CLI. Run the import ssl_certificate command to import the shared certificate and key files, deviceManager_cert.pem and deviceManager_key.pem in this example.

      admin:/>import ssl_certificate ip=XX.XX.117.211 user=admin password=********* cert_file=deviceManager_cert.pem key_file=deviceManager_key.pem port=32 protocol=SFTP
      DANGER: You are about to use an unencrypted SSL certificate to replace the current SSL certificate. Security risks may exist in the unencrypted certificate. This operation will cause DeviceManager automatically to restart, interrupting services. The certificate you are about to import has the following security risks: a certificate loading error (the certificate fails to be loaded, the certificate key fails to be obtained, certificate public information fails to be obtained, the certificate signature algorithm fails to be obtained).
      Suggestion:
      1. Use an encrypted certificate to replace the current certificate.
      2. Before running the command, confirm that you want to replace the SSL certificate.
      Have you read danger alert message carefully?(y/n)y
      Are you sure you really want to perform the operation?(y/n)y
      Command executed successfully.
    4. Restart DeviceManager.
      admin:/>change user_mode current_mode user_mode=developer
      DANGER: You are about to switch to the developer view. Commands in this view must be run under the guidance of R&D engineers. You can choose whether to run this command. If you run this command to switch to the developer view, it means that you know risks of running commands in the developer view. Device vendors are not responsible for any loss or damage caused to the user or others by running commands in the developer view.
      1. Running the command in the developer view may cause system reset, restart, offline, service interruption, data loss, and data inconsistency.
      2. Running the command in the developer view may cause the performance to decrease.
      3. Running the command in the developer view to delete or remove configurations may have impact on the service and data.
      4. Running the command in the developer view may cause system alarms.
      Suggestion: Run this command under the guidance of R&D engineers.
      Have you read danger alert message carefully?(y/n)y
      Are you sure you really want to perform the operation?(y/n)y
      developer:/>reboot ism
      DANGER: You are about to restart the DeviceManager for the storage system. This operation causes the DeviceManager unavailable temporarily.
      Suggestion: Before performing this operation, ensure that all users have exit the DeviceManager.
      Have you read danger alert message carefully?(y/n)y
      Are you sure you really want to perform the operation?(y/n)y
      Command executed successfully.
    5. Import the certificate file to the browser.
      The following uses Google Chrome (67.0) as an example.
      NOTE:

      For details about how to replace the security certificates of other browsers, see section "Importing a Security Certificate" in the DeviceManager Online Help.

      1. Open Google Chrome and choose Settings > Advanced > Manage certificates > Trusted Root Certification Authorities > Import. The Certificate Import Wizard dialog box is displayed.
      2. Select and import the CA certificate file (RootCA.crt in this example) as prompted. Import only the CA certificate, never the key files. Once RootCA.crt is a trusted root, the browser trusts every certificate signed with ca.key, so keep that key offline and limited to the administrators who issue DeviceManager certificates.
      3. Restart the browser after the certificate is successfully imported.
      4. Log in to the storage system again. No privacy error is generated.

Updated: 2019-07-12

Document ID: EDOC1000138854