No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


FusionStorage V100R006C20 Object Storage Service Security Maintenance 03

Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Replacing a Security Certificate for the Object Storage Service Compatible with Amazon S3 APIs

Replacing a Security Certificate for the Object Storage Service Compatible with Amazon S3 APIs

Data and services can be safeguarded by replacing a security certificate for the object storage service compatible with Amazon S3 APIs, and we suggest that the security certificate should be updated regularly.


If the SSH authentication mode for the node is only set to Public Key, the public and private key files of omsftp user need to be imported.

After the domain name is changed, you need to obtain and use a new certificate.


  1. Obtain the user-supplied certificate.

    1. Each region needs to apply for a Subject Alternative Name (SAN) certificate. The certificates for one region must be assigned by the same CA. The certificate describes the information about the global domain name and its subdomain name, region domain name and its subdomain name, and static website hosting domain name and its subdomain name.
      • obs.[company].com
      • obs.[region].[company].com
      • obs-website.[region].[company].com
      • *.obs.[company].com
      • *.obs.[region].[company].com
      • *.obs-website.[region].[company].com
    2. In a multi-region scenario, the clusters in one region must use the same certificate.
    3. If the user does not prepare certificates, refer to exception handing and use the object storage service certificate tool delivered with FusionStorage to create certificates.

  2. Log in to DeviceManager.
  3. Choose Settings > Storage Settings > Object Storage Service > Security Certificate.
  4. Click Import under Object-Based Storage Service HTTPS Certificate.
  5. Click Select to select the security certificate (.jks) that needs to be imported. Then, click Upload.
  6. Click OK and then Next.
  7. In the Password text box, enter the key password of the security certificate.
  8. Click Finish.
  9. Carefully read the contents of the dialog box and select I have read and understood the consequences associated with performing this operation. Click OK.
  10. Click Close.


    After importing the certificate, please wait 30 seconds to execute the business.

Exception Handling

  • If the user does not prepare certificates, use the object storage service certificate tool delivered with FusionStorage to create certificates.
    1. Start PUTTY and enter the management IP address to log in as account omuser to the cluster. The default password is Omuser@storage. Run ssh command to jump to the storage node deployed with object storage service (compatible with Amazon S3 APIs). xx.xx.xx.xx indicates the back-end IP address of the node. Run su - root and input a password to switch to root user.
    2. Run sh /opt/obs/scripts/certs/ -o output to generate a certificate.

      (Optional) -o: output specifies the name of and path to the new certificate. If this parameter is not specified, a certificate named as s3_service.jks will be generated in the current directory.

      During the command running, information informing you of entering the certificate password will be prompted twice. The password must be longer than six characters, consisting of at least two of the following: special characters, uppercase letters, lowercase letters, and digits.

      The following is a command example:

      sh /opt/obs/scripts/certs/ -o /home/s3_service.jks

      In this example, the certificate named as s3_service.jks is generated under directory /home.

      Cluster2-3:~ # sh /opt/obs/scripts/certs/ -o /home/s3_service.jks
      Enter the new keystore password: 
      Reenter the new keystore password: 
      Successfully generate key store file: /home/s3_service.jks
      Successfully generate CA certificate file: /home/ca.crt
    3. Use FTP to download the security certificate files .jks and ca.crt to the local PC.

      The security certificate with the name extension .jks is used for importing. The ca.crt file is the root certificate of the HTTPS request, and is held by the client. When the client initiates HTTPS requests, load this file according to the client tool requirements to realize the verification of the source socket of the server.

    4. You must import the same security certificate file (.jks) to clusters in the same region.
  • Please make a backup of the security certificate file (.jks) at the local maintenance terminal and can be used for the recovery of subsequent security certificate files.
Updated: 2019-02-01

Document ID: EDOC1100016657

Views: 5173

Downloads: 5

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next