
FusionStorage V100R006C20 Object Storage Service Security Maintenance 03

Replacing a Security Certificate for DeviceManager

You can replace a security certificate for DeviceManager when necessary.

Prerequisites

A new security certificate has been prepared.

Context

A security certificate is a statement with a digital signature from an entity or an issuer. It is used to authenticate identities of both parties that intend to communicate with each other.

The security certificate for DeviceManager is a self-signed certificate that is not trusted by the user's browser. You are advised to replace the security certificate with a trusted one and update the security certificate periodically.

Procedure

  1. Start PuTTY and enter the management IP address to log in to the cluster as user omuser. The default password is Omuser@storage.

    Run the su - root command to switch to user root. The default password is Root@storage.

  2. Use the File Transfer Protocol (FTP) tool to upload the security certificate to the storage node and copy it to the /opt/deviceManager/bin folder.
  3. Run the script to import the security certificate to all nodes.

    cd /opt/deviceManager/bin

    sh importKey.sh

    NOTE:
    When prompted to enter the certificate file name and private key file name, enter the absolute path. For example, enter the certificate file name /opt/deviceManager/bin/cert_en.pem.
    During the script execution, you can restart DeviceManager of the node.
    • After DeviceManager of the node is successfully restarted, log in to other nodes and run the following script to restart DeviceManager.

      cd /opt/deviceManager/bin

      sh startSystem.sh

    • If DeviceManager of the node fails to restart, check whether the certificate, private key, and password are correct.

    • If you choose not to restart DeviceManager during the script execution, run the following script on all nodes to restart DeviceManager.

      cd /opt/deviceManager/bin

      sh startSystem.sh

  4. If an error is displayed, the security certificate fails to be replaced for a storage node in the cluster. Run the script to replace the security certificate for the node separately.
    1. Log in to the node using the IP address displayed in the error information through PuTTY.
    2. Run the script to replace the security certificate for the node separately.

      cd /opt/deviceManager/bin

      sh importKey.sh

  5. In the browser of the terminal, verify that the security certificate is successfully replaced.

    NOTE:

    This section uses the Windows operating system and Internet Explorer 8.0 as examples.

    1. In the address box, enter https://management IP address:8088 to log in to DeviceManager.
    2. When you are prompted with There is a problem with this website's security certificate, select Continue to this website (not recommended).
    3. In the System Prompt page, click Ignore and Continue.
    4. On the right of the address box, click Certificate Error. In the dialog box that is displayed, click View Certificates.
    5. In the Certificate dialog box, view information about the security certificate.

      Confirm that the certificate issuer and validity period are updated to those in the user's security certificate.

Example

NOTE:

Use the following only as an example. The parameters in commands are alterable based on site requirements.

Liunx104:/opt/deviceManager/bin # openssl req -x509 -sha256 -days 1800 -newkey rsa:2048 -keyout key_en.pem -out cert_en.pem
Generating a 2048 bit RSA private key
................+++
..........................................................+++
writing new private key to 'key_en.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SC
Locality Name (eg, city) []:CD
Organization Name (eg, company) [Internet Widgits Pty Ltd]:huawei
Organizational Unit Name (eg, section) []:DeviceManager
Common Name (eg, YOUR name) []:iBase
Email Address []:w3@huawei.com

Liunx104:/opt/deviceManager/bin # ll *.pem
-rwx------ 1 root root 1586 Nov 21 11:20 cert_en.pem
-rwx------ 1 root root 1751 Nov 21 11:20 key_en.pem

Liunx104:/opt/deviceManager/bin # sh importKey.sh
You are replacing the certificate and private key files used by DeviceManager.
After they are replaced, DeviceManager must be restarted for the new files to take effect.
DeviceManager only supports the pem file format. Please confirm that the files are .pem files.
If the certificate file is incorrect or the certificate does not match the private key, Apache will fail to work properly.
Are you sure that you want to replace the files? [y/]
y
Please enter the name of the encrypted private key file:
/opt/deviceManager/bin/key_en.pem                           ## Please note that the absolute path is entered here

Please enter the certificate file name:
/opt/deviceManager/bin/cert_en.pem                          ## Please note that the absolute path is entered here
Please enter the passphrase of the encrypted private key file:
You need to restart DeviceManager for the certificate file to take effect.
Do you want to restart? [y/]:
y
Starting Device Manager...please wait.
Succeeded in starting Device Manager.

The certificate, private key, and password files of DeviceManager are about to be synchronized.
Synchronizing key_en.pem to 192.168.100.104...
Synchronizing cert_en.pem to 192.168.100.104...
Synchronizing pkt_en.dat to 192.168.100.104...
Synchronizing key_en.pem to 192.168.100.105...
Synchronizing cert_en.pem to 192.168.100.105...
Synchronizing pkt_en.dat to 192.168.100.105...
DeviceManager is successfully restarted on this node. You must manually restart DeviceManager on other nodes.
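
importKey.sh warns that an incorrect certificate file, or a certificate that does not match the private key, stops Apache from working properly. The pre-flight check below is an added example, not part of the Huawei documentation or its scripts; the function name check_cert_key, the script name check_pair.sh and the KEY_PASS variable are assumptions, and it uses only standard openssl subcommands.

```shell
#!/bin/sh
# Added example: pre-flight check of a certificate/key pair before importKey.sh.
# Usage (the passphrase is read from an environment variable, not from argv):
#   KEY_PASS='...' sh check_pair.sh /opt/deviceManager/bin/cert_en.pem \
#       /opt/deviceManager/bin/key_en.pem KEY_PASS

# check_cert_key CERT KEY PASSVAR
# Returns 0 if the pair is usable, otherwise one code per failure:
#   2 not a PEM X.509 certificate      3 key unreadable or wrong passphrase
#   4 certificate does not match key   5 certificate already expired
check_cert_key() {
    cert=$1 key=$2 passvar=$3

    # DeviceManager only supports PEM: require the PEM header and a parsable cert.
    { grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null &&
        openssl x509 -in "$cert" -noout 2>/dev/null; } ||
        { echo "FAIL: $cert is not a PEM certificate"; return 2; }

    # Decrypt the private key with the supplied passphrase without printing it.
    openssl pkey -in "$key" -passin "env:$passvar" -noout 2>/dev/null ||
        { echo "FAIL: cannot read $key (wrong passphrase or not a PEM key)"; return 3; }

    # The pair matches only if both files carry the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin "env:$passvar" -pubout)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: certificate and private key do not match"; return 4; }

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 5; }

    # Issuer and validity, for comparison with what the browser shows afterwards.
    openssl x509 -in "$cert" -noout -issuer -dates
    echo "OK: certificate and key are consistent"
}

if [ "$#" -eq 3 ]; then
    check_cert_key "$@"
fi
```

The issuer and validity dates it prints are the same fields the browser check in step 5 asks you to confirm.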

Exception Handling

If the user does not prepare certificates, use the openssl tool delivered with FusionStorage to create certificates.

The openssl command in the preceding example is used to generate the security certificate. The certificate is in PEM format, and its password is set manually while the command runs.

NOTE:

The security certificate generated using the script is also a self-signed certificate and is not trusted by the user's browser. The certificate generation method provided here is for reference only.

  1. Start PuTTY and enter the management IP address to log in to the cluster as user omuser. The default password is Omuser@storage.

    Run the su - root command to switch to user root. The default password is Root@storage.

  2. Use the openssl tool to generate an encrypted private key named key_en.pem.
    Liunx103: # openssl genrsa -des3 -out key_en.pem 2048
    Generating RSA private key, 2048 bit long modulus
    ...................................................................................+++
    ........................+++
    e is 65537 (0x10001)
    Enter pass phrase for key_en.pem:   ##Enter the password for the private key.
    Verifying - Enter pass phrase for key_en.pem:   ##Enter the password for the private key again.
    
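  3. Run the following command to generate a certificate, where the certificate file is named cert_en.pem. Because the command specifies -newkey rsa:2048 with -keyout key_en.pem, it writes a new private key to key_en.pem, as the output below shows.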
    Liunx103: # openssl req -x509 -sha256 -days 1800 -newkey rsa:2048 -keyout key_en.pem -out cert_en.pem
    Generating a 2048 bit RSA private key
    ..............+++
    ..............................................................................................+++
    writing new private key to 'key_en.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:SC
    Locality Name (eg, city) []:CD
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:huawei
    Organizational Unit Name (eg, section) []:DeviceManager
    Common Name (eg, YOUR name) []:iBase
    Email Address []:w3@huawei.com
Updated: 2019-02-01

Document ID: EDOC1100016657
