FusionStorage V100R006C20 Object Storage Service Security Maintenance 03


Disabling TLS v1.0

The Transport Layer Security (TLS) protocol version 1.0 (TLS v1.0) has severe security vulnerabilities. You are advised to disable TLS v1.0.

Operation & Maintenance Tool and DeviceManager support TLS v1.0, TLS v1.1, and TLS v1.2. However, TLS v1.0 has severe security vulnerabilities (risk of BEAST attacks). You are advised to disable TLS v1.0 to avoid security risks.

Users can disable TLS v1.0 in the browser settings to ensure that DeviceManager and Operation & Maintenance Tool are used securely. Using Internet Explorer 9 as an example, choose Tools > Internet Options, click the Advanced tab, and make sure that Use TLS 1.0 is not selected.

Users can modify configuration files to change the TLS protocol versions supported by DeviceManager and Operation & Maintenance Tool. Before the modification, check which TLS versions the browser supports and ensure that the browser supports the version to be configured. For example, if a browser version supports only TLS v1.0 and TLS v1.0 is disabled, you cannot access DeviceManager or Operation & Maintenance Tool using that browser.
NOTE:
If you must use TLS v1.0 for compatibility reasons, security risks may arise.

After modifying the configuration files, restart DeviceManager and Operation & Maintenance Tool for the configuration to take effect. Before the restart, ensure that no users are using DeviceManager or Operation & Maintenance Tool to perform business operations.

Perform the following steps to disable TLS v1.0 on each node. The steps use a node whose back-end address is 10.99.1.2 as an example.
  1. Use PuTTY to connect to the management IP.
  2. Run ssh omuser@10.99.1.2 and enter the omuser user password to go to the node.
  3. Run su - root and enter the root user password to switch to the root user.
  4. Modify the configuration file /opt/deviceManager/apache/conf/extra/httpd-ssl.conf.
    1. Run vi /opt/deviceManager/apache/conf/extra/httpd-ssl.conf to open the configuration file.
    2. Press I to go to the editing mode.
    3. Search for the configuration item SSLProtocol and modify the default configuration SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 to SSLProtocol +TLSv1.2 +TLSv1.1.
    4. Press Esc and enter :wq!.
  5. Run sh /opt/deviceManager/bin/restart.sh to restart DeviceManager.
  6. Modify the configuration file /opt/Runtime/tomcat7/conf/server.xml.
    1. Run vi /opt/Runtime/tomcat7/conf/server.xml to open the configuration file.
    2. Press I to go to the editing mode.
    3. Search for the configuration item sslEnabledProtocols and modify the default configuration TLSv1,TLSv1.1,TLSv1.2 to TLSv1.1,TLSv1.2.
    4. Press Esc and enter :wq!.
  7. Run sh /opt/Runtime/bin/restart.sh to restart Operation & Maintenance Tool.
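
The following check is an added example, not part of the original procedure or of the product: it audits the two files edited in steps 4 and 6 for a leftover TLS v1.0 entry. The function names are hypothetical, and the sample file contents are constructed from the default values quoted in the steps.

```shell
#!/bin/sh
# Added example: audit both edited files for a leftover TLS v1.0 entry.
# Tokens are compared exactly, because "TLSv1" is a prefix of "TLSv1.1" and "TLSv1.2".

# Succeeds (exit 0) if an active SSLProtocol directive in $1 still enables TLSv1.
apache_tls10_enabled() {
    awk '
        /^[ \t]*#/ { next }                     # skip commented-out directives
        tolower($1) == "sslprotocol" {
            on = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all" || t == "tlsv1" || t == "+tlsv1") on = 1
                else if (t == "-tlsv1") on = 0  # e.g. "all -TLSv1"
            }
            if (on) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Succeeds (exit 0) if any sslEnabledProtocols attribute in $1 lists TLSv1.
# Limitation: connectors inside XML comments are not skipped.
tomcat_tls10_enabled() {
    grep -o 'sslEnabledProtocols="[^"]*"' "$1" |
        sed 's/^[^"]*"//; s/"$//' |
        tr ',' '\n' | tr -d ' \t' |
        grep -qix 'TLSv1'
}

# Prints one status line per file; returns 1 if either file still enables TLS v1.0.
audit_tls10() {
    rc=0
    if apache_tls10_enabled "$1"; then echo "FAIL $1: SSLProtocol enables TLSv1"; rc=1
    else echo "OK   $1"; fi
    if tomcat_tls10_enabled "$2"; then echo "FAIL $2: sslEnabledProtocols lists TLSv1"; rc=1
    else echo "OK   $2"; fi
    return $rc
}

# Demo on constructed samples: the default values and the values after the change.
demo_dir=$(mktemp -d)
printf 'SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1\n' > "$demo_dir/httpd-ssl.before"
printf 'SSLProtocol +TLSv1.2 +TLSv1.1\n' > "$demo_dir/httpd-ssl.after"
printf '<Connector sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />\n' > "$demo_dir/server.before"
printf '<Connector sslEnabledProtocols="TLSv1.1,TLSv1.2" />\n' > "$demo_dir/server.after"
audit_tls10 "$demo_dir/httpd-ssl.before" "$demo_dir/server.before" || true
audit_tls10 "$demo_dir/httpd-ssl.after" "$demo_dir/server.after"
rm -rf "$demo_dir"
```

On a node, call audit_tls10 with /opt/deviceManager/apache/conf/extra/httpd-ssl.conf and /opt/Runtime/tomcat7/conf/server.xml as the two arguments. The check reads the files only, so the new setting is in effect only after the restarts in steps 5 and 7.
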
The object storage service supports HTTPS. HTTPS supports TLS v1.0, TLS v1.1, and TLS v1.2. You are advised to use TLS v1.2 rather than TLS v1.0 and TLS v1.1 for security purposes.
  1. Use SSH to remotely log in to the management storage node as user omuser. (The IP address of the management storage node is the same as that of the Object Storage Service.)
  2. Run cli_start -u admin to log in to the CLI.
  3. Run change object_storage_compatible_s3_osc_service tls tlsv1.2 and change object_storage_compatible_s3_poe_service tls tlsv1.2 to set the earliest TLS version supported by the Object Storage Service Controller service and the Provisioning Orchestration Engine service to TLS v1.2.
Updated: 2019-02-01

Document ID: EDOC1100016657
