eSight V300R010C00 Maintenance Guide 07

How Do I Set the Connection Protocol for Remote Backup to FTPS

Question

Before using FTPS to connect to a remote server for backup, you need to obtain the identity certificate and trust certificate of the client and set related information. How do I do this?

NOTE:
  • The maintenance tool FTPS client supports only the implicit security mode of FTPS.
  • The maintenance tool FTPS client does not support TLS session resumption. You must set the FTPS client yourself.

Answer

NOTE:

For the Veritas HA system, perform the operations on both the active and standby servers. For the OMMHA two-node cluster, perform the operations only on the active server.

  1. Apply certificates for the client from a certificate authority (CA). The certificates include a trust certificate and an identity certificate.
  2. Upload the certificates to eSight installation directory/mttools/etc/certificate.
  3. Configure the client certificates.

    1. Open the configuration file eSight installation directory/mttools/etc/sysconf/ftpsconfig.xml.
    2. Set key-store-path to the name of the identity certificate. The certificate must be in JKS format. For details about certificate formats, see Security Certificates.
        <key-store-path>iemp.keystore.ftps</key-store-path>     
    3. Set key-store-password to the ciphertext password of the identity certificate.
        <key-store-password>@0102000000005a4d0cf128ae01a82d44e990bf91f16bfe9d124103026c498bbdbe0d49625828</key-store-password>
      NOTE:

      This password must be encrypted by an encryption tool.

      • On Windows, the tool eSight installation directory/mttools/tools/bmetool/encrypt/encrypt.bat must be used to encrypt the store password.
      • On Linux, the tool eSight installation directory/mttools/tools/bmetool/encrypt/encrypt.sh must be used to encrypt the store password.
    4. Set trust-store-path to the name of the trust certificate. The certificate must be in JKS format. For details about certificate formats, see Security Certificates.
        <trust-store-path>iemp.truststore.ftps</trust-store-path>
    5. Set trust-store-password to the ciphertext password of the trust certificate.
        <trust-store-password>@010223223220005a4d0cf128ae01a82d44e990bf91f16bfe9d124103026c498bbdbe0d49828</trust-store-password>
      NOTE:

      This password must be encrypted by an encryption tool.

      • On Windows, the tool eSight installation directory/mttools/tools/bmetool/encrypt/encrypt.bat must be used to encrypt the store password.
      • On Linux, the tool eSight installation directory/mttools/tools/bmetool/encrypt/encrypt.sh must be used to encrypt the store password.
    6. Set the Transport Layer Security (TLS) versions and cipher suites that the client is allowed to use when connecting to the FTPS server. An example is as follows:
        <sslprotocol>TLSv1.2</sslprotocol> 
        <includeCipherSuites>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA</includeCipherSuites>     
    7. Set isServerMustTrusted to true.
      NOTE:
      • true: The FTPS servers that are not trusted by the client cannot function as the servers configured in the remote backup policy.
      • false: Any FTPS servers can function as the servers configured in the remote backup policy.

      Setting this configuration item to false is risky and is not recommended.

      An example is as follows:

          <isServerMustTrusted>true</isServerMustTrusted>
    8. Save and close the configuration file.

  4. Restart the maintenance tool.
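
The following pre-restart check is an added example, not part of the Huawei guide or of the eSight tooling: it audits the contents of ftpsconfig.xml against the settings in step 3 and reports plaintext store passwords, deprecated TLS versions, weak cipher suites and disabled server trust. The `<ftps>` root element, the ciphertext pattern (inferred from the guide's sample values) and comma-separated protocol lists are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <ftps> root and the password values are placeholders;
# only the child element names come from the guide.
SAMPLE = """<ftps>
  <key-store-path>iemp.keystore.ftps</key-store-path>
  <key-store-password>@0102000000aabbccddeeff</key-store-password>
  <trust-store-path>iemp.truststore.ftps</trust-store-path>
  <trust-store-password>PLAINTEXT-PLACEHOLDER</trust-store-password>
  <sslprotocol>TLSv1</sslprotocol>
  <includeCipherSuites>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_RC4_128_SHA</includeCipherSuites>
  <isServerMustTrusted>false</isServerMustTrusted>
</ftps>"""

# Assumption: encrypt.bat/encrypt.sh output looks like the guide's examples,
# an "@" followed by hex digits.
CIPHERTEXT = re.compile(r"@[0-9a-fA-F]{16,}")
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_SUITE_MARKERS = ("_NULL_", "_RC4_", "_DES_", "_3DES_", "_EXPORT", "_anon_", "_MD5")

def audit_ftps_config(xml_text):
    """Return (element, problem) findings for the text of an ftpsconfig.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    def value(tag):
        node = next(root.iter(tag), None)
        return (node.text or "").strip() if node is not None else ""

    def items(tag):
        return [v.strip() for v in value(tag).split(",") if v.strip()]

    for tag in ("key-store-path", "trust-store-path"):
        if not value(tag):
            findings.append((tag, "missing or empty"))
    for tag in ("key-store-password", "trust-store-password"):
        if not CIPHERTEXT.fullmatch(value(tag)):
            findings.append((tag, "not tool-encrypted ciphertext"))
    protocols = items("sslprotocol")
    if not protocols or any(p in WEAK_PROTOCOLS for p in protocols):
        findings.append(("sslprotocol", "deprecated or unset protocol"))
    for suite in items("includeCipherSuites"):
        if any(marker in suite for marker in WEAK_SUITE_MARKERS):
            findings.append(("includeCipherSuites", f"weak suite {suite}"))
    if value("isServerMustTrusted").lower() != "true":
        findings.append(("isServerMustTrusted", "server certificate not verified"))
    return findings
```

Calling `audit_ftps_config` on the file's contents on each server where the procedure was performed should return an empty list before the maintenance tool is restarted.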
Updated: 2019-06-30

Document ID: EDOC1100044373
