eSight V300R010C00 Maintenance Guide 08

Deploying a Security Certificate

Checking the Certificate Validity

You can use the OpenSSL tool delivered with eSight to check the certificate validity.

Prerequisites

The certificate archive file in .pfx format and the CA certificate in .crt format have been obtained. Assume that the name of the certificate archive file in .pfx format is eSight.pfx and the name of the CA certificate in .crt format is ca.crt.

Checking the Linux Operating System

Assume that you have logged in to the eSight server as the ossuser user. The eSight installation directory is /opt/eSight and the certificate is stored in /ossuser/cert/.

  1. Set environment variables.

    Run the following commands to set environment variables:

    > cd /ossuser/cert

    > export OPENSSL_CONF=/opt/eSight/mttools/etc/systool/certificate/openssl.cfg

  2. Export the certificate in .crt format from the certificate archive file in .pfx format.

    > /opt/eSight/mttools/tools/jks2pfx/openssl pkcs12 -in eSight.pfx -nokeys -out eSight.crt

    Enter the password of the eSight.pfx file as prompted. The command output is as follows:

    Enter Import Password: 
    MAC verified OK

    The certificate file eSight.crt is exported from eSight.pfx.

  3. Check the issuing relationship between eSight.crt and ca.crt.

    > /opt/eSight/mttools/tools/jks2pfx/openssl verify -CAfile ca.crt eSight.crt

    If eSight.crt is issued by ca.crt, the following information is displayed:

    eSight.crt: OK

  4. Check the certificate information about eSight.crt.

    > /opt/eSight/mttools/tools/jks2pfx/openssl x509 -in eSight.crt -text -noout

    The command output is as follows:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 9 (0x9)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=Jiangsu, O=Huawei Co.ltd, OU=eSight, CN=esight.huawei.com/emailAddress=esight@huawei.com
            Validity
                Not Before: Oct 07 19:27:33 2018 GMT
                Not After : Oct 07 19:27:33 2019 GMT
            Subject: C=CN, ST=Jiangsu, O=Huawei Co.ltd, OU=eSight, CN=esight.huawei.com/emailAddress=esight@huawei.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:b3:57:c7:28:37:9f:3d:6f:b6:ad:ce:35:cb:4a:
                        89:37:40:8a:ac:bb:42:ea:f1:a4:1d:56:52:4d:88:
                        18:d3:bb:fc:53:4a:28:89:e9:de:de:31:92:8a:27:
                        64:8f:38:23:2e:df:a2:04:e5:9d:94:7d:25:f3:6f:
                        dd:d5:3b:c8:01:2d:22:d4:41:47:02:cd:07:08:07:
                        6c:0c:c1:63:38:16:97:b5:67:31:41:48:5f:2b:8b:
                        90:84:5d:2b:e3:d3:68:bb:95:66:77:59:58:78:94:
                        ff:a5:1d:e6:3f:c2:67:60:9d:e0:fc:c1:5a:84:4a:
                        52:d1:f1:13:a3:6f:6e:ce:10:e6:10:4d:0b:97:42:
                        74:6b:8f:43:e2:ca:d5:23:62:c3:88:df:a4:3f:6f:
                        ba:5d:e4:54:3e:83:74:b0:b0:2c:23:dc:b1:46:25:
                        29:12:9c:5c:06:80:6c:b5:c3:fb:64:04:fe:13:01:
                        2b:1e:8f:6c:f2:40:08:aa:ba:7c:16:b5:cd:d7:d3:
                        98:6f:2d:58:d3:df:87:d1:3b:45:90:0d:65:4e:e8:
                        3d:7c:a7:ff:0e:98:21:bb:de:ca:d9:80:46:e8:d6:
                        98:95:d2:cb:86:64:1e:b8:ac:9b:4f:39:60:33:1b:
                        b5:3b:cd:ca:65:0a:cc:95:95:af:0b:bd:27:7d:b0:
                        7e:af
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Alternative Name:
                    DNS:esight.huawei.com, DNS:*.esight.huawei.com, IP Address:127.0.0.1
        Signature Algorithm: sha256WithRSAEncryption
             cc:fc:91:a2:d1:ed:03:2a:db:40:6a:62:99:e6:af:b7:f8:54:
             11:2d:d2:f4:d3:e9:e4:88:77:36:f5:f2:06:75:4e:51:da:ad:
             fc:db:6f:e8:0e:00:0a:e4:60:17:19:ca:59:c5:29:7f:8d:7f:
             95:4e:9a:38:60:0c:31:65:fe:97:7b:4d:e5:bb:12:0e:73:74:
             19:f5:26:c9:39:b1:3e:1d:d2:f1:ad:5e:a3:51:c3:cd:dd:ca:
             0a:1b:d4:1d:7b:07:04:0e:05:62:7c:ec:8c:7b:05:fa:22:a9:
             7f:1c:5a:83:1b:a7:d2:26:27:d0:55:ae:d3:63:fe:b6:40:9b:
             03:b1:70:66:29:a4:4d:c1:09:66:06:d3:da:8f:8d:2d:97:b6:
             45:ca:86:96:a1:f7:9d:70:22:ed:66:66:43:4e:09:43:17:b5:
             ab:69:8a:e0:12:90:f6:2c:3a:48:3c:c0:34:ff:3b:92:83:f1:
             a3:85:bd:60:66:2f:47:43:4c:60:e2:14:00:d6:1d:7f:9e:43:
             33:9a:64:c1:0a:c3:31:3f:d0:db:b7:84:a0:67:ba:0b:66:31:
             86:14:5e:a3:ef:88:19:31:54:4e:70:2e:dd:80:e1:cd:0d:fb:
             f8:33:f7:35:c3:2a:fd:93:29:f0:47:e2:37:c1:a2:f0:b2:5f:
             02:24:8e:21

    Note that the preceding command output is only an example.

    The following table describes the command output and requirements.

    Table 5-11 Certificate information and requirements

    Information                     | Example                                                      | Requirement
    --------------------------------|--------------------------------------------------------------|-------------------------------------------------------------------------------------------------------
    Signature Algorithm             | sha256WithRSAEncryption                                      | The value must be sha256WithRSAEncryption.
    Validity                        | -                                                            | The current time must be within this range; otherwise the certificate has expired or is not yet valid.
    Subject                         | -                                                            | The domain name in the Common Name (CN) must be specific. Wildcard names, for example *.huawei.com, are not supported.
    Public Key Algorithm            | rsaEncryption                                                | The value must be rsaEncryption.
    Public-Key                      | (2048 bit)                                                   | At least 2048 bits.
    X509v3 Key Usage                | Digital Signature, Non Repudiation, Key Encipherment         | Must contain Digital Signature.
    X509v3 Extended Key Usage       | TLS Web Server Authentication, TLS Web Client Authentication | Optional. If present, it must contain both Server Authentication and Client Authentication.
    X509v3 Subject Alternative Name | esight.huawei.com, *.huawei.com                              | Optional but recommended: since Google Chrome 58, certificates without this field are no longer trusted.

Checking the Windows Operating System

Assume that you have logged in to the eSight server as a user who can access the eSight directory. The eSight installation directory is D:\eSight and the certificate is stored in D:\cert\.

  1. Set environment variables.

    Run the following commands to set environment variables:

    > cd /d D:\cert

    > set OPENSSL_CONF=D:\eSight\mttools\etc\systool\certificate\openssl.cfg

  2. Export the certificate in .crt format from the certificate archive file in .pfx format.

    > D:\eSight\mttools\tools\jks2pfx\openssl.exe pkcs12 -in eSight.pfx -nokeys -out eSight.crt

    Enter the password of the eSight.pfx file as prompted. The command output is as follows:

    Enter Import Password: 
    MAC verified OK

    The certificate file eSight.crt is exported from eSight.pfx.

  3. Check the issuing relationship between eSight.crt and ca.crt.

    > D:\eSight\mttools\tools\jks2pfx\openssl.exe verify -CAfile ca.crt eSight.crt

    If eSight.crt is issued by ca.crt, the following information is displayed:

    eSight.crt: OK

  4. Check the certificate information about eSight.crt.

    • CLI mode:

    > D:\eSight\mttools\tools\jks2pfx\openssl.exe x509 -in eSight.crt -text -noout

    The command output is as follows:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 9 (0x9)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=Jiangsu, O=Huawei Co.ltd, OU=eSight, CN=esight.huawei.com/emailAddress=esight@huawei.com
            Validity
                Not Before: Oct 07 19:27:33 2018 GMT
                Not After : Oct 07 19:27:33 2019 GMT
            Subject: C=CN, ST=Jiangsu, O=Huawei Co.ltd, OU=eSight, CN=esight.huawei.com/emailAddress=esight@huawei.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:b3:57:c7:28:37:9f:3d:6f:b6:ad:ce:35:cb:4a:
                        89:37:40:8a:ac:bb:42:ea:f1:a4:1d:56:52:4d:88:
                        18:d3:bb:fc:53:4a:28:89:e9:de:de:31:92:8a:27:
                        64:8f:38:23:2e:df:a2:04:e5:9d:94:7d:25:f3:6f:
                        dd:d5:3b:c8:01:2d:22:d4:41:47:02:cd:07:08:07:
                        6c:0c:c1:63:38:16:97:b5:67:31:41:48:5f:2b:8b:
                        90:84:5d:2b:e3:d3:68:bb:95:66:77:59:58:78:94:
                        ff:a5:1d:e6:3f:c2:67:60:9d:e0:fc:c1:5a:84:4a:
                        52:d1:f1:13:a3:6f:6e:ce:10:e6:10:4d:0b:97:42:
                        74:6b:8f:43:e2:ca:d5:23:62:c3:88:df:a4:3f:6f:
                        ba:5d:e4:54:3e:83:74:b0:b0:2c:23:dc:b1:46:25:
                        29:12:9c:5c:06:80:6c:b5:c3:fb:64:04:fe:13:01:
                        2b:1e:8f:6c:f2:40:08:aa:ba:7c:16:b5:cd:d7:d3:
                        98:6f:2d:58:d3:df:87:d1:3b:45:90:0d:65:4e:e8:
                        3d:7c:a7:ff:0e:98:21:bb:de:ca:d9:80:46:e8:d6:
                        98:95:d2:cb:86:64:1e:b8:ac:9b:4f:39:60:33:1b:
                        b5:3b:cd:ca:65:0a:cc:95:95:af:0b:bd:27:7d:b0:
                        7e:af
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Alternative Name:
                    DNS:esight.huawei.com, DNS:*.esight.huawei.com, IP Address:127.0.0.1
        Signature Algorithm: sha256WithRSAEncryption
             cc:fc:91:a2:d1:ed:03:2a:db:40:6a:62:99:e6:af:b7:f8:54:
             11:2d:d2:f4:d3:e9:e4:88:77:36:f5:f2:06:75:4e:51:da:ad:
             fc:db:6f:e8:0e:00:0a:e4:60:17:19:ca:59:c5:29:7f:8d:7f:
             95:4e:9a:38:60:0c:31:65:fe:97:7b:4d:e5:bb:12:0e:73:74:
             19:f5:26:c9:39:b1:3e:1d:d2:f1:ad:5e:a3:51:c3:cd:dd:ca:
             0a:1b:d4:1d:7b:07:04:0e:05:62:7c:ec:8c:7b:05:fa:22:a9:
             7f:1c:5a:83:1b:a7:d2:26:27:d0:55:ae:d3:63:fe:b6:40:9b:
             03:b1:70:66:29:a4:4d:c1:09:66:06:d3:da:8f:8d:2d:97:b6:
             45:ca:86:96:a1:f7:9d:70:22:ed:66:66:43:4e:09:43:17:b5:
             ab:69:8a:e0:12:90:f6:2c:3a:48:3c:c0:34:ff:3b:92:83:f1:
             a3:85:bd:60:66:2f:47:43:4c:60:e2:14:00:d6:1d:7f:9e:43:
             33:9a:64:c1:0a:c3:31:3f:d0:db:b7:84:a0:67:ba:0b:66:31:
             86:14:5e:a3:ef:88:19:31:54:4e:70:2e:dd:80:e1:cd:0d:fb:
             f8:33:f7:35:c3:2a:fd:93:29:f0:47:e2:37:c1:a2:f0:b2:5f:
             02:24:8e:21

    Note that the preceding command output is only an example.

    The following table describes the command output and requirements.

    Table 5-12 Certificate information and requirements

    Information                     | Example                                                      | Requirement
    --------------------------------|--------------------------------------------------------------|-------------------------------------------------------------------------------------------------------
    Signature Algorithm             | sha256WithRSAEncryption                                      | The value must be sha256WithRSAEncryption.
    Validity                        | -                                                            | The current time must be within this range; otherwise the certificate has expired or is not yet valid.
    Subject                         | -                                                            | The domain name in the Common Name (CN) must be specific. Wildcard names, for example *.huawei.com, are not supported.
    Public Key Algorithm            | rsaEncryption                                                | The value must be rsaEncryption.
    Public-Key                      | (2048 bit)                                                   | At least 2048 bits.
    X509v3 Key Usage                | Digital Signature, Non Repudiation, Key Encipherment         | Must contain Digital Signature.
    X509v3 Extended Key Usage       | TLS Web Server Authentication, TLS Web Client Authentication | Optional. If present, it must contain both Server Authentication and Client Authentication.
    X509v3 Subject Alternative Name | esight.huawei.com, *.huawei.com                              | Optional but recommended: since Google Chrome 58, certificates without this field are no longer trusted.

    • GUI mode:

    On the Windows operating system, you can also view the certificate in the GUI: double-click the certificate file (eSight.crt) and, in the Certificate window that opens, click the Details tab. Table 5-12 describes the fields to check and their requirements.
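The rows of Table 5-11 (and the identical Table 5-12 for Windows) are easy to misread by eye in a long x509 dump, so here is a shell function, added for this page and not part of the eSight guide or its tools, that runs the verify step and every row of the table against an exported certificate. It is written for the Linux shell of the procedure above and assumes an openssl binary on PATH (the copy under <eSight installation directory>/mttools/tools/jks2pfx/ works the same way); the CA file name ca.crt and the PASS/FAIL/WARN wording are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the eSight guide): scripts the checks of Table 5-11/5-12
# on an exported eSight.crt. Assumes openssl on PATH; the eSight copy under
# <eSight installation directory>/mttools/tools/jks2pfx/ can be used instead.
set -u

# check_cert CERT CA_CERT
# Prints one PASS/FAIL/WARN line per requirement. Returns 0 only when every
# mandatory requirement passes, 1 on any failure, 2 if CERT cannot be read.
check_cert() {
    local cert="$1" ca="$2" text fail=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # Issuing relationship: the "openssl verify -CAfile" step of the procedure.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "PASS issuer: $cert is issued by $ca"
    else
        echo "FAIL issuer: $cert does not chain to $ca"; fail=1
    fi

    # Signature Algorithm must be sha256WithRSAEncryption (first occurrence in the dump).
    local sigalg
    sigalg=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ {print $3; exit}')
    if [ "$sigalg" = "sha256WithRSAEncryption" ]; then
        echo "PASS signature algorithm: $sigalg"
    else
        echo "FAIL signature algorithm: $sigalg (expected sha256WithRSAEncryption)"; fail=1
    fi

    # Validity: now must lie between notBefore and notAfter. The notBefore test
    # needs GNU date; elsewhere it is skipped and only expiry is checked.
    local nb nb_epoch
    nb=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
    if nb_epoch=$(date -u -d "$nb" +%s 2>/dev/null) && [ "$nb_epoch" -gt "$(date -u +%s)" ]; then
        echo "FAIL validity: not valid before $nb"; fail=1
    elif openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "PASS validity: certificate has not expired"
    else
        echo "FAIL validity: certificate has expired"; fail=1
    fi

    # Subject CN must be a specific host name; wildcards are not supported.
    local cn
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | grep -o 'CN=[^,]*' | head -n1 | cut -d= -f2-)
    case "$cn" in
        "")   echo "FAIL subject: no CN in subject"; fail=1 ;;
        *\**) echo "FAIL subject: wildcard CN '$cn' is not supported"; fail=1 ;;
        *)    echo "PASS subject: CN=$cn" ;;
    esac

    # Public key must be rsaEncryption with at least 2048 bits.
    # "(2048 bit)" is parsed via the parentheses so that both the
    # "Public-Key:" and the "RSA Public-Key:" spellings of older releases work.
    local pkalg bits
    pkalg=$(printf '%s\n' "$text" | awk '/Public Key Algorithm:/ {print $4; exit}')
    bits=$(printf '%s\n' "$text" | awk -F'[()]' '/Public-Key:/ {sub(/ .*/, "", $2); print $2; exit}')
    if [ "$pkalg" = "rsaEncryption" ] && [ "${bits:-0}" -ge 2048 ]; then
        echo "PASS public key: $pkalg, $bits bits"
    else
        echo "FAIL public key: $pkalg, ${bits:-?} bits (need rsaEncryption, at least 2048)"; fail=1
    fi

    # Key Usage must contain Digital Signature (values are on the line after the header).
    local ku
    ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ {getline; sub(/^ +/, ""); print; exit}')
    case "$ku" in
        *"Digital Signature"*) echo "PASS key usage: $ku" ;;
        *) echo "FAIL key usage: Digital Signature missing (got '$ku')"; fail=1 ;;
    esac

    # Extended Key Usage is optional; if present it needs both server and client auth.
    local eku
    eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ {getline; sub(/^ +/, ""); print; exit}')
    if [ -z "$eku" ]; then
        echo "PASS extended key usage: absent (optional)"
    elif printf '%s\n' "$eku" | grep -q 'TLS Web Server Authentication' &&
         printf '%s\n' "$eku" | grep -q 'TLS Web Client Authentication'; then
        echo "PASS extended key usage: $eku"
    else
        echo "FAIL extended key usage: needs both TLS Web Server Authentication and TLS Web Client Authentication"; fail=1
    fi

    # Subject Alternative Name is optional but recommended (Chrome 58+ ignores the CN).
    if printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name'; then
        echo "PASS subject alternative name: present"
    else
        echo "WARN subject alternative name: absent; browsers since Chrome 58 will not trust this certificate"
    fi

    return "$fail"
}

# Usage after step 2 of the procedure:  check_cert eSight.crt ca.crt
```

Because the return code is 0 only when every mandatory row passes, the function can gate a scripted deployment rather than relying on a visual read of the dump; a missing SAN only produces a WARN, matching the table, which calls the field optional.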

Using the Certificate Tool to Import the CA Certificate

eSight provides the certificate tool for you to import the CA certificate.

Prerequisites
  • You have obtained the CA certificate in .pfx format.
    NOTE:

    If the obtained certificate is customCrt.cer (with the extension .crt or .pem) and has a private key file customCrt.key, run the following command to convert the issued certificate into a .pfx file:

    openssl pkcs12 -export -in customCrt.cer -inkey customCrt.key -out customCrt.pfx

  • The signature algorithm of the CA certificate must be SHA256withRSA.
  • If the Key Usage extended field has been set for the CA certificate, the Key Usage field must contain Digital Signature.
  • If the Enhanced Key Usage extended field has been set for the CA certificate, the Enhanced Key Usage field must contain Server Authentication and Client Authentication.
  • The eSight service has been stopped.
Procedure
  • Windows
  1. Log in to the eSight server as the Administrator user.
    NOTE:

    If security hardening is performed on the Windows operating system, you need to log in to the server as the SWMaster user.

  2. Double-click the eSight Console shortcut icon on the desktop or choose Start > All Programs > eSight > eSight Console.
  3. In the eSight Console dialog box, choose Tools > Certificate Tool.
  4. In the Certificate Tool dialog box, select Import CA Certificate and click Next.
  5. Select a security certificate, enter the certificate password, select an issuer public key, and click Apply.
    • The issuer public key indicates the CA certificate used to issue a customer certificate, which can be a root certificate or a level-2 certificate. The issuer public key supports the .crt, .cer, and .p7b formats.
    • The new security certificate takes effect only after eSight is restarted.
    • If you select Automatic start and stop system, eSight is automatically started after the certificate is imported.
  • SUSE Linux
    NOTE:
    • In a Veritas HA system, ensure that the mountFileRes resource is online. For details, see Bringing a Resource Online.
    • In a local HA system, you need to perform the operations only on the active server. The standby server automatically synchronizes data from the active server. In a remote HA system, you need to perform the operations on both the active and standby servers.
  1. Log in to the eSight server as the ossuser user.
  2. Import the certificate.
    • Use a graphical tool to import the certificate. This method applies only to the SUSE Linux operating system.
      1. Start the certificate tool.

        cd eSight installation directory/mttools/tools

        ./catool.sh

      2. In the Certificate Tool dialog box, select Import CA Certificate and click Next.
      3. Select a security certificate, enter the certificate password, select an issuer public key, and click Apply.

        The issuer public key indicates the CA certificate used to issue a customer certificate, which can be a root certificate or a level-2 certificate. The issuer public key supports the .crt, .cer, and .p7b formats.

    • Run a command to import the certificate. This method is applicable to the SUSE Linux and EulerOS operating systems.

      es_cli -cmd catool -type ca -passwd Certificate password -certpath Certificate -publickey Issuer public key

      Certificate password: Enter the certificate password.

      Certificate: Select a certificate.

      Issuer public key: Indicates the CA certificate used to issue a customer certificate, which can be a root certificate or a level-2 certificate. The issuer public key supports the .crt, .cer, and .p7b formats.

  3. Restart eSight for the new security certificate to take effect.

Using the Certificate Tool to Generate and Replace the Self-signed Certificate

You can use the certificate tool provided by eSight to generate and replace the self-signed certificate.

Prerequisites

The eSight service has been stopped.

Context

The default password of the self-signed certificate generated by the certificate tool is Changeme_123.

Procedure
  • Windows
  1. Log in to the eSight server as the Administrator user.
    NOTE:

    If security hardening has been performed for the Windows operating system, you need to log in to the eSight server as the SWMaster user.

  2. Double-click the eSight Console shortcut icon on the desktop or choose Start > All Programs > eSight > eSight Console.
  3. In the eSight Console dialog box, choose Tools > Certificate Tool.
  4. In the Certificate Tool dialog box that is displayed, select Create Self-signed Certificate and click Next.
  5. Click Apply.
    • The new security certificate takes effect only after eSight is restarted.
    • If you select Automatic start and stop system, eSight is automatically started after the self-signed certificate is replaced.
  • SUSE Linux
    NOTE:
    • In a Veritas HA system, ensure that the mountFileRes resource is online. For details, see Bringing a Resource Online.
    • In a local HA system, you need to perform the operations only on the active server. The standby server automatically synchronizes data from the active server. In a remote HA system, you need to perform the operations on both the active and standby servers.
  1. Log in to the Linux operating system as the ossuser user.
  2. Start the certificate tool.

    cd eSight installation directory/mttools/tools

    ./catool.sh

  3. In the Certificate Tool dialog box that is displayed, select Create Self-signed Certificate and click Next.
  4. Click Apply.

    The new security certificate takes effect only after eSight is restarted.

Generating a CSR File Using the OpenSSL Tool

A Certificate Signing Request (CSR) file, together with a private key, is generated when an applicant applies for a digital certificate. After the applicant submits the CSR file to the certificate issuing organization, the issuing organization signs it with the private key of its root certificate and returns the issued certificate (the public key file).

Procedure
  1. Log in to the server.
    • In the Windows environment, log in to the server as the Administrator user.
    NOTE:

    If security hardening has been performed for the Windows operating system, you need to log in to the eSight server as the SWMaster user.

    • In the SUSE Linux environment, log in to the server as the ossuser user. (If the environment is deployed in a two-node cluster, log in to the active server.)
  2. Go to the OpenSSL tool directory eSight installation directory\mttools\tools\jks2pfx.
    • Windows

      Open the command-line interface and run the following command to go to the tool directory:

      cd /d eSight installation directory\mttools\tools\jks2pfx

    • SUSE Linux

      Run the following command to go to the tool directory:

      cd eSight installation directory/mttools/tools/jks2pfx/

  3. Copy the OpenSSL configuration file and set the OPENSSL_CONF variable.
    • Windows

      copy eSight installation directory\mttools\etc\systool\certificate\openssl.cfg openssl.cfg

      set OPENSSL_CONF=eSight installation directory\mttools\tools\jks2pfx\openssl.cfg

    • SUSE Linux

      cp eSight installation directory/mttools/etc/systool/certificate/openssl.cfg openssl.cfg

      export OPENSSL_CONF=eSight installation directory/mttools/tools/jks2pfx/openssl.cfg

  4. Generate the CSR file and private key.

    openssl req -new -sha256 -keyout customCrt.key -out customCrt.csr

    Enter the protection password of the private key and certificate information as prompted. The information in bold is mandatory.

    The following information is displayed:

    Generating a 2048 bit RSA private key
    .........................................................................+++
    ..........................................................................+++
    writing new private key to 'customCrt.key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:jiangsu
    Locality Name (eg, city) []:nanjing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:huawei
    Organizational Unit Name (eg, section) []:SPO
    Common Name (e.g. server FQDN or YOUR name) []:eSight.huawei.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    an optional country name []:

    NOTE:
    • PEM pass phrase: indicates the protection password of the private key. Save it properly.
    • Country Name: indicates the country code, which must be the same as that configured in the user certificate request.
    • Common Name: indicates the server address or domain name.
  5. Obtain the customCrt.key (private key) and customCrt.csr files from the eSight installation directory\mttools\tools\jks2pfx directory, and save them properly.
    NOTE:
    • After the customCrt.csr file is generated, submit it to the certificate issuing authority or the certificate server, which issues the certificate (customCrt.cer) for it.
    • Run the following command to convert the issued certificate to a .pfx file:

      openssl pkcs12 -export -in customCrt.cer -out customCrt.pfx -inkey customCrt.key
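The interactive session in step 4 can be scripted. The functions below are an added example for this page, not eSight's own tooling: make_csr is the non-interactive equivalent of step 4, check_csr inspects the request before it is submitted, and to_pfx is the conversion from the note under step 5. They assume an openssl binary on PATH and read the pass phrases from the CSR_KEY_PASS and PFX_PASS environment variables (variable names chosen for this example), so no password appears on a command line or in shell history; the DN defaults repeat the values typed in the session above.

```shell
#!/usr/bin/env bash
# Added example (not part of the eSight guide). Assumes openssl on PATH and the
# pass phrases in CSR_KEY_PASS (private key) and PFX_PASS (.pfx archive).
set -u

# make_csr KEY CSR COMMON_NAME [COUNTRY] [STATE] [LOCALITY] [ORG] [ORG_UNIT]
# Generates an encrypted 2048-bit RSA key and a SHA-256 signed request with the
# DN supplied as arguments instead of at the prompts. A minimal temporary config
# stands in for the openssl.cfg of step 3 (openssl req needs a distinguished_name
# section even when -subj is given); replace it with that file to keep its defaults.
make_csr() {
    local key="$1" csr="$2" cn="$3" c="${4:-CN}" st="${5:-jiangsu}"
    local l="${6:-nanjing}" o="${7:-huawei}" ou="${8:-SPO}" cfg rc
    [ -n "${CSR_KEY_PASS:-}" ] || { echo "CSR_KEY_PASS is not set" >&2; return 2; }
    cfg=$(mktemp)
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = overridden-by-subj\n' > "$cfg"
    openssl req -new -sha256 -newkey rsa:2048 -config "$cfg" \
        -keyout "$key" -passout env:CSR_KEY_PASS \
        -out "$csr" -subj "/C=$c/ST=$st/L=$l/O=$o/OU=$ou/CN=$cn" >/dev/null 2>&1
    rc=$?
    rm -f "$cfg"
    return "$rc"
}

# check_csr CSR EXPECTED_CN
# Verifies the request's self-signature (proof of possession of the private key)
# and that the request already satisfies the rows of Table 5-11 that depend on it:
# sha256WithRSAEncryption, rsaEncryption with at least 2048 bits, a specific CN.
# Returns 0 when all checks pass, 1 on a requirement failure, 2 on a bad request.
check_csr() {
    local csr="$1" want_cn="$2" text cn sigalg pkalg bits fail=0
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "FAIL request: self-signature does not verify"; return 2
    fi
    text=$(openssl req -in "$csr" -noout -text)
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | grep -o 'CN=[^,]*' | head -n1 | cut -d= -f2-)
    sigalg=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ {print $3; exit}')
    pkalg=$(printf '%s\n' "$text" | awk '/Public Key Algorithm:/ {print $4; exit}')
    # key size parsed via the parentheses of "(2048 bit)" so that the
    # "RSA Public-Key:" spelling of older releases is handled as well
    bits=$(printf '%s\n' "$text" | awk -F'[()]' '/Public-Key:/ {sub(/ .*/, "", $2); print $2; exit}')

    if [ "$cn" = "$want_cn" ]; then
        echo "PASS CN=$cn"
    else
        echo "FAIL CN='$cn' (expected $want_cn)"; fail=1
    fi
    case "$cn" in *\**) echo "FAIL wildcard CN is not supported"; fail=1 ;; esac
    if [ "$sigalg" = "sha256WithRSAEncryption" ]; then
        echo "PASS signature: $sigalg"
    else
        echo "FAIL signature: $sigalg (expected sha256WithRSAEncryption)"; fail=1
    fi
    if [ "$pkalg" = "rsaEncryption" ] && [ "${bits:-0}" -ge 2048 ]; then
        echo "PASS key: $pkalg, $bits bits"
    else
        echo "FAIL key: $pkalg, ${bits:-?} bits (need rsaEncryption, at least 2048)"; fail=1
    fi
    return "$fail"
}

# to_pfx CERT KEY PFX
# Bundles the issued certificate with the private key (the note under step 5);
# the key pass phrase comes from CSR_KEY_PASS, the archive password from PFX_PASS.
to_pfx() {
    [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS is not set" >&2; return 2; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -passin env:CSR_KEY_PASS -passout env:PFX_PASS >/dev/null 2>&1
}

# Usage:
#   CSR_KEY_PASS=... make_csr customCrt.key customCrt.csr esight.huawei.com
#   check_csr customCrt.csr esight.huawei.com
#   PFX_PASS=... to_pfx customCrt.cer customCrt.key customCrt.pfx   # after the CA returns customCrt.cer
```

Running check_csr before submission catches a request that would produce a certificate the tool later rejects (a wildcard CN, a short key, or SHA-1 from an old default config) while it is still cheap to regenerate; the issued certificate itself is then checked against Table 5-11 as described earlier in this section.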

Updated: 2019-08-03

Document ID: EDOC1100044373