FusionStorage V100R006C30 Block Storage Service Disaster Recovery Feature Guide 03

Creating a Certificate

Generating the Root Certificate

Scenarios
This section describes how administrators generate the root certificate. The root certificate is used for certificate updates in FusionStorage Block.
Impact on the System
This operation has no adverse impact on the system.
Prerequisites
You have obtained the management IP address of the active FusionStorage Manager (FSM) node and the passwords of users dsware and root.
NOTE:
The default passwords of users dsware and root are IaaS@OS-CLOUD9! and IaaS@OS-CLOUD8!, respectively.
Procedure

    1. Use PuTTY to log in to the active FSM node.

      Ensure that the management IP address and username dsware are used to establish the connection.

      If key pair authentication is used for the login, follow the instructions in "Using PuTTY to Log In to a Node in Key Pair Authentication Mode".

    2. Run the following command to create the directory for storing certificates:

      mkdir -p /home/dsware/genCert

    3. Run the following command and enter the password of user root to switch to user root:

      su - root

    4. Run the following command to switch to the directory containing the certificates:

      cd /home/dsware/genCert

    5. Run the following command and set the private key password as prompted to generate the private key file for the root certificate:

      openssl genrsa -aes256 -out root.key 2048

      root.key indicates the name of the generated private key file for the root certificate.

    6. Run the following command and enter the private key password as prompted to generate the root certificate:

      openssl req -new -x509 -sha256 -key root.key -out root.cer -subj "/CN=*.*.*.*/OU=FusionStorage/O=Huawei/L=Shenzhen/ST=GuangDong/C=CN" -days Certificate validity period

      In the preceding command, Certificate validity period is a placeholder for the number of days; you are advised to set it to 3650 days. root.key is the name of the private key file for the root certificate generated in step 5. root.cer is the name of the generated root certificate file.

    7. Run the following commands to change the owner and group of the root certificate and its private key file:

      chown dsware:omm root.cer

      chown dsware:omm root.key

    8. Use WinSCP to download the root certificate and its private key file to a local directory.

      Ensure that username dsware is used to establish the connection. The default password of user dsware is IaaS@OS-CLOUD9!.

      For details about how to use WinSCP, see Transferring a File Using WinSCP.

Issuing the Sub CA Certificate Using the Trust Certificate

Scenarios
This section describes how administrators issue a subordinate Certificate Authority (sub CA) certificate using the trust certificate. The sub CA certificate is used for certificate updates in FusionStorage Block.
Impact on the System
This operation has no adverse impact on the system.
Prerequisites
  • You have obtained the trust certificate, private key file of the trust certificate, and private key password of the trust certificate.
  • You have obtained the management IP address of the active FusionStorage Manager (FSM) node and the passwords of users dsware and root.
    NOTE:
    The default passwords of users dsware and root are IaaS@OS-CLOUD9! and IaaS@OS-CLOUD8!, respectively.
Procedure

    1. Use PuTTY to log in to the active FSM node.

      Ensure that the management IP address and username dsware are used to establish the connection.

      If key pair authentication is used for the login, follow the instructions in "Using PuTTY to Log In to a Node in Key Pair Authentication Mode".

    2. Run the following command to create the directory for storing certificates:

      mkdir -p /home/dsware/genCert

    3. Use WinSCP to copy the trust certificate and its private key file to the /home/dsware/genCert directory on the active FSM node.

      Ensure that username dsware is used to establish the connection. The default password of user dsware is IaaS@OS-CLOUD9!.

      For details about how to use WinSCP, see Transferring a File Using WinSCP.

    4. Run the following command and enter the password of user root to switch to user root:

      su - root

    5. Run the following command to switch to the directory containing the certificates:

      cd /home/dsware/genCert

    6. Run the following commands one by one to initialize the configuration files used for issuing certificates:

      rm -rf /etc/pki/CA/*.old

      touch /etc/pki/CA/index.txt

      echo 02 > /etc/pki/CA/serial

    7. Run the following command and set the private key password as prompted to generate the private key file of the sub CA certificate:

      openssl genrsa -aes256 -out subCA01.key 2048

      In the preceding command, subCA01.key specifies the generated private key file, and the file name is user-definable.

    8. Run the following command and enter the private key password as prompted to generate the request file of the sub CA certificate:

      openssl req -new -key subCA01.key -out subCA01.csr -subj "/CN=subCA01.csr/OU=FusionStorage/O=Huawei/L=Shenzhen/ST=GuangDong/C=CN"

      In the preceding command, subCA01.key specifies the private key file generated in step 7, and subCA01.csr specifies the generated request file, whose file name is user-definable.

    9. Run the following command and enter the trust certificate password as prompted to issue the sub CA certificate:

      openssl ca -extensions v3_ca -in subCA01.csr -config /etc/pki/tls/openssl.cnf -days Certificate validity period -out subCA01.cer -cert root.cer -keyfile root.key -batch

      In the preceding command, Certificate validity period is a placeholder for the number of days; you are advised to set it to 3650 days. subCA01.csr specifies the certificate request file generated in step 8, root.cer specifies the trust certificate, root.key specifies the private key file of the trust certificate, and subCA01.cer specifies the issued sub CA certificate, whose file name is user-definable.

      If other sub CA certificates need to be issued using the newly issued sub CA certificate, repeat steps 6 to 9.

    10. Run the following commands one by one to create a certificate chain for all the trust certificates and the final sub CA certificate:

      ...

      cat subCA02.cer >> subCAxx.cer

      cat subCA01.cer >> subCAxx.cer

      cat root.cer >> subCAxx.cer

      In the preceding commands, root.cer, subCA01.cer, and subCA02.cer are trust certificates. subCA01.cer is issued by root.cer, subCA02.cer is issued by subCA01.cer, and subCAxx.cer is the final sub CA certificate. The certificate chain is built in the reverse of the order in which the certificates were issued: the trust certificate that issued the final sub CA certificate is appended first, then the certificate that issued that trust certificate, and so on. Continue until all the trust certificates have been appended to the final sub CA certificate file, at which point the certificate chain is complete.

    11. Run the following commands to change the owner and group of the final sub CA certificate and its private key file:

      chown dsware:omm subCA01.key

      chown dsware:omm subCA01.cer

    12. Use WinSCP to copy the final sub CA certificate and its private key file to a local directory.

      Ensure that username dsware is used to establish the connection. The default password of user dsware is IaaS@OS-CLOUD9!.

      For details about how to use WinSCP, see Transferring a File Using WinSCP.
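
The checks below are an added example, not part of the guide: before the files from the two procedures above are downloaded and used, they confirm that a private key matches its certificate, that the sub CA certificate is marked as a CA, and that the step 10 chain file verifies against the root. The function names, the demo password, and the throwaway PKI are constructed for illustration; the demo uses a private config and `openssl x509 -req` in place of /etc/pki/tls/openssl.cnf and `openssl ca` so that it runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the guide: checks for the generated CA files.
DEMO_PASS='pass:Constructed-Demo-1'   # constructed demo password source

# key_matches_cert CERT KEY PASSIN -> 0 when KEY is the private key of CERT.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "$3" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# is_ca_cert CERT -> 0 when basicConstraints marks the certificate as a CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# bundle_verifies ROOT BUNDLE -> 0 when the first certificate in BUNDLE (the
# final sub CA) chains to ROOT via the other certificates in BUNDLE.
bundle_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed throwaway root and sub CA with the guide's
# file names. A private config stands in for /etc/pki/tls/openssl.cnf and
# "openssl x509 -req" for "openssl ca", so no CA database is needed.
make_demo_pki() {
    local d=$1 pw=$DEMO_PASS
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca.cnf"
    openssl genrsa -aes256 -passout "$pw" -out "$d/root.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -config "$d/ca.cnf" -extensions v3_ca -days 30 \
        -key "$d/root.key" -passin "$pw" -subj '/CN=Demo Root/O=Example' -out "$d/root.cer"
    openssl genrsa -aes256 -passout "$pw" -out "$d/subCA01.key" 2048 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -key "$d/subCA01.key" -passin "$pw" \
        -subj '/CN=Demo Sub CA/O=Example' -out "$d/subCA01.csr"
    openssl x509 -req -sha256 -in "$d/subCA01.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
        -passin "$pw" -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 30 \
        -out "$d/subCA01.cer" 2>/dev/null
    cat "$d/subCA01.cer" "$d/root.cer" > "$d/chain.cer"  # step 10 order: sub CA, then issuer
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_pki "$demo"
key_matches_cert "$demo/subCA01.cer" "$demo/subCA01.key" "$DEMO_PASS" && echo "key matches certificate"
is_ca_cert "$demo/subCA01.cer" && echo "subCA01.cer is a CA certificate"
bundle_verifies "$demo/root.cer" "$demo/chain.cer" && echo "chain verifies against root"
```

On the FSM node the three check functions can be pointed at the real root.cer, subCA01.cer, and chain file; pass `stdin` or a `file:` source as PASSIN so that the private key password does not appear on the command line.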

Updated: 2019-01-17

Document ID: EDOC1100044928
