
FusionStorage V100R006C30 Block Storage Service Disaster Recovery Feature Guide 03

Updating the Arbitration Certificates of the HyperMetro Service

Scenarios

This operation is used to update the arbitration certificates for FusionStorage Agent (FSA) nodes and the quorum server when the system is running properly to enhance system security.

SSL certificates of OMM include service certificates (certfile), service certificate private key files (private_key), and root certificates (ca_certfile) that issue service certificates.
  • Service certificates (certfile): specify the public key files, which exist in pairs with private key files. Issued by the root certificate, service certificates are used to encrypt sessions or data, ensuring the security of accessed requests.
  • Service certificate private key files (private_key): specify the private key files used to decrypt data encrypted by service certificates.
  • Root certificates (ca_certfile): specify the certificates used to verify service certificates during service accesses, ensuring that service certificates are issued by the same root certificate.
Trusted certificates are used for the communication with service certificates. Trusted certificates and service certificates are stored at the two communication ends, respectively. A trusted certificate can be a service certificate or the root certificate that issues the service certificate.
Precautions
  • After the initial installation of FusionStorage Block is complete, the system contains service certificates by default. To ensure system security, you are advised to update the certificates before using services.

  • You are advised to use one root certificate to issue all the service certificates. In this case, all the trusted certificates use the same root certificate.
  • The password must meet the following requirements:
    • The password must be a string of 8 to 32 characters.
    • The password cannot contain spaces.
    • The password must contain the following four types of characters:
      • Lowercase letters
      • Uppercase letters
      • Digits
      • Special characters, such as ~@#%^&,*()_=+|[{]};<.>/?-
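The following shell function is an added example, not part of the Huawei guide: it checks a candidate root-certificate password against the rules listed above before the password is handed to dsware_agent_tool. The special-character set is the one the guide lists; the function name and the messages it prints are this example's own.

```shell
#!/bin/sh
# Added example (not from the Huawei guide): validate a root-certificate password
# against the guide's policy: 8-32 characters, no spaces, and at least one
# lowercase letter, uppercase letter, digit and listed special character.
check_cert_password() {
  pw="$1"
  n=${#pw}
  # Length 8 to 32 characters
  if [ "$n" -lt 8 ] || [ "$n" -gt 32 ]; then
    echo "FAIL: length $n, must be 8 to 32"; return 1
  fi
  # No spaces anywhere in the string
  case "$pw" in
    *" "*) echo "FAIL: contains a space"; return 1 ;;
  esac
  # All four character classes must be present (LC_ALL=C keeps the ranges ASCII)
  printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]' \
    || { echo "FAIL: no lowercase letter"; return 1; }
  printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]' \
    || { echo "FAIL: no uppercase letter"; return 1; }
  printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]' \
    || { echo "FAIL: no digit"; return 1; }
  # Bracket expression: ']' first and '-' last so both are literal
  printf '%s' "$pw" | LC_ALL=C grep -q '[]~@#%^&,*()_=+|[{};<.>/?-]' \
    || { echo "FAIL: no special character from ~@#%^&,*()_=+|[{]};<.>/?-"; return 1; }
  echo "OK"
  return 0
}
```

Usage: `check_cert_password 'Demo@Pass123'` prints OK and returns 0; any violated rule is named on stdout and the function returns 1, so it can gate the encryption step in a script.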

Impact on the System

The third-party arbitration function is unavailable during the certificate updating process, but automatically recovers after the certificate update is completed.

Prerequisites

Conditions

  • If you need to use third-party certificates, you have obtained the root certificate file, client certificate file, private key file, and the certificate encryption password from the third-party CA. The root certificate, client certificate, and private key files are named rootCA.cer, client.cer, and client.key, respectively.
  • You have obtained the management IP address of a DR node and the password of user root.
  • You have obtained the management IP address of the active FusionStorage Manager (FSM) node and passwords of users dsware and root.
  • You have obtained the management address of the quorum server and the password of user root.

Procedure

    Obtain the certificates.

    1. Obtain the certificates.

      You can obtain the certificates in either of the following ways:

      • Obtain the certificates from a third party.
      • Manually create the certificates. For details, see Certificate Management > Creating a Certificate > Generating the Root Certificate and Certificate Management > Creating a Certificate > Issuing the Sub CA Certificate Using the Trust Certificate in the Block Storage Service Security Maintenance.
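Whichever way the certificates are obtained, the precaution above requires that the service certificate be issued by the same root certificate used as the trusted certificate on the other end. The following added example (not part of the Huawei guide) uses the OpenSSL command-line tool to confirm that before anything is uploaded: that client.cer chains to rootCA.cer, that it has not expired, and that client.key is the private key belonging to client.cer. The same check_cert_set function can be run on server.cer and rootCA.cer before the quorum-server import. It assumes openssl is installed on the node you run it from; make_demo_certs only builds throwaway certificates so the check can be exercised offline, and CERT_KEY_PASS is an assumed environment variable for a password-protected key.

```shell
#!/bin/sh
# Added example (not from the Huawei guide): pre-upload consistency checks on a
# certificate set, using the openssl CLI. Assumed file names follow the guide.

# check_cert_set CA LEAF [KEY]
#   Returns 0 when LEAF is issued by CA, is currently valid, and (if KEY is
#   given) KEY matches LEAF's public key. Prints the first failing check.
#   If KEY is password-protected, export the password as CERT_KEY_PASS.
check_cert_set() {
  ca="$1"; leaf="$2"; key="${3:-}"
  # Chain check: fails when LEAF was signed by a different root than CA
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
    || { echo "FAIL: $leaf is not issued by $ca"; return 1; }
  # Validity window: -checkend 0 fails if the certificate has already expired
  openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "FAIL: $leaf has expired"; return 1; }
  if [ -n "$key" ]; then
    # Compare the SubjectPublicKeyInfo from the certificate with the one
    # derived from the private key; they must be byte-identical.
    leaf_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" ${CERT_KEY_PASS:+-passin env:CERT_KEY_PASS} -pubout 2>/dev/null | openssl sha256)
    [ -n "$leaf_pub" ] && [ "$leaf_pub" = "$key_pub" ] \
      || { echo "FAIL: $key does not match $leaf"; return 1; }
  fi
  echo "OK: $leaf chains to $ca"
  return 0
}

# make_demo_certs DIR
#   Constructed test data only: a self-signed demo root, a client certificate
#   signed by it, and an unrelated CA to show the chain check rejecting a
#   wrong root. Never use these on a real node.
make_demo_certs() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/rootCA.key" -out "$d/rootCA.cer" \
    -subj "/CN=Demo Root CA" -days 3650 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/client.key" -out "$d/client.csr" \
    -subj "/CN=demo-client" >/dev/null 2>&1
  openssl x509 -req -in "$d/client.csr" -CA "$d/rootCA.cer" -CAkey "$d/rootCA.key" \
    -CAcreateserial -out "$d/client.cer" -days 365 >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/otherCA.key" -out "$d/otherCA.cer" \
    -subj "/CN=Unrelated CA" -days 3650 >/dev/null 2>&1
}
```

On a real node, run `check_cert_set rootCA.cer client.cer client.key` in the directory holding the obtained files, and `check_cert_set rootCA.cer server.cer` on the quorum-server certificate. If the service certificate was issued by a sub CA rather than directly by the root, pass the intermediate to openssl verify with -untrusted as well; the function above assumes the one-root layout the guide recommends.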

    Encrypt the password of the root certificate.

    1. Use PuTTY to log in to a DR node.
    2. Switch to user root and run the following command to encrypt the password of the root certificate:

      /opt/dsware/agent/tool/dsware_agent_tool --op encrypt_pwd_by_kmc --domain_id 103

      Enter the password of the root certificate as prompted and record the encrypted ciphertext.

      The command is successfully executed if information similar to the following is displayed:
      AAAAAgAAAAAAAABnAAAAAAAAAAUqkDfz+Ksrbsjin//Fdzz74bc3dBCz0riILw2G68f6LQAAAAAAAAAAAAAAEFdm4P+sZj7zTr2zWvwXaUE=

    Upload the certificates to the FSM Node.

    1. Use WinSCP to copy client.cer, client.key, and rootCA.cer to the /home/dsware directory on the active FSM node.

      Ensure that username dsware is used to establish the connection. The default password of user dsware is IaaS@OS-CLOUD9!.

      For details about how to use WinSCP, see Transferring a File Using WinSCP.

    2. Use PuTTY to log in to the active FSM node.

      Ensure that the management IP address and username dsware are used to establish the connection.

      If the public and private keys are used to authenticate the login, perform the operations based on Using PuTTY to Log In to a Node in Key Pair Authentication Mode.

    3. Run the following command and enter the password of user root to switch to user root:

      su - root

    4. Run the following commands to compress the certificate files in the /home/dsware directory:

      cd /home/dsware/

      zip -r replicationCertInfo.zip client.cer client.key rootCA.cer

    5. Run the following command to copy files to the specified directory:

      cp /home/dsware/replicationCertInfo.zip /opt/dsware/manager/setup/certificate/service/dr/

    6. Run the following command to open the certificate.properties file using the visual interface (vi) editor:

      vi /opt/dsware/manager/setup/certificate/service/dr/certificate.properties

    7. Press i to enter the editing mode.
    8. Modify the certificate.properties file.

      Change the value of certificatePassword to the generated ciphertext.

      The file content after modification is as follows:
      certificatePassword=AAAAAgAAAAAAAABnAAAAAAAAAAUqkDfz+Ksrbsjin//Fdzz74bc3dBCz0riILw2G68f6LQAAAAAAAAAAAAAAEFdm4P+sZj7zTr2zWvwXaUE=

    9. Press Esc and enter :wq.

      The system saves the modification and exits the vi editor.

    10. Run the following commands to change the certificate properties:

      chown omm:omm /opt/dsware/manager/setup/certificate/service/dr/certificate.properties

      chown omm:omm /opt/dsware/manager/setup/certificate/service/dr/replicationCertInfo.zip

      chmod 700 /opt/dsware/manager/setup/certificate/service/dr/certificate.properties

      chmod 700 /opt/dsware/manager/setup/certificate/service/dr/replicationCertInfo.zip
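Steps 6 through 10 above can be done without an interactive vi session, and the result can be verified before moving on. The following added example (not part of the Huawei guide) sets certificatePassword in certificate.properties in place, reads it back, and confirms that both files in the dr directory carry the mode 700 and the owner the guide requires. The directory and owner are parameters so the functions can be exercised against a scratch copy; on the FSM node they would be /opt/dsware/manager/setup/certificate/service/dr and omm, and the chown/chmod commands themselves stay as the guide gives them.

```shell
#!/bin/sh
# Added example (not from the Huawei guide): non-interactive update of
# certificatePassword plus a permission check for the dr certificate files.

# set_cert_password FILE CIPHERTEXT
#   Rewrite the certificatePassword= line (or append it if absent), keeping
#   every other line unchanged. Written to a temp file and renamed so a
#   partially written properties file is never left behind.
set_cert_password() {
  file="$1"; cipher="$2"
  tmp="$file.tmp.$$"
  awk -v val="$cipher" '
    /^certificatePassword=/ { print "certificatePassword=" val; done = 1; next }
    { print }
    END { if (!done) print "certificatePassword=" val }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_cert_password FILE : print the ciphertext currently stored
get_cert_password() {
  sed -n 's/^certificatePassword=//p' "$1"
}

# check_dr_cert_perms DIR OWNER
#   Verify certificate.properties and replicationCertInfo.zip in DIR exist,
#   are mode 700 and are owned by OWNER (omm on the FSM node). Prints one
#   line per problem and returns 1 if anything is off, 0 otherwise.
check_dr_cert_perms() {
  dir="$1"; owner="$2"; rc=0
  for f in certificate.properties replicationCertInfo.zip; do
    p="$dir/$f"
    [ -f "$p" ] || { echo "MISSING: $p"; rc=1; continue; }
    # GNU stat first, BSD stat as a fallback
    mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")
    user=$(stat -c '%U' "$p" 2>/dev/null || stat -f '%Su' "$p")
    [ "$mode" = "700" ] || { echo "BAD MODE $mode (want 700): $p"; rc=1; }
    [ "$user" = "$owner" ] || { echo "BAD OWNER $user (want $owner): $p"; rc=1; }
  done
  return $rc
}
```

Usage on the FSM node, as root after the chown and chmod commands: `set_cert_password /opt/dsware/manager/setup/certificate/service/dr/certificate.properties '<ciphertext from dsware_agent_tool>'` followed by `check_dr_cert_perms /opt/dsware/manager/setup/certificate/service/dr omm`. Note that awk's -v interprets backslash escapes, which is harmless for the base64 ciphertext the KMC tool produces.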

    Update certificates on DR nodes.

    1. Run the following command to switch to user dsware:

      su - dsware

    2. Run the following command to switch to the directory containing the dswareTool script:

      cd /opt/dsware/client/bin

    3. Run the following command to update certificates on the DR nodes:

      NOTE:

      Since the system has been hardened, you need to enter the username and password for login authentication after running the dswareTool command of FusionStorage Block. The default username is cmdadmin, and its default password is IaaS@PORTAL-CLOUD9!.

      The system supports authentication using environment variables so that you do not need to repeatedly enter the username and password for authentication each time you run the dswareTool command. For details, see Authentication Using Environment Variables.

      sh dswareTool.sh --op drCmd -subOp TransFileToFsaAndNotifyUpdate -controlClusterId id -fsaIp FSA1,FSA2...

      In the command, id specifies the control cluster ID, and FSA1,FSA2... specifies the IP addresses of the DR nodes.

      The command is successfully executed if the following information is displayed:
      Operation finish successfully. Result Code:0

    4. Run the following commands to delete the temporary files in the /home/dsware directory:

      rm -f /home/dsware/replicationCertInfo.zip

      rm /home/dsware/client.cer

      rm /home/dsware/client.key

      rm /home/dsware/rootCA.cer

    Update certificates on the quorum server.

    1. Use PuTTY to log in to the quorum server.
    2. Run the following command as user root to enter the command line mode:

      qsadmin

    3. Run the following command to export the certificate request file of the quorum server:

      export tls_cert

      After the command is successfully executed, certificate request file qs_certreq.csr is generated in the /opt/quorum_server/export_import directory on the quorum server.

    4. Run the following command to exit the command line mode:

      exit

    5. Generate the server certificate file using root certificate rootCA.cer and exported certificate request file qs_certreq.csr.

      You can generate the server certificate file using the following methods:

      • Obtain the certificate from a third party: send certificate request file qs_certreq.csr to the third-party CA, which generates the server certificate file.
      • Manually generate the certificate. For details, see Certificate Management > Creating a Certificate > Issuing the Sub CA Certificate Using the Trust Certificate in the Block Storage Service Security Maintenance.

    6. Use WinSCP to copy root certificate rootCA.cer and server certificate server.cer to /opt/quorum_server/export_import on the quorum server.
    7. Run the following commands to change the file properties:

      chown quorumsvr:quorumsvr /opt/quorum_server/export_import/rootCA.cer

      chown quorumsvr:quorumsvr /opt/quorum_server/export_import/server.cer

      In the command, quorumsvr is the default administrator account created to install the quorum server software.

    8. Run the following command to enter the command line mode:

      qsadmin

    9. Run the following command as user root to import the certificates to the quorum server software:

      import tls_cert ca=rootCA.cer cert=server.cer

Updated: 2019-01-17

Document ID: EDOC1100044928