How Can I Use Self-Signed Certificates to Fix the Privacy Error Displayed When I Attempt to Log In to DeviceManager?
Question
How can I use self-signed certificates to fix the privacy error displayed when I attempt to log in to DeviceManager?
Answer
You can replace the default security certificates of the DeviceManager server and user browser with self-signed security certificates and private key files to eliminate the privacy error displayed when you log in to DeviceManager. The configuration procedure is as follows:
- Prepare the OpenSSL environment.
- Prepare a Linux-based device where the OpenSSL tool is installed. (Generally, the OpenSSL tool has been pre-installed in a CentOS or Ubuntu system.) Run the openssl version command to verify that the OpenSSL tool version is 0.9.8j or later.
CTU1000047802:~ # openssl version
OpenSSL 0.9.8j-fips 07 Jan 2009
- Run the find / -name openssl.cnf command to locate the openssl.cnf file. Generally, the openssl.cnf file is under /etc/ssl.
CTU1000047802:/ # cd /etc/ssl
CTU1000047802:/etc/ssl # ls
ca.key  ca.pem  cacert.pem  cert.csr  certs  demoCA  openssl.cnf  private  private.key
- Open the openssl.cnf file and check the default CA directory.
CTU1000047802:/etc/ssl # cat openssl.cnf
- Add the subjectAltName option to [v3_req] in the openssl.cnf file.
The IP address is the management IP address of the storage system, XX.XX.109.96 in this example. If the storage system has multiple management IP addresses, configure all of them in the following format: IP:XX.XX.109.96, IP:XX.XX.109.97.
- Use the OpenSSL tool to generate CA private key and CA certificate files.
- Create directories and files related to certificate files.
CTU1000047802:/ # mkdir new9
CTU1000047802:/ # cd new9
CTU1000047802:/new9 # mkdir demoCA
CTU1000047802:/new9 # mkdir demoCA/csr demoCA/private demoCA/jks demoCA/newcerts
CTU1000047802:/new9 # touch demoCA/index.txt
CTU1000047802:/new9 # echo 03 > ./demoCA/serial
- Generate a CA private key file.
CTU1000047802:/new9 # openssl genrsa -out ./demoCA/private/ca.key 2048
Generating RSA private key, 1024 bit long modulus
........++++++
...............++++++
e is 65537 (0x10001)
- Generate a CA certificate file.
CTU1000047802:/new9 # openssl req -new -x509 -sha256 -extensions v3_ca -key ./demoCA/private/ca.key -out ./demoCA/newcerts/RootCA.crt -subj '/C=CN/ST=SiChuan/O=Huawei/L=ChengDu/CN=*.*.*.*/OU=IT Product Line' -days 5475
CN is the common name for the CA certificate. To avoid certificate alarms, set this parameter to *.*.*.*.
- Generate certificate files for the DeviceManager server.
- Generate a key file.
CTU1000047802:/new9 # openssl genrsa -out ./demoCA/private/deviceManager_key.pem 2048
Generating RSA private key, 2048 bit long modulus
.......+++
..............................................+++
e is 65537 (0x10001)
- Generate a certificate request file.
CTU1000047802:/new9 # openssl req -new -sha256 -extensions v3_req -key ./demoCA/private/deviceManager_key.pem -out ./demoCA/csr/deviceManager.csr -subj '/C=CN/ST=SiChuan/O=Huawei/L=ChengDu/CN=XX.XX.109.96/OU=IT Product Line' -days 3650
CN is the common name for the DeviceManager server certificate. To avoid certificate alarms, set this parameter to the management IP address of the storage system, XX.XX.109.96 in this example.
- Use the CA certificate and CA private key to sign the certificate request.
CTU1000047802:/new9 # openssl ca -batch -in ./demoCA/csr/deviceManager.csr -cert ./demoCA/newcerts/RootCA.crt -keyfile ./demoCA/private/ca.key -out ./demoCA/newcerts/deviceManager_cert.pem -days 3650 -md sha256 -extensions v3_req
Using configuration from /etc/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 3 (0x3)
    Validity
        Not Before: Jul 30 02:42:35 2018 GMT
        Not After : Jul 27 02:42:35 2028 GMT
    Subject:
        countryName               = CN
        stateOrProvinceName       = SiChuan
        organizationName          = Huawei
        organizationalUnitName    = IT Product Line
        commonName                = XX.XX.109.96
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
        X509v3 Subject Alternative Name:
            IP Address:XX.XX.109.96
Certificate is to be certified until Jul 27 02:42:35 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
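The [v3_req] section that the openssl.cnf step above edits, plus the checks worth running on the three generated files before they are imported, as an added shell example that is not part of the original answer. It assumes the openssl CLI is on the path; MGMT_IP is a constructed placeholder for the storage system's management IP, and the leaf is signed with openssl x509 -req instead of the openssl ca database used above so the whole thing runs in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original page: builds a throwaway CA and a
# DeviceManager leaf certificate carrying the [v3_req] subjectAltName from the
# procedure, then runs the checks worth doing before 'import ssl_certificate'.
# MGMT_IP is a constructed placeholder; set it to the real management IP.
MGMT_IP="${MGMT_IP:-192.0.2.96}"

# Minimal openssl.cnf; [v3_req] is the section the procedure edits.
write_cnf() {  # $1 = output path
  cat > "$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = IP:$MGMT_IP
[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
}

# Writes RootCA.crt, deviceManager_key.pem and deviceManager_cert.pem into $1.
# Signs with 'openssl x509 -req' instead of the page's 'openssl ca' so no
# demoCA database is needed; the leaf gets the same v3_req extensions.
make_demo_pki() {  # $1 = work dir
  write_cnf "$1/openssl.cnf"
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -key "$1/ca.key" -out "$1/RootCA.crt" \
    -config "$1/openssl.cnf" -extensions v3_ca -subj '/CN=*.*.*.*' -days 5475
  openssl genrsa -out "$1/deviceManager_key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$1/deviceManager_key.pem" -config "$1/openssl.cnf" \
    -out "$1/deviceManager.csr" -subj "/CN=$MGMT_IP"
  openssl x509 -req -sha256 -in "$1/deviceManager.csr" -CA "$1/RootCA.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -extfile "$1/openssl.cnf" \
    -extensions v3_req -out "$1/deviceManager_cert.pem" -days 3650 2>/dev/null
}

# Pre-import checks. Returns 0 when all pass, otherwise 1: leaf does not chain
# to RootCA.crt, 2: SAN lacks the management IP, 3: key does not match the
# certificate, 4: key file is password-protected (the import expects plain PEM).
check_cert() {  # $1 = dir with the three files; $2 = expected management IP
  openssl verify -CAfile "$1/RootCA.crt" "$1/deviceManager_cert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/deviceManager_cert.pem" -noout -text | grep -q "IP Address:$2" || return 2
  [ "$(openssl x509 -in "$1/deviceManager_cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/deviceManager_key.pem" -pubout)" ] || return 3
  grep -q ENCRYPTED "$1/deviceManager_key.pem" && return 4
  return 0
}
```

Run make_demo_pki and check_cert against a temporary directory to see the checks pass, then point check_cert at the real newcerts/private files (copied into one directory) before exporting them; a non-zero return code names which of the four checks failed.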
- Replace certificates.
- Use an FTP tool (such as FileZilla) to connect to the Linux environment where the OpenSSL tool is located and export the generated certificates and key file to the local PC.
- RootCA.crt
- deviceManager_cert.pem
- deviceManager_key.pem
- The RootCA.crt and deviceManager_cert.pem files are stored in the newcerts folder.
CTU1000047802:/new9/demoCA/newcerts # ls
03.pem  RootCA.crt  deviceManager_cert.pem
- The deviceManager_key.pem file is stored in the private folder.
CTU1000047802:/new9/demoCA/private # ls
ca.key  deviceManager_key.pem
In this example, the three files are exported to F:\replace.
- Use an FTP server tool to share the three exported files.
Specify the user, password, and port number of the FTP server. Set the share path to the directory where the three exported files are saved, F:\replace in this example. Set the IP address to the IP address of the local computer, XX.XX.117.211 in this example.
- Import the generated self-signed certificates to the storage system.
Log in to the storage system using the CLI. Run the import ssl_certificate command to import the shared certificate and key files, deviceManager_cert.pem and deviceManager_key.pem in this example.
- You must log in to the storage system using the CLI and import the certificate and key files shared through the FTP server in the previous step (4.b).
- The import ssl_certificate command must be executed on each controller to import the shared certificate and key files.
admin:/>import ssl_certificate ip=XX.XX.117.211 user=admin password=********* cert_file=deviceManager_cert.pem key_file=deviceManager_key.pem port=32 protocol=SFTP
DANGER: You are about to use an unencrypted SSL certificate to replace the current SSL certificate. Security risks may exist in the unencrypted certificate. This operation will cause DeviceManager automatically to restart, interrupting services.
The certificate you are about to import has the following security risks: a certificate loading error (the certificate fails to be loaded, the certificate key fails to be obtained, certificate public information fails to be obtained, the certificate signature algorithm fails to be obtained).
Suggestion:
1. Use an encrypted certificate to replace the current certificate.
2. Before running the command, confirm that you want to replace the SSL certificate.
Have you read danger alert message carefully?(y/n)y
Are you sure you really want to perform the operation?(y/n)y
Command executed successfully.
- Restart DeviceManager.
admin:/>change user_mode current_mode user_mode=developer
DANGER: You are about to switch to the developer view. Commands in this view must be run under the guidance of R&D engineers. You can choose whether to run this command. If you run this command to switch to the developer view, it means that you know risks of running commands in the developer view. Device vendors are not responsible for any loss or damage caused to the user or others by running commands in the developer view.
1. Running the command in the developer view may cause system reset, restart, offline, service interruption, data loss, and data inconsistency.
2. Running the command in the developer view may cause the performance to decrease.
3. Running the command in the developer view to delete or remove configurations may have impact on the service and data.
4. Running the command in the developer view may cause system alarms.
Suggestion: Run this command under the guidance of R&D engineers.
Have you read danger alert message carefully?(y/n)y
Are you sure you really want to perform the operation?(y/n)y
developer:/>reboot ism
DANGER: You are about to restart the DeviceManager for the storage system. This operation causes the DeviceManager unavailable temporarily.
Suggestion: Before performing this operation, ensure that all users have exit the DeviceManager.
Have you read danger alert message carefully?(y/n)y
Are you sure you really want to perform the operation?(y/n)y
Command executed successfully.
- Import the certificate file to the browser. The following uses Google Chrome (67.0) as an example.
For details about how to replace the security certificates of other browsers, see section "Importing a Security Certificate" in the DeviceManager Online Help.
- Open Google Chrome and choose Settings > Advanced > Manage Certificate > Trusted Root Certification Authorities > Import. The Certificate Import Wizard dialog box is displayed.
- Select and import the certificate file (RootCA.crt in this example) as prompted.
- Restart the browser after the certificate is successfully imported.
- Log in to the storage system again. No privacy error is generated.