How Do I Remove the Privacy Warning Displayed When I Log In to DeviceManager?
Question
How do I remove the privacy warning displayed when I log in to DeviceManager?
Answer
Replace the certificate with one issued by a Certificate Authority (CA).
- Generate the private key and request file.
- Prepare a Linux-based device where the OpenSSL tool is installed (generally, the OpenSSL tool has been pre-installed in a CentOS or Ubuntu system). Run the openssl version command to verify that the OpenSSL tool version is 1.0.2a or later.
# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
- Create a temporary directory, for example, /tmp/cert, and go to the directory.
- Create and edit the ssl.conf file.
# vi ssl.conf
Copy the following content to the ssl.conf file:
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SC
localityName = Locality Name (eg, city)
localityName_default = CD
organizationName = Organization Name (eg, company)
organizationName_default = Huawei
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Storage
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = xx.xx.xx.xx

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
IP.1 = xx.xx.xx.xx
IP.2 = yy.yy.yy.yy
DNS.1 = aaa.bbb
DNS.2 = ccc.ddd

[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
Replace xx.xx.xx.xx and yy.yy.yy.yy in the preceding information with the management IP addresses of the storage system, and aaa.bbb and ccc.ddd with the domain names to be changed. All management IP addresses or domain names are required.
- Generate a DeviceManager private key file named deviceManager_key.pem.
openssl genrsa -out deviceManager_key.pem 2048
- Generate a DeviceManager certificate request file named device_manager.csr.
openssl req -new -key deviceManager_key.pem -out device_manager.csr -config ssl.conf -subj "/C=cn/ST=sc/L=cd/O=huawei/OU=storage/CN=xx.xx.xx.xx"
CN indicates the common name of the DeviceManager certificate. Set it to the management IP address or domain name of the storage system to prevent alarms. If there are multiple management IP addresses or domain names, choose one.
- Request a certificate.
- Enter http://x.x.x.x/certsrv/ in the address box of the browser. x.x.x.x indicates the IP address of the CA authentication service.
Perform as follows:
- Open request file device_manager.csr, copy the content to the request file text box, and submit it.
- The CA issues the certificate.
Log in to the CA server and perform as follows:
- Download the certificate.
- Enter http://x.x.x.x/certsrv/ in the address box of the browser. x.x.x.x indicates the IP address of the CA authentication service.
Perform as follows:
- After the download is complete, rename the certificate file to deviceManager_cert.pem.
- Download the CA certificate.
- Enter http://x.x.x.x/certsrv/ in the address box of the browser. x.x.x.x indicates the IP address of the CA authentication service.
Perform as follows:
- Name the downloaded CA certificate file RootCA.crt.
- Replace the certificate.
- Use an FTP tool (such as FileZilla) to connect to the Linux environment where the OpenSSL tool is installed and transfer the certificates and private key file to a local directory. Exported files include:
- RootCA.crt
- deviceManager_cert.pem
- deviceManager_key.pem
In this example, the three exported files are saved in F:\replace on the local computer.
- Use an FTP server tool to share the three exported files.
Set the user name, password, and port number of the FTP server. Set the shared path to the exported file save path and the IP address to that of the local computer. The path and IP address in this example are F:\replace and XX.XX.117.211, respectively.
- Import the generated self-signed certificates to the storage system.
Log in to the storage system using the CLI. Run the import ssl_certificate command to import the certificate and key file shared in 4.b, deviceManager_cert.pem and deviceManager_key.pem in this example.
- You must log in to the storage system using the CLI and import the certificate and key file shared in 4.b.
- The import ssl_certificate command must be executed on each controller to import the shared certificate and key file.
admin:/>import ssl_certificate ip=XX.XX.117.211 user=admin password=********* cert_file=deviceManager_cert.pem key_file=deviceManager_key.pem port=32 protocol=SFTP
DANGER: You are about to use an unencrypted SSL certificate to replace the current SSL certificate. Security risks may exist in the unencrypted certificate. This operation will cause DeviceManager automatically to restart, interrupting services.
The certificate you are about to import has the following security risks: a certificate loading error (the certificate fails to be loaded, the certificate key fails to be obtained, certificate public information fails to be obtained, the certificate signature algorithm fails to be obtained).
Suggestion:
1. Use an encrypted certificate to replace the current certificate.
2. Before running the command, confirm that you want to replace the SSL certificate.
Have you read danger alert message carefully?(y/n)y
Are you sure you really want to perform the operation?(y/n)y
Command executed successfully.
- Restart DeviceManager.
admin:/>change user_mode current_mode user_mode=developer
DANGER: You are about to switch to the developer view. Commands in this view must be run under the guidance of R&D engineers. You can choose whether to run this command. If you run this command to switch to the developer view, it means that you know risks of running commands in the developer view. Device vendors are not responsible for any loss or damage caused to the user or others by running commands in the developer view.
1. Running the command in the developer view may cause system reset, restart, offline, service interruption, data loss, and data inconsistency.
2. Running the command in the developer view may cause the performance to decrease.
3. Running the command in the developer view to delete or remove configurations may have impact on the service and data.
4. Running the command in the developer view may cause system alarms.
Suggestion: Run this command under the guidance of R&D engineers.
Have you read danger alert message carefully?(y/n)y
Are you sure you really want to perform the operation?(y/n)y
developer:/>reboot ism
DANGER: You are about to restart the DeviceManager for the storage system. This operation causes the DeviceManager unavailable temporarily.
Suggestion: Before performing this operation, ensure that all users have exit the DeviceManager.
Have you read danger alert message carefully?(y/n)y
Are you sure you really want to perform the operation?(y/n)y
Command executed successfully.
- Import the certificate file to the browser. The following uses Google Chrome (67.0) as an example.
- Open Google Chrome and choose Settings > Advanced > Manage Certificate > Trusted Root Certification Authorities > Import. The Certificate Import Wizard dialog box is displayed.
- Select and import the certificate file (RootCA.crt in this example) as prompted.
- Restart the browser after the certificate is successfully imported.
- Log in to the storage system again. No privacy error is generated.
For details about how to replace the security certificate of other browsers, see "Importing a Security Certificate" in the DeviceManager Online Help.
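Added example (not part of the original procedure or of the vendor's tooling): a shell pre-check to run on the Linux host before import ssl_certificate. It confirms that the issued certificate matches deviceManager_key.pem, verifies against RootCA.crt, and still carries the subjectAltName entries from ssl.conf. The function names, the 192.0.2.10 and storage.example.test values, and the throwaway local CA in build_sample are assumptions made so the script runs offline.

```sh
# Added example: pre-import checks for the three files this procedure produces.
# Function names, 192.0.2.10 / storage.example.test and the throwaway CA in
# build_sample are constructed for the demonstration.

# Print the subjectAltName entries of a CSR ("req") or certificate ("x509").
sans() {  # usage: sans req|x509 FILE
    openssl "$1" -in "$2" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed 's/^ *//'
}
# Succeed only if the private key and the certificate hold the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
# Succeed only if CERT verifies against the downloaded CA certificate.
chain_ok() {  # usage: chain_ok CA_CERT CERT
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}
# Run all checks on DIR; each NAME must appear in the issued certificate's SANs.
precheck() {  # usage: precheck DIR "IP Address:192.0.2.10" "DNS:storage.example.test"
    dir=$1; shift
    key_matches_cert "$dir/deviceManager_key.pem" "$dir/deviceManager_cert.pem" ||
        { echo "key does not match certificate"; return 1; }
    chain_ok "$dir/RootCA.crt" "$dir/deviceManager_cert.pem" ||
        { echo "certificate does not verify against RootCA.crt"; return 1; }
    for n in "$@"; do
        sans x509 "$dir/deviceManager_cert.pem" | grep -qxF "$n" ||
            { echo "SAN missing from certificate: $n"; return 1; }
    done
}
# Build constructed sample files in DIR; a local CA stands in for the CA server.
build_sample() (
    set -e; mkdir -p "$1"; cd "$1"
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'req_extensions = req_ext' \
        '[ dn ]' 'commonName = Common Name' '[ req_ext ]' \
        'subjectAltName = @alt_names' '[ alt_names ]' 'IP.1 = 192.0.2.10' \
        'DNS.1 = storage.example.test' '[ v3_ca ]' 'basicConstraints = CA:true' > ssl.conf
    openssl genrsa -out deviceManager_key.pem 2048 2>/dev/null
    openssl req -new -key deviceManager_key.pem -out device_manager.csr \
        -config ssl.conf -subj "/O=Example/CN=192.0.2.10"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca_key.pem -out RootCA.crt \
        -days 2 -config ssl.conf -extensions v3_ca -subj "/CN=Constructed Test CA" 2>/dev/null
    openssl x509 -req -in device_manager.csr -CA RootCA.crt -CAkey ca_key.pem \
        -CAcreateserial -days 2 -extfile ssl.conf -extensions req_ext \
        -out deviceManager_cert.pem 2>/dev/null
)
# Stand-alone use: sh precheck.sh DIR NAME...
[ $# -eq 0 ] || precheck "$@"
```

On real files, pass the directory holding the three files followed by one "IP Address:..." or "DNS:..." argument for each management address listed under [alt_names]; sans req device_manager.csr shows the same list as it was requested, before the CSR is submitted.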