No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
OceanStor 2810 V500R007 Basic Storage Service Configuration Guide for Block

This document is applicable to OceanStor 2810 V5. It describes the basic storage services and explains how to configure and manage them.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
How Can I Generate and Import VM VNC Server and Client Certificate Files?

How Can I Generate and Import VM VNC Server and Client Certificate Files?

For V500R007C71 and later versions, valid VM VNC server and client certificates must be available for opening the VM console on DeviceManager.

Generally, you can obtain VM VNC server and client certificate files using any of the following methods:

  • Export certificate request files from the storage system. In a third-party CA center, sign the certificate request files and export a CA certificate file, server certificate file, and client certificate file. For details, see Method 1.
  • Export certificate request files from the storage system. Use the OpenSSL tool to generate a CA certificate file, server certificate file, and client certificate file. For details, see Method 2.
  • Use the OpenSSL tool to generate a CA certificate file as well as server and client private key files, certificate request files, certificate files. For details, see Method 3.

Method 1

Export certificate request files from the storage system. In a third-party CA center, sign the certificate request files and export a CA certificate file, server certificate file, and client certificate file.

  1. Export certificate request files from the storage system.

    1. Log in to DeviceManager and choose Settings> Storage Settings > Value-added Service Settings > Credential Management.
    2. In Scenario, select VM VNC server certificate and click Export Request File.
    3. In the displayed Export Request File dialog box, select a certificate key algorithm and click OK.

    4. Save the certificate request file (.csr) to the local PC.
    5. Use the same method to export the certificate request file for the VM VNC client.

  2. Go to a third-party CA center website (such as VeriSign and GeoTrust), sign the certificate request files, and export the CA certificate file, signed server certificate file, and signed client certificate file.
  3. Import and activate the certificates on the storage system.

    1. Log in to DeviceManager and choose Settings> Storage Settings > Value-added Service Settings > Credential Management.
    2. In Scenario, select VM VNC server certificate and click Import and Activate.
    3. In the displayed Import and Activate dialog box, select the server certificate file and CA certificate file exported from the third-party certificate authority, and click OK.

    4. Similarly, select VM VNC client certificate in Scenario, and import and activate the client certificate file and CA certificate file exported from the third-party certificate authority.
    5. After the certificates are imported and activated, you can view their details in the Certificate Details area.

Method 2

Export certificate request files from the storage system. Use the OpenSSL tool to generate a CA certificate file, server certificate file, and client certificate file.

  1. Export certificate request files from the storage system.

    1. Log in to DeviceManager and choose Settings> Storage Settings > Value-added Service Settings > Credential Management.
    2. In Scenario, select VM VNC server certificate and click Export Request File.
    3. In the displayed Export Request File dialog box, select a certificate key algorithm and click OK.

    4. Save the certificate request file (.csr) to the local PC.
    5. Use the same method to export the certificate request file for the VM VNC client.

      In this example, the exported server certificate request file is certificate_server.csr and client certificate request file is certificate_client.csr.

  2. Use the OpenSSL tool on a Linux device to generate a CA private key and CA certificate. (Generally, the OpenSSL tool is pre-installed in Ubuntu and CentOS.)

    1. Run the openssl version command to verify that the OpenSSL tool has been installed.
      # openssl version 
OpenSSL 1.0.2k-fips  26 Jan 2017
    2. Create directories and files related to certificate files.
      # mkdir -p ./demoCA/certs 
# mkdir -p ./demoCA/crl 
# mkdir -p ./demoCA/newcerts 
# mkdir -p ./demoCA/private 
# touch ./demoCA/index.txt 
# touch ./demoCA/serial 
# echo "01" > ./demoCA/serial
    3. Use an FTP tool (such as Xftp) to connect to the Linux environment where the OpenSSL tool resides. Send the server certificate request file (certificate_server.csr) and client certificate request file (certificate_client.csr) exported from DeviceManager to the private key directory (./demoCA/private/).
    4. Generate a CA private key file.
      In this example, the CA private key file is cakey.pem and stored in ./demoCA/private/.
      # openssl genrsa -out ./demoCA/private/cakey.pem 2048
    5. Generate a CA certificate file.
      In this example, the CA certificate file is cacert.pem and stored in ./demoCA/newcerts/.
      # openssl req -new -x509 -days 3650 -key ./demoCA/private/cakey.pem -out ./demoCA/newcerts/cacert.pem -sha256 -subj "/C=CN/O=Huawei/OU=Storage/CN=VM"

  3. Generate a server certificate file.

    Use the CA private key and CA certificate generated in Step 2 and the server certificate request file exported from the storage system to generate a server certificate file. Ensure that the v3.ext file exists.

    In this example, the generated server certificate file is servercert.pem and stored in ./demoCA/newcerts/.

    # touch v3.ext
# openssl x509 -req -days 3650 -in ./demoCA/private/certificate_server.csr -CA ./demoCA/newcerts/cacert.pem -CAkey ./demoCA/private/cakey.pem -sha256 -set_serial 2 -out ./demoCA/newcerts/servercert.pem -extfile v3.ext

  4. Generate a client certificate file.

    Use the CA private key and CA certificate generated in Step 2 and the client certificate request file exported from the storage system to generate a client certificate file. Ensure that the v3.ext file exists.

    In this example, the generated client certificate file is clientcert.pem and stored in ./demoCA/newcerts/.

    # touch v3.ext
# openssl x509 -req -days 3650 -in ./demoCA/private/certificate_client.csr -CA ./demoCA/newcerts/cacert.pem -CAkey ./demoCA/private/cakey.pem -sha256 -set_serial 1 -out ./demoCA/newcerts/clientcert.pem -extfile v3.ext

  5. Import and activate the certificates on the storage system.

    1. Use an FTP tool (such as Xftp) to connect to the Linux environment where the OpenSSL tool resides and export the generated certificate and key files to the local PC.

      In this example, you need to export the following files:

      • Server certificate file servercert.pem, which is stored in ./demoCA/newcerts/
      • Client certificate file clientcert.pem, which is stored in ./demoCA/newcerts/
      • CA certificate file cacert.pem, which is stored in ./demoCA/newcerts/
    2. Log in to DeviceManager and choose Settings> Storage Settings > Value-added Service Settings > Credential Management.
    3. In Scenario, select VM VNC server certificate and click Import and Activate.
    4. In the displayed Import and Activate dialog box, select the generated server certificate file (servercert.pem) and CA certificate file (cacert.pem), and click OK.

      Ensure that the same CA certificate is imported for the VM VNC client and server certificates.

    5. Similarly, select VM VNC client certificate in Scenario, and import and activate the generated client certificate file (clientcert.pem) and CA certificate file (cacert.pem).
    6. After the certificates are imported and activated, view their details in the Certificate Details area and ensure that the CA certificate fingerprint information is the same for the VM VNC client and server certificates.
      Figure 8-1 Checking the fingerprint of the server CA certificate
      Figure 8-2 Checking the fingerprint of the client CA certificate

Method 3

Use the OpenSSL tool to generate a CA certificate file as well as server and client private key files, certificate request files, certificate files.

  1. Use the OpenSSL tool on a Linux device to generate a CA private key and CA certificate. (Generally, the OpenSSL tool is pre-installed in Ubuntu and CentOS.)

    1. Run the openssl version command to verify that the OpenSSL tool has been installed.
      # openssl version 
OpenSSL 1.0.2k-fips  26 Jan 2017
    2. Create directories and files related to certificate files.
      # mkdir -p ./demoCA/certs 
# mkdir -p ./demoCA/crl 
# mkdir -p ./demoCA/csr 
# mkdir -p ./demoCA/newcerts 
# mkdir -p ./demoCA/private 
# touch ./demoCA/index.txt 
# touch ./demoCA/serial 
# echo "01" > ./demoCA/serial
    3. Generate a CA private key file.
      In this example, the CA private key file is cakey.pem and stored in ./demoCA/private/.
      # openssl genrsa -out ./demoCA/private/cakey.pem 2048
    4. Generate a CA certificate file.
      In this example, the CA certificate file is cacert.pem and stored in ./demoCA/newcerts/.
      # openssl req -new -x509 -days 3650 -key ./demoCA/private/cakey.pem -out ./demoCA/newcerts/cacert.pem -sha256 -subj "/C=CN/O=Huawei/OU=Storage/CN=VM"

  2. Generate a server pirate key and certificate file.

    1. Generate a server private key file.
      In this example, the server private key file is serverkey.pem and stored in ./demoCA/private/.
      # openssl genrsa -out ./demoCA/private/serverkey.pem 2048
    2. Generate a server certificate request file and ensure that the v3.ext file exists.
      In this example, the generated server certificate request file is serverkey.csr and stored in ./demoCA/csr/.
      # openssl req -new -key ./demoCA/private/serverkey.pem -out ./demoCA/csr/serverkey.csr -sha256  -subj "/C=CN/O=Huawei/OU=Storage/CN=2102353RLQ10L5000XXX" 
 # touch v3.ext
      • Set CN to the SN of the storage system, for example, CN=2102353RLQ10L5000XXX.
      • You can obtain the SN of a storage system in the Basic Information area on the DeviceManager home page.
    3. Use the CA private key and CA certificate obtained in Step 1, server private key file, and certificate request file to generate a server certificate file.
      In this example, the generated server certificate file is servercert.pem and stored in ./demoCA/newcerts/.
      # openssl x509 -req -days 3650 -in ./demoCA/csr/serverkey.csr -CA ./demoCA/newcerts/cacert.pem -CAkey ./demoCA/private/cakey.pem -sha256 -set_serial 2 -out ./demoCA/newcerts/servercert.pem -extfile v3.ext

  3. Generate a client pirate key and certificate file.

    1. Generate a client private key file.
      In this example, the client private key file is clientkey.pem and stored in ./demoCA/private/.
      # openssl genrsa -out ./demoCA/private/clientkey.pem 2048
    2. Generate a client certificate request file and ensure that the v3.ext file exists.
      In this example, the generated client certificate request file is clientkey.csr and stored in ./demoCA/csr/.
      # openssl req -new -key ./demoCA/private/clientkey.pem -out ./demoCA/csr/clientkey.csr -sha256  -subj "/C=CN/O=Huawei/OU=Storage/CN=2102353RLQ10L5000XXX" 
# touch v3.ext
      • Set CN to the SN of the storage system, for example, CN=2102353RLQ10L5000XXX.
      • You can obtain the SN of a storage system in the Basic Information area on the DeviceManager home page.
    3. Use the CA private key and CA certificate obtained in Step 1, client private key file, and certificate request file to generate a client certificate file.
      In this example, the generated client certificate file is clientcert.pem and stored in ./demoCA/newcerts/.
      # openssl x509 -req -days 3650 -in ./demoCA/csr/clientkey.csr -CA ./demoCA/newcerts/cacert.pem -CAkey ./demoCA/private/cakey.pem -sha256 -set_serial 1 -out ./demoCA/newcerts/clientcert.pem -extfile v3.ext

  4. Import and activate the certificates on the storage system.

    1. Use an FTP tool (such as Xftp) to connect to the Linux environment where the OpenSSL tool resides and export the generated certificate and key files to the local PC.
      In this example, you need to export the following files:
      • Server certificate file servercert.pem, which is stored in ./demoCA/newcerts/
      • Server private key file serverkey.pem, which is stored in ./demoCA/private/
      • Client certificate file clientcert.pem, which is stored in ./demoCA/newcerts/
      • Client private key file clientkey.pem, which is stored in ./demoCA/private/
      • CA certificate file cacert.pem, which is stored in ./demoCA/newcerts/
    2. Log in to DeviceManager and choose Settings> Storage Settings > Value-added Service Settings > Credential Management.
    3. In Scenario, select VM VNC server certificate and click Import and Activate.
    4. In the displayed Import and Activate dialog box, select the generated server certificate file (servercert.pem), private key file (serverkey.pem), and CA certificate file (cacert.pem), and click OK.

      Ensure that the same CA certificate is imported for the VM VNC client and server certificates.

    5. Similarly, select VM VNC client certificate in Scenario, and import and activate the generated CA certificate file (cacert.pem), client private key file (clientkey.pem), and client certificate file (clientcert.pem).
    6. After the certificates are imported and activated, you can view their details in the Certificate Details area and ensure that the CA certificate fingerprint information is the same for the VM VNC client and server certificates.
      Figure 8-3 Checking the fingerprint of the server CA certificate
      Figure 8-4 Checking the fingerprint of the client CA certificate

Translation
简体中文
Download
Updated: 2023-09-13

Document ID: EDOC1100138513

Views: 57845

Downloads: 31

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :