OceanStor 2800 V5 V500R007 Installation Guide

This document applies to the OceanStor 2800 V5. It describes how to install the storage system hardware, including safety precautions before installation, cabinet installation, installation of devices inside the cabinet, cable installation, hardware installation checks, device power-on and checks, and grounding specifications.
How Do I Use a Self-Signed Certificate to Remove the Privacy Warning Displayed When Logging In to DeviceManager?

Question

How do I use a self-signed certificate to remove the privacy warning displayed when logging in to DeviceManager?

Answer

You can remove the privacy warning shown when logging in to DeviceManager by replacing the default security certificate on both the DeviceManager server side and the user's browser side with your own security certificate and private key file. The following is a configuration example:

  1. Prepare the OpenSSL environment.
    1. Prepare a Linux host with the OpenSSL tool installed (Ubuntu and CentOS usually ship it) and run openssl version to confirm that the OpenSSL version is 0.9.8j or later.
      CTU1000047802:~ # openssl version
      OpenSSL 0.9.8j-fips 07 Jan 2009
    2. Locate openssl.cnf (usually /etc/ssl/openssl.cnf; it can be found with find / -name openssl.cnf).
      CTU1000047802:/ # cd /etc/ssl
      CTU1000047802:/etc/ssl # ls
      ca.key  ca.pem  cacert.pem  cert.csr  certs  demoCA  openssl.cnf  private  private.key
    3. Check the default CA directory in openssl.cnf.
      CTU1000047802:/etc/ssl # cat openssl.cnf

    4. In the [ v3_req ] section of openssl.cnf, add the subjectAltName option, with the IP address set to the storage system's management IP address (XX.XX.109.96 in this example).

  2. Use OpenSSL to generate the CA private key and CA certificate.
    1. Create the directories and files for the certificates.
      CTU1000047802:/ # mkdir new9
      CTU1000047802:/ # cd new9
      CTU1000047802:/new9 # mkdir demoCA
      CTU1000047802:/new9 # mkdir demoCA/csr demoCA/private demoCA/jks demoCA/newcerts
      CTU1000047802:/new9 # touch demoCA/index.txt
      CTU1000047802:/new9 # echo 03 > ./demoCA/serial
    2. Generate the CA private key file.
      CTU1000047802:/new9 # openssl genrsa -out ./demoCA/private/ca.key 1024
      Generating RSA private key, 1024 bit long modulus
      ........++++++
      ...............++++++
      e is 65537 (0x10001)
    3. Generate the CA certificate file.
      CTU1000047802:/new9 # openssl req -new -x509 -sha256 -extensions v3_ca -key ./demoCA/private/ca.key -out ./demoCA/newcerts/RootCA.crt -subj '/C=CN/ST=SiChuan/O=Huawei/L=ChengDu/CN=*.*.*.*/OU=IT Product Line' -days 5475

      Here CN is the Common Name of the CA certificate. To avoid certificate warnings, set it to *.*.*.*.

  3. Generate the DeviceManager server certificate file.
    1. Generate the key file.
      CTU1000047802:/new9 # openssl genrsa -out ./demoCA/private/deviceManager_key.pem 2048
      Generating RSA private key, 2048 bit long modulus
      .......+++
      ..............................................+++
      e is 65537 (0x10001)
    2. Generate the certificate signing request file.
      CTU1000047802:/new9 # openssl req -new -sha256 -extensions v3_req -key ./demoCA/private/deviceManager_key.pem -out ./demoCA/csr/deviceManager.csr -subj '/C=CN/ST=SiChuan/O=Huawei/L=ChengDu/CN=XX.XX.109.96/OU=IT Product Line' -days 3650

      Here CN is the Common Name of the DeviceManager server certificate. To avoid certificate warnings, set it to the storage system's management IP address (XX.XX.109.96 in this example).

    3. Sign the certificate request with the CA certificate.
      CTU1000047802:/new9 # openssl ca -batch -in ./demoCA/csr/deviceManager.csr -cert ./demoCA/newcerts/RootCA.crt -keyfile ./demoCA/private/ca.key -out ./demoCA/newcerts/deviceManager_cert.pem -days 3650 -md sha256 -extensions v3_req
      Using configuration from /etc/ssl/openssl.cnf
      Check that the request matches the signature
      Signature ok
      Certificate Details:
              Serial Number: 3 (0x3)
              Validity
                  Not Before: Jul 30 02:42:35 2018 GMT
                  Not After : Jul 27 02:42:35 2028 GMT
              Subject:
                  countryName               = CN
                  stateOrProvinceName       = SiChuan
                  organizationName          = Huawei
                  organizationalUnitName    = IT Product Line
                  commonName                = XX.XX.109.96
              X509v3 extensions:
                  X509v3 Basic Constraints: 
                      CA:FALSE
                  X509v3 Key Usage: 
                      Digital Signature, Non Repudiation, Key Encipherment
                  X509v3 Subject Alternative Name: 
                      IP Address:XX.XX.109.96
      Certificate is to be certified until Jul 27 02:42:35 2028 GMT (3650 days)
      Write out database with 1 new entries
      Data Base Updated
  4. Replace the certificates.
    1. Use an FTP transfer tool (such as FileZilla) to connect to the Linux host where OpenSSL runs and export the generated certificate and key files to the local PC.

      In this example, the files to export are:

      • RootCA.crt
      • deviceManager_cert.pem
      • deviceManager_key.pem
      Note:
      • RootCA.crt and deviceManager_cert.pem are in the newcerts folder:
        CTU1000047802:/new9/demoCA/newcerts # ls
        03.pem  RootCA.crt  deviceManager_cert.pem
      • deviceManager_key.pem is in the private folder:
        CTU1000047802:/new9/demoCA/private # ls
        ca.key  deviceManager_key.pem

      In this example, the three exported files are saved in the replace folder on drive F of the local PC (F:\replace).

    2. Share the exported files with an FTP server tool.

      Set a user name, password and port number for the FTP server. Set the shared path to the folder holding the exported files (F:\replace in this example) and the IP address to the local PC's IP address (XX.XX.117.211 in this example).

    3. Import the generated self-signed certificate into the storage array.

      Log in to the storage array through the CLI and run import ssl_certificate to import the certificate and key files shared in step 4.b (deviceManager_cert.pem and deviceManager_key.pem in this example).

      admin:/>import ssl_certificate ip=XX.XX.117.211 user=admin password=********* cert_file=deviceManager_cert.pem key_file=deviceManager_key.pem port=32 protocol=SFTP
      DANGER: You are about to use an unencrypted SSL certificate to replace the current SSL certificate. Security risks may exist in the unencrypted certificate. This operation will cause DeviceManager automatically to restart, interrupting services. The certificate you are about to import has the following security risks: a certificate loading error (the certificate fails to be loaded, the certificate key fails to be obtained, certificate public information fails to be obtained, the certificate signature algorithm fails to be obtained).
      Suggestion:
      1. Use an encrypted certificate to replace the current certificate.
      2. Before running the command, confirm that you want to replace the SSL certificate.
      Have you read danger alert message carefully?(y/n)y
      Are you sure you really want to perform the operation?(y/n)y
      Command executed successfully.
    4. Restart DeviceManager.
      admin:/>change user_mode current_mode user_mode=developer
      DANGER: You are about to switch to the developer view. Commands in this view must be run under the guidance of R&D engineers. You can choose whether to run this command. If you run this command to switch to the developer view, it means that you know risks of running commands in the developer view. Device vendors are not responsible for any loss or damage caused to the user or others by running commands in the developer view.
      1. Running the command in the developer view may cause system reset, restart, offline, service interruption, data loss, and data inconsistency.
      2. Running the command in the developer view may cause the performance to decrease.
      3. Running the command in the developer view to delete or remove configurations may have impact on the service and data.
      4. Running the command in the developer view may cause system alarms.
      Suggestion: Run this command under the guidance of R&D engineers.
      Have you read danger alert message carefully?(y/n)y
      Are you sure you really want to perform the operation?(y/n)y
      developer:/>reboot ism
      DANGER: You are about to restart the DeviceManager for the storage system. This operation causes the DeviceManager unavailable temporarily.
      Suggestion: Before performing this operation, ensure that all users have exit the DeviceManager.
      Have you read danger alert message carefully?(y/n)y
      Are you sure you really want to perform the operation?(y/n)y
      Command executed successfully.
    5. Import the certificate file in the browser. Google Chrome (version 67.0) is used as an example.
      Note:

      For how to replace the security certificate in other browsers, see "Importing a Network Security Certificate" in the DeviceManager online help.

      1. Open Google Chrome and choose Settings > Advanced > Manage certificates > Trusted Root Certification Authorities > Import to open the certificate import wizard.
      2. Follow the wizard to select and import the certificate file (RootCA.crt in this example).
      3. After the import succeeds, restart the browser.
      4. Log in to the storage system again; the warning is no longer displayed.
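The following script, added here as an example and not part of the Huawei document, reproduces steps 1 to 3 above in one pass: it keeps the [ v3_ca ] and [ v3_req ] sections with the subjectAltName in a private config file instead of editing /etc/ssl/openssl.cnf, signs the DeviceManager request with the CA, and then runs the checks a browser performs once RootCA.crt is trusted. It assumes OpenSSL 1.0.2 or later; the management IP 192.0.2.96 is a constructed placeholder for the page's XX.XX.109.96.

```shell
# Added example, not from the Huawei document: build the same CA + DeviceManager
# certificate chain as the procedure above, keeping subjectAltName in a private
# config file instead of /etc/ssl/openssl.cnf, then verify it. Assumes OpenSSL >= 1.0.2.
set -eu

# make_devicemanager_certs <workdir> <management IP>  (the page's "XX.XX.109.96")
make_devicemanager_certs() {
    dir="$1"; mgmt_ip="$2"
    mkdir -p "$dir"
    # Stand-in for the page's edited openssl.cnf: v3_req carries the management-IP SAN.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = IP:$mgmt_ip
EOF
    # CA key and self-signed root certificate (2048-bit key here; the page uses 1024).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -config "$dir/openssl.cnf" -extensions v3_ca \
        -key "$dir/ca.key" -out "$dir/RootCA.crt" -days 5475 \
        -subj '/C=CN/ST=SiChuan/O=Huawei/L=ChengDu/CN=*.*.*.*/OU=IT Product Line'
    # DeviceManager key and CSR; the CN is the management IP, as in the page.
    openssl genrsa -out "$dir/deviceManager_key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/openssl.cnf" -key "$dir/deviceManager_key.pem" \
        -out "$dir/deviceManager.csr" \
        -subj "/C=CN/ST=SiChuan/O=Huawei/L=ChengDu/CN=$mgmt_ip/OU=IT Product Line"
    # Sign with the CA and attach v3_req (CA:FALSE + SAN); x509 -req needs no demoCA database.
    openssl x509 -req -sha256 -days 3650 -in "$dir/deviceManager.csr" \
        -CA "$dir/RootCA.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_req -out "$dir/deviceManager_cert.pem" 2>/dev/null
}

# verify_devicemanager_cert <workdir> <management IP>: the checks a browser makes once
# RootCA.crt is imported: leaf chains to root, root is a CA, SAN names the IP. 0 = all hold.
verify_devicemanager_cert() {
    dir="$1"; mgmt_ip="$2"
    openssl verify -CAfile "$dir/RootCA.crt" "$dir/deviceManager_cert.pem" >/dev/null &&
    openssl x509 -in "$dir/RootCA.crt" -noout -text | grep -q 'CA:TRUE' &&
    openssl x509 -in "$dir/deviceManager_cert.pem" -noout -text | grep -q "IP Address:$mgmt_ip"
}

# Stand-alone run with a constructed management IP from the TEST-NET documentation range.
work=$(mktemp -d); make_devicemanager_certs "$work" 192.0.2.96
verify_devicemanager_cert "$work" 192.0.2.96 && echo "chain and SAN OK in $work"
```

The files written to the work directory (RootCA.crt, deviceManager_cert.pem, deviceManager_key.pem) map one-to-one onto the three files exported in step 4.a.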

Updated: 2019-07-11

Document ID: EDOC1000181534