
How Can I Use Self-Signed Certificates to Fix the Privacy Error Displayed When I Attempt to Log In to DeviceManager?

Latest reply: Aug 9, 2018 12:35:32

Question

How can I use self-signed certificates to fix the privacy error displayed when I attempt to log in to DeviceManager?


Answer

You can replace the default security certificates of the DeviceManager server and user browser with self-signed security certificates and private key files to eliminate the privacy error displayed when you log in to DeviceManager. The configuration procedure is as follows:

Step 1: Prepare the OpenSSL environment.

1. Prepare a Linux-based device where the OpenSSL tool is installed. (Generally, the OpenSSL tool has been pre-installed in a CentOS or Ubuntu system.) Run the openssl version command to verify that the OpenSSL tool version is 0.9.8j or later.

CTU1000047802:~ # openssl version
OpenSSL 0.9.8j-fips 07 Jan 2009

2. Run the find / -name openssl.cnf command to identify the location of the openssl.cnf file.

Generally, the openssl.cnf file is under /etc/ssl.

CTU1000047802:/ # cd /etc/ssl
CTU1000047802:/etc/ssl # ls
ca.key  ca.pem  cacert.pem  cert.csr  certs  demoCA  openssl.cnf  private  private.key

3. Open the openssl.cnf file and check the default CA directory.

CTU1000047802:/etc/ssl # cat openssl.cnf


4. Add the subjectAltName option to the [v3_req] section of the openssl.cnf file, with the IP address set to the management IP address of the storage system (XX.XX.109.96 in this example).

Step 2: Use the OpenSSL tool to generate CA private key and CA certificate files.

1. Create directories and files related to certificate files.

CTU1000047802:/ # mkdir new9
CTU1000047802:/ # cd new9
CTU1000047802:/new9 # mkdir demoCA
CTU1000047802:/new9 # mkdir demoCA/csr demoCA/private demoCA/jks demoCA/newcerts
CTU1000047802:/new9 # touch demoCA/index.txt
CTU1000047802:/new9 # echo 03 > ./demoCA/serial

2. Generate a CA private key file.

CTU1000047802:/new9 # openssl genrsa -out ./demoCA/private/ca.key 1024
Generating RSA private key, 1024 bit long modulus
........++++++
...............++++++
e is 65537 (0x10001)

3. Generate a CA certificate file.

CTU1000047802:/new9 # openssl req -new -x509 -sha256 -extensions v3_ca -key ./demoCA/private/ca.key -out ./demoCA/newcerts/RootCA.crt -subj '/C=CN/ST=SiChuan/O=Huawei/L=ChengDu/CN=*.*.*.*/OU=IT Product Line' -days 5475

CN is the common name for the CA certificate. To avoid certificate alarms, set this parameter to *.*.*.*.

Step 3: Generate certificate files for the DeviceManager server.

1. Generate a key file.

CTU1000047802:/new9 # openssl genrsa -out ./demoCA/private/deviceManager_key.pem 2048
Generating RSA private key, 2048 bit long modulus
.......+++
..............................................+++
e is 65537 (0x10001)

2. Generate a certificate request file.

CTU1000047802:/new9 # openssl req -new -sha256 -extensions v3_req -key ./demoCA/private/deviceManager_key.pem -out ./demoCA/csr/deviceManager.csr -subj '/C=CN/ST=SiChuan/O=Huawei/L=ChengDu/CN=XX.XX.109.96/OU=IT Product Line' -days 3650

CN is the common name for the DeviceManager server certificate. To avoid certificate alarms, set this parameter to the management IP address of the storage system, XX.XX.109.96 in this example.

3. Use the CA certificate and CA private key to sign the certificate request.

CTU1000047802:/new9 # openssl ca -batch -in ./demoCA/csr/deviceManager.csr -cert ./demoCA/newcerts/RootCA.crt -keyfile ./demoCA/private/ca.key -out ./demoCA/newcerts/deviceManager_cert.pem -days 3650 -md sha256 -extensions v3_req
Using configuration from /etc/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 3 (0x3)
        Validity
            Not Before: Jul 30 02:42:35 2018 GMT
            Not After : Jul 27 02:42:35 2028 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = SiChuan
            organizationName          = Huawei
            organizationalUnitName    = IT Product Line
            commonName                = XX.XX.109.96
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                IP Address:XX.XX.109.96
Certificate is to be certified until Jul 27 02:42:35 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
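The following shell script is an added example and is not part of the original answer. It performs the generation steps above (the [v3_req] subjectAltName entry from Step 1, the CA from Step 2 and the server key, request and signed certificate from Step 3) in a scratch directory and then verifies the result offline before anything is imported. It differs from the answer in a few deliberate ways: it writes its own openssl.cnf instead of editing /etc/ssl/openssl.cnf, it signs the request with openssl x509 -req rather than openssl ca and the demoCA database, it uses 2048-bit keys for both the CA and the server, and the management IP (192.0.2.96), organization name and directory are placeholders to replace with your own values. The two checks at the end catch mistakes that produce a certificate which imports fine but still triggers a browser error: a certificate without the IP SAN (current browsers match the address against the SAN, not the CN) and a private key that does not belong to the certificate.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA and a
# SAN-bearing DeviceManager server certificate, then verify them offline.
# Assumptions (constructed, not from the post): MGMT_IP is a placeholder
# management IP, "Example Org" is a placeholder organization, and WORK is a
# scratch directory. Key sizes are 2048 bits for both CA and server key.
set -eu

MGMT_IP="${MGMT_IP:-192.0.2.96}"   # placeholder: use the storage system's management IP
WORK="${WORK:-$(mktemp -d)}"

# Private openssl.cnf: v3_ca for the root, v3_req for the server certificate.
# The subjectAltName line is the entry the answer adds to [v3_req].
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
C  = CN
O  = Example Org
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = IP:$MGMT_IP
EOF
}

# Step 2 equivalent: CA private key and self-signed root certificate.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -config "$WORK/openssl.cnf" -extensions v3_ca \
        -key "$WORK/ca.key" -out "$WORK/RootCA.crt" \
        -subj '/C=CN/O=Example Org/CN=Example Private Root CA' -days 5475
}

# Step 3 equivalent: server key, request, and CA-signed certificate.
# -extfile/-extensions copies the v3_req section (with the SAN) into the certificate.
make_server_cert() {
    openssl genrsa -out "$WORK/deviceManager_key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -config "$WORK/openssl.cnf" \
        -key "$WORK/deviceManager_key.pem" -out "$WORK/deviceManager.csr" \
        -subj "/C=CN/O=Example Org/CN=$MGMT_IP"
    openssl x509 -req -sha256 -days 3650 -in "$WORK/deviceManager.csr" \
        -CA "$WORK/RootCA.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions v3_req \
        -out "$WORK/deviceManager_cert.pem" 2>/dev/null
}

# Returns 0 if the server certificate chains to RootCA.crt and carries the IP SAN.
verify_chain() {
    openssl verify -CAfile "$WORK/RootCA.crt" "$WORK/deviceManager_cert.pem" >/dev/null &&
    openssl x509 -in "$WORK/deviceManager_cert.pem" -noout -text |
        grep -q "IP Address:$MGMT_IP"
}

# Returns 0 if the public key in the certificate is the one derived from the private key.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/deviceManager_cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/deviceManager_key.pem" -pubout)" ]
}

build_all() {
    write_config && make_ca && make_server_cert
}

build_all
if verify_chain && key_matches_cert; then
    echo "OK: RootCA.crt, deviceManager_cert.pem and deviceManager_key.pem written to $WORK"
else
    echo "verification failed" >&2
    exit 1
fi
```

After the script reports OK, the three files in $WORK correspond to the RootCA.crt, deviceManager_cert.pem and deviceManager_key.pem exported in Step 4; the certificate and key go to the storage system, and only RootCA.crt goes into the browser's trusted root store.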

Step 4: Replace certificates.

1. Use an FTP tool (such as FileZilla) to connect to the Linux environment where the OpenSSL tool is located and export the generated certificates and key file to the local PC:

   RootCA.crt
   deviceManager_cert.pem
   deviceManager_key.pem

Note:

• The RootCA.crt and deviceManager_cert.pem files are stored in the newcerts folder.

CTU1000047802:/new9/demoCA/newcerts # ls
03.pem  RootCA.crt  deviceManager_cert.pem

• The deviceManager_key.pem file is stored in the private folder.

CTU1000047802:/new9/demoCA/private # ls
ca.key  deviceManager_key.pem

In this example, the three files are exported to F:\replace.

2. Use an FTP server tool to share the three exported files.

Specify the user, password, and port number of the FTP server. Set the share path to the directory where the three exported files are saved, F:\replace in this example. Set the IP address to the IP address of the local computer, XX.XX.117.211 in this example.

3. Import the generated self-signed certificates to the storage system.

Log in to the storage system using the CLI. Run the import ssl_certificate command to import the shared certificate and key files, deviceManager_cert.pem and deviceManager_key.pem in this example.

admin:/>import ssl_certificate ip=XX.XX.117.211 user=admin password=********* cert_file=deviceManager_cert.pem key_file=deviceManager_key.pem port=32 protocol=SFTP
DANGER: You are about to use an unencrypted SSL certificate to replace the current SSL certificate. Security risks may exist in the unencrypted certificate. This operation will cause DeviceManager automatically to restart, interrupting services. The certificate you are about to import has the following security risks: a certificate loading error (the certificate fails to be loaded, the certificate key fails to be obtained, certificate public information fails to be obtained, the certificate signature algorithm fails to be obtained).
Suggestion:
1. Use an encrypted certificate to replace the current certificate.
2. Before running the command, confirm that you want to replace the SSL certificate.
Have you read danger alert message carefully?(y/n)y
Are you sure you really want to perform the operation?(y/n)y
Command executed successfully.

4. Restart DeviceManager.

admin:/>change user_mode current_mode user_mode=developer
DANGER: You are about to switch to the developer view. Commands in this view must be run under the guidance of R&D engineers. You can choose whether to run this command. If you run this command to switch to the developer view, it means that you know risks of running commands in the developer view. Device vendors are not responsible for any loss or damage caused to the user or others by running commands in the developer view.
1. Running the command in the developer view may cause system reset, restart, offline, service interruption, data loss, and data inconsistency.
2. Running the command in the developer view may cause the performance to decrease.
3. Running the command in the developer view to delete or remove configurations may have impact on the service and data.
4. Running the command in the developer view may cause system alarms.
Suggestion: Run this command under the guidance of R&D engineers.
Have you read danger alert message carefully?(y/n)y
Are you sure you really want to perform the operation?(y/n)y
developer:/>reboot ism
DANGER: You are about to restart the DeviceManager for the storage system. This operation causes the DeviceManager unavailable temporarily.
Suggestion: Before performing this operation, ensure that all users have exit the DeviceManager.
Have you read danger alert message carefully?(y/n)y
Are you sure you really want to perform the operation?(y/n)y
Command executed successfully.

5. Import the certificate file to the browser.

The following uses Google Chrome (67.0) as an example.

Note:

For details about how to replace the security certificates of other browsers, see section "Importing a Security Certificate" in the DeviceManager Online Help.

a. Open Google Chrome and choose Settings > Advanced > Manage Certificate > Trusted Root Certification Authorities > Import. The Certificate Import Wizard dialog box is displayed.

b. Select and import the certificate file (RootCA.crt in this example) as prompted.

c. Restart the browser after the certificate is successfully imported.

d. Log in to the storage system again. No privacy error is generated.

----End
