Hitachi Vantara Knowledge

Managing domains and SSL server certificates


You can create multiple domains in HCP and associate one or more SSL server certificates with each domain. HCP uses these domains and certificates to facilitate and secure communications over its built-in and user-defined networks. For information on networks, see About virtual networking with HCP.

You can configure an HCP system to periodically send its domains and SSL server certificates to every other system with which it participates as a sending system in a replication link. For information on doing this, see Replicating Tenants and Namespaces.

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

About domains


A domain is a group of computers or devices that are administered as a unit. In terms of HCP, a domain consists of nodes in a single HCP system.

Domains are associated with networks. Clients that communicate with HCP over a given network can use the name of the domain associated with that network to identify the system.

Each network specifies IP addresses for the system nodes. A single domain can be associated with multiple networks. Therefore, a single domain can correspond to multiple sets of IP addresses.

An HCP system can have at most 201 domains. You can create domains at any time. You can delete a domain only while it is not associated with any networks.


Domain names


Every domain has a name. A domain name can contain only letters, numbers, and hyphens (-). It must consist of at least three segments, separated by periods (.). Each segment must be one through 63 characters long. The entire domain name, including the periods between segments, must be less than 128 characters long.

When specifying a domain name, you can use both uppercase and lowercase letters. However, when you save the domain, HCP converts any uppercase letters to lowercase.

If the HCP system is configured to use DNS, the higher-level portion (minimally, the last two segments) of the name of each domain that you create must identify a DNS domain to which you have administrative access.

Domains cannot be subdomains of each other. For example, if a domain named hcp.example.com already exists, you cannot specify cust1.hcp.example.com as the name of another domain.

In the URL for access to a tenant, the tenant name is inserted before the name of the domain. For this reason, you should not specify the tenant name as part of the domain name.

For example, suppose you create a tenant named finance for Customer-1 and a domain named finance.cust1.com. If you select finance.cust1.com as the domain for the network you associate with the finance tenant for management purposes, the URL for access to the Tenant Management Console for the finance tenant is https://finance.finance.cust1.com.

During HCP installation, one domain is created automatically. The name of this domain is the name specified for the system during the installation procedure. This domain is created regardless of whether the system is configured to use DNS.
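As an added example (not HCP's own code, whose validation is not public), a Python checker for the domain name rules above: character set, segment count and length, total length, lowercase storage, the rule that domains cannot be subdomains of each other, and the tenant URL construction from the finance example. All names used are constructed.

```python
"""Added example, not from the HCP documentation: a checker for the documented
domain name rules plus the tenant URL construction from the finance example.
HCP's own validation is not public; only the documented rules are applied,
and all names below are constructed."""
import re
from typing import Iterable, List

# One segment: letters, digits and hyphens, 1 through 63 characters.
SEGMENT = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def normalize(name: str) -> str:
    """HCP converts uppercase letters to lowercase when the domain is saved."""
    return name.strip().lower()


def check_domain_name(name: str, existing: Iterable[str] = ()) -> List[str]:
    """Return the rule violations for `name`; an empty list means it is acceptable."""
    name = normalize(name)
    problems = []
    segments = name.split(".")
    if len(segments) < 3:
        problems.append("fewer than three segments")
    for seg in segments:
        if not SEGMENT.match(seg):
            problems.append(f"bad segment {seg!r} (1-63 letters, digits or hyphens)")
    if len(name) >= 128:
        problems.append("must be less than 128 characters including periods")
    for other in map(normalize, existing):
        # Domains cannot be subdomains of each other, in either direction.
        if name == other:
            problems.append(f"already exists: {other}")
        elif name.endswith("." + other):
            problems.append(f"subdomain of existing domain {other}")
        elif other.endswith("." + name):
            problems.append(f"existing domain {other} is a subdomain of it")
    return problems


def dns_parent(name: str) -> str:
    """The last two segments: with DNS in use, this (at minimum) must be a DNS
    domain to which you have administrative access."""
    return ".".join(normalize(name).split(".")[-2:])


def tenant_console_url(tenant: str, domain: str) -> str:
    """The tenant name is inserted before the domain name, which is why the
    tenant name should not also appear in the domain (finance.finance.cust1.com)."""
    return f"https://{tenant.lower()}.{normalize(domain)}"


if __name__ == "__main__":
    for candidate in ["HCP.Example.COM", "cust1.hcp.example.com", "example.com"]:
        print(candidate, check_domain_name(candidate, ["hcp.example.com"]) or "ok")
```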


Domains and DNS


Typically, domains are defined in a DNS. For each domain, the DNS lists all node IP addresses assigned to each network with which the domain is associated.

With DNS, you can manage domains in a single set of corporate DNS servers. Alternatively, you can set up separate DNS servers for different networks that use the same domain. Or, you can use a combination of these two techniques. In any case, you need to ensure that your networking environment and DNS configuration allow client requests to be routed to the correct HCP network.

If DNS is in use at your site, you can take advantage of DNS configuration options to further enhance the security of the HCP networks. However, HCP does not require the use of DNS. Without DNS, you can still define multiple domains in HCP and associate them with networks. In this case, to enable client requests to be routed to an HCP network, users would use the hosts file on each client computer to map the node IP addresses assigned to the network to the fully qualified domain name (FQDN) of the domain associated with the network.

From the Networks page in the HCP System Management Console, you can display the stub zone definition that you need to include in the DNS for each combination of domain and network. For more information on this, see Viewing the DNS zone definition for a network domain.


About SSL server certificates


Each domain in HCP must have at least one SSL server certificate or certificate signing request (CSR). SSL server certificates are used to verify to clients that the HCP system is the system it claims to be and to set up secure communications between the system and those clients.

HCP uses SSL to provide security for:

The System Management, Tenant Management, and Search Consoles

The HCP management API

Replication

The HTTP, S3-compatible, and WebDAV namespace access protocols

The HCP metadata query API

The Namespace Browser

HCP Data Migrator

HCP comes with one self-signed SSL server certificate, which is generated and installed automatically when the system is installed. This certificate is associated with the domain that’s created during installation.

Self-signed SSL server certificates are not automatically trusted by web browsers and other HTTP client tools. However, clients can choose to trust them.

For information on CSRs, see Certificates for domains. For information on the interaction between replication and certificate changes, see Replicating Tenants and Namespaces.


Certificates for domains


You add the first SSL server certificate to a domain as part of creating the domain. Once a domain exists, you can add certificates to it at any time. You can also delete certificates from a domain. However, if the domain is associated with any networks, you cannot delete the last certificate.

For example, you might choose to add a certificate from a trusted vendor and then delete any self-signed certificates associated with the domain. Or, you might choose to add a certificate before the last valid certificate for the domain expires.

You can add a certificate to a domain in these ways:

By having HCP generate and install a new self-signed certificate. In this case, the new certificate has an expiration date that’s five years later than the current date.

By generating a certificate signing request (CSR), sending it to a certificate authority (CA), and installing the returned certificate (see Certificate signing requests and returned certificates below).

A domain can have only one outstanding CSR at a time.

By installing a certificate that’s created outside of HCP (see Certificates created outside of HCP below).

At any given time, the combined number of certificates and outstanding CSRs for a domain cannot exceed ten.

For instructions on adding a certificate to a domain, see Adding a certificate to a domain. For instructions on deleting a certificate or CSR, see Deleting a certificate or CSR.

Certificate signing requests and returned certificates

SSL server certificates are available from several trusted sources. To obtain a certificate, you need to create a certificate signing request (CSR) and present it to a certificate authority (CA). The CA then generates the requested certificate and makes it available to you either as an email attachment, as text embedded in the body of an email, or as a download from a web page:

If the certificate is an email attachment, save it to disk.


Tip: Use .cer as the extension for the certificate file name.

If the certificate is embedded in an email or downloadable from a web page, copy and paste it into a new text file. Then save the file to disk.


Important: Use a simple text editor to do this. Do not use Microsoft® Word or any other word-processing program to create the text file.

You can create a CSR by using the HCP System Management Console or a third-party tool. When you use the System Management Console, however, HCP securely stores the private key needed for installing the returned certificate, so you don’t need to save it yourself.

For a list of trusted certificate providers, see SSL server certificate providers.

For information on creating a certificate signing request in the System Management Console, see Creating a certificate signing request. For information on installing a returned certificate, see Installing the certificate returned for an HCP-generated CSR.

Certificates created outside HCP

You can create an SSL server certificate yourself by using a third-party tool such as OpenSSL, which is publicly available. Or, you can create a CSR yourself and use that to get a certificate from a CA.

Certificates created outside HCP have two passwords — one for the PKCS12 object containing the certificate and one for the private key for the certificate. To install the certificate in HCP, these passwords must be identical.

For instructions on installing a certificate that was created outside of HCP, see .
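As an added example (not HCP's own code or procedure), the following Python script drives the OpenSSL command-line tool, assumed to be installed, to produce a PKCS12 object and then confirms that one password both opens the object and decrypts its private key, which is the condition HCP places on certificates created outside the system. The DN values, file names and password are constructed; the self-signed step stands in for the certificate a CA would return.

```python
"""Added example, not from the HCP documentation: build a PKCS12 object with the
OpenSSL command-line tool (assumed to be installed) and confirm that one password
both opens the object and decrypts its private key, which is what HCP requires
when a certificate created outside HCP is installed. DN values, file names and
the password are constructed."""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Tuple

# Constructed DN using the same fields as the Generate CSR section (C, ST, L, O, OU, CN).
SUBJECT = "/C=US/ST=Massachusetts/L=Boston/O=Example Corp/OU=Storage/CN=*.hcp.example.com"


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def _openssl(*args: str, stdin: bytes = b"") -> bytes:
    """Run one openssl command and return its stdout; raise if it fails."""
    return subprocess.run(["openssl", *args], input=stdin, capture_output=True, check=True).stdout


def build_pkcs12(workdir: Path, password: str) -> Path:
    """Key, CSR, self-signed certificate, then PKCS12 export with a single password."""
    key, csr, cer, p12 = (workdir / n for n in ("server.key", "server.csr", "server.cer", "server.p12"))
    # 1. Private key and CSR; the CSR is what you would send to a CA.
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", SUBJECT,
             "-keyout", str(key), "-out", str(csr))
    # 2. Self-signed certificate standing in for the CA-returned one.
    _openssl("x509", "-req", "-in", str(csr), "-signkey", str(key), "-days", "365", "-out", str(cer))
    # 3. Export. -passout sets the PKCS12 password and OpenSSL encrypts the bundled
    #    key with the same value, so the two passwords HCP compares are identical.
    _openssl("pkcs12", "-export", "-inkey", str(key), "-in", str(cer), "-name", "hcp-server",
             "-out", str(p12), "-passout", f"pass:{password}")
    return p12


def single_password_opens(p12: Path, password: str) -> bool:
    """True if `password` both opens the PKCS12 object and decrypts the key inside it."""
    try:
        cert = _openssl("pkcs12", "-in", str(p12), "-nokeys", "-clcerts", "-passin", f"pass:{password}")
        _openssl("pkcs12", "-in", str(p12), "-nocerts", "-nodes", "-passin", f"pass:{password}")
    except subprocess.CalledProcessError:
        return False
    subject = _openssl("x509", "-noout", "-subject", stdin=cert).decode()
    return "*.hcp.example.com" in subject


def demo(password: str = "example-pkcs12-pass") -> Tuple[bool, bool]:
    """Build the object in a temporary directory; returns (opens with the right
    password, opens with a wrong password)."""
    with tempfile.TemporaryDirectory() as tmp:
        p12 = build_pkcs12(Path(tmp), password)
        return single_password_opens(p12, password), single_password_opens(p12, password + "x")


if __name__ == "__main__":
    print(demo() if openssl_available() else "openssl not found")
```

Tools that let the key password differ from the store password (for example Java keytool's -keypass versus -storepass) must be given the same value for both before the file is uploaded to HCP.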


Common names


Every SSL server certificate has a common name. In HCP, the common name for a certificate must represent a subdomain of the domain with which the certificate is associated. The first segment of the common name can be an asterisk (*) by itself, which represents any valid domain name segment. A common name can be at most 255 characters long.

Here are some examples of common names for certificates associated with the domain named hcp.example.com:

*.hcp.example.com
admin.hcp.example.com
ten1.hcp.example.com
*.ten1.hcp.example.com
ns1.ten1.hcp.example.com

The common name for the certificate generated during HCP installation is an asterisk followed by the name of the domain created during installation.

Notes:

HCP supports subject alternative names for certificates created outside the system.

In an HCP system that was upgraded from a release earlier than 6.0, the domain associated with the [hcp_system] network may have a certificate with a common name that does not match the domain name. HCP ignores common name mismatches when choosing which certificate to use for a given domain. For information on how HCP chooses certificates, see Certificate selection.
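As an added example (not HCP's own code, whose validation is not public), a Python checker that applies the common name rules above to a proposed name for a given domain, and a matcher showing which host names a common name covers, where a leading asterisk stands for exactly one segment. Names are taken from the examples above or constructed.

```python
"""Added example, not from the HCP documentation: checks a proposed common name
against the documented rules for a given HCP domain, and shows which host names
a common name covers (a leading '*' stands for exactly one segment). HCP's own
validation is not public; only the documented rules are applied."""
import re
from typing import List

# One segment: letters, digits and hyphens, 1 through 63 characters.
SEGMENT = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def check_common_name(common_name: str, domain: str) -> List[str]:
    """Return rule violations for `common_name` on `domain`; empty list means acceptable."""
    cn, dom = common_name.lower(), domain.lower()
    problems = []
    if not 1 <= len(cn) <= 255:
        problems.append("common name must be 1 through 255 characters")
    # The common name must represent a subdomain of the certificate's domain.
    if not cn.endswith("." + dom):
        problems.append(f"must be a subdomain of {dom}")
        return problems
    own = cn[: -len(dom) - 1].split(".")  # the segments below the domain
    for i, seg in enumerate(own):
        if seg == "*" and i == 0:
            continue  # an asterisk by itself is allowed only as the first segment
        if not SEGMENT.match(seg):
            problems.append(f"bad segment {seg!r}")
    return problems


def covers(common_name: str, host: str) -> bool:
    """Does the common name name this host? '*' matches exactly one leading segment."""
    cn, parts = common_name.lower().split("."), host.lower().split(".")
    if len(cn) != len(parts):
        return False
    return all(c == h or (c == "*" and i == 0) for i, (c, h) in enumerate(zip(cn, parts)))


def install_default_common_name(domain: str) -> str:
    """The certificate generated at installation uses '*.' plus the install domain."""
    return "*." + domain.lower()


if __name__ == "__main__":
    for cn in ["*.hcp.example.com", "*.ten1.hcp.example.com", "ten1.*.hcp.example.com"]:
        print(cn, check_common_name(cn, "hcp.example.com") or "ok")
```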


Certificate selection


At any given time, an SSL server certificate is in one of these three states: valid, expired, or future (that is, not yet valid). When choosing which certificate to present to a client for a given domain:

1. HCP first looks for a valid certificate for the domain and, if it finds any, uses the one with the earliest start date and time.

2. If the domain has no valid certificates, HCP looks for an expired certificate for the domain and, if it finds any, uses the one with the latest expiration date and time.

3. If the domain has no expired certificates, HCP uses the future certificate with the earliest start date and time.

HCP consistently chooses the same certificate. Any of these events, however, can cause HCP to start choosing a different certificate:

The chosen certificate expires or is deleted.

A future certificate for the domain becomes valid.

A new certificate is added to the domain.


Note: After an event that causes HCP to choose a different certificate, the system may continue using the certificate initially chosen for a client session until the applicable cache is cleared.

HCP does not take the common name into consideration when choosing a certificate. This means that in response to a client request, HCP can use any certificate for the domain associated with the network over which the request arrives (subject to the selection process described above).

For example, suppose the domain named hcp.example.com has a certificate with the common name *.ten1.hcp.example.com. Suppose also that the management network for the tenant named ten2 uses the hcp.example.com domain. In response to a client request with a URL that specifies ten2.hcp.example.com, HCP could present the certificate with the common name *.ten1.hcp.example.com. The client is responsible for deciding how to handle certificates with common names that don’t match the requested URL.
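As an added example (not HCP's implementation, which is not public), the selection order described in this section coded in Python and evaluated at chosen moments, so the effect of a certificate expiring, being deleted, or a future certificate becoming valid can be seen. The common name is carried along but deliberately plays no part in the choice. The certificates are constructed.

```python
"""Added example, not from the HCP documentation: the documented selection order
(valid with earliest start, else expired with latest expiry, else future with
earliest start) evaluated at a chosen moment. The common name is ignored, as the
text states. The certificates are constructed; HCP's implementation is not public."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    common_name: str
    not_before: datetime  # "Not valid before"
    not_after: datetime   # "Not valid after"

    def state(self, now: datetime) -> str:
        if now < self.not_before:
            return "future"
        if now > self.not_after:
            return "expired"
        return "valid"


def select_certificate(certs: List[Cert], now: datetime) -> Optional[Cert]:
    """The certificate HCP would present for a domain at time `now`, or None."""
    groups = {"valid": [], "expired": [], "future": []}
    for cert in certs:
        groups[cert.state(now)].append(cert)
    if groups["valid"]:
        return min(groups["valid"], key=lambda c: c.not_before)   # earliest start wins
    if groups["expired"]:
        return max(groups["expired"], key=lambda c: c.not_after)  # latest expiry wins
    if groups["future"]:
        return min(groups["future"], key=lambda c: c.not_before)  # earliest start wins
    return None


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed certificates for one domain, hcp.example.com.
CERTS = [
    Cert("*.hcp.example.com", utc(2019, 1, 1), utc(2020, 1, 1)),       # self-signed at install
    Cert("*.ten1.hcp.example.com", utc(2019, 6, 1), utc(2021, 6, 1)),  # CA-issued, added later
    Cert("admin.hcp.example.com", utc(2021, 1, 1), utc(2024, 1, 1)),   # added early, future at first
]


def chosen_over_time(certs: List[Cert], times: List[datetime]) -> List[str]:
    """Common name of the chosen certificate at each moment ('none' if no certificates)."""
    names = []
    for now in times:
        chosen = select_certificate(certs, now)
        names.append(chosen.common_name if chosen else "none")
    return names


if __name__ == "__main__":
    moments = [utc(2018, 1, 1), utc(2019, 9, 1), utc(2020, 6, 1), utc(2021, 9, 1), utc(2025, 1, 1)]
    for when, name in zip(moments, chosen_over_time(CERTS, moments)):
        print(when.date(), name)
```

Note that the second certificate becoming valid on 2019-06-01 does not displace the first, because among valid certificates the earliest start date wins; the switch happens only when the first one expires.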


About the Domains and Certificates page


To view, create, and delete domains and the SSL server certificates associated with them, you use the Domains and Certificates page in the HCP System Management Console. To display this page, in the top-level menu, select Security > Domains & Certificates.


Roles: To view existing domains and SSL server certificates, you need the monitor or administrator role. To create and delete domains and SSL server certificates, you need the administrator role.


Managing the domain list


The Domains and Certificates page lists existing domains. For each domain, the list shows the domain name.

You can sort the domain list in ascending or descending order by domain name. To change the sort order, click on the Name column heading. Each time you click on the column heading, the sort order switches between ascending and descending.


Understanding the certificate list for a domain


To view the SSL server certificates and outstanding CSRs associated with a domain, click on the domain name in the domain list. The panel that opens contains a list of the existing certificates and outstanding CSRs for that domain.

For each certificate or CSR, the certificate list contains a Certificate Details or CSR Details section, respectively. This section shows the distinguished name (DN) of the existing or requested certificate. The distinguished name of a certificate consists of the common name and any of the following optional information:

An organizational unit (OU)

An organization (O)

A location (L)

A state or province (ST)

A two-letter country code (C)

Additionally, for each existing certificate, the Certificate Details section shows:

Not valid before — The date and time at which the certificate goes (or went) into effect

Not valid after — The date and time at which the certificate expires (or expired)


Creating a domain


To create a domain, on the Domains and Certificates page:

1. Click on Create Domain.

2. In the Domain Name field, type a unique name for the domain. For the rules for domain names, see Domain names.

3. In the Certificates field, select one of these options:

- Generate and install self-signed certificate.

- Generate CSR. Then follow the instructions in Creating a certificate signing request.

- Install PKCS12 certificate. Then follow the instructions in Installing a certificate created outside HCP.

4. Click on Create Domain.


Adding a certificate to a domain


To add an SSL server certificate to an existing domain, on the Domains and Certificates page:

1. In the list of domains, click on the name of the domain for which you want to add a certificate.

2. In the panel that opens, click on New Certificate.

3. In the field in the New Certificate window, select one of these options:

- Generate and install self-signed certificate.

- Generate CSR. Then follow the instructions in Creating a certificate signing request.

- Install PKCS12 certificate. Then follow the instructions in Installing a certificate created outside HCP.

4. Take one of these actions:

- If you selected Generate and install self-signed certificate, click on Generate Certificate.

- If you selected Generate CSR, click on Generate CSR.

- If you selected Install PKCS12 certificate, click on Install Certificate.

After you generate a CSR, you need to download it to a file that you can send to the CA. When you receive the certificate from the CA, you need to upload it to HCP.

For instructions on downloading a CSR, see Downloading a CSR. For instructions on uploading the returned certificate, see Installing the certificate returned for an HCP-generated CSR.


Creating a certificate signing request


To create a CSR, you need to select Generate CSR when creating a new domain or when adding a new certificate to an existing domain. When you select this option, the Generate CSR section appears. This section prompts for the information that a CA needs in order to generate an SSL server certificate for you. To know exactly which information is required, you need to check with the CA that you plan to use.

Except where otherwise noted, the values that you specify in the Generate CSR section can be from zero through 64 characters long and can contain any Latin-1 characters, including white space. Your CA, however, may place other restrictions on these values.

To specify the CSR information, fill in the fields in the Generate CSR section, as needed:

In the Common Name (CN) field, type the common name for the certificate you want. The common name must be from one through 255 characters long.

The Common Name (CN) field is always required.

For the rules for common names, see Common names.

In the Organizational Unit (OU) field, type the name of the organizational unit that will be using the certificate (for example, the name of a division or a name under which your company does business). This field only accepts alphanumeric characters. Do not include a comma (,), plus (+), or equals (=) sign.

In the Organization (O) field, type the full legal name of your company. This field only accepts alphanumeric characters. Do not include a comma (,), plus (+), or equals (=) sign.

In the Location (L) field, type the name of the city in which your company headquarters are located.

In the State/Province (ST) field, type the full name of the state or province in which your company headquarters are located.

In the Country (C) field, type the two-letter ISO 3166-1 abbreviation for the country in which your company headquarters are located (for example, US for the United States).

For instructions on creating a domain, see Creating a domain. For instructions on adding a certificate to a domain, see Adding a certificate to a domain.


Downloading a CSR


To download a CSR, on the Domains and Certificates page:

1. In the list of domains, click on the name of the domain for which you want to download a CSR.

2. In the panel that opens, click on Download CSR in the CSR Details section for the applicable CSR.

3. When prompted, save the file containing the CSR to the location of your choice. This is a plain text file. By default, the file name is certificate.txt.


Installing the certificate returned for an HCP-generated CSR


To install the SSL server certificate returned in response to an HCP-generated CSR, on the Domains and Certificates page:

1. In the list of domains, click on the name of the domain that has the HCP-generated CSR for the SSL server certificate you want to install.

2. In the panel that opens, click on Browse in the CSR Details section for the applicable CSR. Then select the file containing the returned certificate.

3. Click on Upload Certificate.


Installing a certificate created outside HCP


To install a certificate that was created outside HCP, you need to select Install PKCS12 certificate when creating a domain or when adding a certificate to an existing domain. When you select this option, the Install PKCS12 certificate section appears. This section prompts you to select the file containing the certificate that you want to install and specify the password for that certificate.

To select the certificate file and specify the password, in the Install PKCS12 certificate section:

Click on Browse for the PKCS12 Certificate field. Then select the file containing the PKCS12 object.

In the PKCS12 Password field, type the password for the PKCS12 object.

For instructions on creating a domain, see Creating a domain. For instructions on adding a certificate to a domain, see Adding a certificate to a domain.


Deleting a certificate or CSR


You can delete an SSL server certificate or CSR from a domain at any time, subject to these restrictions:

If the domain is associated with any networks, it must have at least one certificate.

If the domain is not associated with any networks, it must have at least one certificate or CSR.

To delete an SSL server certificate or CSR, on the Domains and Certificates page:

1. In the list of domains, click on the name of the domain that has the certificate or CSR that you want to delete.

2. In the panel that opens, click on the delete control in the Certificate Details or CSR Details section for the applicable certificate or CSR, respectively.

3. In response to the confirming message, click on Delete.


Deleting a domain




SSL server certificate providers


An SSL server certificate provides security for:

HCP System Management Console

Tenant Management Console

HCP management API

Replication

HTTP and WebDAV protocols

HCP metadata query API

HCP Search Console

HCP is installed with its own SSL server certificate. If you want, you can replace this with a different certificate.

SSL server certificates are available from several sources. The table in this appendix lists some vendors with products that are suitable for use with HCP.

For information on obtaining and uploading SSL server certificates, see Adding a certificate to a domain.

Vendor | Suitable SSL products | Web site
thawte, Inc. | SGC SuperCert; SSL Web Server Certificate; SSL123 | http://www.thawte.com
VeriSign, Inc. | Secure Site Pro; Secure Site | http://www.verisign.com
Entrust, Inc. | Entrust Certificate Management Service | http://www.entrust.com
IPS Certification Authority, S.L. | Certificado Digital de Servidor SSL Tipo A1 | http://www.ipsca.com/en
Comodo Group | PremiumSSL; PremiumSSL Wildcard; InstantSSL Pro; InstantSSL | http://www.instantssl.com
GeoTrust, Inc. | Enterprise SSL; True BusinessID; Power Server ID | http://www.geotrust.com
