Configuring SSL for replication


Before replication can occur between two HCP systems, the systems involved must have a trust relationship with each other. This trust is based on shared SSL server certificates.

This section of the Help provides instructions for downloading, uploading, and deleting SSL server certificates for replication. For general information on SSL server certificates for HCP, see Managing domains and SSL server certificates.

Roles: To view the SSL configuration for replication, you need the monitor or administrator role. To configure SSL for replication, you need the administrator role.

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

Sharing SSL server certificates


Before replication can occur on a replication link, the two systems involved in the link each need to have installed at least one valid replication SSL server certificate. Each system also needs to have installed at least one valid replication SSL server certificate from the other system as a trusted replication server certificate.

A valid replication SSL server certificate on any given HCP system is one that:

Is associated with the domain that’s associated with the network that’s selected for replication on that system

Has already reached its start date

Has not expired

To share a certificate, the HCP administrator for the system in which the certificate is installed needs to download the certificate and give it to the administrator for the other system. That administrator then needs to upload the certificate as a trusted replication server certificate on the other system. Because what’s downloaded is only the public portion of each server certificate, you can transfer the certificate unsecured.

For any given replication link, the two systems directly involved must share certificates. In a replication chain, for example, from system A to system B to system C, systems A and B must share certificates, and systems B and C must share certificates, but systems A and C don’t need to do this.

If you take any of these actions on one of the systems in a replication pair, the replication certificate on that system automatically changes:

Delete the certificate that’s currently being used for replication

Associate a different domain with the network that’s selected for replication

Select a different network for replication, where that network is associated with a different domain from the previously selected network

Install a new valid certificate for the applicable domain where that certificate has an earlier start date than the certificate that’s currently being used for replication

The replication certificate also automatically changes if:

The certificate that’s currently being used for replication expires and the applicable domain has at least one other certificate that’s valid

A future certificate for the applicable domain becomes valid and the domain has no other valid certificates

In any of these cases, when the certificate changes, HCP automatically suspends replication or recovery activity on all links in which the system participates. At that point, you need to download the new certificate and upload it to the other system for each link. After you upload the new certificate, activity on the link resumes automatically.
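
The automatic certificate changes described above can be forecast from the Valid On and Expires On values shown on the Certificates page. The following Python is an added example, not HCP or Hitachi Vantara code; it assumes, as the listed triggers imply but the page does not state, that the system uses the valid certificate with the earliest start date, and the domain names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    domain: str           # "Server Certificate Domain" column
    valid_on: datetime    # "Valid On" column
    expires_on: datetime  # "Expires On" column

def is_valid(cert, repl_domain, now):
    # The three validity conditions: right domain, start date reached, not expired.
    return cert.domain == repl_domain and cert.valid_on <= now < cert.expires_on

def active_cert(certs, repl_domain, now):
    # ASSUMPTION (inferred from the listed triggers, not documented on the page):
    # the valid certificate with the earliest start date is the one in use.
    valid = [c for c in certs if is_valid(c, repl_domain, now)]
    return min(valid, key=lambda c: c.valid_on, default=None)

def rollover_events(certs, repl_domain, start):
    # Walk every future Valid On / Expires On boundary and record each instant
    # at which the certificate in use changes (None = no valid certificate).
    boundaries = sorted({t for c in certs for t in (c.valid_on, c.expires_on) if t > start})
    events, current = [], active_cert(certs, repl_domain, start)
    for t in boundaries:
        nxt = active_cert(certs, repl_domain, t)
        if nxt != current:
            events.append((t, current, nxt))
            current = nxt
    return events

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory (hypothetical names and dates).
DOMAIN = "CN=*.repl.hcp-a.example.com"
CERT_A = Cert(DOMAIN, utc(2024, 1, 1), utc(2025, 1, 1))
CERT_B = Cert(DOMAIN, utc(2024, 6, 1), utc(2026, 6, 1))
CERT_C = Cert("CN=*.mgmt.hcp-a.example.com", utc(2023, 1, 1), utc(2027, 1, 1))
CERT_D = Cert(DOMAIN, utc(2026, 9, 1), utc(2027, 9, 1))
INVENTORY = [CERT_A, CERT_B, CERT_C, CERT_D]

if __name__ == "__main__":
    for when, old, new in rollover_events(INVENTORY, DOMAIN, utc(2024, 7, 1)):
        action = "re-share new certificate on every link" if new else "NO valid certificate"
        print(f"{when:%Y-%m-%d}: {action}")
```

Each event in which a new certificate takes over marks a point at which replication suspends until that certificate has been downloaded and uploaded to the other system on each link.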

For more information on:

Domains and SSL server certificates, see Managing domains and SSL server certificates

Selecting the network to use for replication, see Selecting the network for replication

Suspended replication links, see Suspending and resuming activity on an individual link

Downloading an SSL server certificate


To download an installed replication SSL server certificate:

1. In the top-level menu of the HCP System Management Console, select Services > Replication.

2. On the left side of the Replication page, click on Certificates.

On the replication Certificates page, the Replication Server panel is displayed. The panel shows this information about each currently installed replication SSL server certificate, regardless of whether it’s expired:

o Server Certificate Domain — The distinguished name for the certificate

o Valid On — The date and time at which the certificate goes (or went) into effect

o Expires On — The date and time at which the certificate expires (or expired)

3. Click on the download control for the certificate you want to download. Then save the downloaded certificate in the location of your choice.

Uploading a trusted replication server certificate


To upload a downloaded replication SSL server certificate as a trusted replication server certificate:

1. In the top-level menu of the HCP System Management Console, select Services > Replication.

2. On the left side of the Replication page, click on Certificates.

3. On the replication Certificates page, click on Trusted Replication.

The Trusted Replication panel shows this information about each trusted replication server certificate:

o Server Certificate Domain — The distinguished name for the certificate

o Valid On — The date and time at which the certificate goes (or went) into effect

o Expires On — The date and time at which the certificate expires (or expired)

4. In the Trusted Replication section, click on Browse. Then select the file containing the downloaded SSL server certificate.

5. Click on Upload Certificate.

The Trusted Replication section displays the uploaded certificate.

Note: You can also download a trusted replication server certificate. To do this, click on the download control for the certificate in the Trusted Replication section.

Deleting a trusted replication server certificate


You can delete trusted replication server certificates. You may want to do this, for example, with certificates that become invalid.

You can delete a trusted replication server certificate only while all links in which the system participates are suspended. For instructions on suspending a link, see Suspending and resuming activity on an individual link.

To delete a trusted replication server certificate:

1. In the top-level menu of the HCP System Management Console, select Services > Replication.

2. On the left side of the Replication page, click on Certificates.

3. On the replication Certificates page, click on Trusted Replication.

4. In the Trusted Replication panel, click on the delete control for the certificate you want to delete.

5. In response to the confirming message, click on Remove Certificate.
