Skip to main content

We've Moved!

Product Documentation has moved to docs.hitachivantara.com
Hitachi Vantara Knowledge

Managing domains and SSL server certificates

You can create multiple domains in HCP and associate one or more SSL server certificates with each domain. HCP uses these domains and certificates to facilitate and secure communications over its built-in and user-defined networks.

About domains

A domain is a group of computers or devices that are administered as a unit. In terms of HCP, a domain consists of nodes in a single HCP system.

Domains are associated with networks. Clients that communicate with HCP over a given network can use the name of the domain associated with that network to identify the system.

Each network specifies IP addresses for the system nodes. A single domain can be associated with multiple networks. Therefore, a single domain can correspond to multiple sets of IP addresses.

An HCP system can have at most 201 domains. You can create domains at any time. You can delete a domain only while it is not associated with any networks.

Domain names

Every domain has a name. A domain name can contain only letters, numbers, and hyphens (-). It must consist of at least three segments, separated by periods (.). Each segment must be one through 63 characters long. The entire domain name, including the periods between segments, must be less than 128 characters long.

When specifying a domain name, you can use both uppercase and lowercase letters. However, when you save the domain, HCP converts any uppercase letters to lowercase.

If the HCP system is configured to use DNS, the higher-level portion (minimally, the last two segments) of the name of each domain that you create must identify a DNS domain to which you have administrative access.

Domains cannot be subdomains of each other. For example, if a domain named hcp.example.com already exists, you cannot specify cust1.hcp.example.com as the name of another domain.

In the URL for access to a tenant, the tenant name is inserted before the name of the domain. For this reason, you should not specify the tenant name as part of the domain name.

For example, suppose you create a tenant named finance for Customer-1 and a domain named finance.cust1.com. If you select finance.cust1.com as the domain for the network you associate with the finance tenant for management purposes, the URL for access to the Tenant Management Console for the finance tenant is https://finance.finance.cust1.com.

During HCP installation, one domain is created automatically. The name of this domain is the name specified for the system during the installation procedure. This domain is created regardless of whether the system is configured to use DNS.

Domains and DNS

Typically, domains are defined in a DNS. For each domain, the DNS lists all node IP addresses assigned to each network with which the domain is associated.

With DNS, you can manage domains in a single set of corporate DNS servers. Alternatively, you can set up separate DNS servers for different networks that use the same domain. Or, you can use a combination of these two techniques. In any case, you need to ensure that your networking environment and DNS configuration allow client requests to be routed to the correct HCP network.

If DNS is in use at your site, you can take advantage of DNS configuration options to further enhance the security of the HCP networks. However, HCP does not require the use of DNS. Without DNS, you can still define multiple domains in HCP and associate them with networks. In this case, to enable client requests to be routed to an HCP network, users would use the hosts file on each client computer to map the node IP addresses assigned to the network to the fully qualified domain name (FQDN) of the domain associated with the network.

From the Networks page in the HCP System Management Console, you can display the stub zone definition that you need to include in the DNS for each combination of domain and network.

About SSL server certificates

Each domain in HCP must have at least one SSL server certificate or certificate signing request (CSR). SSL server certificates are used to verify to clients that the HCP system is the system it claims to be and to set up secure communications between the system and those clients.

HCP uses SSL to provide security for:

  • HCP System Management Console, Tenant Management Console, and Search Console
  • HCP management API
  • Replication
  • HTTP, S3 compatible, and WebDAV namespace access protocols
  • HCP metadata query API
  • HCP Namespace Browser
  • HCP Data Migrator

HCP comes with one self-signed SSL server certificate, which is generated and installed automatically when the system is installed. This certificate is associated with the domain that’s created during installation.

Self-signed SSL server certificates are not automatically trusted by web browsers and other HTTP client tools. However, clients can choose to trust them.

Certificates for domains

You add the first SSL server certificate to a domain as part of creating the domain. Once a domain exists, you can add certificates to it at any time. You can also delete certificates from a domain. However, if the domain is associated with any networks, you cannot delete the last certificate.

For example, you might choose to add a certificate from a trusted vendor and then delete any self-signed certificates associated with the domain. Or, you might choose to add a certificate before the last valid certificate for the domain expires.

You can add a certificate to a domain in these ways:

  • By having HCP generate and install a new self-signed certificate. In this case, the new certificate has an expiration date that’s five years later than the current date.
  • By generating a certificate signing request (CSR), sending it to a certificate authority (CA), and installing the returned certificate.

    A domain can have only one outstanding CSR at a time.

  • By installing a certificate that’s created outside of HCP.

At any given time, the combined number of certificates and outstanding CSRs for a domain cannot exceed ten.

Certificate signing requests and returned certificates

SSL server certificates are available from several trusted sources. To obtain a certificate, you need to create a certificate signing request (CSR) and present it to a certificate authority (CA). The CA then generates the requested certificate and makes it available to you either as an email attachment, as text embedded in the body of an email, or as a download from a web page:

  • If the certificate is an email attachment, save it to disk.

    Use .cer as the extension for the certificate file name.

  • If the certificate is embedded in an email or downloadable from a web page, copy and paste it into a new text file. Then save the file to disk.
    ImportantUse a simple text editor to do this. Do not use Microsoft® Word or any other word-processing program to create the text file.

You can create a CSR by using the HCP System Management Console or a third-party tool. When you use the System Management Console, however, HCP securely stores the private key needed for installing the returned certificate, so you don’t need to save it yourself.

Certificates created outside HCP

You can create an SSL server certificate yourself by using a third-party tool such as OpenSSL, which is publicly available. Or, you can create a CSR yourself and use that to get a certificate from a CA.

Certificates created outside HCP have two passwords: one for the PKCS12 object containing the certificate and one for the private key for the certificate. To install the certificate in HCP, these passwords must be identical.

Common names

Every SSL server certificate has a common name. In HCP, the common name for a certificate must represent a subdomain of the domain with which the certificate is associated.

The first segment of the common name can be an asterisk (*) by itself, which represents any valid domain name segment. A common name can be at most 255 characters long.

Here are some examples of common names for certificates associated with the domain named hcp.example.com:

*.hcp.example.com
admin.hcp.example.com
ten1.hcp.example.com
*.ten1.hcp.example.com
ns1.ten1.hcp.example.com

The common name for the certificate generated during HCP installation is an asterisk followed by the name of the domain created during installation.

HCP supports subject alternative names for certificates created outside the system.

Certificate selection

At any given time, an SSL server certificate is in one of these three states: valid, expired, or future (that is, not yet valid). When choosing which certificate to present to a client for a given domain:

  1. HCP first looks for a valid certificate for the domain and, if it finds any, uses the one with the earliest start date and time.
  2. If the domain has no valid certificates, HCP looks for an expired certificate for the domain and, if it finds any, uses the one with the latest expiration date and time.
  3. If the domain has no expired certificates, HCP uses the future certificate with the earliest start date and time.

HCP consistently chooses the same certificate. Any of these events, however, can cause HCP to start choosing a different certificate:

  • The chosen certificate expires or is deleted.
  • A future certificate for the domain becomes valid.
  • A new certificate is added to the domain.
NoteAfter an event that causes HCP to choose a different certificate, the system may continue using the certificate initially chosen for a client session until the applicable cache is cleared.

HCP does not take the common name into consideration when choosing a certificate. This means that in response to a client request, HCP can use any certificate for the domain associated with the network over which the request arrives (subject to the selection process described above).

For example, suppose the domain named hcp.example.com has a certificate with the common name *.ten1.hcp.example.com. Suppose also that the management network for the tenant named ten2 uses the hcp.example.com domain. In response to a client request with a URL that specifies ten2.hcp.example.com, HCP could present the certificate with the common name *.ten1.hcp.example.com. The client is responsible for deciding how to handle certificates with common names that don’t match the requested URL.

Managing domains and certificates

To view, create, and delete domains and the SSL server certificates associated with them, you use the Domains and Certificates page in the HCP System Management Console.

NoteTo view existing domains and SSL server certificates, you need the monitor or administrator role. To create and delete domains and SSL server certificates, you need the administrator role.

Creating a domain

You can create a domain by using the HCP System Management Console.

Before you begin

To view existing domains and SSL server certificates, you need the monitor or administrator role. To create and delete domains and SSL server certificates, you need the administrator role.

Procedure

  1. Open the HCP System Management Console.

  2. From the top-level menu, click Security Domains and Certificates.

    The Domains and Certificates page opens.
  3. Click Create Domain.

  4. In the Domain Name field, type a unique name for the domain.

  5. In the Certificates field, select one of these options:

    • Generate and install self-signed certificate
    • Generate CSR
    • Install PKCS12 certificate
  6. Click Create Domain.

Adding a certificate to a domain

You can add an SSL server certificate to an existing domain by using the HCP System Management Console.

Before you begin

To view existing domains and SSL server certificates, you need the monitor or administrator role. To create and delete domains and SSL server certificates, you need the administrator role.

Procedure

  1. Open the HCP System Management Console.

  2. From the top-level menu, select Security Domains and Certificates.

    The Domains and Certificates page opens.
  3. In the list of domains, click the name of the domain that you want to add a certificate to.

  4. In the panel that opens, click New Certificate.

  5. Select one of these options:

    • Generate and install self-signed certificate
    • Generate CSR
    • Install PKCS12 certificate
  6. Take one of these actions:

    • If you selected Generate and install self-signed certificate, click Generate Certificate.
    • If you selected Generate CSR, click Generate CSR.
    • If you selected Install PKCS12 certificate, click Install Certificate.

Next steps

After you generate a CSR, you need to download it to a file that you can send to the CA. Later, when you receive the certificate from the CA, you need to upload it to HCP.

Creating a certificate signing request

You can create a certificate signing request (CSR) when you create a new domain or add a new certificate to an existing domain.

Before you begin

To view existing domains and SSL server certificates, you need the monitor or administrator role. To create and delete domains and SSL server certificates, you need the administrator role.

Procedure

  1. Open the HCP System Management Console.

  2. From the top-level menu, select Security Domains and Certificates.

    The Domains and Certificates page opens.
  3. Select Generate CSR.

    The Generate CSR section opens.
  4. Fill in the field values that a certificate authority (CA) needs to generate an SSL server certificate.

    Check with the CA that you plan to use to learn what information is needed.

    • Common Name (CN) field

      Required. Type the common name for the certificate. This value can range from 1-255 characters long and can contain any Latin-1 characters, including white space.

    • Organizational Unit (OU) field

      Type the name of the organizational unit that will use the certificate, for example, the name of a division or the name under which your company does business. This field accepts only alphanumeric characters. Do not include a comma (,), plus (+), or equals (=) sign.

    • Organization (O) field

      Type the full legal name of your company. This field accepts only alphanumeric characters. Do not include a comma (,), plus (+), or equals (=) sign.

    • Location (L) field

      Type the name of the city where your company headquarters are located.

    • State/Province (ST) field

      Type the full name of the state or province where your company headquarters are located.

Deleting a certificate or CSR

You can delete a SSL server certificate or certificate signing request (CSR) from a domain by using the HCP System Management Console.

Deleting a SSL server certificate or CSR from a domain is subject to several restrictions:

  • If the domain is associated with any networks, it must have at least one SSL server certificate.
  • If the domain is not associated with any networks, it must have at least one SSL server certificate or CSR.

Before you begin

To view existing domains and SSL server certificates, you need the monitor or administrator role. To create and delete domains and SSL server certificates, you need the administrator role.

Procedure

  1. Open the HCP System Management Console.

  2. From the top-level menu, select Security Domains and Certificates.

    The Domains and Certificates page opens.
  3. In the list of domains, click the name of the domain that has the certificate or CSR that you want to delete.

  4. In the panel that opens, click the delete control (Delete control icon) in the Certificate Details or CSR Details section for the applicable certificate or CSR.

  5. In response to the confirm message, click Delete.

Downloading a CSR

You can download a certificate signing request (CSR) by using the HCP System Management Console.

Before you begin

To view existing domains and SSL server certificates, you need the monitor or administrator role. To create and delete domains and SSL server certificates, you need the administrator role.

Procedure

  1. Open the HCP System Management Console.

  2. From the top-level menu, select Security Domains and Certificates.

    The Domains and Certificates page opens.
  3. In the list of domains, click the name of the domain for which you want to download a CSR.

  4. In the panel that opens, in the CSR Details section for the applicable CSR, click Download CSR.

  5. When prompted, save the file containing the CSR to a location of your choice.

    This is a plain text file. The default file name is certificate.txt.

Installing the certificate returned for an HCP generated CSR

You can install the SSL server certificate returned in response to an HCP generated CSR by using the HCP System Management Console.

Before you begin

To view existing domains and SSL server certificates, you need the monitor or administrator role. To create and delete domains and SSL server certificates, you need the administrator role.

Procedure

  1. Open the HCP System Management Console.

  2. From the top-level menu, select Security Domains and Certificates.

    The Domains and Certificates page opens.
  3. In the list of domains, click the name of the domain that has the HCP generated CSR for the SSL server certificate you want to install.

  4. In the panel that opens, in the CSR Details section for the applicable CSR, click Browse and select the file containing the returned certificate.

  5. Click Upload Certificate.

Installing a certificate created outside HCP

You can install a SSL server certificate that was created outside HCP when you create a domain or add a certificate to an existing domain.

Before you begin

To view existing domains and SSL server certificates, you need the monitor or administrator role. To create and delete domains and SSL server certificates, you need the administrator role.

Procedure

  1. Open the HCP System Management Console and follow the procedure for creating a domain or adding a certificate to a domain.

  2. To install a certificate that was created outside HCP, in the New Certificate section of the Domains and Certificates page, select Install PKCS12 certificate.

    The Install PKCS12 certificate section opens.
  3. Select the file containing the certificate that you want to install and enter the password for the certificate.

    1. In the PKCS12 Certificate field, click Browse and select the file containing the PKCS12 object.

    2. In the PKCS12 Password field, type the password for the PKCS12 object.

 

  • Was this article helpful?