Security
This section contains information on configuring system security features, including user authentication.
Trademarks, Legal disclaimer, Third-party software in this documentation
© 2017 - 2019 Hitachi Vantara Corporation. All rights reserved.
Granting access to users
These are the general steps you need to take to grant users access to the system:
1. Add one or more identity providers to the system.
   For information, see Adding identity providers.
2. Add one or more groups from your identity providers to the system.
   For information, see Adding groups.
3. Create a role that contains the system permissions you want to associate with a group of users.
   For information, see Creating roles.
4. Associate roles with groups.
   For information, see Assigning roles to groups.
Setting the session timeout limit
You can use the System Management application, REST API, or CLI to set the system session timeout limit. This limit affects user sessions in all applications that your system runs and also affects the length of time that REST API authorization tokens are valid.
For information on REST API authorization tokens, see REST API reference.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. On the Settings tab, type a number of minutes in the Session Timeout field.
4. Click on the Update button.
Related CLI command(s)
editSecuritySettings
For information on running CLI commands, see CLI reference.
Related REST API method(s)
PUT /security/settings
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Setting the refresh token timeout limit
You can use the System Management application, REST API, or CLI to set the refresh token timeout limit. The refresh token timeout limit must be greater than the session timeout limit so that if the access token expires, the refresh token will still be active and you can request a new session token. Once your refresh token expires, you will need to resubmit your credentials in order to access your system.
For information on REST API authorization tokens, see REST API reference.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. On the Settings tab, type a number of minutes in the Refresh Token Timeout field.
4. Click on the Update button.
Related CLI command(s)
editSecuritySettings
For information on running CLI commands, see CLI reference.
Related REST API method(s)
PUT /security/settings
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Setting the CORS Allowed Origins
You can use the System Management application, REST API, or CLI to set the CORS (cross-origin resource sharing) origins that are allowed on your system. Each origin you list is permitted to make cross-origin requests to the system's restricted resources; you can specify multiple origins.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. On the Settings tab, enter a list of origins in the CORS Allowed Origins field.
4. Click on the Update button.
Related CLI command(s)
editSecuritySettings
For information on running CLI commands, see CLI reference.
Related REST API method(s)
PUT /security/settings
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Identity providers
The system supports these identity provider types for user authentication:
• Active Directory (AD)
• OpenLDAP
• 389 Directory Server
• LDAP Compatible — Other LDAP-compatible identity providers not listed above.
To use one of these systems to authenticate users with your system, you need to first add your identity provider to the system.
Adding identity providers
For information on the types of identity providers you can add, see Identity provider configuration settings.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. On the Identity Providers tab, click on the Create button.
4. Select an identity provider type and configure it. For information, see Identity provider configuration settings.
5. Click on the Create button.
Related CLI command(s)
createIdentityProvider
For information on running CLI commands, see CLI reference.
Related REST API method(s)
POST /security/identityProviders
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Identity provider configuration settings
These sections describe the configuration settings for each type of identity provider that your system supports.
• Security Realm Name — The name by which to identify this identity provider in the system. This name appears as an option in the Security Realm drop-down on login pages.
  Tip: To ensure that your users can easily log into the system, pick security realm names that your users will recognize and understand.
• Identity Provider Hostname — Hostname or IP address for the identity provider.
• Transport Security — The protocol to use for securing communications between the system and the identity provider. Options are:
  ◦ None
  ◦ TLS Security (Transport Layer Security)
  ◦ SSL (Secure Sockets Layer)
• Identity Provider Host Port — Network port used to communicate with the identity provider. The default value depends on the Transport Security setting:
  ◦ For None or TLS Security (Transport Layer Security), 389
  ◦ For SSL (Secure Sockets Layer), 636
• User Name — A user account on the identity provider. Your system uses this user account to read information from the identity provider.
• Password — The user account password.
• Domain — The AD domain in which the user account is defined.
  Note: Use the short name for the AD domain. For example, use MYACTIVEDIRECTORY instead of MYACTIVEDIRECTORY.local.
• Search Base DN — The distinguished name (DN) of the identity provider location where you want your system to begin its searches for users and groups.
  For example, if you specify a value of OU=Users,DC=corp,DC=example,DC=com, the system searches for users and groups in the organizational unit called Users in the corp.example.com domain.
• Default Domain Name — The default domain for users logging into the System Management application and Search App. For example, if you specify a default domain name of east.example.com, the user jdoe@east.example.com needs to specify only jdoe when logging into either app.

• Identity Provider Hostname — Hostname or IP address for the identity provider.
• Transport Security — The protocol to use for securing communications between the system and the identity provider. Options are:
  ◦ None
  ◦ TLS Security (Transport Layer Security)
  ◦ SSL (Secure Sockets Layer)
• Identity Provider Host Port — Network port used to communicate with the identity provider. The default value depends on the Transport Security setting:
  ◦ For None or TLS Security (Transport Layer Security), 389
  ◦ For SSL (Secure Sockets Layer), 636
• User Name — A user account on the identity provider. Your system uses this account to read information from the identity provider.
• Password — The user account password.
• User DN Template — A template on the LDAP server. When a user logs into their system, the provided username is inserted into this template to determine the user's LDAP distinguished name (DN).
• Unique ID — The unique identifier for the specified LDAP server.
• Member Name Attribute — The name of the attribute that each group on the identity provider uses to list its members.
• Search Base DN — The distinguished name (DN) of the identity provider location where you want your system to begin searching for users and groups.
  For example, if you specify a value of OU=Users,DC=corp,DC=example,DC=com, your system searches for users and groups in the organizational unit called Users in the corp.example.com domain.
• Group Object Class — The objectClass value for groups on the LDAP server.

• Identity Provider Hostname — Hostname or IP address for the identity provider.
• Transport Security — The protocol to use for securing communications between the system and the identity provider. Options are:
  ◦ None
  ◦ TLS Security (Transport Layer Security)
  ◦ SSL (Secure Sockets Layer)
• Identity Provider Host Port — Network port used to communicate with the identity provider. The default value depends on the Transport Security setting:
  ◦ For None or TLS Security (Transport Layer Security), 389
  ◦ For SSL (Secure Sockets Layer), 636
• User Name — A user account on the identity provider. Your system uses this account to read information from the identity provider.
• Password — The user account password.
• User DN Template — A template on the LDAP server. When a user logs into their system, the provided username is inserted into this template to determine the user's LDAP distinguished name (DN).
• Unique ID — The unique identifier for the specified LDAP server.
• Member Name Attribute — The name of the attribute that each group on the identity provider uses to list its members.
• Search Base DN — The distinguished name (DN) of the identity provider location where you want your system to begin searching for users and groups.
  For example, if you specify a value of OU=Users,DC=corp,DC=example,DC=com, your system searches for users and groups in the organizational unit called Users in the corp.example.com domain.
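As an added example (not part of this documentation or the product), the Go program below shows what three of the settings above do with a login name: how the Default Domain Name resolves a bare user name such as jdoe, how a User DN Template is filled in with RFC 4514 escaping so that a login name cannot inject extra RDN components into the DN, and how a Search Base DN of OU=Users,DC=corp,DC=example,DC=com maps to the domain corp.example.com. The {0} placeholder syntax for the template is an assumption; the page does not show the template format.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeDNValue escapes one attribute value per RFC 4514, so a login name such
// as `jdoe,ou=admins` cannot add RDNs to the DN built from the template.
func escapeDNValue(v string) string {
	var b strings.Builder
	for i, r := range v {
		switch {
		case strings.ContainsRune(`,+"\<>;=`, r),
			r == '#' && i == 0,
			r == ' ' && (i == 0 || i == len(v)-1):
			b.WriteByte('\\')
			b.WriteRune(r)
		case r < 0x20:
			fmt.Fprintf(&b, "\\%02x", r) // control characters become \XX
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// BuildUserDN fills the User DN Template with the login name. The "{0}"
// placeholder token is an assumption; the page does not show the template syntax.
func BuildUserDN(template, username string) (string, error) {
	if !strings.Contains(template, "{0}") {
		return "", fmt.Errorf("template %q has no {0} placeholder", template)
	}
	return strings.ReplaceAll(template, "{0}", escapeDNValue(username)), nil
}

// ResolveLogin applies the Default Domain Name: a bare "jdoe" is a user in the
// default domain, while "jdoe@west.example.com" keeps the domain it names.
func ResolveLogin(login, defaultDomain string) (user, domain string) {
	if at := strings.LastIndex(login, "@"); at >= 0 {
		return login[:at], strings.ToLower(login[at+1:])
	}
	return login, strings.ToLower(defaultDomain)
}

// splitRDNs splits a DN on commas that are not escaped with a backslash.
func splitRDNs(dn string) []string {
	var parts []string
	var cur strings.Builder
	for i := 0; i < len(dn); i++ {
		switch {
		case dn[i] == '\\' && i+1 < len(dn):
			cur.WriteByte(dn[i])
			i++
			cur.WriteByte(dn[i])
		case dn[i] == ',':
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(dn[i])
		}
	}
	return append(parts, cur.String())
}

// DomainFromBaseDN joins the DC components of a Search Base DN, so
// OU=Users,DC=corp,DC=example,DC=com yields corp.example.com as the page describes.
func DomainFromBaseDN(baseDN string) string {
	var labels []string
	for _, rdn := range splitRDNs(baseDN) {
		kv := strings.SplitN(strings.TrimSpace(rdn), "=", 2)
		if len(kv) == 2 && strings.EqualFold(kv[0], "DC") {
			labels = append(labels, kv[1])
		}
	}
	return strings.Join(labels, ".")
}

func main() {
	tmpl := "uid={0},ou=People,dc=corp,dc=example,dc=com" // constructed template
	user, domain := ResolveLogin("jdoe", "east.example.com")
	dn, _ := BuildUserDN(tmpl, user)
	fmt.Println(user, domain, dn)
	dn, _ = BuildUserDN(tmpl, "jdoe,ou=admins") // the comma and "=" are escaped: no extra RDN
	fmt.Println(dn, DomainFromBaseDN("OU=Users,DC=corp,DC=example,DC=com"))
}
```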
User information caching
The system caches the following information from each of your identity providers:
• The names of users who access the system
• The groups that each user belongs to
As long as this information is in the system's cache, your users can perform any activities for which they have permissions, without the system needing to reconnect to the identity provider.
User information remains in the cache for four hours.
Clearing the cache
Any changes that you make on the identity provider are not reflected in the system until the information is removed from the cache. For example, if you delete a user from the identity provider, that user will be able to access the system for up to four hours, or until the cache is cleared.
Related REST API method(s)
POST /security/clearCache
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Viewing identity providers
You can use the System Management application, REST API, and CLI to view the identity providers that have been added to your system.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. Click on the Identity Providers tab.
Related CLI command(s)
getIdentityProvider
listIdentityProviders
For information on running CLI commands, see CLI reference.
Related REST API method(s)
GET /security/identityProviders/{uuid}
GET /security/identityProviders
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Deleting identity providers
When you delete an identity provider from your system, all users from that provider lose access to the system.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. On the Identity Providers tab, click on the delete icon for the server you want to remove.
Related CLI command(s)
deleteIdentityProvider
For information on running CLI commands, see CLI reference.
Related REST API method(s)
DELETE /security/identityProviders/{uuid}
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Groups
To allow user access to your system, you need to add groups to your system. These groups are defined on your organization's identity providers. Once you've added a group to your system, you can specify what roles its members have.
For information on:
• Adding identity providers to your system, see Adding identity providers.
• Roles, see Roles.
Adding groups
You use the REST API, System Management application, or CLI to add groups from your identity providers to your system.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. On the Groups tab, click on the Create button.
4. Select an identity provider and type a string on which to query the identity provider for groups.
5. Click on the Discover Groups button.
6. Click on the Continue button.
7. Select one or more roles to associate with the group.
8. Click on the Create button.
Related REST API method(s)
POST /security/groups
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Viewing groups
You use the REST API, CLI, or System Management application to view all the groups that have been created for your system.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. Click on the Groups tab.
Related CLI command(s)
getGroup
listGroups
For information on running CLI commands, see CLI reference.
Related REST API method(s)
GET /security/groups/{uuid}
GET /security/groups
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Assigning roles to groups
You use the REST API, System Management application, and CLI to assign roles to the groups that you've added to your system.
For information on roles, see Roles.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. On the Groups tab, click on the group you want to edit.
4. On the Roles tab, select one or more roles to enable for the group.
5. Click on the Update button.
Related REST API method(s)
PUT /security/groups/{uuid}
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Deleting groups
When you delete a group, all users in the group lose access to your system.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. Click on the Groups tab.
4. Click on the delete icon for the group you want to remove.
Related REST API method(s)
DELETE /security/groups/{uuid}
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Roles
Roles determine what actions a group of users can perform. You create your own roles, each of which can grant permission to perform any combination of actions.
For information on associating a role with a group of users, see Assigning roles to groups.
Creating roles
You can use the REST API, System Management application, and CLI to create roles and select which permissions the roles contain.
About permissions
Each permission in a role grants a user the ability to perform an action in some area of the system. For example, the admin:services:read permission grants the ability to view services through the System Management application.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. On the Roles tab, click on the Create button.
4. Specify a name and, optionally, a description for the role.
5. Use the Individual and Wildcard tabs to edit the permissions for the role.
   On the Individual tab, you can enable individual permissions or categories of permissions:
   ◦ Click on a category of permissions and select one or more individual permissions within the category.
     For example, with read, create, and update selected in the certificates category, a user can read, create, and update certificates, but cannot delete them.
   On the Wildcard tab, you can enable permissions for multiple categories at the same time. To do this:
   a. Click on the Add Permission button.
   b. Use the drop-down menus to select a category of permissions.
   c. Leave the last drop-down menu set to the wildcard character (*).
6. Click on the Create button.
7. Click on the Update button.
Related REST API method(s)
POST /security/roles
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Viewing roles
You can use the REST API, CLI, and System Management application to view all the roles that have been created for your system.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. Click on the Roles tab.
Related CLI command(s)
getRole
listRoles
For information on running CLI commands, see CLI reference.
Related REST API method(s)
GET /security/roles/{uuid}
GET /security/roles
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Editing roles
You can use the REST API, System Management application, and CLI to change the permissions that a role contains.
About permissions
Each permission in a role grants a user the ability to perform an action in some area of the system. For example, the admin:services:read permission grants the ability to view services through the System Management application.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. Click on the Roles tab.
4. Click on the role you want to edit.
5. Use the Individual and Wildcard tabs to edit the permissions for the role.
   On the Individual tab, you can enable individual permissions or categories of permissions:
   ◦ Click on a category of permissions and select one or more individual permissions within the category.
     For example, with read, create, and update selected in the certificates category, a user can read, create, and update certificates, but cannot delete them.
   On the Wildcard tab, you can enable permissions for multiple categories at the same time. To do this:
   a. Click on the Add Permission button.
   b. Use the drop-down menus to select a category of permissions.
   c. Leave the last drop-down menu set to the wildcard character (*).
6. Click on the Create button.
7. Click on the Update button.
Related REST API method(s)
PUT /security/roles/{uuid}
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Deleting roles
When you delete a role, all groups associated with that role lose the permissions that the role granted.
System Management application instructions
1. Click on the Configuration panel.
2. Click on Security.
3. Click on the Roles tab.
4. Click on the delete icon for the role you want to remove.
Related REST API method(s)
DELETE /security/roles/{uuid}
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Permissions
The following tables list the permissions available for system roles. The words Yes and No indicate whether or not the permission is assigned to a default role.
MAPI Alerts

Permission name | Description | Default admin role permission?
---|---|---
mapi:alert:list | List all active alerts | Yes

MAPI Job Configurations

Permission name | Description | Default admin role permission?
---|---|---
mapi:job_configuration:list | List all job configurations | Yes
mapi:job_configuration:run | Run a job configuration immediately | Yes
mapi:job_configuration:update | Modify a job configuration | Yes

MAPI S3 Settings

Permission name | Description | Default admin role permission?
---|---|---
mapi:s3_settings:get | Read S3 settings | Yes
mapi:s3_settings:set | Modify S3 settings | Yes

MAPI User

Permission name | Description | Default admin role permission?
---|---|---
mapi:user:list | List all existing users | Yes
mapi:user:revoke_credentials | Revoke S3 credentials | Yes
mapi:user:revoke_tokens | Revoke OAuth tokens | Yes

MAPI Storage Component

Permission name | Description | Default admin role permission?
---|---|---
mapi:storage_component:activate | Activate a storage component | Yes
mapi:storage_component:create | Create a storage component | Yes
mapi:storage_component:list | List storage component(s) | Yes
mapi:storage_component:test | Test a storage component | Yes
mapi:storage_component:update | Modify a storage component | Yes
mapi:storage_component:update_state | Modify state of a storage component | Yes

MAPI Stored Objects

Permission name | Description | Default admin role permission?
---|---|---
mapi:client_object:lookup | List stored objects | Yes

MAPI System

Permission name | Description | Default admin role permission?
---|---|---
mapi:system:info | List system information | Yes
S3 User

Permission name | Description | Default admin role permission?
---|---|---
s3:user:generate_credentials | Generate S3 credentials | Yes

Serial Number

Permission name | Description | Default admin role permission?
---|---|---
mapi:serial_number:get | Read serial number | Yes
mapi:serial_number:set | Modify serial number | Yes
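As an added example, not part of the product, this Go program models how a role built from the Individual and Wildcard tabs is evaluated: a permission is category:resource:action as in the tables above, and a wildcard is valid only as the whole last segment, which is what leaving the last drop-down set to * produces. The catalogue holds the permission names from the tables; the admin:certificates:* names used for the certificate-operator role are assumed from the certificate example in Creating roles and are not listed on this page.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Catalogue holds the permission names from the tables above; a wildcard grant
// is expanded against it so a reviewer can see exactly which actions it confers.
var Catalogue = []string{
	"mapi:alert:list",
	"mapi:job_configuration:list", "mapi:job_configuration:run", "mapi:job_configuration:update",
	"mapi:s3_settings:get", "mapi:s3_settings:set",
	"mapi:user:list", "mapi:user:revoke_credentials", "mapi:user:revoke_tokens",
	"mapi:storage_component:activate", "mapi:storage_component:create", "mapi:storage_component:list",
	"mapi:storage_component:test", "mapi:storage_component:update", "mapi:storage_component:update_state",
	"mapi:client_object:lookup", "mapi:system:info", "s3:user:generate_credentials",
	"mapi:serial_number:get", "mapi:serial_number:set",
}

// Role mirrors what the Roles tab stores: a name and the permission strings
// enabled for it, individual ("mapi:job_configuration:run") or wildcard
// ("mapi:storage_component:*").
type Role struct {
	Name        string
	Permissions []string
}

// ValidatePermission rejects strings that neither tab can produce: anything
// other than three colon-separated segments, an empty segment, or a "*" that
// is not the whole last segment (the Wildcard tab only wildcards the last drop-down).
func ValidatePermission(p string) error {
	parts := strings.Split(p, ":")
	if len(parts) != 3 {
		return fmt.Errorf("%q: expected category:resource:action", p)
	}
	for i, s := range parts {
		if s == "" {
			return fmt.Errorf("%q: segment %d is empty", p, i)
		}
		if strings.Contains(s, "*") && (s != "*" || i != len(parts)-1) {
			return fmt.Errorf("%q: a wildcard is only allowed as the whole last segment", p)
		}
	}
	return nil
}

// matches reports whether a single grant covers the requested permission:
// segment-by-segment equality, with a trailing "*" covering every action.
func matches(granted, requested string) bool {
	g, r := strings.Split(granted, ":"), strings.Split(requested, ":")
	if len(g) != len(r) {
		return false
	}
	for i := range g {
		if i == len(g)-1 && g[i] == "*" {
			return true
		}
		if g[i] != r[i] {
			return false
		}
	}
	return true
}

// Allowed reports whether any role grants requested. A malformed grant never
// matches, so a bad entry in a role fails closed rather than open.
func Allowed(roles []Role, requested string) bool {
	for _, role := range roles {
		for _, p := range role.Permissions {
			if ValidatePermission(p) == nil && matches(p, requested) {
				return true
			}
		}
	}
	return false
}

// Expand lists, sorted, the catalogue permissions a role actually confers,
// which is what a least-privilege review of a wildcard role needs to see.
func Expand(role Role, catalogue []string) []string {
	var out []string
	for _, c := range catalogue {
		if Allowed([]Role{role}, c) {
			out = append(out, c)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	storage := Role{Name: "storage-admin", Permissions: []string{"mapi:storage_component:*", "mapi:alert:list"}}
	fmt.Println(Expand(storage, Catalogue)) // every storage_component action plus alert:list
	// The admin:certificates:* names are assumed from the certificate example in Creating roles.
	certOps := Role{Name: "cert-operator", Permissions: []string{"admin:certificates:read", "admin:certificates:create", "admin:certificates:update"}}
	fmt.Println(Allowed([]Role{certOps}, "admin:certificates:delete")) // false: delete was never granted
}
```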
Changing the admin account password
Your system includes a single local user account called admin, which is available when you first install the system. You can use the REST API, System Management application, or CLI to change the password for this account.
System Management application instructions
1. When logged into the System Management application with the admin user account, click on the user icon in the top right-hand corner of the screen.
2. Click on Change Password.
3. Confirm your current password and specify a new password.
4. Click on the Change Password button.
Related CLI command(s)
updateCurrentUserPassword
For information on running CLI commands, see CLI reference.
Related REST API method(s)
POST /setup/password
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Certificates
Your system uses SSL to provide security for the System Management application. To enable SSL security, you need a valid SSL server certificate or chain of certificates.
Your system comes with its own self-signed SSL server certificate, which is generated and installed automatically when the system is installed. This certificate is not automatically trusted by web browsers.
You can choose to trust this self-signed certificate or to replace it with one from a certificate authority (CA) or one that you create yourself. You can also have the system generate and install a new self-signed SSL server certificate. You would do this, for example, if the current certificate is close to expiring and you are waiting to retrieve a new one from your CA.
Viewing installed certificates
You can use the REST API, CLI, and System Management application to view information about:
• The system certificate. That is, the certificate used to secure communications for your system's applications, CLIs, and REST APIs.
• Data source certificates. These are the certificates retrieved from the systems that your system has connected to using a data connection. For information on data connections, see Data connections.
For each certificate, you can view:
• The distinguished name of the certificate
• The date and time when the certificate goes (or went) into effect
• The date and time when the certificate expires (or expired)
System Management application instructions
1. Click on the Configuration panel.
2. Click on Certificates.
   The System tab displays the currently active system certificate.
3. To view the data source certificates, click on the Client tab.
Related CLI command(s)
listCertificates
getCertificate
getSystemCertificate
For information on running CLI commands, see CLI reference.
Related REST API method(s)
GET /certificates
GET /certificates/system
GET /certificates/{subjectDn}
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Adding data source certificates
For your system to retrieve documents from a data source that uses SSL-protected communication, it must accept the certificate from the data source. Your system prompts you to accept a data source certificate when it tests the connection to the data source. You can also upload data source certificates manually.
System Management application instructions
1. Retrieve the SSL certificate from your data source.
2. In the System Management application, click on Configuration.
3. Click on Certificates.
4. On the Client tab, click on Upload Client Certificate.
5. Click and drag the certificate file into the Upload License box.
Related CLI command(s)
testDataSource
createCertificate
For information on running CLI commands, see CLI reference.
Related REST API method(s)
POST /datasources/test
POST /certificates
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Changing the system certificate
By default, your system includes a self-signed certificate when the system is first installed.
You cannot delete the currently installed certificate. However, you can replace it by:
• Installing a new PKCS12 certificate (for instructions, see Installing a certificate you created)
• Generating and installing a new self-signed certificate (for instructions, see Installing a new self-signed certificate)
• Generating a certificate signing request (CSR) and installing the certificate you receive in response to this request (for instructions, see Creating a CSR and installing the returned certificate)
System certificate considerations
Keep the following in mind when configuring SSL certificates for your system, especially if you are configuring the system to use one or more certificates that you create yourself:
• Do not allow any of the SSL certificates to expire.
• Adhere to the established best practices for setting up SSL certificates. For example, if you are using wildcards to identify hostnames in an SSL certificate, a wildcard should appear only at the beginning of the hostname, not in the middle.
  For information on SSL best practices, see http://tools.ietf.org/html/rfc5280 and http://tools.ietf.org/html/rfc6125.
• Ensure that the DNS name for the system matches the name defined in the certificate.
• When configuring a certificate chain, ensure that all intermediate issuers have the appropriate signing authority permissions so that the entire chain is signed.
Installing a certificate you created
You can create an SSL server certificate by using a third-party tool such as OpenSSL. When creating the certificate, you specify two passwords: one for the PKCS12 object containing the certificate and one for the private key for the certificate. To use the certificate with your system, these passwords must be the same.
When you create your own SSL server certificate, you can choose to have that certificate signed by a certificate authority (CA). In this case, the CA you use may provide you with one or more intermediate certificates. These certificates are used in conjunction with the SSL server certificate you created to establish a certificate chain, an ordered list of certificates in which each certificate is trusted by the next.
To preserve the chain of trust among the certificates, you need to upload the certificates in the correct order. That is, each certificate you upload must be immediately followed by the certificate that signs it. For information on the correct order for the certificate chain, see your CA.
Important: Read and understand the topic System certificate considerations before creating your own SSL certificates, especially if you are using an in-house CA.
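The following shell script is an added example and is not part of this documentation or of the product; it uses OpenSSL, the third-party tool named above, to carry out the two topics just described: it builds a root, intermediate and server certificate chain, packages the server certificate and key as a PKCS12 object protected by a single password (the key password and the PKCS12 password are the same, as the system requires), writes the chain file in upload order (each certificate followed by its signer), and then runs the checks the System certificate considerations topic asks for: expiry, hostname match with the wildcard only in the leftmost label, and signing permissions on the intermediate. A fingerprint helper at the end is the same check you would run on a certificate retrieved from a data source before accepting it. Every hostname, subject name, password, file name and scratch directory in the script is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the product documentation): build a root -> intermediate
# -> server certificate chain with OpenSSL, package the server certificate and key
# as PKCS12 protected by ONE password, and run the checks from the
# "System certificate considerations" topic. Every name, hostname, password and
# path below is constructed for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory (constructed)
PASS="Example-pkcs12-passw0rd"    # one password for both the key and the PKCS12 container
HOST="system.example.com"         # DNS name the system is reached at (constructed)

make_chain() {
    cd "$WORK"
    # Root CA: self-signed; CA:TRUE and keyCertSign let it sign other certificates.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext \
        -out root.crt 2>/dev/null
    # Intermediate CA: signed by the root. It must carry the same signing
    # permissions, or the server certificate it issues will not verify.
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -extfile ca.ext -out int.crt 2>/dev/null
    # Server certificate: the wildcard sits only in the leftmost label, and the
    # exact system name is listed as well so both forms match the DNS name.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=*.$HOST/O=Example Org/C=US" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:*.%s\n' "$HOST" "$HOST" >> server.ext
    openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 397 -extfile server.ext -out server.crt 2>/dev/null
    # Chain file in upload order: each certificate is followed by the one that signed it.
    cat server.crt int.crt root.crt > chain.pem
}

make_pkcs12() {
    cd "$WORK"
    # Encrypt the private key with the same password that will protect the
    # PKCS12 container; the system requires the two passwords to match.
    # (pass: on the command line is for the demo only; prefer -passout file:.)
    openssl pkey -in server.key -aes-256-cbc -passout "pass:$PASS" -out server.enc.key
    openssl pkcs12 -export -inkey server.enc.key -passin "pass:$PASS" \
        -in server.crt -certfile int.crt -name "$HOST" \
        -passout "pass:$PASS" -out server.p12
}

# 0 when the PKCS12 opens with the single password and holds both the server
# certificate and the intermediate that signed it.
check_pkcs12() {
    cd "$WORK"
    openssl pkcs12 -in server.p12 -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject | grep -q "CN *= *\*\.$HOST" &&
    openssl pkcs12 -in server.p12 -passin "pass:$PASS" -nokeys -cacerts 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# 0 when the chain verifies through the intermediate to the root and the
# intermediate is itself permitted to sign (basicConstraints CA:TRUE).
check_chain() {
    cd "$WORK"
    openssl verify -CAfile root.crt -untrusted int.crt server.crt >/dev/null 2>&1 &&
    openssl x509 -in int.crt -noout -text | grep -q 'CA:TRUE'
}

# 0 when the certificate matches the system's DNS name (and a single-label
# wildcard host), rejects a name two labels deep, and is not about to expire.
check_name_and_expiry() {
    cd "$WORK"
    openssl verify -CAfile root.crt -untrusted int.crt \
        -verify_hostname "$HOST" server.crt >/dev/null 2>&1 &&
    openssl verify -CAfile root.crt -untrusted int.crt \
        -verify_hostname "node1.$HOST" server.crt >/dev/null 2>&1 &&
    ! openssl verify -CAfile root.crt -untrusted int.crt \
        -verify_hostname "a.b.$HOST" server.crt >/dev/null 2>&1 &&
    openssl x509 -in server.crt -noout -checkend 2592000 >/dev/null   # 30 days
}

# SHA-256 fingerprint (hex only) of a PEM certificate, e.g. to compare a retrieved
# data-source certificate against the value its owner published before accepting it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
```

Run `make_chain` and `make_pkcs12` first, then the three `check_*` functions; each returns 0 only when the corresponding consideration holds, so they can be used as a pre-upload gate. The negative hostname case (`a.b.system.example.com`) is there to show that a leftmost wildcard covers exactly one label, which is why the considerations topic rules out wildcards elsewhere in the name. The `chain.pem` written by `make_chain` is in the order the system expects: server certificate, then the intermediate that signed it, then the root.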
System Management application instructions
To install your certificates:
1. Click on the Configuration panel.
2. Click on Certificates.
3. Click on the Update System Certificate button.
4. On the PKCS12 panel, click and drag your certificate into the Upload Certificate Chain box.
5. In the PKCS12 Password field, type the password for your certificate.
6. Click and drag the certificate into the Upload Certificate Chain box.
7. Click on the Continue button.
8. Click on the Accept button.
Related CLI command(s)
uploadPKCS12Certificate
applyCertificateChanges
For information on running CLI commands, see CLI reference.
Related REST API method(s)
POST /certificates/system/pkcs12
POST /certificates/system
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Installing a new self-signed certificate
Your system can generate and install a new self-signed SSL server certificate. The new certificate is good for five years.
Important: If the system is using a self-signed certificate, when you change the hostname of the system, you need to generate a new SSL certificate. For information on changing the hostname, see Setting the system hostname.
System Management application instructions
To generate a new self-signed certificate:
1. Click on the Configuration panel.
2. Click on Certificates.
3. Click on Update System Certificate.
4. Click on the Self-Signed panel.
5. Click on the Continue button.
Your system generates a new self-signed server certificate.
6. Click on the Accept button.
Your system installs the new certificate.
7. To continue using the System Management application, log out and then log back in.
Related CLI command(s)
generateSelfSignedCertificate
applyCertificateChanges
For information on running CLI commands, see CLI reference.
Related REST API method(s)
POST /certificates/system/selfsigned
POST /certificates/system
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Creating a CSR and installing the returned certificate
SSL server certificates are available from several trusted sources. To obtain a certificate created by a certificate authority (CA), you need to create a certificate signing request (CSR) and give it to the CA. The CA then generates the requested certificate and makes it available to you.
Creating a certificate signing request
You can create a CSR using the System Management application or a third-party tool. When you use the System Management application, the system securely stores the private key needed for installing the returned certificate, so you don’t need to save it yourself.
To know exactly what information is required, check with the CA you plan to use.
System Management application instructions
To create a CSR:
1. Click on the Configuration panel.
2. Click on Certificates.
3. Click on the System tab.
4. Click on Update System Certificate.
5. Click on the CSR panel.
6. Choose Generate a new certificate signing request and click on the Continue button.
7. Fill in the fields as needed:
o In the Common Name (CN) field, type the DNS name of the system preceded by an asterisk (*) and a period (.) (for example, *.system.example.com).
The Common Name (CN) field is required.
o In the Organizational Unit (OU) field, type the name of the organizational unit that uses the system (for example, the name of a division or a name under which your company does business).
o In the Organization (O) field, type the full legal name of your organization.
o In the Location (L) field, type the name of the city in which your organization's headquarters are located.
o In the State/Province (ST) field, type the full name of the state or province in which your organization's headquarters are located.
o In the Country (C) field, type the two-letter ISO 3166-1 abbreviation for the country in which your organization's headquarters are located (for example, US for the United States).
8. Click on the Generate CSR button.
The page displays the generated certificate request.
9. Copy and paste the request text into a file and send that file to your CA.
10. Continue to Installing the certificates returned for a system-generated CSR.
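The topic above notes that a CSR can also be created with a third-party tool, in which case you keep the private key yourself. The following shell script is an added example, not part of this documentation or of the product: it creates such a CSR with OpenSSL using the same subject fields the form lists (CN in the wildcard form shown above, OU, O, L, ST and C), verifies and inspects the request before it is sent, and checks that the certificate that comes back belongs to the private key kept from the request. Because a real CA's response cannot be produced offline, the script stands in for it by self-signing the CSR; all subject values, file names and the scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the product documentation): create the CSR with a
# third-party tool (OpenSSL) using the fields listed above, inspect it before
# sending it to the CA, and confirm the returned certificate belongs to the
# private key you kept. The CA's response is simulated by self-signing the CSR
# here; all subject values, file names and paths are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (constructed)

make_csr() {
    cd "$WORK"
    # Subject fields in the order the form lists them: CN (wildcard form the
    # topic asks for), OU, O, L, ST and the two-letter ISO 3166-1 country code.
    # Keep csr.key: it is needed to install the certificate the CA returns.
    openssl req -new -newkey rsa:2048 -nodes -keyout csr.key -out request.csr \
        -subj "/CN=*.system.example.com/OU=Content Platform Team/O=Example Corp/L=Santa Clara/ST=California/C=US" \
        2>/dev/null
}

# 0 when the CSR is self-consistent (its signature verifies with the public key
# it carries), which is worth checking before the request leaves your hands.
csr_is_valid() {
    cd "$WORK"
    openssl req -in request.csr -noout -verify >/dev/null 2>&1
}

# Prints the Common Name from the CSR so it can be compared with the system's
# DNS name before sending.
csr_common_name() {
    cd "$WORK"
    openssl req -in request.csr -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Stand-in for the CA's answer: a self-signed certificate issued from the CSR.
# A real CA signs the request with its own key instead. Constructed for the demo.
sign_csr_locally() {
    cd "$WORK"
    openssl x509 -req -in request.csr -signkey csr.key -days 397 -out returned.crt 2>/dev/null
}

# 0 when the certificate's public key equals the public half of the given private
# key, i.e. the returned certificate can be installed against that key.
# Usage: cert_matches_key <certificate.pem> <private-key.pem>
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Call `make_csr`, then `csr_is_valid` and `csr_common_name` before sending `request.csr` to the CA; when the signed certificate arrives, run `cert_matches_key returned.crt csr.key` (with the real file in place of the locally signed stand-in) before installing it. A key mismatch is the usual cause of an install that fails after a CSR was regenerated or created on another machine, and it is cheaper to catch it here than after upload.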
Related REST API method(s)
PUT /certificates/system/csr
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.
Installing the certificates returned for a system-generated CSR
In response to a CSR, your CA provides you with an SSL server certificate and any required intermediate certificates. The intermediate certificates are used in conjunction with the SSL server certificate to establish a certificate chain, an ordered list of certificates in which each certificate is trusted by the next. You need to upload and install these certificates on your system.
To preserve the chain of trust among the certificates, you need to upload the certificates in the correct order. That is, each certificate you upload must be immediately followed by the certificate that signs it. For information on the correct order for the certificate chain, see your CA.
System Management application instructions
To install the SSL server certificate and any intermediate certificates returned from a CA:
1. Click on the Configuration panel.
2. Click on Certificates.
3. Click on the System tab.
4. Click on Update System Certificate.
5. Click on the CSR panel.
6. Select the I already generated a CSR and obtained a signed certificate option and click on the Continue button.
7. Click and drag the certificate into the Upload certificate obtained from Certificate Authority box.
8. Click on the Accept button.
Related CLI command(s)
uploadCSR
applyCertificateChanges
For information on running CLI commands, see CLI reference.
Related REST API method(s)
POST /certificates/system/csr
POST /certificates/system
For information on specific REST API methods, in the System Management application, click on the help icon. Then:
• To view the administrative REST API methods, click on REST API - Admin.
For general information about the administrative REST API, see REST API reference.