Setting up a secure (SSL) connection

You can use a Secure Sockets Layer (SSL) certificate to create a secure, encrypted connection between the storage system and the management client.

Setting up SSL communications

Before you enable SSL encryption, you must create a private key and a public key to establish a secure communication session.

The following figure shows the procedure to set up SSL communication. Unless otherwise noted, all steps are required. Note that creation of private and public keys requires a dedicated program. You can download a program for creating private and public keys from the OpenSSL website (http://www.openssl.org/).

[Figure: procedure for setting up SSL communication]

Setting up SSL encryption

To improve the security of remote operations from a Device Manager - Storage Navigator SVP to a storage system, you can set up Secure Sockets Layer (SSL) encrypted communication. When SSL encryption is set, the Device Manager - Storage Navigator user ID and password are transmitted encrypted.

Device Manager - Storage Navigator must satisfy the following security requirements:

  • Key exchange algorithm
    • RSA: The key length must be 2048 bits or more.
    • DHE: The key length must be 2048 bits or 4096 bits.

Note: To enable SSL, the private and public key pair and the SVP server certificate must be valid. If either the keys or the certificate is expired, the user cannot connect to the SVP.

Note: To add the Secure attribute to cookies using Device Manager - Storage Navigator, you must block HTTP communication. For details, see Blocking HTTP communication to the storage system.

Note: Device Manager - Storage Navigator supports HTTP Strict Transport Security (HSTS) with a maximum validity of 31536000 seconds. To enable HSTS, you must use a security certificate issued by a trusted root certificate authority for your Device Manager - Storage Navigator domain. HSTS is valid for one year (31536000 seconds), and it is renewed automatically every time the HSTS header is sent to the browser. The security certificate to use is determined by the browser. For details, contact your browser vendor.

Creating a keypair

To enable SSL, you must create a keypair consisting of a public and a private key on the management client. The instructions use Windows 7 as an example.

Creating a private key

A private key is required to create an SSL keypair. The following procedure for Windows 7 creates a private key file called server.key in the c:\key folder.

Before you begin

Download openssl.exe from the OpenSSL website.

Procedure

  1. If the read-only attribute is set on the c:\openssl folder, clear it.

  2. Open a command prompt with administrator permissions.

  3. Move the current directory to the folder to which the key file is output (such as c:\key), and execute the following command:

    c:\key>c:\openssl\bin\openssl genrsa -out server.key 2048

Creating a public key

A public key file, also called a certificate signing request (CSR), has the file extension .csr. It is required to create an SSL keypair. The following procedure is for the Windows 7 operating system.

Before you begin

Download openssl.exe from the OpenSSL website.

Procedure

  1. Open a command prompt with administrator permissions.

  2. Move the current directory to the folder to which the key file is output (such as c:\key). Execute the following command:

    c:\key>c:\openssl\bin\openssl req -sha256 -new -key server.key -config c:\openssl\bin\openssl.cfg -out server.csr

  3. Enter the following information in the prompt:

    • Country Name (two-letter code)
    • State or Province Name
    • Locality Name
    • Organization Name
    • Organization Unit Name
    • Common Name

      To create a self-signed certificate, enter the IP address of the SVP. The name you entered here is used as the server name (host name). To obtain a signed and trusted certificate, ensure that the server name is the same as the host name.

    • Email Address
    • Challenge password (optional)
    • Company name (optional)

Example

The following example shows the contents of a command window when you create a public key.

......++++++
..++++++
e is 65537 (0x10001)
C:\key>c:\openssl\bin\openssl req -sha256 -new -key server.key -config c:\openssl\bin\openssl.cfg -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Odawara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hitachi
Organization Unit Name (eg, section) []:ITPD
Common Name (eg, YOUR name) []:192.168.0.1
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

Obtaining a signed certificate

After creating a private key and public key, obtain a signed public key certificate file. You can use either of the following methods to obtain a signed certificate file.

Note

When you send a request to a certificate authority, specify the SVP as the host name.

Hitachi recommends that self-signed certificates be used only for testing encrypted communication.

Obtaining a self-signed certificate

To obtain a self-signed certificate, open a command prompt and execute the following command:

c:\key>c:\openssl\bin\openssl x509 -req -sha256 -days 10000 -in server.csr -signkey server.key -out server.crt

Note: This command uses SHA-256 as the hash algorithm. MD5 and SHA-1 are not recommended as hash algorithms because of their low security level.

This command creates a server.crt file in the c:\key folder, which is valid for 10,000 days. This is the signed public key certificate, which is also referred to as a self-signed certificate.

Obtaining a signed and trusted certificate

To obtain a signed and trusted certificate, you must create a certificate signing request (CSR), send that file to a Certificate Authority (CA), and request that the CA issue a signed and trusted certificate. Each certificate authority has its own procedures and requirements. Using such a certificate gives higher trust in exchange for greater cost and more requirements. The signed and trusted certificate is the signed public key.

Uploading a signed certificate

To use SSL-encrypted communication, you must update and upload the private key and the signed server certificate (public key) to the SVP.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged into the SVP.
  • A private key (.key file) has been created. Make sure that the file name is server.key. See Creating a private key.
  • The passphrase for the private key (server.key file) is released.
  • A signed public key certificate (.crt file) has been acquired. Make sure that the file name is server.crt. See Creating a public key.
  • The private key (.key file) must be in PEM format. You cannot use DER format.
  • The signed public key certificate (.crt file) must be in X509 PEM format. You cannot use X509 DER format. See Obtaining a self-signed certificate.
  • You must be an external authentication user whose external user group mapping is disabled.
  • If the public key of the certificate to be uploaded is RSA, the key length must be 2048 bits or more.
  • The signature hash algorithm of the certificate to be uploaded must be SHA-256, SHA-384, or SHA-512.
  • Enter the host name or the IP address of the SVP in subjectAltName or CommonName of the certificate to be uploaded.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the management client, open a web browser and enter the following URL to open the Tool Panel dialog box.

    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Update Certificate Files.

    If SSL communication has been established, the Security Alert dialog box opens before the login dialog box opens. In the Security Alert dialog box, click OK. The Security Alert dialog box closes and the Login dialog box opens.
  4. In the Login dialog box, enter the administrator user ID and password, and click Login. The Upload dialog box opens.

  5. In the Upload dialog box, enter the public key certificate file name in the Certificate file box and the private key file name (server.key file) in the Key file box. You can enter the file names directly or by clicking Browse.

  6. In the Upload dialog box, click Upload. A confirmation dialog box opens.

  7. Click OK to begin the certificate update. When the update is complete, the SVP web server restarts.

    Depending on the environment, the SVP web server can take 30 to 60 minutes to restart. When it takes that long, the update completion dialog box does not appear; instead, an "internal server error" message is displayed. However, the certificate update is complete.

  8. In the error message box, click OK. If the Security Alert dialog box for the certificate opens, click View Certificate to display the certificate. Confirm that the certificate is correct, and click Yes.

    Note: If an error occurs during the certificate update, an error message is displayed. Resolve the problem described in the error message and then repeat this procedure, starting with Step 4 (login) above.

Releasing an SSL certificate passphrase

An SSL certificate cannot be applied to the SVP if a passphrase is set on its private key. If the passphrase is set, release it before applying the SSL certificate to the SVP. The following procedure explains how to verify and release the passphrase settings.

Before you begin

  • A private key (.key file) has been created.
  • OpenSSL must be installed. In this procedure, it is installed in C:\openssl.

Procedure

  1. Open a command prompt window with administrator permissions.

  2. Move the current directory to the folder (for example, C:\key) where the key file is stored, and run the following command:

    Caution: Executing this command overwrites the current key file. To prevent loss of the key file, do one of the following:
    • Back up the key file first.
    • Use a different key file input destination and output destination.

    C:\key>C:\openssl\bin\openssl rsa -in key-file-input-destination -out key-file-output-destination

    If Enter pass phrase for server.key: is displayed, the passphrase is set. Enter the passphrase. The passphrase in the SSL private key will be released, and the SSL certificate can be applied to the SVP.

Example (when passphrase is set)

C:\key>c:\openssl\bin\openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: "Enter passphrase"
Writing RSA key

Example (when passphrase is not set)

C:\key>c:\openssl\bin\openssl rsa -in server.key -out server.key
Writing RSA key
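The following Go program is an added example, not code from the Hitachi documentation or the SVP software. It checks a server.key / server.crt pair against the rules the page sets out before uploading them (PEM rather than DER, an unencrypted private key as described in Releasing an SSL certificate passphrase, RSA of 2048 bits or more, a SHA-256/384/512 signature, a certificate that has not expired, and the SVP host in subjectAltName or CommonName). The makeSelfSigned helper stands in for the openssl genrsa, req and x509 steps; 192.168.0.1 is the page's example SVP address, and the Organization value is assumed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeSelfSigned stands in for the page's openssl genrsa / req / x509 steps: an RSA key of the given size and a SHA-256 signed certificate carrying the SVP host (IP or name) in CommonName and subjectAltName.
func makeSelfSigned(host string, bits int, notBefore time.Time, days int) (keyPEM, certPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits) // openssl genrsa -out server.key <bits>
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: host, Organization: []string{"Hitachi"}}, // Organization is an assumed value
		NotBefore:          notBefore,
		NotAfter:           notBefore.Add(time.Duration(days) * 24 * time.Hour), // openssl x509 -days <days>
		SignatureAlgorithm: x509.SHA256WithRSA,                                   // the -sha256 flag on the page
	}
	if ip := net.ParseIP(host); ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	} else {
		tmpl.DNSNames = []string{host}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed: -signkey server.key
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return keyPEM, certPEM, nil
}

// checkUpload applies the page's pre-upload rules to a server.key / server.crt pair and returns every violation found; an empty result means the SVP should accept the pair.
func checkUpload(keyPEM, certPEM []byte, svpHost string) []string {
	var problems []string
	kb, _ := pem.Decode(keyPEM)
	switch {
	case kb == nil:
		problems = append(problems, "private key is not PEM (DER is not accepted)")
	case kb.Type == "ENCRYPTED PRIVATE KEY" || kb.Headers["Proc-Type"] == "4,ENCRYPTED":
		problems = append(problems, "private key still has a passphrase; release it with openssl rsa first")
	}
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return append(problems, "certificate is not X509 PEM (DER is not accepted)")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return append(problems, "certificate does not parse: "+err.Error())
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("RSA key is %d bits; 2048 or more is required", pub.N.BitLen()))
	}
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA: // the signature hashes the page allows
	default:
		problems = append(problems, "signature hash must be SHA-256, SHA-384 or SHA-512; got "+cert.SignatureAlgorithm.String())
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) { // expired certificate: no SVP connection
		problems = append(problems, "certificate is expired or not yet valid")
	}
	if cert.VerifyHostname(svpHost) != nil && cert.Subject.CommonName != svpHost { // VerifyHostname checks SAN only; the page also accepts CN
		problems = append(problems, "SVP host "+svpHost+" is in neither subjectAltName nor CommonName")
	}
	return problems
}

func main() {
	k, c, _ := makeSelfSigned("192.168.0.1", 2048, time.Now().Add(-time.Hour), 10000) // CN 192.168.0.1 as in the page's example
	fmt.Println("problems:", checkUpload(k, c, "192.168.0.1"))                        // prints "problems: []"
}
```

To check real files, read server.key and server.crt with os.ReadFile and pass their bytes to checkUpload together with the SVP host name or IP address you will enter in the browser.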

Converting the SSL certificates to PKCS#12 format

Uploaded SSL certificates need to be in PKCS#12 format.

If you are uploading a created private key and the SSL certificate to the management client, you need to convert the SSL certificate to PKCS#12 format. If you are not uploading the SSL certificate, conversion is not required.

Before you begin

  • You must store a private key and SSL certificate in the same folder.
  • In the following procedure:
    • The private key file name is “client.key”.
    • The SSL certificate file name is “client.crt”.
    • The SSL certificate in PKCS#12 format is output to c:\key.

Procedure

  1. Open a command prompt with administrator permissions.

  2. Enter the following command:

    C:\key>c:\openssl\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

  3. Enter a password, which is used when uploading the SSL certificate in PKCS#12 format. You can use up to 128 alphanumeric characters and the following symbols: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

  4. The client.p12 file is created in the C:\key folder. This client.p12 file is the SSL certificate in PKCS#12 format.

  5. Close the command prompt.

Returning the certificate to default

You can return the certificate that was updated by the procedure in Uploading a signed certificate to default.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be an external authentication user whose external user group mapping is disabled.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the Device Manager - Storage Navigator computer, open a web browser and enter the following URL to open the Tool Panel dialog box.

    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Update Certificate Files. The Update Certificate Files login dialog box opens.

    If SSL communication has been established, the Security Alert dialog box opens before the login dialog box. In the Security Alert dialog box, click OK.
  4. In the Login dialog box, enter the administrator user ID and password, and click Login. The Upload dialog box opens.

  5. In the Upload dialog box, click Return to Default. A confirmation dialog box opens.

  6. Click Yes to confirm and close the dialog box.

    When the certificate update is complete, the SVP web server restarts. When the restart is complete, the Update Completion dialog box opens.
  7. In the Update Completion dialog box, click OK. The dialog box closes and the display returns to the Login dialog box.

    Note: If an error occurs during the certificate update, an error message appears. Resolve the problem described in the error message and then repeat this procedure, starting with Step 4 (login) above.
    Note: If the Security Alert dialog box for the certificate opens at other times, click View Certificate to confirm that the certificate is correct and then click Yes.

Importing the SSL certificate to the Web browser

To allow your Web browser to automatically trust SSL certificates, you can import the SSL certificate into your Web browser.

Consult your Web browser's documentation for instructions to import the SSL certificate to the Web browser.

Blocking HTTP communication to the storage system

If the web server supports SSL (HTTPS), the HTTP setting tool allows you to block access to port 80. When you block access to port 80, the connection used to import the certificate from the web browser to the web server occurs on port 443 (HTTPS).

If you are using Hitachi Command Suite to access Device Manager - Storage Navigator, blocking HTTP communication might interfere with that access. Make sure the Hitachi Command Suite can use SSL communication to access Device Manager - Storage Navigator.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be an external authentication user whose external user group mapping is disabled.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the Device Manager - Storage Navigator computer, open a web browser and enter the following URL to open the Tool Panel dialog box.

    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Set up HTTP Blocking. A login dialog box opens.

  4. In the Login dialog box, enter the storage administrator user ID and password, then click Login. The Set up HTTP Blocking dialog box opens.

  5. In the dialog box, click OK. A confirmation dialog box opens.

  6. In the confirmation dialog box, click OK to implement HTTP blocking.

    When the configuration change is complete, the SVP web server restarts. When the restart is complete, the HTTP Communications Blocked dialog box opens.

    Depending on the environment, it can take 30 to 60 minutes for the web server to restart. In that case, after the SVP restarts, the Completion dialog box does not appear. Instead, an "internal server error" message appears. However, the setting is actually completed.

  7. Click OK to continue the operation and return to the Login dialog box, or click Cancel to cancel the operation and return to the Login dialog box.

Releasing HTTP communication blocking

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be an external authentication user whose external user group mapping is disabled.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the Device Manager - Storage Navigator computer, open a web browser. Enter the following URL to open the Tool Panel dialog box.

    https://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Release HTTP Blocking.

  4. Enter the User ID and Password for the root storage administrator, then click Login. The Release HTTP Blocking dialog box opens.

  5. Click OK. A confirmation dialog box opens.

  6. Click OK to release HTTP blocking. When the configuration change is complete, the SVP web server reboots. Once the reboot is complete, the Release HTTP Blocking Complete dialog box opens.

    Depending on the environment, it can take 30 to 60 minutes for the web server to restart. After the SVP restarts, the Completion dialog box does not appear. Instead, an "internal server error" message is displayed. However, the setting is actually completed.
  7. Click OK to continue the operation and return to the Login dialog box, or click Cancel to cancel the operation and return to the Login dialog box.

Managing HCS certificates

This topic explains how to set or delete the certificates for Hitachi Command Suite (HCS) that are used to verify the HCS server when SSL communication for HCS external authentication is performed.

Registering certificates for HCS

To manage the storage system by using HCS and perform the HCS external authentication, upload an HCS public key certificate to the web server to register the certificate. Complete the steps in the following procedure to upload and register a certificate using the certificate update tool.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • If the certificate to be registered has an extension other than ".crt", change it to ".crt".
  • The certificate to be registered must be in X509 PEM or X509 DER format.
  • You must be an external authentication user whose external user group mapping is disabled.
  • If the public key of the certificate to be uploaded is RSA, the key length must be 2048 bits or more.
  • The signature hash algorithm of the certificate to be uploaded must be SHA-256, SHA-384, or SHA-512.
  • Enter the host name or the IP address of the server in subjectAltName or CommonName of the certificate for the connected server.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the Device Manager - Storage Navigator computer, open a web browser and enter the following URL to open the Tool Panel dialog box.

    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Set or Delete Certificate File for HCS. The Login dialog box opens.

    If SSL communication has been established, the Security Alert dialog box opens before the Login dialog box. In the Security Alert dialog box, click OK.
  4. When the Login dialog box opens, enter the administrator user ID and password, and click Login. The Set or Delete Certificate File for HCS dialog box opens.

  5. In the dialog box, enter the certificate file for HCS (.crt file) in the Certificate file (.crt file) box. You can enter the file name directly or by clicking Browse and searching for the file name.

  6. Click Register. The execution confirmation dialog for Set or Delete Certificate File for HCS opens.

  7. Click OK to register the certificate. Registration of the certificate starts.

    When the certificate is registered, the registration completion dialog box for Set or Delete Certificate File for HCS opens.
  8. In the registration completion dialog box for Set or Delete Certificate File for HCS, click OK. The display returns to the login dialog box.

    Note: If an error occurs during registration of the HCS certificate, an error message is displayed. Resolve the problem and then run the procedure again, starting with logging in to Set or Delete Certificate File for HCS.
    Note: If the Security Alert dialog box for the certificate opens at other times, click View Certificate to confirm that the certificate is correct and then click Yes.

Notes on registering certificates for HCS

Read the following notes about registering certificates for HCS:

  • Ensure that the certificate to be registered is the right one. If you register a wrong certificate, the storage system is not managed by using HCS and HCS external authentication is not performed.
  • Only when the correct certificate is registered is the storage system managed by using HCS and HCS external authentication operates normally.

Deleting certificates for HCS

You can delete the certificates you registered with the procedure in Registering certificates for HCS. Once you delete a certificate, HCS external authentication cannot be performed.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • You must be an external authentication user whose external user group mapping is disabled.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the Device Manager - Storage Navigator computer, open a web browser and enter the following URL to open the Tool Panel dialog box.

    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Set or Delete Certificate File for HCS. The login dialog box opens.

    If SSL communication has been established, the Security Alert dialog box opens before the login dialog box. In the Security Alert dialog box, click OK.
  4. In the login dialog box, enter the administrator user ID and password, and click Login. The Set or Delete Certificate File for HCS dialog box opens.

  5. In the dialog box, click Delete. A confirmation dialog box opens.

  6. Click OK to delete the certificate. Deletion of the certificate starts.

  7. When the certificate has been deleted, a completion dialog box opens.

  8. In the completion dialog box click OK. The display returns to the login dialog box.

    Note: If an error occurs during deletion of the certificate for HCS, an error message is displayed. Resolve the problem and then run the procedure again, starting with logging in to Set or Delete Certificate File for HCS.
    Note: If the Security Alert dialog box for the certificate opens at other times, click View Certificate to confirm that the certificate is correct and then click Yes.

Using HSTS

HSTS (HTTP Strict Transport Security) is a security mechanism used when the Web server communicates with the Web browser using HTTPS.

Note: If you enable HSTS, you might not be able to connect to Device Manager - Storage Navigator by using HTTP. If the connection does not work by using HTTP, use HTTPS.

Enabling HSTS

To enable HSTS, use the following procedure:

Procedure

  1. Open a command prompt with administrator permissions on the SVP.

  2. Move the current directory to the folder in which the setting tool is located, and then execute the following command:

    cd /d C:\Mapp\wk\Supervisor\MappIniSet
    MappHstsEnable.bat
    
    Note: C:\Mapp indicates the installation directory of the storage management software and SVP software. If you specified an installation directory other than C:\Mapp, replace C:\Mapp with the specified installation directory.
  3. When "Press any key to continue ..." appears in the window, press the Enter key.

  4. To verify that HSTS is enabled, execute the following command:

    MappHstsState.bat

    Note: If "hsts=on" appears, HSTS is enabled. Press the Enter key. If "hsts=off" appears, HSTS is not enabled. Press the Enter key, and then go back to step 2.

    If a message indicating that the specified file could not be found appears, the HSTS setting failed. Press the Enter key, and then go back to step 2.

  5. Close the command prompt window.

Disabling HSTS

To disable HSTS, use the following procedure:

Procedure

  1. Open a command prompt with administrator permissions on the SVP.

  2. Move the current directory to the folder in which the setting tool is located, and then execute the following command:

    cd /d C:\Mapp\wk\Supervisor\MappIniSet
    MappHstsDisable.bat
    
    Note: C:\Mapp indicates the installation directory of the storage management software and SVP software. If you specified an installation directory other than C:\Mapp, replace C:\Mapp with the specified installation directory.
  3. When "Press any key to continue ..." appears in the window, press the Enter key.

  4. To verify that HSTS is disabled, execute the following command:

    MappHstsState.bat

    Note: If "hsts=off" appears, HSTS is disabled. Press the Enter key. If "hsts=on" appears, HSTS is not disabled. Press the Enter key, and then go back to step 2.

    If a message indicating that the specified file could not be found appears, the HSTS setting failed. Press the Enter key, and then go back to step 2.

  5. Close the command prompt window.