
Setting up a secure (SSL) connection

You can use a Secure Sockets Layer (SSL) certificate to create a secure, encrypted connection between the storage system and the management client.

Setting up SSL communications

Before you enable SSL encryption, you must create a private key and a public key to establish a secure communication session.

The following figure shows the procedure to set up SSL communication. Unless otherwise noted, all steps are required. Note that creation of private and public keys requires a dedicated program. You can download a program for creating private and public keys from the OpenSSL website (http://www.openssl.org/).

[Figure: Procedure for setting up SSL communication]

Setting up SSL encryption using Device Manager - Storage Navigator

To improve security of remote operations from a Device Manager - Storage Navigator SVP to a storage system, you can set up Secure Sockets Layer (SSL) encrypted communication. By setting SSL encryption, the Device Manager - Storage Navigator User ID and Password are encrypted.

SSL communication can be established between the management client and the SVP using the protocols and port numbers specified in the following table.

Protocol   Port Number
HTTPS      443
RMI        1099
RMI        51100
SMI-S      5989

SSL communication can be established between the following servers and the SVP:

  • Syslog Server
  • Key management server
  • External authentication or authorization server
  • Hitachi Ops Center server
  • Hitachi Command Suite server

The user with the Security Administrator (View & Modify) role can configure the following security settings used for the SSL/TLS communications with the SVP by using the Tool Panel dialog box on Device Manager - Storage Navigator:

  • Protocol
  • Cipher suites
  • Minimum key length of keys used for key exchange
  • Enabling renegotiation

Device Manager - Storage Navigator must satisfy the following security requirements:

  • Protocol
    • TLS1.2
    • TLS1.3
  • Cipher suites
    • Cipher suites supported by TLS1.2

      TLS_RSA_WITH_AES_128_CBC_SHA

      TLS_RSA_WITH_AES_128_CBC_SHA256

      TLS_RSA_WITH_AES_256_CBC_SHA256

      TLS_RSA_WITH_AES_256_GCM_SHA384

      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

    • Cipher suite supported by TLS1.3

      TLS_AES_128_GCM_SHA256

      TLS_AES_256_GCM_SHA384

  • Minimum key length supported by key exchange algorithm
    • RSA: Supports the key length of 2048 bits, 3072 bits, or 4096 bits. It can be used when TLS1.2 is enabled.
    • DHE: Supports the key length of 2048 bits. It can be used when TLS1.2 or TLS1.3 is enabled.
    • ECDHE: Supports elliptic curve parameters of secp256r1, secp384r1, or secp521r1. It can be used when TLS1.2 or TLS1.3 is enabled.
  • Enabling renegotiation
    • It can be used when TLS1.2 is enabled; however, disabling renegotiation is recommended.
Note
To enable SSL, the private and public key pair and the SVP server certificate must be valid. If either the keys or the certificate has expired, the user cannot connect to the SVP.

Note
To add the Secure attribute to cookies using Device Manager - Storage Navigator, you must block HTTP communication. For details, see Blocking HTTP communication to the storage system.

Note
Device Manager - Storage Navigator supports HTTP Strict Transport Security (HSTS) with a maximum max-age of 31,536,000 seconds (1 year). To enable HSTS, you must use a security certificate issued by a trusted root certificate authority for your Device Manager - Storage Navigator domain. HSTS is valid for one year (31,536,000 seconds) and is renewed every time the HSTS header is sent to the browser. Which security certificate is used is determined by the browser. For details, contact your browser vendor.

Note
If HSTS is enabled on a web application on a server on which you want to install Device Manager - Storage Navigator, use a domain that is written to the security certificate specific to each application. If you use the same domain, the HSTS settings are applied to all web applications that use the domain, and all connections are switched to HTTPS. An application that can be accessed only through HTTP can then no longer be connected to.

Note
The minimum key length supported by the key exchange algorithm, set on the TLS Security Setting dialog box in the Tool Panel dialog box, is applied when a certificate with an RSA public key is used for communication between the management client and the SVP.

When the following cipher suites are valid, and when a server certificate, root certificate, or client certificate with an RSA public key is uploaded to the SVP, the key length of the RSA public key of the certificate must be longer than the key length selected on the TLS Security Setting dialog box in the Tool Panel dialog box.

  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384

When the SVP communicates with a Syslog server, key management server, external authentication and authorization server, or Hitachi Command Suite server, the key length of the key exchange key set on the server must satisfy the following:

  • RSA: 2048 bits or more
  • DHE: 2048 bits
  • ECDHE: secp256r1, secp384r1, or secp521r1
Note
  • When using a certificate with a key type of ECDSA and a key length of secp521r1, the Tool Panel dialog box might not open depending on the web browser of the HDvM - SN management client. Take the following actions for each web browser:
    • Internet Explorer

      Configure the group policy setting from the management client. For details, see Configuring the ECC curve order.

    • Microsoft Edge or Google Chrome

      The certificate with a key type of ECDSA and a key length of secp521r1 cannot be used as of January 2022. If the key type is ECDSA, the key length must be less than secp521r1. For more information about future availability, check the support status of the security settings for the web browser because whether it can be used in the future depends on the web browser specifications.

    • Firefox

      The problem that the Tool Panel dialog box might not open does not occur.

  • When using a certificate with a key type of ECDSA and a key length of secp521r1, HDvM - SN might not open depending on the web browser of the HDvM - SN management client. Take the following actions for each web browser:
    • Internet Explorer, Microsoft Edge, or Google Chrome

      Configure the group policy setting from the management client. For details, see Configuring the ECC curve order.

    • Firefox

      The problem that the Tool Panel dialog box might not open does not occur.

Notes on updating the signed certificate to the SVP

Read the following notes about uploading the signed certificate to the SVP:

  • While the SVP server certificate is being updated, tasks that are being executed or scheduled for execution on Device Manager - Storage Navigator are not executed.
  • Certificates for RMI communication are updated asynchronously (within approximately two minutes).
  • If an SVP certificate is updated during Hitachi Command Suite setup operation, the Hitachi Command Suite setup operation will result in an error.
  • Updating the SSL certificate affects the whole system and can cause the SVP to fail. Check the contents of the certificate and private key carefully before setting them.
  • After the certificate update is complete, depending on the environment, the SVP web server can take 30 to 60 minutes to restart. When it takes that long, an internal server error occurs, and the update completion dialog box does not display. However, the certificate update is complete.
  • When using a certificate with a key type of ECDSA and a key length of secp521r1, the Tool Panel dialog box might not open depending on the web browser of the HDvM - SN management client. Take the following actions for each web browser:
    • Internet Explorer

      Configure the group policy setting from the management client. For details, see Configuring the ECC curve order.

    • Microsoft Edge or Google Chrome

      The certificate with a key type of ECDSA and a key length of secp521r1 cannot be used as of January 2022. If the key type is ECDSA, the key length must be less than secp521r1. For more information about future availability, check the support status of the security settings for the web browser because whether it can be used in the future depends on the web browser specifications.

    • Firefox

      The problem that the Tool Panel dialog box might not open does not occur.

  • When using a certificate with a key type of ECDSA and a key length of secp521r1, HDvM - SN might not open depending on the web browser of the HDvM - SN management client. Take the following actions for each web browser:
    • Internet Explorer, Microsoft Edge, or Google Chrome

      Configure the group policy setting from the management client. For details, see Configuring the ECC curve order.

    • Firefox

      The problem that the Tool Panel dialog box might not open does not occur.

Creating a keypair

To enable SSL, you must create a keypair consisting of a public and a private key on the management client. The instructions use Windows 8.1 as an example.

Creating a private key using the OpenSSL command

A private key is required to create an SSL keypair. The following procedure for Windows systems creates a private key file called server.key in the c:\key folder.

Before you begin

Ensure that OpenSSL is stored in C:\Mapp\OSS\apache\bin\openssl on the SVP. (You do not need to install OpenSSL.) If not, download and install openssl.exe from http://www.openssl.org/ to the C:\openssl folder.
Note
C:\Mapp indicates the installation directory for the storage management software and SVP software. If a different installation directory was specified, read C:\Mapp as that directory.

Procedure

  1. When you install OpenSSL, if the read-only attribute is set, release it from the c:\openssl folder. (This step is not necessary if you use OpenSSL on the SVP.)

  2. Open a command prompt with administrator permissions.

  3. Move the current directory to the folder to which the key file is output (such as c:\key), and execute the following command. (The command to be run differs depending on the key type of the private key to be created.)

    • For RSA

      C:\key>c:\openssl\bin\openssl genrsa -out server.key key-length

    • For ECDSA

      C:\key>c:\openssl\bin\openssl ecparam -genkey -name key-length -out server.key

    For key-length, you can specify either of the following:

    • For RSA: 2048, 3072, or 4096
    • For ECDSA: prime256v1 (secp256r1), secp384r1, or secp521r1

    Example command input:

      • When the key type is RSA and the key length is 2048 bit:

        C:\key>c:\openssl\bin\openssl genrsa -out server.key 2048

      • When the key type is ECDSA and the key length is 256 bit (secp256r1):

        C:\key>c:\openssl\bin\openssl ecparam -genkey -name prime256v1 -out server.key

Creating a public key using the OpenSSL command

A public key, which has the file extension .csr, is required to create an SSL keypair. The following procedure is for the Windows operating system.

Before you begin

Download openssl.exe from the OpenSSL website or determine to use OpenSSL on the SVP.

Procedure

  1. Open a command prompt with administrator permissions.

  2. Move the current directory to the folder to which the key file is output (such as c:\key), and then execute the following command:

    C:\key>c:\openssl\bin\openssl req -sha256 -new -key server.key -config c:\openssl\bin\openssl.cfg -out server.csr

    Note
    This command uses SHA-256 as the hash algorithm; SHA-384 or SHA-512 can also be used. Do not use MD5 or SHA-1 as the hash algorithm because of their low security level.
  3. Enter the following information in the prompt:

    • Country Name (two-letter code)
    • State or Province Name
    • Locality Name
    • Organization Name
    • Organization Unit Name
    • Common Name

      To create a self-signed certificate, enter the IP address of the SVP. The name you entered here is used as the server name (host name). To obtain a signed and trusted certificate, ensure that the server name is the same as the host name.

    • Email Address
    • Challenge password (optional)
    • Company name (optional)
Example

The following example shows the contents of a command window when you create a public key.

......++++++
..++++++
is 65537 (0x10001)
C:\key>c:\openssl\bin\openssl req -sha256 -new -key server.key -config c:\openssl\bin\openssl.cfg -out server.csr
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Odawara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hitachi
Organization Unit Name (eg, section) []:ITPD
Common Name (eg, YOUR name) []:192.168.0.1
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

Converting the SSL certificates to PKCS#12 format

Uploaded SSL certificates need to be in PKCS#12 format.

If you are uploading a created private key and the SSL certificate to the management client, you need to convert the SSL certificate to PKCS#12 format. If you are not uploading the SSL certificate, conversion is not required.

Before you begin

  • You must store a private key and SSL certificate in the same folder.
  • In the following procedure:
    • The private key file name is “client.key”.
    • The SSL certificate file name is “client.crt”.
    • The SSL certificate in PKCS#12 format is output to c:\key.
    • If you update SSL certificates in a batch, conversion is not required.

Procedure

  1. Open a command prompt with administrator permissions.

  2. Enter the following command:

    C:\key>c:\openssl\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

  3. Enter a password, which is used when uploading the SSL certificate in PKCS#12 format. You can use up to 128 alphanumeric characters and the following symbols: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

  4. The client.p12 file is created in the C:\key folder. This client.p12 file is the SSL certificate in PKCS#12 format.

  5. Close the command prompt.

Obtaining a signed certificate

After creating a private key and public key, obtain a signed public key certificate file. You can use any of these methods to obtain a signed certificate file.

Note

When you send a request to a certificate authority, specify the SVP as the host name.

Hitachi recommends that self-signed certificates be used only for testing encrypted communication.

Obtaining a self-signed certificate

To obtain a self-signed certificate, open a command prompt and execute the following command:

c:\key>c:\openssl\bin\openssl x509 -req -sha256 -days 10000 -in server.csr -signkey server.key -out server.crt

Note
This command uses SHA-256 as the hash algorithm. MD5 and SHA-1 are not recommended as hash algorithms because of their low security level.

This command creates a server.crt file in the c:\key folder, which is valid for 10,000 days. This is the signed private key, which is also referred to as a self-signed certificate.

Obtaining a signed and trusted certificate

To obtain a signed and trusted certificate, you must obtain a certificate signing request (CSR), send that file to a Certificate Authority (CA), and request that the CA issue a signed and trusted certificate. Each certificate authority has its own procedures and requirements. Use of this certificate results in higher reliability in exchange for greater cost and requirements. The signed and trusted certificate is the signed public key.
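The key, CSR, self-signed certificate and PKCS#12 steps described above, run end to end without prompts, as an added example that is not Hitachi's code. It assumes the openssl CLI (1.1.1 or later) is on PATH; the file names follow the page (server.key, server.csr, server.crt, client.p12), while WORK, SVP_HOST, DAYS, the DN fields and the sample password are constructed placeholders, and DAYS defaults to the page's recommended limit for self-signed certificates rather than the 10,000 days in the command above. The SVP host is written into both the Common Name and subjectAltName, which is what the upload requirements later on the page ask for.

```shell
#!/bin/sh
# Added example, not Hitachi's code: the page's "Creating a private key",
# "Creating a public key", "Obtaining a self-signed certificate" and
# "Converting the SSL certificates to PKCS#12 format" steps, run
# non-interactively. Assumes the openssl CLI (1.1.1 or later) is on PATH.
# WORK, SVP_HOST, DAYS, the DN fields and the sample password are constructed
# placeholders; file names follow the page (server.key, server.csr, server.crt).

WORK="${WORK:-$(mktemp -d)}"
SVP_HOST="${SVP_HOST:-192.168.0.1}"   # host name or IP address of the SVP
DAYS="${DAYS:-825}"                   # the page recommends less than 825 days

# subjectAltName entry for the SVP: IP: for a dotted address, DNS: otherwise.
san_value() {
    case "$SVP_HOST" in
        *[!0-9.]*) printf 'DNS:%s' "$SVP_HOST" ;;
        *)         printf 'IP:%s' "$SVP_HOST" ;;
    esac
}

# make_private_key rsa 2048|3072|4096
# make_private_key ecdsa prime256v1|secp384r1|secp521r1
make_private_key() {
    case "$1" in
        rsa)   openssl genrsa -out "$WORK/server.key" "$2" 2>/dev/null ;;
        ecdsa) openssl ecparam -genkey -noout -name "$2" -out "$WORK/server.key" ;;
        *)     echo "unknown key type: $1" >&2; return 1 ;;
    esac
}

# The CSR, hashed with SHA-256 (never MD5 or SHA-1), with the SVP host as the
# Common Name and as subjectAltName.
make_csr() {
    openssl req -sha256 -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=JP/ST=Kanagawa/L=Odawara/O=Hitachi/OU=ITPD/CN=$SVP_HOST" \
        -addext "subjectAltName=$(san_value)"
}

# Self-sign the CSR with the same key. x509 -req does not copy the CSR's
# extensions, so the SAN is passed again through -extfile.
self_sign() {
    printf 'subjectAltName=%s\n' "$(san_value)" > "$WORK/san.cnf"
    openssl x509 -req -sha256 -days "$DAYS" -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -out "$WORK/server.crt" \
        -extfile "$WORK/san.cnf" 2>/dev/null
}

# PKCS#12 password rule from the page: 1 to 128 characters, letters, digits
# and the listed symbols only (no spaces, no newlines).
pkcs12_password_ok() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 128 ] || return 1
    [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" -eq 0 ] || return 1
    printf '%s\n' "$1" | grep -qE '^[]A-Za-z0-9!#$%&'"'"'()*+,./:;<=>?@[\^_`{|}~-]*$'
}

# Export key + certificate as client.p12. The page types the password at a
# prompt; here it is passed with -passout so the script runs unattended.
export_pkcs12() {
    pkcs12_password_ok "$1" || { echo "password violates the page's rules" >&2; return 1; }
    openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
        -out "$WORK/client.p12" -passout "pass:$1"
}

# Signature algorithm of the resulting certificate, for a quick sanity check.
cert_summary() {
    openssl x509 -in "$WORK/server.crt" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# run_all rsa 2048   or   run_all ecdsa prime256v1
run_all() {
    make_private_key "$1" "$2" && make_csr && self_sign &&
        export_pkcs12 'Svp-Upload#2024' && cert_summary
}

run_all "${1:-rsa}" "${2:-2048}"
```

Run it as `sh make-svp-cert.sh ecdsa secp384r1` for an ECDSA key; the printed signature algorithm should read sha256WithRSAEncryption or ecdsa-with-SHA256, never anything mentioning md5 or sha1.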

Creating private and public keys using the Tool Panel dialog box

You can create a CSR (public key), private key, and self-signed certificate using the Tool Panel dialog box. If you want the certificate authority to issue a certificate, create a CSR and private key, and then send the CSR to the certificate authority.

Caution
  • Creating private and public keys takes approximately 6 seconds; the exact time depends on your environment.
  • Do not use the CSR created in this procedure, a certificate issued for its private key, or the self-signed certificate created in this procedure for any purpose other than Device Manager - Storage Navigator.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the management client, open a web browser and enter the following URL to open the Tool Panel dialog box.

    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Create CSR and Self-Signed Certificate. The Create CSR and Self-Signed Certificate login dialog box opens.

    If SSL communication has been established, the Security Alert dialog box opens before the login dialog box opens. In the Security Alert dialog box, click OK.

    If the Security Alert dialog box for the certificate opens, click View Certificate to display the certificate. Confirm that the certificate is correct, and click Yes.

  4. In the Create CSR and Self-Signed Certificate login dialog box, enter the administrator user ID and password, and click Login. The Create CSR and Self-Signed Certificate dialog box opens.

  5. In the Create CSR and Self-Signed Certificate dialog box, enter the required items. After you have completed the entries, perform either of the following operations depending on whether you create a self-signed certificate.

    • When you create a self-signed certificate, go to step 6 without clicking Create CSR File and Key File.
    • When you do not create a self-signed certificate, go to step 7 after clicking Create CSR File and Key File.
  6. If you create a self-signed certificate, select the check box for Create Self-Signed Certificate.

    In the Profile field, select either of Default or Custom:

    • Default: If you select Default, 365 days is set as the validity period of the certificate. If you can accept the default settings, click Create Self-Signed Certificate File.
    • Custom: If you select Custom, the .cfg file allows you to specify the number of days that the self-signed certificate is valid. Click Browse to select the .cfg file, and then click Create Self-Signed Certificate File. See Create CSR and Self-Signed Certificate dialog box.
    Note
    It is recommended that the self-signed certificate be valid for less than 825 days (27 months).
  7. After step 5 or step 6 is complete, the Download File window is displayed.

    Click Save, and then confirm that the created self-signed certificate file is stored in the specified folder.

  8. In the Create CSR and Self-Signed Certificate dialog box, click Close. The Create CSR and Self-Signed Certificate dialog box is closed, and then the Tool Panel dialog box is displayed.

Before uploading the SSL certificate

Before uploading the SSL certificate to the SVP or management client, perform the following tasks:

  • If the passphrase is set, an SSL certificate cannot be applied for the SVP. You must release the passphrase for the SSL certificate before applying the SSL certificate to the SVP. For instructions, see Releasing an SSL certificate passphrase.
  • If you are uploading a created private key and the SSL certificate to the management client, you need to convert the SSL certificate to PKCS#12 format. For instructions, see Converting the SSL certificates to PKCS#12 format.

Releasing an SSL certificate passphrase

An SSL certificate cannot be uploaded to the SVP if the passphrase is set. If the passphrase is set, use the following procedure to release the passphrase for the SSL certificate before applying it to the SVP.

Before you begin

  • The private key (server.key file) must have been created.
  • OpenSSL must be installed. In this procedure, it is installed in C:\openssl.
  • All users must be logged out of Device Manager - Storage Navigator.

Procedure

  1. On the SVP, open a command prompt with administrator permissions.

  2. Move the current directory to the folder containing the key file (for example, C:\key).

  3. Execute the following command.

    Caution
    Executing this command overwrites the current key file. To prevent loss of the key file, either back up the key file before executing the command, or specify different input and output key files when executing it.

    C:\key>C:\openssl\bin\openssl rsa -in key-file-input-destination -out key-file-output-destination

    For an ECDSA key, use the ec subcommand instead of rsa, as shown in the examples that follow.
  4. When Enter pass phrase for server.key: is displayed, enter the passphrase.

    The passphrase in the SSL private key is released, and the SSL certificate can be applied to the SVP.
Example (when passphrase is set)
  • When the key type is RSA:

    C:\key>C:\openssl\bin\openssl rsa -in server.key -out server.key
    Enter pass phrase for server.key:
  • When the key type is ECDSA:

    C:\openssl\bin\openssl ec -in server.key -out server.key
    read EC key
    Enter PEM pass phrase:
Example (when passphrase is not set)
  • When the key type is RSA:

    C:\key>C:\openssl\bin\openssl rsa -in server.key -out server.key
    writing RSA key
  • When the key type is ECDSA:

    C:\openssl\bin\openssl ec -in server.key -out server.key
    read EC key
    writing EC key
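The passphrase release above, with the backup the Caution asks for built in, as an added example that is not Hitachi's code. It assumes the openssl CLI is on PATH and supplies the passphrase with -passin instead of at the prompt; WORK, the sample key files and the passphrase "example" are constructed. It picks openssl rsa or openssl ec from the PEM header exactly as the two examples above do, adds openssl pkey for the PKCS#8 header newer OpenSSL versions write, and rewrites through a temporary file so a wrong passphrase leaves the original key untouched.

```shell
#!/bin/sh
# Added example, not Hitachi's code: releases the passphrase from a private
# key as the procedure above does (openssl rsa for RSA, openssl ec for ECDSA),
# but takes the backup the Caution asks for first and supplies the passphrase
# with -passin so no prompt is needed. Assumes the openssl CLI is on PATH;
# WORK, the sample key files and the passphrase are constructed.

WORK="${WORK:-$(mktemp -d)}"

# is_encrypted KEY: succeeds if the PEM file still carries a passphrase
# (traditional "Proc-Type: 4,ENCRYPTED" or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY").
is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# release_passphrase KEY PASSPHRASE: rewrites KEY in place without a passphrase.
# KEY.bak keeps the original, and the rewrite goes through a temporary file so
# a wrong passphrase leaves KEY untouched.
release_passphrase() {
    key="$1"; pass="$2"
    cp -p "$key" "$key.bak" || return 1
    if grep -q 'BEGIN RSA PRIVATE KEY' "$key"; then tool=rsa        # page's RSA example
    elif grep -q 'BEGIN EC PRIVATE KEY' "$key"; then tool=ec        # page's ECDSA example
    elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$key"; then tool=pkey # PKCS#8 form from newer OpenSSL
    else echo "unrecognised key format: $key" >&2; return 1
    fi
    if ! openssl "$tool" -in "$key" -passin "pass:$pass" -out "$key.tmp" 2>/dev/null; then
        rm -f "$key.tmp"; echo "wrong passphrase or unreadable key: $key" >&2; return 1
    fi
    mv "$key.tmp" "$key"
}

# Constructed samples: a passphrase-protected RSA key and ECDSA key.
make_samples() {
    openssl genrsa -aes256 -passout pass:example -out "$WORK/server.key" 2048 2>/dev/null
    openssl ecparam -genkey -noout -name prime256v1 -out "$WORK/ec.plain.key"
    openssl ec -in "$WORK/ec.plain.key" -aes256 -passout pass:example -out "$WORK/ec.key" 2>/dev/null
}

make_samples
release_passphrase "$WORK/server.key" example && echo "server.key: passphrase released"
release_passphrase "$WORK/ec.key" example && echo "ec.key: passphrase released"
```

After the run, server.key can be uploaded, server.key.bak still holds the passphrase-protected original, and no server.key.tmp is left behind.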

Uploading a signed certificate

To use SSL-encrypted communication, you must update and upload the private key and the signed server certificate (Public Key) to the SVP.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged into the SVP.
  • A private key (.key file) has been created. Make sure that the file name is server.key.
  • The passphrase for the private key (server.key file) is released.
  • A signed public key certificate (.crt file) has been acquired. Make sure that the file name is server.crt.
  • You must be an external authentication user whose external user group mapping is disabled, or a local authentication user.
  • If the public key of the certificate to be uploaded is RSA, the key length must not be less than the key length that is set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
  • The signature hash algorithm of the certificate to be uploaded must be SHA-256, SHA-384, or SHA-512.
  • The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
    • subjectAltName
    • CRLDistributionPoint
    • AuthorityInfoAccess
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier

    Enter the host name or the IP address of the SVP in subjectAltName or CommonName of the certificate to be uploaded.

  • If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
    • ECDSA_P256 (secp256r1)
    • ECDSA_P384 (secp384r1)
    • ECDSA_P521 (secp521r1)
  • When you perform a certificate revocation check by using CRL, set the CRL repository URI for the cRLDistributionPoint (CRL distribution point) of the intermediate certificate and server certificate.
  • When you perform a certificate revocation check by using OCSP, set the OCSP responder URI for authorityInfoAccess (Authority Information Access) of the intermediate certificate and server certificate.
  • When you perform a certificate revocation check on the management client, the CRL repository or the OCSP responder must be on a network that the management client can reach. If the management client cannot communicate with the CRL repository or the OCSP responder, the connection to Device Manager - Storage Navigator is established without a certificate revocation check.
  • If an intermediate certificate exists, prepare a signed public key certificate file (server.crt) that has a certificate chain that includes the intermediate certificate.
  • The number of tiers of the certificate chain for the certificate to be uploaded must be 20 tiers or fewer including the root CA certificate.
  • When using a certificate with a key type of ECDSA and a key length of secp521r1, make sure to use Internet Explorer or Firefox as the web browser of the HDvM - SN management client.
    • In Internet Explorer, configure the group policy setting from the management client before this operation. For details, see Configuring the ECC curve order. The Tool Panel dialog box might not open if you do not configure the ECC curve order.
    • In Microsoft Edge or Google Chrome, the certificate with a key type of ECDSA and a key length of secp521r1 cannot be used as of January 2022. If the key type is ECDSA, the key length must be less than secp521r1. For more information about future availability, check the support status of the security settings for the web browser because whether it can be used in the future depends on the web browser specifications.
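A pre-upload check for the requirements in the list above, as an added example that is not Hitachi's code: it verifies the signature hash, the RSA key length against the Minimum Key Length (Key Exchange) value, the ECDSA curve, the presence of the SVP host in subjectAltName or the Common Name, the chain depth, that the private key's passphrase has been released, and that the key actually belongs to the certificate. It assumes the openssl CLI (1.1.1 or later) is on PATH; WORK, SVP_HOST and MIN_RSA_BITS are placeholders, and the sample certificates it generates (a compliant RSA-2048 one, a too-short RSA-1024 one, and a passphrase-protected key) are constructed.

```shell
#!/bin/sh
# Added example, not Hitachi's code: checks a certificate and private key
# against the "Before you begin" requirements above before they are uploaded
# to the SVP. Assumes the openssl CLI (1.1.1 or later) is on PATH. WORK,
# SVP_HOST and MIN_RSA_BITS are placeholders (MIN_RSA_BITS stands for the
# Minimum Key Length (Key Exchange) chosen in the TLS Security Settings dialog
# box); the sample files generated below are constructed.

WORK="${WORK:-$(mktemp -d)}"
SVP_HOST="${SVP_HOST:-192.168.0.1}"   # sample generation assumes an IP address
MIN_RSA_BITS="${MIN_RSA_BITS:-2048}"

# check_cert CERT KEY: prints one FAIL line per violated rule, or PASS.
# The exit status is the number of failures, so it can be used as a gate.
check_cert() {
    crt="$1"; key="$2"; fails=0
    text=$(openssl x509 -in "$crt" -noout -text) || return 1

    # Signature hash must be SHA-256, SHA-384 or SHA-512.
    if ! printf '%s\n' "$text" | grep -qiE 'Signature Algorithm: .*sha(256|384|512)'; then
        echo "FAIL: signature hash is not SHA-256/384/512"; fails=$((fails + 1))
    fi

    # RSA keys must not be shorter than the Minimum Key Length (Key Exchange);
    # ECDSA keys must use secp256r1, secp384r1 or secp521r1.
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        if [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
            echo "FAIL: RSA key is $bits bits, minimum is $MIN_RSA_BITS"; fails=$((fails + 1))
        fi
    elif printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
        if ! printf '%s\n' "$text" | grep -qE 'ASN1 OID: (prime256v1|secp384r1|secp521r1)'; then
            echo "FAIL: ECDSA curve is not secp256r1/secp384r1/secp521r1"; fails=$((fails + 1))
        fi
    else
        echo "FAIL: public key is neither RSA nor ECDSA"; fails=$((fails + 1))
    fi

    # The SVP host name or IP must be in subjectAltName or the Common Name.
    if ! printf '%s\n' "$text" | grep -E '^ *(Subject:|DNS:|IP Address:)' | grep -qF "$SVP_HOST"; then
        echo "FAIL: $SVP_HOST is not in subjectAltName or CN"; fails=$((fails + 1))
    fi

    # A chained file holds one PEM block per tier; 20 tiers at most.
    tiers=$(grep -c 'BEGIN CERTIFICATE' "$crt")
    if [ "$tiers" -gt 20 ]; then
        echo "FAIL: certificate chain has $tiers tiers (maximum 20)"; fails=$((fails + 1))
    fi

    # The key's passphrase must already be released, and the key must belong
    # to this certificate (compare the public keys both sides derive).
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: private key still has a passphrase; release it with openssl rsa/ec first"; fails=$((fails + 1))
    elif [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != "$(openssl x509 -in "$crt" -noout -pubkey)" ]; then
        echo "FAIL: private key does not match the certificate"; fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ] && echo PASS
    return "$fails"
}

# Constructed samples: a compliant RSA-2048 certificate, an RSA-1024 one that
# is too short, and a passphrase-protected copy of the good key.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" \
        -subj "/CN=$SVP_HOST" -addext "subjectAltName=IP:$SVP_HOST" 2>/dev/null
    openssl req -x509 -newkey rsa:1024 -nodes -sha256 -days 365 \
        -keyout "$WORK/short.key" -out "$WORK/short.crt" -subj "/CN=$SVP_HOST" 2>/dev/null
    openssl pkey -in "$WORK/server.key" -aes256 -passout pass:example -out "$WORK/server.enc.key"
}

make_samples
check_cert "$WORK/server.crt" "$WORK/server.key"
check_cert "$WORK/short.crt" "$WORK/short.key" || true
check_cert "$WORK/server.crt" "$WORK/server.enc.key" || true
```

Point check_cert at your own server.crt and server.key (with MIN_RSA_BITS set to the value chosen in the TLS Security Settings dialog box) before starting the upload procedure; a non-zero exit status means at least one requirement above is not met.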

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the management client, open a web browser and enter the following URL to open the Tool Panel dialog box.

    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Update Certificate Files.

    If SSL communication has been established, the Security Alert dialog box opens before the login dialog box opens. In the Security Alert dialog box, click OK. The Security Alert dialog box closes and the Login dialog box opens.
  4. In the Login dialog box, enter the administrator user ID and password, and click Login. The Upload dialog box opens.

  5. In the Upload dialog box, enter the public key certificate file name in the Certificate file box and the private Key file name (server.key file) in the Key file box. You can enter the file names directly or by clicking Browse.

  6. In the dialog box, confirm the messages about a possible TLS communication failure and recommendations, and then select the check box for I understood that I canceled HTTP blocking or TLS communication might fail.

  7. In the Upload dialog box, click Upload. A confirmation dialog box opens.

  8. Click OK to begin the certificate update. When the update is complete, the SVP web server restarts.

    Depending on the environment, the SVP web server can take 30 to 60 minutes to restart. When it takes that long, the Completion dialog box does not appear after the SVP restarts; instead, an "internal server error" message is displayed. However, the certificate update is complete.

  9. In the error message box, click OK. If the Security Alert dialog box for the certificate opens, click View Certificate to display the certificate. Confirm that the certificate is correct, and click Yes.

    Note
    If an error occurs during the certificate update, an error message is displayed. Resolve the problem described in the error message and then repeat this procedure, starting with Step 4 (login) above.

Importing the SSL certificate to the Web browser

To allow your Web browser to automatically trust SSL certificates, you can import the SSL certificate into your Web browser.

Consult your Web browser's documentation for instructions to import the SSL certificate to the Web browser.

Returning the certificate to default

You can return the certificate that was updated by the procedure in Uploading a signed certificate to default.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be an external authentication user whose external user group mapping is disabled, or a local authentication user.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the Device Manager - Storage Navigator computer, open a web browser and enter the following URL to open the Tool Panel dialog box.

    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Update Certificate Files. The Update Certificate Files login dialog box opens.

    If SSL communication has been established, the Security Alert dialog box opens before the login dialog box. In the Security Alert dialog box, click OK.
  4. In the Login dialog box, enter the administrator user ID and password, and click Login. The Upload dialog box opens.

  5. In the Upload dialog box, click Return to Default. A confirmation dialog box opens.

  6. Click Yes to confirm and close the dialog box.

    When the certificate update is complete, the SVP Web server restarts to show the update. When the restart is complete, the Update Completion dialog box opens.
  7. In the Update Completion dialog box, click OK. The dialog box closes and the display returns to the Login dialog box.

    Note
    If an error occurs during the certificate update, an error message appears. Resolve the problem described in the error message and then repeat this procedure, starting with Step 4 (login) above.

    Note
    If the Security Alert dialog box for the certificate opens at other times, click View Certificate to confirm that the certificate is correct and then click Yes.

Blocking HTTP communication to the storage system

If the web server supports SSL (HTTPS), the HTTP setting tool allows you to block access to port 80. When you block access to port 80, the connection used to import the certificate from the web browser to the web server occurs on port 443 (HTTPS).

If you are using Hitachi Command Suite to access Device Manager - Storage Navigator, blocking HTTP communication might interfere with that access. Make sure the Hitachi Command Suite can use SSL communication to access Device Manager - Storage Navigator.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be an external authentication user whose external user group mapping is disabled.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the Device Manager - Storage Navigator computer, open a web browser and enter the following URL to open the Tool Panel dialog box.

    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Set up HTTP Blocking. A login dialog box opens.

  4. In the Login dialog box, enter the storage administrator user ID and password, then click Login. The Set up HTTP Blocking dialog box opens.

  5. In the dialog box, click OK. A confirmation dialog box opens.

  6. In the confirmation dialog box, click OK to implement HTTP blocking.

    When the configuration change is complete, the SVP web server restarts. When the restart is complete, the HTTP Communications Blocked dialog box opens.

    Depending on the environment, it can take 30 to 60 minutes for the web server to restart. If it does, the Completion dialog box does not appear after the SVP restarts. Instead, an "internal server error" message appears. However, the setting is actually completed.

  7. Click OK to continue the operation and return to the Login dialog box, or click Cancel to cancel the operation and return to the Login dialog box.

Releasing HTTP communication blocking

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be an external authentication user whose external user group mapping is disabled.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the Device Manager - Storage Navigator computer, open a web browser. Enter the following URL to open the Tool Panel dialog box.

    https://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Release HTTP Blocking.

  4. Enter the User ID and Password for the root storage administrator, then click Login. The Release HTTP Blocking dialog box opens.

  5. Click OK. A configuration dialog box opens.

  6. Click OK to release HTTP blocking. When the configuration change is complete, the SVP web server reboots. Once the reboot is complete, the Release HTTP Blocking Complete dialog box opens.

    Depending on the environment, it can take 30 to 60 minutes for the web server to restart. After the SVP restarts, the Completion dialog box does not appear. Instead, an "internal server error" message is displayed. However, the setting is actually completed.
  7. Click OK to continue the operation and return to the Login dialog box, or click Cancel to cancel the operation and return to the Login dialog box.

Configuring the ECC curve order

When using a certificate with a key type of ECDSA and a key length of secp521r1, use the following procedure to configure the ECC curve order from the management client.

SSL communication with SVP fails, and then the Tool Panel dialog box and HDvM - SN might not open if you do not configure the ECC curve order.

Note: The ECC curve order must also be configured for the OS in the SVP. Ask maintenance personnel to configure the setting in the SVP.

Procedure

  1. Open the Run dialog box (press Windows Key + R).

  2. Type gpedit.msc, and then press Enter.

  3. In the Local Group Policy Editor, navigate to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.

  4. Double-click ECC Curve Order and open the ECC Curve Order window.

  5. Select Enabled and add secP521r1 to ECC Curve Order in Options.

    Example:
    Curve25519
    NistP256
    NistP384
    secP521r1
  6. Click OK and close the Setting window.

  7. Close the Local Group Policy Editor, and then restart the management client.

  8. Ask maintenance personnel to configure the ECC curve order in the SVP.

Problems with a website security certificate

If one of the following security warnings appears, take the action described for that warning. If you do not take that action, verify the security certificate sent from the server and make sure that the connection destination is the SVP you expect. After confirming this, click Continue to this website (not recommended).

  • If this security warning appears after the microprogram replacement, the SSL certificate has been returned to default. In this case, upload the original SSL certificate. For more information, see Uploading a signed certificate.
  • The message "The security certificate presented by this website was not issued by a trusted certificate authority." appears if the security certificate was not issued by a trusted certificate authority when connecting to an SSL-enabled Hitachi Device Manager - Storage Navigator. Register the root certificate in the trusted root certificate authority store of the browser.
  • The message "The security certificate presented by this website was issued for a different website's address." appears if the IP address or host name specified in the URL does not match the CN (Common Name) or subjectAltName in the security certificate. Verify that the CN (Common Name) or subjectAltName in the security certificate is the same as the IP address or host name specified in the URL when connecting to Hitachi Device Manager - Storage Navigator. If it is not the same, see Registering the SVP host name.


Setting SSL/TLS communications using the Tool Panel

Use the following procedure to create the security settings used for SSL/TLS communications with the SVP.

Caution
  • If an SSL/TLS communication setting is not correct, SSL/TLS communication with the SVP might fail. If SSL communication fails, you need to configure the security settings again using the Tool Panel dialog box by using HTTP connection. Therefore, it is recommended to release the HTTP communication blocking using the Tool Panel dialog box before making security settings. For more information about how to release the HTTP communication blocking, see Releasing HTTP communication blocking.
  • When you perform this procedure, use HTTPS connection for access. If you access via an HTTP connection, the ID and password used for login are communicated in clear text.
  • If the self-signed certificates for the following communication paths are registered in the SVP, some of the test items are not verified in the communication test in this procedure:
    • SVP – Syslog Server
    • SVP – Key Management Server
    • SVP – LDAP Server
    • SVP – HCS server

    If this is the case, communication is performed even though the security requirements are not met. Use certificates issued by a trusted CA (Certificate Authority).

Before you begin

  • Verify the security settings of the SVP communication destination before the setting. If the protocol is TLS1.3 only, make sure that the communication destination supports TLS1.3.

    When you use Device Manager - Storage Navigator with Adobe AIR, you must enable TLS1.2. Adobe AIR does not support TLS1.3.

  • Verify that no other management or maintenance operations are being performed on Device Manager - Storage Navigator.
  • You must have Security Administrator (View & Modify) role to perform this task.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the management client, open a web browser, and then type the following URL to open the Tool Panel dialog box by using HTTPS connection.

    https://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click TLS Security Settings to open the TLS Security Settings login dialog box.

    If SSL/TLS communication has been established, the Security Alert dialog box opens before the login dialog box opens. In the Security Alert dialog box, click OK.

    If the Security Alert dialog box for the certificate opens, click View Certificate to display the certificate, confirm that the certificate is correct, and then click Yes.

  4. In the TLS Security Settings login dialog box, enter the administrator user ID and password, and then click Login.

  5. In the TLS Security Settings dialog box, enter the required items.

    Caution: When using TLS1.2, select the cipher suites corresponding to the key type of the certificate uploaded to the SVP.
    • If the key type is RSA, select a cipher suite whose name contains “RSA”.
    • If the key type is ECDSA, select a cipher suite whose name contains “ECDSA”.

    If the cipher suites are not set correctly, the SSL/TLS communications with the SVP fail, and then a problem, such as a Device Manager - Storage Navigator login error, occurs.

    When using TLS1.3, you can select both cipher suites regardless of whether the certificate key type is RSA or ECDSA.

  6. In the TLS Security Settings dialog box, confirm the messages about the possible TLS communication failures and recommendations, and then select the check box for I understood that I canceled HTTP blocking or TLS communication might fail.

  7. Click Next to perform a communication test. The Communication Test dialog box for TLS Security Settings opens.

  8. The communication test using the security settings specified in step 5 starts automatically for the following communication paths:

    • SVP – Syslog Server
    • SVP – Key Management Server
    • SVP – LDAP Server
    • SVP – HCS server

    The communication test verifies the following items:

    • Protocol
    • Cipher suites
    • Key length of the key exchange algorithm
    • Expiration date of the certificate
    • Certificate chain to the root CA certificate
  9. Verify the results of the communication test for each communication path performed in the previous step. In the Communication Test dialog box for TLS Security Settings, wait until any of the following is displayed as the communication test result:

    • Normal: Communication is complete correctly.
    • Skipped: Connection settings are not made on Device Manager - Storage Navigator.
    • Error: Communication failed.
  10. Confirm the communication test result, and then click Submit in the Communication Test dialog box for TLS Security Settings.

  11. When prompted if you are sure you want to change the settings, click OK.

    The SVP web server restarts to reflect the security settings. When the SVP Web server restart is complete, the setting completion dialog box for TLS Security Settings opens.
  12. Click OK to return to the login dialog box.

  13. Back up the new security settings. For details, see Backing up HDvM - SN configuration files.

Administering management software certificates

You can set or delete certificates for management software, including Hitachi Ops Center Administrator and Hitachi Command Suite, that are used to check the server's reliability when SSL communication external authentication is performed.

You cannot register certificates for both Ops Center Administrator and HCS at the same time. Register only the certificate for the server you are using to manage the storage system.

Registering certificates for HCS

To manage the storage system by using HCS and perform the HCS external authentication, upload an HCS public key certificate to the web server to register the certificate. Complete the steps in the following procedure to upload and register a certificate using the certificate update tool.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • If the certificate to be registered has an extension other than ".crt", change it to ".crt".
  • The certificate to be registered must be in X509 PEM or X509 DER format.
  • You must be an external authentication user whose external user group mapping is disabled, or a local authentication user.
  • If the public key of the certificate to be uploaded is RSA, the key length must not be less than the key length that is set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
  • If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
    • ECDSA_P256 (secp256r1)
    • ECDSA_P384 (secp384r1)
    • ECDSA_P521 (secp521r1)
  • The signature hash algorithm of the certificate to be uploaded must be SHA-256, SHA-384, or SHA-512.
  • The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
    • subjectAltName
    • CRLDistributionPoint
    • AuthorityInfoAccess
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier

    Enter the host name or the IP address of the server in subjectAltName or CommonName of the certificate for the connected server.

  • The number of tiers of the certificate chain for the connected server certificate must be 20 tiers or less including the root CA certificate.
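The key-type, key-length and signature-hash requirements above can be pre-checked on the management client before the upload. The following is an added example, not Hitachi's certificate update tool: a stdlib-only DER walker that reads the signature algorithm and public key of a certificate and reports violations of those requirements (it does not verify the signature, the chain depth, the extensions or the expiration date); the two sample certificates at the bottom are constructed, and the 2048-bit minimum is an assumed Minimum Key Length (Key Exchange) value.

```python
"""Pre-check of a management-software (HCS) certificate: signature hash SHA-256/384/512,
RSA key not below the configured minimum, or an ECDSA key on P-256/P-384/P-521."""
# OID content bytes as hex (tag/length stripped): signature algorithm -> hash it uses
SIG_HASH = {"2a864886f70d01010b": "SHA-256", "2a864886f70d01010c": "SHA-384", "2a864886f70d01010d": "SHA-512",
            "2a8648ce3d040302": "SHA-256", "2a8648ce3d040303": "SHA-384", "2a8648ce3d040304": "SHA-512"}
RSA_KEY, EC_KEY = "2a864886f70d010101", "2a8648ce3d0201"        # rsaEncryption, id-ecPublicKey
CURVES = {"2a8648ce3d030107": "secp256r1", "2b81040022": "secp384r1", "2b81040023": "secp521r1"}

def tlv(tag, body):  # minimal DER encoder, used only to build the constructed samples
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")) + body

def children(content):
    """Split the content of a constructed DER element into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, ln, pos = content[pos], content[pos + 1], pos + 2
        if ln & 0x80:                                   # long-form length: ln & 0x7F octets follow
            ln, pos = int.from_bytes(content[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, content[pos:pos + ln]))
        pos += ln
    return out

def inspect(cert_der):
    """(signature hash, key type, RSA bits or curve name) read from a DER certificate."""
    (_, tbs), (_, sig_alg), _ = children(children(cert_der)[0][1])
    fields = children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version precedes serial
        fields = fields[1:]
    (_, key_alg), (_, key_bits) = children(fields[5][1])   # subjectPublicKeyInfo
    (_, key_oid), (_, params) = children(key_alg)
    sig_hash = SIG_HASH.get(children(sig_alg)[0][1].hex(), "unknown")
    if key_oid.hex() == RSA_KEY:                        # key_bits[0] is the BIT STRING unused-bits octet
        (_, modulus), _ = children(children(key_bits[1:])[0][1])
        return sig_hash, "RSA", int.from_bytes(modulus, "big").bit_length()
    if key_oid.hex() == EC_KEY:
        return sig_hash, "ECDSA", CURVES.get(params.hex(), "unsupported")
    return sig_hash, "other", None

def check_hcs_certificate(cert_der, min_rsa_bits):
    """Violations of the upload requirements; an empty list means the pre-check passes."""
    sig_hash, kind, size = inspect(cert_der)
    problems = []
    if sig_hash not in ("SHA-256", "SHA-384", "SHA-512"):
        problems.append(f"signature hash {sig_hash} is not SHA-256/384/512")
    if kind == "RSA" and size < min_rsa_bits:
        problems.append(f"RSA key of {size} bits is below Minimum Key Length {min_rsa_bits}")
    elif kind == "ECDSA" and size == "unsupported":
        problems.append("ECDSA public key parameter is not secp256r1/secp384r1/secp521r1")
    elif kind == "other":
        problems.append("public key is neither RSA nor ECDSA")
    return problems

def sample_cert(sig_oid_hex, key_alg_body, key_bits):   # constructed: dummy names, dates and signature
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg + tlv(0x30, b"")
           + tlv(0x30, tlv(0x17, b"240101000000Z") * 2) + tlv(0x30, b"")
           + tlv(0x30, tlv(0x30, key_alg_body) + tlv(0x03, b"\x00" + key_bits)))
    return tlv(0x30, tlv(0x30, tbs) + sig_alg + tlv(0x03, b"\x00" * 9))

EC_P521 = sample_cert("2a8648ce3d040304", tlv(0x06, bytes.fromhex(EC_KEY)) + tlv(0x06, bytes.fromhex("2b81040023")),
                      b"\x04" + b"\x11" * 132)                      # ECDSA P-521, ecdsa-with-SHA512: accepted
RSA_1024 = sample_cert("2a864886f70d01010b", tlv(0x06, bytes.fromhex(RSA_KEY)) + tlv(0x05, b""),
                       tlv(0x30, tlv(0x02, b"\x00" + b"\xd1" * 128) + tlv(0x02, b"\x01\x00\x01")))  # 1024-bit RSA
```

For a real .crt file, pass its DER bytes (for PEM input, base64-decode the body between the BEGIN/END lines first) and the Minimum Key Length (Key Exchange) value configured in the TLS Security Settings dialog box.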

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the Device Manager - Storage Navigator computer, open a web browser and enter the following URL to open the Tool Panel dialog box.

    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Set or Delete Certificate File for HCS. The Login dialog box opens.

    If SSL communication has been established, the Security Alert dialog box opens before the Login dialog box. In the Security Alert dialog box, click OK.
  4. When the Login dialog box opens, enter the administrator user ID and password, and click Login. The Set or Delete Certificate File for HCS dialog box opens.

  5. In the dialog box, enter the certificate file for HCS (.crt file) in the Certificate file (.crt file) box. You can enter the file name directly or by clicking Browse and searching for the file name.

  6. Click Register. The execution confirmation dialog for Set or Delete Certificate File for HCS opens.

  7. Click OK to register the certificate. Registration of the certificate starts.

    When the certificate is registered, the registration completion dialog box for Set or Delete Certificate File for HCS opens.
  8. In the registration completion dialog box for Set or Delete Certificate File for HCS, click OK. The display returns to the login dialog box.

    Note: If an error occurs during registration of the HCS certificate, an error message appears. Resolve the problem and then run the procedure again, starting with logging in to Set or Delete Certificate File for HCS.
    Note: If the Security Alert dialog box for the certificate opens at other times, click View Certificate to confirm that the certificate is correct and then click Yes.

Notes on registering certificates for HCS

Read the following notes about registering certificates for HCS:

  • Ensure that the certificate to be registered is the right one. If you register the wrong certificate, the storage system cannot be managed by using HCS and HCS external authentication is not performed.
  • Only when the correct certificate is registered can the storage system be managed by using HCS and HCS external authentication operate normally.
  • When you perform a certificate revocation check by using CRL, set the URI of the CRL repository for cRLDistributionPoint (CRL distribution point) of the intermediate certificate and server certificate set on the connected server. The CRL repository must be on the network that can be accessed by the SVP so that the SVP can communicate with the CRL repository. If the SVP cannot communicate with the CRL repository, HCS external authentication fails.
  • When you perform a certificate revocation check by using OCSP, correctly set the URI of the OCSP responder for authorityInfoAccess (Authority Information Access) of the intermediate certificate and server certificate set on the connected server. The OCSP responder must be on the network that can be accessed by the SVP so that the SVP can communicate with the OCSP responder. If the SVP cannot communicate with the OCSP responder, HCS external authentication fails.

Deleting certificates for HCS

You can delete the certificates you registered in the procedure of the "Registering certificates for HCS" section. Once you delete a certificate, HCS external authentication cannot be performed.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • You must be an external authentication user whose external user group mapping is disabled, or a local authentication user.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the Device Manager - Storage Navigator computer, open a web browser and enter the following URL to open the Tool Panel dialog box.

    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Set or Delete Certificate File for HCS. The login dialog box opens.

    If SSL communication has been established, the Security Alert dialog box opens before the login dialog box. In the Security Alert dialog box, click OK.
  4. In the login dialog box, enter the administrator user ID and password, and click Login. The Set or Delete Certificate File for HCS dialog box opens.

  5. In the dialog box, click Delete. A confirmation dialog box opens.

  6. Click OK to delete the certificate. Deletion of the certificate starts.

  7. When the certificate has been deleted, a completion dialog box opens.

  8. In the completion dialog box click OK. The display returns to the login dialog box.

    Note: If an error occurs during deletion of the certificate for HCS, an error message appears. Resolve the problem and then run the procedure again, starting with logging in to Set or Delete Certificate File for HCS.
    Note: If the Security Alert dialog box for the certificate opens at other times, click View Certificate to confirm that the certificate is correct and then click Yes.