Skip to main content

We've Moved!

Product Documentation has moved to docs.hitachivantara.com
Hitachi Vantara Knowledge

Setting up a secure (SSL) connection

You can use a Secure Sockets Layer (SSL) certificate to create a secure, encrypted connection between the storage system and the management client.

Setting up SSL communications

Before you enable SSL encryption, you must create a private key and a public key to establish a secure communication session.

The following figure shows the procedure to set up SSL communication. Unless otherwise noted, all steps are required. Note that creation of private and public keys requires a dedicated program. You can download a program for creating private and public keys from the OpenSSL website (http://www.openssl.org/).

GUID-E0EADC18-03AF-4742-8D4E-62311D6605CE-low.png

SSL encryption of the storage system

The storage systems can use SSL encryption for all connection paths, as shown in the following figure and table. The encryption protocol used for SSL encryption is TLS version 1.2.

NoteThe cipher suites for RSA key exchange used by SSL communication are set to enabled by default.
GUID-DC49C3B1-9025-4B5A-B7FF-A3C03E143C7F-low.png
  • A: Path between the management client and the storage system.
  • B: Path between the SVP and the management client.
  • C: Path between the SVP and the storage system.
  • D: Path between the management client and the storage system.
Management modelPathDescriptionCipher suites
Using embedded interfacesABetween management PC and storage system

For VSP E series:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256

For VSP G130, G/F350, G/F370, G/F700, G/F900 when the cipher suites for RSA key exchange are enabled:

  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA

If either of these two cipher suites is selected, you can use the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256

If both of these two cipher suites are not selected, you can use the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Using Device Manager - Storage NavigatorBBetween the SVP and client PC

For VSP E series:

  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_PSK_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_PSK_WITH_AES_128_CBC_SHA

For VSP G130, G/F350, G/F370, G/F700, G/F900 when the cipher suites for RSA key exchange are enabled (default):

  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

For VSP G130, G/F350, G/F370, G/F700, G/F900 when the cipher suites for RSA key exchange are disabled:

  • TLS_ECDHE_RSA_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
CBetween the SVP and the storage system

For VSP E series:

  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA

For VSP G130, G/F350, G/F370, G/F700, G/F900 you can select the following cipher suites or select not to use both cipher suites in the maintenance utility:

  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA

You can specify the following cipher suites, regardless of the setting in Maintenance Utility:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
DBetween the client PC and storage system

For VSP E series:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256

For VSP G130, G/F350, G/F370, G/F700, G/F900:

  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
If either of the above cipher suites is selected, you can use the following cipher suites:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
If neither of the above cipher suites is selected, you can use the following cipher suites:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
NoteWhen the TLSv1.0/1.1 communication is disabled, pages might not appear properly depending on the TLS settings of browsers. Perform the following TLS settings of browsers:
  • Using Internet Explorer: Click Tool Internet Option, go to the Advanced tab, and then select Use TLS 1.2.
  • Using Firefox: Enter a about:config into the address bar, open the configuration editor (about: config page) and set the value of security.tls.version.max to 3.
  • Using Google Chrome: Click Chrome menu Settings Show advanced settings Advanced settings, and then select Use TLS 1.2.

To prevent a man-in-the middle attack, the SSL encryption on path B (between the SVP and storage system) verifies the validity of the connection by using the certificate that was uploaded to the SVP in advance and by using the certificate of the storage system. The same certificate must be uploaded to the SVP and the storage system.

Note
  • If a certificate for the SVP or the storage system is changed, the SVP does not operate normally. Upload the certificate to the storage system before uploading the certificate to the SVP.
  • Different certificates can be used to connect to the SVP and web server.
Certificate Upload destination Comments
A signed certificate of SSL encryption between the SVP and client PC SVP N/A
For connecting to the SVP SVP and storage system If a certificate for the SVP or the storage system was uploaded, the SVP will not operate normally.
For connecting to the web server SVP and storage system If a certificate for the SVP or storage system was uploaded, the SVP will not operate normally.

Setting up SSL encryption using Device Manager - Storage Navigator

To improve security of remote operations from a Device Manager - Storage Navigator SVP to a storage system, you can set up Secure Sockets Layer (SSL) encrypted communication. By setting SSL encryption, the Device Manager - Storage Navigator User ID and Password are encrypted.

The SSL communication can be established between the management client and the SVP using the following supported protocols and the port numbers:

ProtocolPort Number
HTTPS443
RMI11099
RMI51100
SMI-S5989
HTTPS (raidinf)5443

The SSL communication can be established between the following servers and the SVP:

  • Key management server
  • Authentication server
  • Authorization server
  • Hitachi Command Suite server
NoteTo enable SSL, the private and public key pair and SVP server certificate must be valid. If either the keys or the certificate is expired, the user cannot connect to the SVP.
NoteThe extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
  • BasicConstraints
  • KeyUsage
  • SubjectKeyIdentifier
  • subjectAltName
NoteTo add the Secure attribute to cookies using Device Manager - Storage Navigator, you must block HTTP communication. For details, see Blocking HTTP communication to the SVP.
NoteDevice Manager - Storage Navigator supports HTTP Strict Transport Security (HSTS) with a max range of 31,536,000 seconds (1 year). To enable HSTS, you must use the security certificate issued by a trusted root certificate authority for your Device Manager - Storage Navigator domain. HSTS is valid for one year (31,536,000 seconds), and it is renewed automatically every time the HSTS header is sent to the browser. The security certificate to use is determined by the browser. For details, contact your browser vendor.
Note If HSTS is enabled on a Web application on a server you wish to install Device Manager - Storage Navigator, use a domain that is written to the security certificate specific to each application. If you use the same domain, the HSTS settings are applied to all Web applications that use the domain, and all connections are switched to https. If you have an application that can be accessed only through http, you cannot establish the connection.

Creating a keypair

To enable SSL, you must create a keypair consisting of a public and a private key on the management client. The instructions use Windows 8.1 as an example.

Creating a private key using the OpenSSL command

A private key is required to create an SSL keypair. The following procedure for Windows creates a private key file called server.key in the c:\key folder.

Before you begin

Ensure that OpenSSL is stored in C:\Mapp\OSS\apache\bin\openssl on the SVP. (You do not need to install OpenSSL.) If not, Download and install openssl.exe from http://www.openssl.org/ to the C:\openssl folder.
NoteC:\Mapp indicates the installation directory for the storage management software and SVP software. Specify C:\Mapp for the installation directory if another directory is specified for the installation directory.

Procedure

  1. When you install OpenSSL, if the read-only attribute is set, release it from the c:\openssl folder. (This step is not necessary if you use OpenSSL on the SVP.)

  2. Open a command prompt with administrator permissions.

  3. Move the current directory to the folder to which the key file is output (such as c:\key), and execute the following command.

    When OpenSSL is installed:

    C:\key>c:\openssl\bin\openssl genrsa -out server.key 2048

    When using OpenSSL on the SVP:

    C:\key>c:\Mapp\OSS\apache\bin\openssl genrsa -out server.key 2048

Creating a public key using the OpenSSL command

A public key has the file extension .csr. It is required to create an SSL keypair. The following procedure is for the Windows operating system.

Before you begin

Download openssl.exe from the OpenSSL website or determine to use OpenSSL on the SVP.

Procedure

  1. Open a command prompt with administrator permissions.

  2. Execute the following command:

    When OpenSSL is installed:

    C:\key>c:\openssl\bin\openssl req -sha256 -new -key server.key -config c:\openssl\bin\openssl.cnf -out server.csr

    When using OpenSSL on the SVP:

    C:\Key>Mapp\OSS\apache\bin\openssl req -sha256 -new -key server.key -config c:\Mapp\OSS\apache\conf\openssl.cnf -out server.csr

    NoteC:\Mapp indicates the installation directory for the storage management software and SVP software. Spacify C:\Mapp for the installation directory if another directory is specified for the installation directory.
    NoteThis command uses SHA-256 as a hash algorithm.
    • Use SHA-256 for the hash algorithm. Do not use MD5 or SHA-1 for the hash algorithm due to its low security level.
    • When you use OpenSSL on the SVP, do not change the contents of c:\Mapp\OSS\apache\conf\openssl.cnf.
  3. Enter the following information in the prompt:

    • Country Name (two-letter code)
    • State or Province Name
    • Locality Name
    • Organization Name
    • Organization Unit Name
    • Common Name

      To create a self-signed certificate, enter the IP address of the SVP or GUM. The name you entered here is used as the server name (host name). To obtain a signed and trusted certificate, ensure that the server name is the same as the host name.

    • Email Address
    • Challenge password (optional)
    • Company name (optional)
Example

The following example shows the contents of a command window when you create a public key.

......++++++ 
..++++++ 
is 65537 (0x10001) 
C:\key>c:\openssl\bin\openssl req -sha256 -new -key server.key -config c 
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. 
\openssl\bin\openssl.cfg -out server.csr 
For some fields there will be a default value. 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:JP 
State or Province Name (full name) [Some-State]:Kanagawa 
Locality Name (eg, city) []:Odawara 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hitachi 
Organization Unit Name (eg, section) []:ITPD 
Common Name (eg, YOUR name) []:192.168.0.1 
Email Address []: 
Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []:

Obtaining a signed certificate

After creating a private key and public key, obtain a signed public key certificate file. You can use any of these methods to obtain a signed certificate file.

Note

When you send a request to a certificate authority, specify the SVP or GUM as the host name.

Hitachi recommends that self-signed certificates be used only for testing encrypted communication.

Obtaining a self-signed certificate

To obtain a self-signed certificate, open a command prompt and execute the following command:

When OpenSSL is installed:

C:\key>c:\openssl\bin\openssl x509 -req -sha256 -days 10000 -in server.csr -signkey server.key -out server.crt

When using OpenSSL on the SVP:

C:\key>c:\Mapp\OSS\apache\bin\openssl x509 -req -sha256 -days 10000 -in server.csr -signkey server.key -out server.crt

NoteC:\Mapp indicates the installation directory for the storage management software and SVP software. Spacify C:\Mapp for the installation directory if another directory is specified for the installation directory.
NoteThis command uses SHA-256 as a hash algorithm. MD5 or SHA-1 is not recommended for a hash algorithm due to its low security level.

This command creates a server.crt file in the c:\key folder, which is valid for 10,000 days. This is the signed private key, which is also referred to as a self-signed certificate.

Obtaining a signed and trusted certificate

To obtain a signed and trusted certificate, you must obtain a certificate signing request (CSR), send that file to a Certificate Authority (CA), and request that the CA issue a signed and trusted certificate. Each certificate authority has its own procedures and requirements. Use of this certificate results in higher reliability in exchange for greater cost and requirements. The signed and trusted certificate is the signed public key.

Before uploading the SSL certificate

Before uploading the SSL certificate to the SVP or management client, perform the following tasks:

  • If the passphrase is set, an SSL certificate cannot be applied for the SVP. You must release the passphrase for the SSL certificate before applying the SSL certificate to the SVP. For instructions, see Releasing an SSL certificate passphrase.
  • If you are uploading a created private key and the SSL certificate to the management client, you need to convert the SSL certificate to PKCS#12 format. For instructions, see Converting the SSL certificates to PKCS#12 format.

Releasing an SSL certificate passphrase

An SSL certificate cannot be uploaded to the SVP if the passphrase is set. If the passphrase is set, use the following procedure to release the passphrase for the SSL certificate before applying it to the SVP.

Before you begin

  • The private key (server.key file) must have been created.
  • OpenSSL must be installed. In this procedure, it is installed in C:\openssl.
  • All users must be logged out of Device Manager - Storage Navigator.

Procedure

  1. On the SVP, open a command prompt with administrator permissions.

  2. Move the current directory to the folder containing the key file (for example, C:\key).

  3. Execute the following command.

    CautionExecuting this command will overwrite the current key file. To prevent loss of the key file, either back up the key file before executing the following command, or specify a different key file input destination and output destination when executing the following command.

    When OpenSSL is installed:

    C:\key>c:\openssl\bin\openssl rsa -in key-file-input-destination -out key-file-output-destination

    When using OpenSSL on the SVP:

    C:\key>c:\Mapp\OSS\apache\bin\openssl rsa -in key-file-input-destination -out key-file-output-destination

    Note C:\Mapp indicates the installation directory for the storage management software and SVP software. If you specified a different installation directory, replace C:\Mapp with the specified installation directory.
  4. When Enter pass phrase for server.key: is displayed, enter the passphrase.

    The passphrase in the SSL private key is released, and the SSL certificate can be applied to the SVP.
Example (when passphrase is set)
C:\key>c:\openssl\bin\openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: "Enter passphrase"
Writing RSA key
Example (when passphrase is not set)
C:\key>c:\openssl\bin\openssl rsa -in server.key –out server.key
Writing RSA key

Converting the SSL certificates to PKCS#12 format

Uploaded SSL certificates need to be in PKCS#12 format.

If you are uploading a created private key and the SSL certificate to the management client, you need to convert the SSL certificate to PKCS#12 format. If you are not uploading the SSL certificate, conversion is not required.

Before you begin

  • You must store a private key and SSL certificate in the same folder.
  • In the following procedure:
    • The private key file name is “client.key”.
    • The SSL certificate file name is “client.crt”.
    • The SSL certificate in PKCS#12 format is output to c:\key.
    • If you update SSL certificates in a batch, conversion is not required.

Procedure

  1. Open a command prompt with administrator permissions.

  2. Enter the following command:

    When OpenSSL is installed:

    C:\key>c:\openssl\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

    When using OpenSSL on the SVP:

    C:\key>c:\Mapp\OSS\apache\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

    NoteC:\Mapp indicates the installation directory for the storage management software and SVP software. Spacify C:\Mapp for the installation directory if another directory is specified for the installation directory.
  3. Enter a password, which is used when uploading the SSL certificate in PKCS#12 format. You can use up to 128 alphanumeric characters and the following symbols: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

  4. The client.p12 file is created in the C:\key folder. This client.p12 file is the SSL certificate in PKCS#12 format.

  5. Close the command prompt.

Uploading the SSL certificate to the SVP or management client

To use SSL-encrypted communication, you must upload the private key and the signed server certificate (public key) to the management client.

Caution

When DKCMAIN firmware version 88-03-24 or earlier is updated, the existing SSL certificate file is deleted and replaced with the default certificate file. Therefore, back up the SSL certificate file before DKCMAIN firmware version 88-03-24 or earlier is updated, and then install the backed-up certificate file.

When DKCMAIN firmware version 88-03-25-x0/00 or later is updated, the existing certificate file is inherited.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged in to the SVP or management client.
  • A private key (.key file) has been created. Make sure that the file name is server.key.
  • A signed public key certificate (.crt file) has been acquired. Make sure that the file name is server.crt.
  • The private key (.key file) must be in PEM format. You cannot use DER format.
  • The signed public key certificate (.crt file) must be in X509 PEM format. You cannot use X509 DER format.
  • The passphrase for the private key (server.key file) must be released.
  • If an intermediate certificate exists, you must prepare a signed public key certificate (server.crt file) in a certificate chain that contains the intermediate certificate.
  • The number of tiers of the certificate chain for the certificate to be uploaded must be 5 tiers or less including the root CA certificate.
  • The public key of the certificate to be uploaded must be RSA.

Procedure

  1. In the maintenance utility Menu navigation tree, click System Management.

    GUID-D9D351DA-5040-49C4-A62F-25A7FAB75A0B-low.png
  2. Click Update Certificate Files.

    GUID-E7746BA2-9517-4A2C-8F9D-B57206A35269-low.png
    NoteFor storage systems without an SVP, unselect the Connect to SVP box.
  3. Select the Web Server checkbox, then click Browse.

  4. Browse to the certificate file and click Open. The File Upload window closes and returns you to the Update Certificate Files dialog box.

  5. Click Apply.

Uploading the signed certificate for SSL communication between the SVP and management client to the SVP

To use a certificate for SSL communications between the SVP and the client PC, you must upload the private key and signed public key certificate to the SVP. Use the following procedure to upload a certificate by using the certificate update tool.

The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:

  • BasicConstraints
  • KeyUsage
  • SubjectKeyIdentifier
  • SubjectAltName
NoteWhen the storage management software is updated, the private key and signed public key certificate might be returned to default. If this happens, you need to upload the private key and signed public key certificate to the SVP again.

Before you begin

  • The private key (server.key file) must have been created. If the file name is not server.key, rename it to server.key.
  • The signed public key certificate (server.crt file) must have been obtained. If the file name is not server.crt, rename it to server.crt.
  • The private key (server.key file) and the signed public key certificate (server.crt file) must be in X509 PEM format. Do not use a certificate in X509 DER format.
  • If an intermediate certificate exists, you must prepare a signed public key certificate (server.crt file) in a certificate chain that contains the intermediate certificate.
  • The certificate chain for the certificate to be uploaded must have 5 tiers or fewer including the root CA certificate.
  • The following GUM firmware version is required to update a certificate file to a certificate file in a certificate chain that contains the intermediate certificate and root CA certificate:
    • 93-02-01-xx/xx or later
    • 88-06-01-xx/xx or later
  • The public key encryption method for the certificate to be uploaded must be RSA.
  • All users must be logged out of Device Manager - Storage Navigator.

Procedure

  1. On the SVP, start a Windows command prompt as Administrator.

  2. Move the current directory to the directory containing the certificate update tool MappApacheCrtUpdate.bat.

  3. Run the following commands:

    cd /d C:\Mapp\wk\Supervisor\MappIniSet
    MappApacheCrtUpdate.bat absolute-path-of-the-certificate-file absolute-path-of-the-private-key-file

    In this command, C:\MAPP indicates the installation directory of the storage management software and SVP software. If the installation directory is not C:\Mapp, replace C:\Mapp with your installation directory.

  4. When prompted, press any key to continue.

  5. When the processing is complete, you can close the command prompt.

Uploading the certificates for “Connect to SVP” and “Web server” to the storage system

Before uploading the SSL certificate, you must upload and update the certificate for “Connect to SVP” and the certificate for “Web server” that are used for SSL communications between the management client and the storage system and between the SVP and the storage system.

The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:

  • BasicConstraints
  • KeyUsage
  • SubjectKeyIdentifier
NoteWhen the storage management software is updated, the private key and signed public key certificate might be returned to default. If this happens, you need to upload the private key and signed public key certificate to the SVP again.

Before you begin

  • The certificate files must be in PKCS#12 format.
  • If you have a server certificate file and a private key file that are in PEM format, you need to convert the certificates to PKCS#12 format. Also, register the server certificate files before conversion in the SVP.
  • If an intermediate certificate exists, you must prepare a signed public key certificate in a certificate chain that contains the intermediate certificate.
  • The number of tiers of the certificate chain for the certificate to be uploaded must be 5 tiers or less including the root CA certificate.
  • The following GUM firmware version is required to update a certificate file to a certificate file in a certificate chain that contains the intermediate certificate and CA certificate:
    • 93-02-01-xx/xx or later
    • 88-06-01-xx/xx or later
  • The public key encryption method for the certificate to be uploaded must be RSA.

Procedure

  1. In the maintenance utility Menu navigation tree, click System Management Update Certificate Files.

    GUID-D9D351DA-5040-49C4-A62F-25A7FAB75A0B-low.png
  2. Select the check box for the certificate you want to update, and then specify the certificate file.

    • If you are using Hitachi Storage Advisor Embedded, select Web Server.
      NoteIf the storage system does not have an SVP, make sure to clear (uncheck) the check box for Connect to SVP.
    • If you are using Hitachi Device Manager - Storage Navigator, select Web Server or Connect to SVP.
    GUID-E7746BA2-9517-4A2C-8F9D-B57206A35269-low.png
  3. Confirm the settings, and then click Apply.

  4. When the completion message appears, close the dialog box.

Uploading the certificate for “Connect to SVP” to the SVP

Before using a certificate for SSL communications between the SVP and the storage system, you need to upload the signed public key certificate to the SVP.

The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:

  • BasicConstraints
  • KeyUsage
  • SubjectKeyIdentifier

Before you begin

  • The private key for the storage system and the signed public key certificate must be updated in the maintenance utility.
  • The signed public key certificate (server.crt file) must be in X509 PEM format.
  • If an intermediate certificate exists, you must prepare a signed public key certificate (server.crt file) in a certificate chain that contains the intermediate certificate.
  • The number of tiers of the certificate chain for the certificate to be uploaded must be 5 tiers or less including the root CA certificate.
  • The following GUM firmware version is required to update a certificate file to a certificate file in a certificate chain that contains the intermediate certificate and CA certificate:
    • 93-02-01-xx/xx or later
    • 88-06-01-xx/xx or later
  • The public key encryption method for the certificate to be uploaded must be RSA.
  • All users must be logged out of Device Manager - Storage Navigator.

Procedure

  1. On the SVP, start a Windows command prompt as Administrator.

  2. Move the current directory to the directory containing the tool MappL7SwitchGumSslCrtUpdate.bat.

  3. Run the following commands:

    cd /d C:\Mapp\wk\Supervisor\MappIniSet
    MappL7SwitchGumSslCrtUpdate.bat absolute-path-of-the-certificate-file

    In this command, C:\MAPP indicates the installation directory of the storage management software and SVP software. If the installation directory is not C:\Mapp, replace C:\Mapp with your installation directory.

  4. When prompted, press any key to continue.

  5. When the processing is complete, you can close the command prompt.

Uploading the certificate to the web server

Execute the SSL communication with Device Manager - Storage Navigator installed on the SVP as a client and the controller of the storage system as a server. Upload the private key and the signed server certificate (public key) to the SVP for using the SSL communication. The following describes how to upload the certificate using the certificate update tool.

This procedure assumes that:

  • The private key for the web server and the signed public key certificate must be updated in the maintenance utility.
  • The private key (server.key file) and signed public key certificate (server.crt file) must be in X509 PEM format or X509 DER format.
  • If an intermediate certificate exists, you must prepare a signed public key certificate (server.crt file) in a certificate chain that contains the intermediate certificate.
  • The number of tiers of the certificate chain for the certificate to be uploaded must be 5 tiers or less including the root CA certificate.
  • The following GUM firmware version is required to update a certificate file to a certificate file in a certificate chain that contains the intermediate certificate and root CA certificate:
    • 93-02-01-xx/xx or later
    • 88-06-01-xx/xx or later
  • The public key encryption method for the certificate to be uploaded must be RSA.
  • All users must be logged out of Device Manager - Storage Navigator.

Procedure

  1. On the SVP, start a Windows command prompt as Administrator.

  2. Move the current directory to the directory containing the certificate update tool (MappSn2GumSslCrtUpdate.bat).

  3. Run the following commands:

    C:\MAPP\wk\Supervisor\MappIniSet\ 
    MappSn2GumSslCrtUpdate.bat r[absolute path of the certificate file]

    In this command, C:\MAPP indicates the installation directory of the storage management software and SVP software. If the installation directory is not C:\Mapp, replace C:\Mapp with your installation directory.

  4. When prompted, press any key to continue.

  5. When the processing is complete, you can close the command prompt.

Importing the SSL certificate to the Web browser

To allow your Web browser to automatically trust SSL certificates, you can import the SSL certificate into your Web browser.

Consult your Web browser's documentation for instructions to import the SSL certificate to the Web browser.

Blocking HTTP communication to the SVP

You can use the HTTP setting tool to block or allow access to the HTTP communication port as needed.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged in to the SVP.

Procedure

  1. Close all management client sessions on the storage system, including Storage Advisor Embedded, maintenance utility, and Device Manager - Storage Navigator.

  2. Open a command prompt window with administrator permissions.

  3. In the folder where the HTTP setting tool is located, execute the following command:

    C:\MAPP\wk\Supervisor\MappIniSet>MappHttpBlock.bat
  4. A completion message box displays. Press any key to acknowledge the message and close the message box.

  5. Close the command prompt window.

Releasing HTTP communication blocking

If the web server supports SSL (HTTPS), you can use the HTTP setting tool to release a block to the HTTP communication port as needed.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged into the SVP or management client.

Procedure

  1. Close all management client sessions on the storage system, including Storage Advisor Embedded, maintenance utility, and Device Manager - Storage Navigator.

  2. Open a command prompt window with administrator permissions.

  3. In the folder where the HTTP setting tool is located, execute the following command:

    C:\MAPP\wk\Supervisor\MappIniSet>MappHttpRelease.bat
  4. A completion message box displays. Press any key to acknowledge the message and close the message box.

  5. Close the command prompt window.

Managing SSL certificates

When you use encrypted SSL communications to manage your storage system, you can select the desired cipher suite, update a signed certificate, and return an updated certificate to default.

SSL connection protects the User IDs and passwords that are exchanged when users log in to the management client.

Selecting a cipher suite

Cipher suites are part of SSL Version 3 and OSI Transport Layer Security Version 1 Cipher Specifications.
NoteThe cipher suites for RSA key exchange used by SSL communication are set to enabled by default.
Caution
  • If you set protocols between the SVP and the storage system, the setting operation on the SVP is also necessary.
  • When the storage system is other than VSP E series, if you select either of the following cipher suites, make sure to enable the cipher suites for RSA key exchange on the SVP.
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_128_CBC_SHA

    If you select not to use both these cipher suites, make sure to disable the cipher suites for RSA key exchange on the SVP.

  • After you select a cipher suite, the available cipher suites differ, depending on the connection path for SSL communications.

Before you begin

You must have the Storage Administrator (View & Modify) role to complete this procedure.

Procedure

  1. In the maintenance utility Menu navigation tree, click System Management.

    GUID-7E10CD77-2CA0-48FA-95AB-CDE4DB125EDA-low.png

  2. Click Select Cipher Suite.

  3. Select the type of communication to use between the management client and the storage system.

    The selections change the encryption level. Higher encryption provides better security but the communication speed is slower. After you select a cipher suite, the available cipher suites differ depending on the connection path for SSL communications.
    • TLS_RSA_WITH_AES_128_CBC_SHA (Prioritize Transmission Speed): This selection provides higher communication speed and lower security.
    • TLS_RSA_WITH_AES_128_CBC_SHA256 (Prioritize Security): This selection provides higher security and lower communication speed.
    If you select either of the following cipher suites, enable the cipher suites for RSA key exchange on the SVP:
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_128_CBC_SHA

    If you do not use either of these cipher suites, disable the cipher suites for RSA key exchange on the SVP.

  4. Click Apply to save the setting and close the dialog box.

Updating a signed certificate

To use SSL-encrypted communication, you must update and upload the private key and the signed server certificate (public key) to the management client.

Note The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
  • BasicConstraints
  • KeyUsage
  • SubjectKeyIdentifier
  • subjectAltName

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged in to the SVP or management client.
  • A private key (.key file) has been created. Make sure that the file name is server.key.
  • The passphrase for the private key (server.key file) is released.
  • A signed public key certificate (.crt file) has been acquired. Make sure that the file name is server.crt.
  • The private key (.key file) must be in PEM format. You cannot use DER format.
  • The signed public key certificate (.crt file) must be in X509 PEM format. You cannot use X509 DER format.
  • The passphrase for the private key (server.key file) must be released.

Procedure

  1. Close all management client sessions on the storage system, including Storage Advisor Embedded, maintenance utility, and Device Manager - Storage Navigator.

  2. Open a command prompt window with administrator permissions.

  3. In the folder where the .bat file is located, execute the following command:

    C:\MAPP\wk\Supervisor\MappIniSet>MappApacheCrtUpdate.bat absolute-path-of-signed-public-key-certification-file absolute-path-of-private-key-file
    Note

    A space is required between MappApacheCrtUpdate.bat and the signed public key certification file path.

    A space is required between the signed public key certification file path and the private key file path.

  4. A completion message box displays. Press any key to acknowledge the message and close the message box.

  5. Close the command prompt window.

Notes on updating a signed certificate for the service processor

The following notes provide additional information about updating a signed certificate.

  • While the service processor certificate is being updated, tasks that are being run or scheduled to run on Device Manager - Storage Navigator are not executed.
  • Certificates for RMI communication are updated asynchronously. The process takes about two minutes.
  • If the service processor certificate is updated while Ops Center Administrator or Hitachi Command Suite is being set up, the setup operation will fail.
  • Updating the SSL certificate might change the system drastically and may lead to service processor failure. Therefore take sufficient care to consider the content of the certificate and private key to be set.
  • After the certificate update is complete, depending on the environment, the service processor can take 30 to 60 minutes to restart.

Returning the certificate to default

You can return the certificate that was updated by the procedure in Updating a signed certificate back to default.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged into the management client.
  • A private key (.key file) has been created. Make sure that the file name is server.key. See Creating a private key using the OpenSSL command.
  • The passphrase for the private key (server.key file) is released.
  • A signed public key certificate (.crt file) has been acquired. Make sure that the file name is server.crt. See Creating a public key using the OpenSSL command.
  • The private key (.key file) must be in PEM format. You cannot use DER format.
  • The signed public key certificate (.crt file) must be in X509 PEM format. You cannot use X509 DER format. See Obtaining a self-signed certificate .
  • The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
    • BasicConstraints
    • KeyUsage
    • SubjectKeyIdentifier
    • subjectAltName
  • The passphrase for the private key (server.key file) must be released.

Procedure

  1. Close all management client sessions on the storage system, including Storage Advisor Embedded, maintenance utility, and Device Manager - Storage Navigator.

  2. Open a command prompt window with administrator permissions.

  3. In the folder where the .bat file is located, execute the following command:

    C:\MAPP\wk\Supervisor\MappIniSet>MappApacheCrtInit.bat
  4. A completion message box displays. Press any key to acknowledge the message and close the message box.

  5. Close the command prompt window.

Messages about website security certificates

When the message "There is a problem with this website's security certificate." is displayed, click Continue to this website (not recommended).

When you are using encrypted SSL communications to connect to the storage system, the browser displays a warning message if the security certificate is not issued by a trusted certificate authority. This warning message also appears when the IP address or host name specified in the URL does not match the CN listed in the security certificate.

If this warning message starts to appear after an update of the storage management software, check to see if the SSL certificate returned to the default. If the SSL certificate has returned to the default, install the certificate file that was backed up when the storage management software was updated.

GUID-0D4C564C-9973-43A7-9E34-FAA1100AAA42-low.png

Updating the certificate files

The Update Certificate Files window is used to update the certificates that are used for communication between the management client and the storage system.

Before you begin

  • You must have the Storage Administrator (View & Modify) role to complete this procedure.

Procedure

  1. In the maintenance utility Menu navigation tree, click System Management.

    GUID-D9D351DA-5040-49C4-A62F-25A7FAB75A0B-low.png
  2. Click Update Certificate Files.

    GUID-E7746BA2-9517-4A2C-8F9D-B57206A35269-low.png
    NoteFor storage systems without an SVP, unselect the Connect to SVP box.
  3. To update the certificate file on the management client:

    1. Select the Web Server checkbox, then click Browse.

    2. Browse to the certificate file and click Open. The File Upload window closes and returns you to the Update Certificate Files dialog box.

    3. In the Web Server Password: field, enter the certificate password.

    4. Enter the password again in the Web Server Re-enter Password: field.

    NoteFor storage systems without an SVP, continue to step 5.
  4. To update the certificate file on the SVP:

    1. Select the Connect to SVP checkbox, then click Browse.

    2. Browse to the certificate file and click Open. The File Upload window closes and returns you to the Update Certificate Files dialog box.

    3. In the Connect to SVP Password: field, enter the certificate password.

    4. Enter the password again in the Connect to SVP Re-enter Password: field.

  5. Click Apply to update the certificates.

Updating SSL certificates for the SVP and storage system in a batch

If only one storage system is registered in the SVP, you can update the following SSL certificates in a batch:

  • Signed certificate for SSL communication between the SVP and the management client
  • Certificate for connecting to the SVP
  • Certificate for connecting to the web server on the storage system
Note The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
  • BasicConstraints
  • KeyUsage
  • SubjectKeyIdentifier
  • subjectAltName

Before you begin

  • Ensure that only one storage system is registered in the SVP.
  • A private key for external communication between the SVP and the management client has been created.
  • A signed public key certificate for external communication between the SVP and the management client has been acquired.
  • A private key for internal communication for connecting to the SVP or web server and a signed public key certificate must be X509 PEM or X509 DER format.
  • All users must be logged out of Hitachi Device Manager - Storage Navigator.
  • You must have the Security Administrator (View & Modify) role and Support Personnel (User) role to perform this task.

Create the following parameter file (in JSON format) beforehand. Allowed characters when you specify the path to the certificate in the parameter file are alphanumeric characters, spaces, and symbols: - _ . \ / :.

  • "user": "user-name-of-the-account-registered-in-the-storage-system"
  • "password": "password-of-the-account-registered-in-the-storage-system"
  • "innerConnectionCertPath": "absolute-path-to-the-public-key-certificate-for-internal-communication"
  • "innerPrivateKeyPath": "absolute-path-to-the-private-key-for-internal-communication"
  • "outerConnectionCertPath": "absolute-path-to-the-public-key-certificate-for-external-communication"
  • "outerPrivateKeyPath": "absolute-path-to-the-private-key-for-external-communication"
{
"user": "someuser",
"password": "password123",
"innerConnectionCertPath": "c:\\sslcert\\innercert.crt",
"innerPrivateKeyPath": "c:\\sslcert\\innercert.key",
"outerConnectionCertPath": "c:\\sslcert\\outercert.crt",
"outerPrivateKeyPath": "c:\\sslcert\\outercert.key"
}

Procedure

  1. On the SVP, start Windows command prompt as an Administrator.

  2. Move the current directory to the directory where the tool exists

    cd /d C:\Mapp\wk\Supervisor\MappIniSet
    Note
    • C:\Mapp indicates the installation directory of the storage management software and the SVP software. When the installation directory other than C:\Mapp was specified, replace C:\Mapp with the specified installation directory.
    • If you specify --ignore-cert-verification, the signed certificate for SSL communication between the SVP and the management client is not verified when the certificate is updated. Specify this option immediately after you install HDvM - SN on the SVP or when the certificate has not been normally updated. (You must check the IP address of the GUM on the storage system beforehand.)
    • If you specify --delete, the parameter file is automatically deleted after the SSL certificate is updated.
  3. Run the following command:

    mappsslcertupdate.bat
            --file=name-of-the-parameter-file-created-beforehand
  4. A message appears indicating that the command finished, and then the GUM restarts automatically.

  5. Restart the SVP manually.

Administering management software certificates

You can set or delete certificates for management software including Hitachi Command Suite and Hitachi Ops Center Administrator that are used to check the server's reliability when SSL communication external authentication is performed.

You cannot register the certificate for both of the HCS and Ops Center Administrator at the same time. Register one of the certificate for the server you are using to manage the storage system.

Registering management software certificates

To check the server reliability during SSL communication for management software external authentication, upload an public key certificate of the management software to the web server to register the certificate.

Before you begin

  • You must be logged into the SVP.
  • The private key file on the management software server must be current. Update it if necessary.
  • The certificate file must have a .crt extension. Rename the file if necessary.
  • The certificate must be in X509 PEM format or X509 DER format.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. Open a command prompt window with administrator permissions.

  3. In the folder where the certificate update tool is located, execute the following command:

    C:\MAPP\wk\Supervisor\MappIniSet>MappHcsCrtEntry.bat absolute-path-of-signed-public-key-certificate-file
    NoteA space is required between MappHcsCrtEntry.bat and the signed public key certification file path.
    NoteIf using Hitachi Ops Center Administrator, execute the same command.
  4. A completion message box displays. Press any key to acknowledge the message and close the message box.

  5. Close the command prompt window.

Deleting HCS certificates

You can delete the certificates you registered for the management software. After you delete a certificate, server reliability for that certificate is not checked by SSL communication for management software external authentication.

Before you begin

  • You must be logged into the SVP.
  • The private key file on the management software server must be current. Update it if necessary.
  • The certificate file must have a .crt extension. Rename the file if necessary.
  • The certificate must be in X509 PEM format or X509 DER format.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. Open a command prompt window with administrator permissions.

  3. In the folder where the certificate update tool is located, execute the following command:

    C:\MAPP\wk\Supervisor\MappIniSet>MappHcsCrtDelete.bat
    NoteIf using Hitachi Ops Center Administrator, execute the same command.
  4. A completion message box opens. Press any key to acknowledge the message and close the message box.

  5. Close the command prompt window.

Using HSTS

HSTS (HTTP Strict Transport Security) is a security mechanism used when the Web server communicates with the Web browser using HTTPS.

Note If you enable HSTS, you might not connect to Device Manager - Storage Navigator by using HTTP. If the connection does not work by using HTTP, use HTTPS.

Enabling HSTS

HTTP Strict Transport Security (HSTS) is a security mechanism that informs web browsers they can communicate with web servers only through secured HTTPS connections. Use the following procedure to enable HSTS.
CautionIf you enable HSTS, you might not be able to use HTTP for connection to Device Manager - Storage Navigator. In this case, use HTTPS for connection to Device Manager - Storage Navigator.

Procedure

  1. On the SVP, open a command prompt with administrator permissions.

  2. Move the current directory to the folder containing the setting tool.

  3. Execute the following command:

    cd /d C:\Mapp\wk\Supervisor\MappIniSet
    MappHstsEnable.bat
    
    Note C:\Mapp: indicates the installation directory of the storage management software and SVP software. If you specified a different installation directory, replace C:\Mapp with the specified installation directory.
  4. When prompted, press any key to continue.

  5. To verify that HSTS is enabled, execute the following command:

    MappHstsState.bat
    • If "hsts=on" appears, HSTS is enabled. Press the Enter key, and then go to the next step.
    • If "hsts=off" appears, HSTS is not enabled. Press the Enter key, and then go back to step 3.
    • If a message indicating that the specified file could not be found appears, the HSTS settings failed. Press the Enter key, and then go back to step 3.
  6. Close the command prompt window.

Disabling HSTS

To disable HSTS, use the following procedure:

Procedure

  1. Open a command prompt with administrator permissions on the SVP.

  2. Move the current directory to the folder in which the setting tool is located, and then execute the following command:

    cd /d C:\Mapp\wk\Supervisor\MappIniSet
    MappHstsDisable.bat
    
    Note C:\Mapp: indicates the installation directory of storage management software and SVP software. If you specified an installation directory other than C:\Mapp, replace C:\Mapp with the specified installation directory.
  3. When "Press any key to continue ..." appears in the window, press the Enter key.

  4. To verify that HSTS is disabled, execute the following command:

    MappHstsState.bat
    Note

    If "hsts=off" appears, HSTS is disabled. Press the Enter key. If "hsts=on" appears, HSTS is not disabled. Press the Enter key, and then go back to step 2.

    If the message indicating that the specified file could not be found appears, the HSTS settings failed. Press the Enter key, and then go back to step 2.

  5. Close the command prompt window.