Hitachi Vantara Knowledge

Setting up a secure (SSL) connection

You can use a Secure Sockets Layer (SSL) certificate to create a secure, encrypted connection between the storage system and the management client.

Setting up SSL communications

Before you enable SSL encryption, you must create a private key and a public key to establish a secure communication session.

The following figure shows the procedure to set up SSL communication. Unless otherwise noted, all steps are required. Note that creation of private and public keys requires a dedicated program. You can download a program for creating private and public keys from the OpenSSL website (http://www.openssl.org/).

[Figure: procedure for setting up SSL communication]

Creating a keypair

To enable SSL, you must create a keypair consisting of a public and a private key on the management client. The instructions use Windows 7 as an example.

Creating a private key

A private key is required to create an SSL keypair. The following procedure for Windows 7 creates a private key file called server.key in the c:\key folder.

Before you begin

Download openssl.exe from the OpenSSL website.

Procedure

  1. If the read-only attribute is set on the c:\openssl folder, clear it.

  2. Open a command prompt with administrator permissions.

  3. Change the current directory to the folder where the key file is to be written (for example, c:\key), and execute the following command:

    c:\key > c:\openssl\bin\openssl genrsa -out server.key 1024

Creating a public key

The public key file (the certificate signing request) has the extension .csr. It is required to create an SSL keypair. The following procedure is for the Windows 7 operating system.

Before you begin

Download openssl.exe from the OpenSSL website.

Procedure

  1. Open a command prompt with administrator permissions.

  2. Change the current directory to the folder where the key file is to be written (for example, c:\key), and execute the following command:

    c:\key > c:\openssl\bin\openssl req -sha256 -new -key server.key -config c:\openssl\bin\openssl.cfg -out server.csr

  3. Enter the following information in the prompt:

    • Country Name (two-letter code)
    • State or Province Name
    • Locality Name
    • Organization Name
    • Organization Unit Name
    • Common Name

      To create a self-signed certificate, enter the IP address of the SVP or GUM. The name entered here is used as the server name (host name). To obtain a signed and trusted certificate, make sure that the server name matches the host name.

    • Email Address
    • Challenge password (optional)
    • Company name (optional)

Example

The following example shows the contents of a command window when you create a public key.

......++++++
..++++++
e is 65537 (0x10001)
C:\key>c:\openssl\bin\openssl req -sha256 -new -key server.key -config c:\openssl\bin\openssl.cfg -out server.csr
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Odawara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hitachi
Organization Unit Name (eg, section) []:ITPD
Common Name (eg, YOUR name) []:192.168.0.1
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

Obtaining a signed certificate

After creating a private key and public key, obtain a signed public key certificate file. You can use either of the following methods to obtain a signed certificate file.

Note

When you send a request to a certificate authority, specify the SVP or GUM as the host name.

Hitachi recommends that self-signed certificates be used only for testing encrypted communication.

Obtaining a self-signed certificate

To obtain a self-signed certificate, open a command prompt and execute the following command:

c:\key>c:\openssl\bin\openssl x509 -req -sha256 -days 10000 -in server.csr -signkey server.key -out server.crt

Note

This command uses SHA-256 as the hash algorithm. MD5 and SHA-1 are not recommended as hash algorithms because of their low security level.

This command creates a server.crt file in the c:\key folder, which is valid for 10,000 days. This is the signed public key, which is also referred to as a self-signed certificate.
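The keypair, CSR and self-signed certificate steps above, combined into one non-interactive script. This is an added example, not code from the Hitachi documentation: it assumes a POSIX shell with openssl on the PATH (the Windows procedure runs the same subcommands from c:\openssl\bin and passes -config c:\openssl\bin\openssl.cfg, which a Linux build locates on its own). The output directory, the subject fields and the key size are assumptions of this example; the page's command generates a 1024-bit key, which current browsers and CAs no longer accept, so 2048 bits is used here. The read-back functions are the checks worth running before the files are uploaded: the CN must be the address the browser will use, the signature hash must be SHA-256, and the certificate must belong to the private key that goes with it.

```shell
#!/bin/sh
# Added example (not from the Hitachi documentation): keypair, CSR and
# self-signed certificate in one run, using the same OpenSSL subcommands the
# Windows procedure types by hand. Directory, subject values and the
# 2048-bit key size are assumptions of this example.
set -eu

# Generate server.key, server.csr and server.crt in $1 for the host/IP in $2.
# The CN must be the address the browser uses to reach the SVP or GUM;
# otherwise the browser reports a name mismatch on every connection.
make_self_signed() {
    dir=$1
    cn=$2
    mkdir -p "$dir"
    # Private key. 2048 bits, because 1024-bit RSA (as in the page's command)
    # is below the minimum accepted by current browsers.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # CSR (the "public key" in the page's terminology). -subj supplies the DN
    # fields the interactive prompt would otherwise ask for.
    openssl req -sha256 -new -key "$dir/server.key" \
        -subj "/C=JP/ST=Kanagawa/L=Odawara/O=Example Corp/OU=Storage/CN=$cn" \
        -out "$dir/server.csr"
    # Self-signed certificate with a SHA-256 signature, 10000 days as on the page.
    openssl x509 -req -sha256 -days 10000 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Read the CN back from the certificate (RFC 2253 form: CN=value,...).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Signature algorithm, e.g. sha256WithRSAEncryption (never md5/sha1).
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/.*Signature Algorithm: \(.*\)/\1/p' | head -n 1
}

# RSA modulus size of the private key in bits.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

# The certificate must carry the public half of the key that will be uploaded
# with it; comparing the two public keys catches a mixed-up pair.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -noout -pubkey -in "$2")" ]
}

# Stand-alone run: writes into ./keydemo (constructed path) for 192.168.0.1.
if [ "${1:-}" = "demo" ]; then
    make_self_signed ./keydemo 192.168.0.1
    echo "CN:        $(cert_cn ./keydemo/server.crt)"
    echo "signature: $(cert_sig_alg ./keydemo/server.crt)"
    echo "key bits:  $(key_bits ./keydemo/server.key)"
    key_matches_cert ./keydemo/server.key ./keydemo/server.crt \
        && echo "private key matches certificate"
fi
```

Run it as `sh make-cert.sh demo`; the generated server.key and server.crt are the two files the upload procedure expects, in PEM format and without a passphrase.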

Obtaining a signed and trusted certificate

To obtain a signed and trusted certificate, you must create a certificate signing request (CSR), send that file to a Certificate Authority (CA), and request that the CA issue a signed and trusted certificate. Each certificate authority has its own procedures and requirements. Using such a certificate gives higher trust, at the cost of fees and the CA's requirements. The signed and trusted certificate is the signed public key.

Uploading the SSL certificate to the SVP or management client

To use SSL-encrypted communication, you must upload the private key and the signed server certificate (public key) to the management client.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged in to the SVP or management client.
  • A private key (.key file) has been created. Make sure that the file name is server.key.
  • A signed public key certificate (.crt file) has been acquired. Make sure that the file name is server.crt.
  • The private key (.key file) must be in PEM format. You cannot use DER format.
  • The signed public key certificate (.crt file) must be in X509 PEM format. You cannot use X509 DER format.
  • The passphrase for the private key (server.key file) must be released.

Procedure

  1. In the maintenance utility Menu navigation tree, click System Management.

  2. Click Update Certificate Files.

    Note

    For storage systems without an SVP, unselect the Connect to SVP box.
  3. Select the Web Server checkbox, then click Browse.

  4. Browse to the certificate file and click Open. The File Upload window closes and returns you to the Update Certificate Files dialog box.

  5. Click Apply.

Releasing an SSL certificate passphrase

An SSL certificate cannot be applied to the SVP if a passphrase is set on the private key. If a passphrase is set, release it before applying the SSL certificate to the SVP. The following procedure explains how to verify and release the passphrase setting.

Before you begin

  • A private key (.key file) has been created.
  • OpenSSL must be installed. In this procedure, it is installed in C:\openssl.

Procedure

  1. Open a command prompt window with administrator permissions.

  2. Change the current directory to the folder where the key file is stored (for example, C:\key), and run the following command:

    Caution

    Executing this command overwrites the current key file. To prevent loss of the key file, do one of the following:
    • Back up the key file first.
    • Use different files for the key file input destination and output destination.

    C:\key>C:\openssl\bin\openssl rsa -in key-file-input-destination -out key-file-output-destination

    If the prompt Enter pass phrase for server.key: is displayed, a passphrase is set. Enter the passphrase. The passphrase is removed from the SSL private key, and the SSL certificate can then be applied to the SVP.

Example (when a passphrase is set)

C:\key>c:\openssl\bin\openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: "Enter passphrase"
Writing RSA key

Example (when no passphrase is set)

C:\key>c:\openssl\bin\openssl rsa -in server.key -out server.key
Writing RSA key
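The passphrase check above, together with two of the upload prerequisites from Uploading the SSL certificate to the SVP or management client (the key must be PEM, not DER, and its passphrase must be released), as functions a practitioner can script. This is an added example, not part of the documentation; it assumes a POSIX shell with openssl on the PATH, and the file names and the passphrase value "secret" are constructed. Unlike the page's example, which overwrites server.key in place, the release here writes to a new file so that the protected original stays as the backup the caution asks for.

```shell
#!/bin/sh
# Added example (not from the Hitachi documentation): checks for the private
# key prerequisites (PEM format, passphrase released) and a passphrase
# release that writes to a separate file. File names and the passphrase
# "secret" are constructed for this example.
set -eu

# Returns 0 (true) when key $1 is passphrase-protected. Decrypting with an
# empty passphrase (-passin pass:) fails on an encrypted key and is simply
# ignored on a plain one, so the exit status answers without a prompt.
key_has_passphrase() {
    ! openssl rsa -in "$1" -passin pass: -noout >/dev/null 2>&1
}

# Report whether key file $1 is PEM or DER. PEM is ASCII with a
# "-----BEGIN ...-----" line; DER is raw binary ASN.1, which the SVP rejects.
key_format() {
    if grep -q -- '-----BEGIN' "$1"; then
        echo PEM
    elif openssl rsa -in "$1" -inform DER -noout >/dev/null 2>&1; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Write an unencrypted copy of key $1 to $2, using passphrase $3 to read it.
# The protected original is left untouched and serves as the backup.
release_passphrase() {
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
}

# Combined gate: 0 only when the file is PEM and carries no passphrase.
key_ready_for_upload() {
    [ "$(key_format "$1")" = PEM ] && ! key_has_passphrase "$1"
}

if [ "${1:-}" = "demo" ]; then
    # Constructed input: a 2048-bit key encrypted with the passphrase "secret".
    openssl genrsa -aes256 -passout pass:secret -out server-protected.key 2048 2>/dev/null
    key_ready_for_upload server-protected.key \
        || echo "server-protected.key: not ready (passphrase is set)"
    release_passphrase server-protected.key server.key secret
    key_ready_for_upload server.key \
        && echo "server.key: ready ($(key_format server.key), no passphrase)"
fi
```

The gate is the same test the page describes in the prompt-based form: a key that asks for a passphrase when `openssl rsa` opens it will be refused by the SVP, and a DER file fails the format check before the passphrase question even arises.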

Converting the SSL certificates to PKCS#12 format

Uploaded SSL certificates need to be in PKCS#12 format.

If you are uploading a created private key and the SSL certificate to the management client, you need to convert the SSL certificate to PKCS#12 format. If you are not uploading the SSL certificate, conversion is not required.

Before you begin

  • You must store a private key and SSL certificate in the same folder.
  • In the following procedure:
    • The private key file name is “client.key”.
    • The SSL certificate file name is “client.crt”.
    • The SSL certificate in PKCS#12 format is output to c:\key.

Procedure

  1. Open a command prompt with administrator permissions.

  2. Enter the following command: C:\key>c:\openssl\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

  3. Enter a password, which is used when uploading the SSL certificate in PKCS#12 format. You can use up to 128 alphanumeric characters and the following symbols: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

  4. The client.p12 file is created in the C:\key folder. This client.p12 file is the SSL certificate in PKCS#12 format.

  5. Close the command prompt.
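The PKCS#12 conversion above with the export password supplied on the command line, followed by a read-back of the bundle. This is an added example, not from the documentation; it assumes a POSIX shell with openssl on the PATH, client.key and client.crt are generated as constructed input, and the password value is constructed.

```shell
#!/bin/sh
# Added example (not from the Hitachi documentation): PKCS#12 export with
# the password supplied via -passout, plus read-back checks on the result.
# File names and the password value are constructed for this example.
set -eu

# Bundle certificate $1 and private key $2 (both PEM) into $3, protected by
# export password $4. This is the page's command with -passout added so the
# password is not requested interactively.
to_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Returns 0 when bundle $1 opens with password $2. A wrong password fails the
# MAC check, which is what a mistyped password in the upload dialog hits.
pkcs12_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -noout >/dev/null 2>&1
}

# CN of the certificate inside bundle $1 (password $2): confirms the bundle
# carries the certificate you meant to upload, not a leftover one.
pkcs12_cert_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Number of private keys in bundle $1; the upload needs exactly one.
pkcs12_key_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c -- '-----BEGIN.*PRIVATE KEY-----'
}

if [ "${1:-}" = "demo" ]; then
    # Constructed input: a throwaway self-signed client certificate and key.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout client.key -out client.crt \
        -subj "/CN=client.example" -days 30 2>/dev/null
    to_pkcs12 client.crt client.key client.p12 'S3cret!'
    pkcs12_opens_with client.p12 'S3cret!' && echo "client.p12 opens with the export password"
    echo "certificate CN:          $(pkcs12_cert_cn client.p12 'S3cret!')"
    echo "private keys in bundle:  $(pkcs12_key_count client.p12 'S3cret!')"
fi
```

Two points for production use: passing the password with `-passout pass:` places it in the shell history and the process list, so prefer `-passout file:` or the interactive prompt the page uses; and the bundle's own protection depends on the OpenSSL release that produced it (OpenSSL 3 defaults to AES-256-CBC with PBKDF2, while OpenSSL 1.1 and earlier used 40-bit RC2 for the certificate and 3DES for the key).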

Returning the certificate to default

You can return the certificate that was updated by the procedure in Uploading a signed certificate back to default.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. On the Device Manager - Storage Navigator computer, open a web browser and enter the following URL to open the Tool Panel dialog box.

    http://IP-address-or-host-name-of-SVP/cgi-bin/utility/toolpanel.cgi
  3. In the Tool Panel dialog box, click Update Certificate Files. The Update Certificate Files login dialog box opens.

    If SSL communication has been established, the Security Alert dialog box opens before the login dialog box. In the Security Alert dialog box, click OK.
  4. In the Login dialog box, enter the administrator user ID and password, and click Login. The Upload dialog box opens.

  5. In the Upload dialog box, click Return to Default. A confirmation dialog box opens.

  6. Click Yes to confirm and close the dialog box.

    When the certificate update is complete, the SVP Web server restarts to apply the update. When the restart is complete, the Update Completion dialog box opens.
  7. In the Update Completion dialog box, click OK. The dialog box closes and the display returns to the Login dialog box.

    Note

    If an error occurs during the certificate update, an error message appears. Resolve the problem described in the error message and then repeat this procedure, starting with Step 4 (login) above.

    Note

    If the Security Alert dialog box for the certificate opens at other times, click View Certificate to confirm that the certificate is correct and then click Yes.

Importing the SSL certificate to the Web browser

To allow your Web browser to automatically trust SSL certificates, you can import the SSL certificate into your Web browser.

Consult your Web browser's documentation for instructions to import the SSL certificate to the Web browser.

Blocking HTTP communication to the management client

You can use the HTTP setting tool to block or allow access to the HTTP communication port as needed.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged into the SVP or management client.

Procedure

  1. Close all management client sessions on the storage system, including Storage Advisor Embedded, maintenance utility, and Device Manager - Storage Navigator.

  2. Open a command prompt window with administrator permissions.

  3. In the folder where the HTTP setting tool is located, execute the following command:

    C:\MAPP\wk\Supervisor\MappIniSet>MappHttpBlock.bat
  4. A completion message box displays. Press any key to acknowledge the message and close the message box.

  5. Close the command prompt window.

Releasing HTTP communication blocking

If the web server supports SSL (HTTPS), you can use the HTTP setting tool to release a block to the HTTP communication port as needed.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged into the SVP or management client.

Procedure

  1. Close all management client sessions on the storage system, including Storage Advisor Embedded, maintenance utility, and Device Manager - Storage Navigator.

  2. Open a command prompt window with administrator permissions.

  3. In the folder where the HTTP setting tool is located, execute the following command:

    C:\MAPP\wk\Supervisor\MappIniSet>MappHttpRelease.bat
  4. A completion message box displays. Press any key to acknowledge the message and close the message box.

  5. Close the command prompt window.

Managing SSL certificates

When you use encrypted SSL communications to manage your storage system, you can select the desired cipher suite, update a signed certificate, and return an updated certificate to default.

SSL connection protects the User IDs and passwords that are exchanged when users log in to the management client.

Selecting a cipher suite

Before you begin

You must have the Storage Administrator (View & Modify) role to complete this procedure.

Procedure

  1. In the maintenance utility Menu navigation tree, click System Management.


  2. Click Select Cipher Suite.

  3. Select the type of communication to use between the management client and the storage system. The selections change the encryption level. Higher encryption provides better security but the communication speed is slower.

    • TLS_RSA_WITH_AES_128_CBC_SHA (Prioritize Transmission Speed). This selection provides higher communication speed and lower security.
    • TLS_RSA_WITH_AES_128_CBC_SHA256 (Prioritize Security). This selection provides higher security and lower communication speed.
  4. Click Apply to save the setting and close the dialog box.

Updating a signed certificate

To use SSL-encrypted communication, you must update and upload the private key and the signed server certificate (public key) to the management client.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged in to the SVP or management client.
  • A private key (.key file) has been created. Make sure that the file name is server.key.
  • A signed public key certificate (.crt file) has been acquired. Make sure that the file name is server.crt.
  • The private key (.key file) must be in PEM format. You cannot use DER format.
  • The signed public key certificate (.crt file) must be in X509 PEM format. You cannot use X509 DER format.
  • The passphrase for the private key (server.key file) must be released.

Procedure

  1. Close all management client sessions on the storage system, including Storage Advisor Embedded, maintenance utility, and Device Manager - Storage Navigator.

  2. Open a command prompt window with administrator permissions.

  3. In the folder where the .bat file is located, execute the following command:

    C:\MAPP\wk\Supervisor\MappIniSet>MappApacheCrtUpdate.bat absolute-path-of-signed-public-key-certification-file absolute-path-of-private-key-file
    Note

    A space is required between MappApacheCrtUpdate.bat and the signed public key certification file path.

    A space is required between the signed public key certification file path and the private key file path.

  4. A completion message box displays. Press any key to acknowledge the message and close the message box.

  5. Close the command prompt window.

Notes on updating a signed certificate for the service processor

The following notes provide additional information about updating a signed certificate.

  • While the service processor certificate is being updated, tasks that are being run or scheduled to run on Device Manager - Storage Navigator are not executed.
  • Certificates for RMI communication are updated asynchronously. The process takes about two minutes.
  • If the service processor certificate is updated while Storage Advisor or Hitachi Command Suite is being set up, the setup operation will fail.
  • Updating the SSL certificate changes the system significantly, and an incorrect certificate or private key can cause service processor failure. Check the contents of the certificate and private key carefully before setting them.
  • After the certificate update is complete, depending on the environment, the service processor can take 30 to 60 minutes to restart.

Returning the certificate to default

You can return the certificate that was updated by the procedure in Updating a signed certificate back to default.

Before you begin

  • You must have the Storage Administrator (Initial Configuration) role to perform this task.
  • You must be logged into the management client.
  • A private key (.key file) has been created. Make sure that the file name is server.key. See Creating a private key.
  • A signed public key certificate (.crt file) has been acquired. Make sure that the file name is server.crt. See Creating a public key.
  • The private key (.key file) must be in PEM format. You cannot use DER format.
  • The signed public key certificate (.crt file) must be in X509 PEM format. You cannot use X509 DER format. See Obtaining a self-signed certificate.
  • The passphrase for the private key (server.key file) must be released.

Procedure

  1. Close all management client sessions on the storage system, including Storage Advisor Embedded, maintenance utility, and Device Manager - Storage Navigator.

  2. Open a command prompt window with administrator permissions.

  3. In the folder where the .bat file is located, execute the following command:

    C:\MAPP\wk\Supervisor\MappIniSet>MappApacheCrtInit.bat
  4. A completion message box displays. Press any key to acknowledge the message and close the message box.

  5. Close the command prompt window.

Website security certificates

If the security certificate was not issued by a trusted certificate authority, the browser displays a warning message when you use encrypted SSL communications to connect to the storage system.

The same warning appears if the IP address or host name you specified in the URL differs from the common name (CN) in the security certificate.

When the message "There is a problem with this website's security certificate." is displayed, click Continue to this website (not recommended).

Updating the certificate files

The Update Certificate Files window is used to update the certificates that are used for communication between the management client and the storage system.

Before you begin

  • You must have the Storage Administrator (View & Modify) role to complete this procedure.

Procedure

  1. In the maintenance utility Menu navigation tree, click System Management.

  2. Click Update Certificate Files.

    Note

    For storage systems without an SVP, unselect the Connect to SVP box.
  3. To update the certificate file on the management client:

    1. Select the Web Server checkbox, then click Browse.

    2. Browse to the certificate file and click Open. The File Upload window closes and returns you to the Update Certificate Files dialog box.

    3. In the Web Server Password: field, enter the certificate password.

    4. Enter the password again in the Web Server Re-enter Password: field.

    Note

    For storage systems without an SVP, continue to step 5.
  4. To update the certificate file on the SVP:

    1. Select the Connect to SVP checkbox, then click Browse.

    2. Browse to the certificate file and click Open. The File Upload window closes and returns you to the Update Certificate Files dialog box.

    3. In the Connect to SVP Password: field, enter the certificate password.

    4. Enter the password again in the Connect to SVP Re-enter Password: field.

  5. Click Apply to update the certificates.

Managing HCS certificates

This topic explains how to set or delete certificates for Hitachi Command Suite (HCS) that are used to check the server's reliability when SSL communication for HCS external authentication is performed.

Registering HCS certificates

To check the server reliability during SSL communication for HCS external authentication, upload an HCS public key certificate to the web server to register the certificate.

Note

Ensure that you register or delete the correct certificate. Otherwise, HCS external authentication fails.

Before you begin

  • You must be logged into the SVP.
  • The private key file on the HCS server must be current. Update it if necessary.
  • The certificate file must have a .crt extension. Rename the file if necessary.
  • The certificate must be in X509 PEM format or X509 DER format.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. Open a command prompt window with administrator permissions.

  3. In the folder where the certificate update tool is located, execute the following command:

    C:\MAPP\wk\Supervisor\MappIniSet>MappHcsCrtEntry.bat absolute-path-of-signed-public-key-certificate-file
    Note

    A space is required between MappHcsCrtEntry.bat and the signed public key certificate file path.
  4. A completion message box displays. Press any key to acknowledge the message and close the message box.

  5. Close the command prompt window.

Deleting HCS certificates

You can delete the certificates you registered in Registering HCS certificates. After you delete a certificate, server reliability for that certificate is no longer checked during SSL communication for HCS external authentication.

Before you begin

  • You must be logged into the SVP.
  • The private HCS server key must be updated.
  • The certificate file must have a .crt extension. Rename the file if necessary.
  • The certificate must be in X509 PEM format or X509 DER format.

Procedure

  1. Close all Device Manager - Storage Navigator sessions on the SVP.

  2. Open a command prompt window with administrator permissions.

  3. In the folder where the certificate update tool is located, execute the following command:

    C:\MAPP\wk\Supervisor\MappIniSet>MappHcsCrtDelete.bat
  4. A completion message box opens. Press any key to acknowledge the message and close the message box.

  5. Close the command prompt window.