
Setting up SSL encryption

You can set up a Secure Sockets Layer (SSL) connection between the storage system and the SVP.

SSL encrypts the Hitachi Device Manager - Storage Navigator user ID and password exchanged between the storage system and SVP.

About SSL

SSL is a protocol for transmitting data securely over a network such as the Internet. Two SSL-enabled peers use their private key and public key to authenticate and to establish a secure session; the data exchanged in that session is then encrypted with a randomly generated symmetric session key that both peers agree on during the handshake.

The following terms are associated with SSL:

  • Keypair: two mathematically related cryptographic keys, a private key and its associated public key. The private key stays on the server; the public key is published in the certificate.
  • Server certificate: a server certificate binds an identity (in this case, the SVP server) to a specific public key, and the server proves possession of the matching private key during the SSL handshake. The certificate identifies the SVP server to a client so that the two can communicate using SSL. Certificates can be self-signed or issued by a certificate authority (CA). A self-signed certificate is generated by you, and its subject is the same as its issuer; because no third party vouches for it, a client can trust it only if it already holds a copy. For a client PC and SVP on an internal LAN behind a firewall, a self-signed certificate might provide sufficient security. A CA-issued certificate is obtained by sending a Certificate Signing Request (CSR) to a trusted CA such as VeriSign, which signs it. A certificate from a CA gives clients a stronger basis for trust than a self-signed certificate, but it costs money and can come with additional requirements from the CA.

SSL encryption of the storage system

The storage system uses SSL encryption for three connection paths. These paths are designated A to C in the following table and figure.

  • Path A: between the SVP and the client PC. Encryption purpose: operation of Device Manager - Storage Navigator. Certificate to be used: a signed certificate for SSL encryption between the SVP and the client PC.
  • Path B: between the SVP and the storage system. Encryption purpose: the SVP exchanges information with the storage system. Certificates to be used: the certificate for "Connect to SVP" and the certificate for "Web server".
  • Path C: between the client PC and the storage system. Encryption purpose: operation of the maintenance utility. Certificate to be used: the certificate for "Web server".

[Figure: connection paths A (SVP to client PC), B (SVP to storage system) and C (client PC to storage system), with the certificate used on each path]

To prevent a man-in-the-middle attack, the encryption on path B (between the SVP and the storage system) verifies the identity of the peer by comparing the certificate presented by the storage system with the certificate that was uploaded to the SVP in advance. For this check to succeed, the same certificate must be uploaded to both the SVP and the storage system.

Note If the certificate on the SVP and the certificate on the storage system do not match (for example, because only one of them was changed), the SVP does not operate normally. When replacing the certificate, upload it to the storage system first, and then upload it to the SVP.

Different certificates can be used for the "Connect to SVP" path and the "Web server" path.

  • A signed certificate for SSL encryption between the SVP and the client PC. Upload destination: SVP.
  • The certificate for "Connect to SVP". Upload destination: SVP and storage system. If the certificate is uploaded to only one of the two (the SVP or the storage system), the SVP will not operate normally.
  • The certificate for "Web server". Upload destination: SVP and storage system. If the certificate is uploaded to only one of the two (the SVP or the storage system), the SVP will not operate normally.

Creating private and public keys requires a dedicated program, such as those you can download from the OpenSSL website.

Setting up SSL communications

In the following procedure, you create private and public keys using a dedicated program, such as OpenSSL, which you can download from the OpenSSL website.

  1. Download OpenSSL.

  2. Create a private key.

  3. Create a public key.

  4. Acquire a signed certificate.

  5. Upload the signed SSL certificate.

  6. Import the certificate into the web browser (optional).

  7. Block HTTP communications.

Updating the SVP server certificate

Updating the SVP certificate renders some tasks temporarily unavailable.

  • While the SVP server certificate is being updated, tasks that are running or scheduled on Device Manager - Storage Navigator are not executed.
  • Certificates for RMI communication are updated asynchronously (within approximately two minutes).
  • If the SVP certificate is updated during a Hitachi Command Suite setup operation, the setup operation ends with an error.
  • Uploading a certificate that does not match its private key can cause an SVP failure. Verify that the certificate and the private key are a matching pair before you upload them.
  • After the certificate update completes, the SVP server can take 30 to 60 minutes to restart, depending on the environment. If the restart takes a long time, an internal server error may be displayed instead of the update completion dialog box. Even in that case, the certificate update has completed.

Creating a private key (.key file)

A private key is required to create an SSL keypair.

Procedure

  1. Download and install the openssl.exe file from the OpenSSL website.

    In the following example, the openssl.exe file is installed to the c:\openssl folder.
  2. If the read-only attribute is set, remove this attribute from the c:\openssl folder.

  3. Open a command prompt.

  4. Move the current directory to the folder to which the key file is output, such as c:\key.

  5. Execute the following command:

    c:\key>c:\openssl\bin\openssl genrsa -out server.key 2048

    A file called server.key is created in the c:\key folder. This file is the private key. Use a key length of at least 2048 bits; shorter RSA keys are no longer considered secure. Because this key has no passphrase, restrict access to the c:\key folder to administrators and delete any extra copies once the key has been uploaded.

Creating a public key (.csr file)

A certificate signing request (CSR) contains the public key that corresponds to the private key, together with the identity information of the SVP that the certificate will carry. This document refers to the .csr file as the public key.

Procedure

  1. Open a command prompt and issue the following command:

    C:\key>c:\openssl\bin\openssl req -sha256 -new -key server.key -config c:\openssl\bin\openssl.cfg -out server.csr

    This command uses SHA-256 as the hash algorithm. The server.csr file is created in the C:\key folder as the public key (CSR).
    Note Do not use MD5 or SHA-1 as the hash algorithm; both are considered broken for signatures. Use SHA-256.
  2. Enter the following information in the prompt:

    • Country Name (two-letter code)
    • State or Province Name
    • Locality Name
    • Organization Name
    • Organization Unit Name
    • Common Name: for a self-signed certificate, enter the IP address or host name of the server (SVP); the value you enter here is used as the server name (host name). For a certificate to be signed by a trusted CA, make sure the Common Name matches the host name by which clients reach the SVP. Note that current browsers validate the host name against the subjectAltName extension rather than the Common Name, so a certificate that carries only a Common Name can still produce a certificate warning.
    • Email Address
    • Challenge password (optional)
    • Company name (optional)
    The following example shows a sample command prompt input.

[Figure: sample command prompt input for the openssl req command]

Acquiring a signed certificate for the private key

After creating a private key and a public key, acquire a signed certificate file for the public key.

There are three ways to acquire a signed certificate:

  • Create a self-signed certificate.
  • Obtain a certificate from a certificate authority that is operated within your company (an internal CA).
  • Obtain an official certificate by requesting one from a public CA.

When you send a request to a certificate authority, specify the host name of the SVP as the Common Name. Public CAs charge a fee for issuing certificates.

Best practice is to use self-signed certificates only when testing encrypted communication.

To acquire a self-signed certificate:

Procedure

  1. Open a command prompt.

  2. Issue the following command:

    c:\key>c:\openssl\bin\openssl x509 -req -sha256 -days 10000 -in server.csr -signkey server.key -out server.crt

    The validity period of 10,000 days (about 27 years) is only an example. A certificate that stays valid for decades also keeps a leaked private key usable for decades, so choose a validity period that matches your key-rotation policy. This command uses SHA-256 as the hash algorithm.
    Note Do not use MD5 or SHA-1 as the hash algorithm; both are considered broken for signatures. Use SHA-256.
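The key, CSR and self-signed certificate steps above, followed by the checks worth running before anything is uploaded, as one script. This is an added example and is not part of the Hitachi documentation or of any Hitachi tool: it uses the same openssl commands as the procedures above (written for a POSIX shell; on the SVP the binary is c:\openssl\bin\openssl.exe and the commands are the same), supplies the subject fields non-interactively instead of through the prompts, and adds a subjectAltName entry, which the procedure on this page does not include but current browsers require. The host name svp.example.internal, the address 192.0.2.10, the subject fields and the 825-day validity are placeholders, not values from this page.

```shell
#!/bin/sh
# Added example (not from the Hitachi documentation): create the SVP keypair,
# CSR and self-signed certificate non-interactively, then run the checks an
# operator should do before upload. Same openssl invocations as the page
# (c:\openssl\bin\openssl.exe on the SVP); only the shell differs.
# Assumptions (placeholders, not from the page): host name, IP address,
# subject fields and validity period. subjectAltName is an addition.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SVP_HOST="${SVP_HOST:-svp.example.internal}"
SVP_IP="${SVP_IP:-192.0.2.10}"
DAYS="${DAYS:-825}"

# "Creating a private key": 2048-bit RSA, no passphrase (the SVP rejects
# passphrase-protected keys), so restrict access to the file immediately.
make_private_key() {            # $1 = output key path
    openssl genrsa -out "$1" 2048 2>/dev/null
    chmod 600 "$1"
}

# "Creating a public key (.csr)": subject fields come from a config snippet
# (prompt = no) instead of the interactive prompts; the snippet adds the SAN.
make_csr() {                    # $1 = key, $2 = csr out, $3 = host, $4 = ip
    cat >"$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
C  = US
ST = California
L  = Santa Clara
O  = Example Storage Ops
OU = Storage Management
CN = $3
[ext]
subjectAltName = DNS:$3,IP:$4
EOF
    openssl req -sha256 -new -key "$1" -config "$WORK/san.cnf" -out "$2"
}

# "Acquiring a signed certificate" (self-signed variant). -extfile carries the
# SAN into the certificate; plain "x509 -req" would otherwise drop it.
self_sign() {                   # $1 = csr, $2 = key, $3 = crt out, $4 = days
    openssl x509 -req -sha256 -days "$4" -in "$1" -signkey "$2" \
        -extfile "$WORK/san.cnf" -extensions ext -out "$3" 2>/dev/null
}

# Check 1: the certificate and private key belong together (a mismatch is the
# condition the page warns can cause an SVP failure). Compares public keys.
key_matches_cert() {            # $1 = key, $2 = crt ; prints yes|no
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$c" ] && echo yes || echo no
}

# Check 2: the signature algorithm is SHA-256 based, not MD5 or SHA-1.
signature_algorithm() {         # $1 = crt ; prints e.g. sha256WithRSAEncryption
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Check 3: SHA-256 fingerprint, to compare out of band with what the browser
# shows when it reports an untrusted certificate.
fingerprint() {                 # $1 = crt ; prints AB:CD:...
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

main() {
    make_private_key "$WORK/server.key"
    make_csr "$WORK/server.key" "$WORK/server.csr" "$SVP_HOST" "$SVP_IP"
    self_sign "$WORK/server.csr" "$WORK/server.key" "$WORK/server.crt" "$DAYS"
    echo "key matches cert  : $(key_matches_cert "$WORK/server.key" "$WORK/server.crt")"
    echo "signature alg     : $(signature_algorithm "$WORK/server.crt")"
    echo "sha256 fingerprint: $(fingerprint "$WORK/server.crt")"
    echo "files in          : $WORK"
}

if command -v openssl >/dev/null 2>&1; then main; fi
```

key_matches_cert is the check behind the warning that a certificate and private key that do not belong together can cause an SVP failure; run it on the exact pair you are about to hand to the update tool. For a CA-issued certificate, run the same checks on the file the CA returns before uploading it.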

Acquiring a signed and trusted certificate

To acquire a signed and trusted certificate, create a CSR (the server.csr file from the previous procedure), send it to a CA, and request that the CA issue a signed and trusted certificate.

Each certificate authority has its own procedures and requirements, and there is generally a cost for issuing the certificate. The signed and trusted certificate is the signed public key. Only the CSR is sent to the CA; the private key (server.key) stays on the SVP.

Removing the passphrase from the private key

You cannot upload a passphrase-protected private key to the SVP. Before uploading an SSL certificate to the SVP, remove the passphrase from its private key.

The following procedure describes how to check whether a passphrase is set and how to remove it.

Procedure

  1. On the SVP, start a Windows command prompt as Administrator.

  2. Move the current directory to the folder that holds the key file (for example, C:\key), and then issue the following command to check for a passphrase:

    C:\key>c:\openssl\bin\openssl rsa -in [input_key_file] -out [output_key_file]

    Note If the input and output file names are the same, the key file is overwritten. Best practice is to back up the key file in advance, or to write the output to a separate folder.
  3. If the command prompts Enter pass phrase for [input_key_file]:, the key is passphrase-protected. Enter the passphrase; OpenSSL then writes the key without the passphrase to the output file and reports writing RSA key. Example:

    C:\key>c:\openssl\bin\openssl rsa -in server.key -out server.key
    Enter pass phrase for server.key:
    writing RSA key

  4. If the command does not ask for a passphrase and reports only writing RSA key, the key has no passphrase, and the SSL certificate and key can be uploaded to the SVP as they are.

  5. Verify that the passphrase has been removed, and then close the command prompt. A key without a passphrase is protected only by file permissions, so restrict access to the folder that holds it to administrators and delete any copies you no longer need.

Converting the SSL certificate into the PKCS#12 format

When you upload the private key and the SSL certificate to the storage system, you must first bundle them into a single file in the PKCS#12 format. If the SSL certificate is not uploaded to the storage system, the conversion is unnecessary.

Note In this procedure, the file name of the private key is set as client.key and the file name of the SSL certificate, client.crt. In addition, the SSL certificate file in the PKCS#12 format is output to c:\key.

This procedure assumes that the private key and the SSL certificate are stored in the same folder, and that all users are logged out of Device Manager - Storage Navigator.

Procedure

  1. On the SVP, start a Windows command prompt as Administrator.

  2. Issue the following command:

    C:\key>c:\openssl\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

  3. When prompted, enter a password of your choice. This password is required when the PKCS#12 file is uploaded to the storage system. The password can be up to 128 characters long and can contain the following characters: A-Z a-z 0-9 ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

    The client.p12 file is created in the C:\key folder. This file is the SSL certificate and its private key converted into the PKCS#12 format.
  4. Close the command prompt.
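The passphrase check from the previous section and the PKCS#12 conversion above, as one added, non-interactive example (not Hitachi's code): it uses the same openssl commands, detects a passphrase by attempting to load the key with a deliberately wrong password instead of waiting for the interactive prompt, and checks a candidate PKCS#12 password against the character set and 128-character limit given in step 3 before calling openssl. The throwaway certificate it creates for the export (subject storage-ctl.example.internal), the file names and the passwords are placeholders. Whether the storage system accepts the AES-based PKCS#12 encryption that OpenSSL 3.x produces by default is not stated on this page; if an upload is rejected, re-export with the -legacy option of openssl pkcs12 and verify the file again.

```shell
#!/bin/sh
# Added example (not from the Hitachi documentation): check a private key for
# a passphrase, strip it, and package key + certificate as PKCS#12 for upload
# to the storage system. Same openssl commands as the page; run from a POSIX
# shell here, from c:\openssl\bin\openssl.exe on the SVP.
# Placeholders (assumptions, not from the page): file names, the throwaway
# certificate subject, and the passwords.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-Stor@ge-P12!}"

# "yes" if the key file is passphrase-protected, "no" otherwise. Loading with
# a wrong password fails only for an encrypted key; for a plain key -passin
# is never consulted, so the load succeeds.
key_has_passphrase() {          # $1 = key file ; prints yes|no
    if openssl rsa -in "$1" -noout -passin pass:__not_the_passphrase__ >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# Equivalent of "openssl rsa -in server.key -out server.key" from the page,
# with the passphrase supplied on the command line instead of at the prompt.
strip_passphrase() {            # $1 = input key, $2 = output key, $3 = passphrase
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
    chmod 600 "$2"              # nothing but file permissions protects it now
}

# Password rule from step 3: 1 to 128 characters, printable ASCII except
# space and double quote.
p12_password_ok() {             # $1 = candidate password ; prints yes|no
    if [ ${#1} -lt 1 ] || [ ${#1} -gt 128 ]; then
        echo no; return
    fi
    if printf '%s' "$1" | LC_ALL=C grep -q '[^]A-Za-z0-9!#$%&'"'"'()*+,./:;<=>?@[\^_`{|}~-]'; then
        echo no
    else
        echo yes
    fi
}

# "openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12",
# refusing a password the storage system would not accept.
to_pkcs12() {                   # $1 = crt, $2 = key, $3 = out .p12, $4 = password
    [ "$(p12_password_ok "$4")" = yes ] || { echo "password violates the allowed character set or length" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# "yes" if the .p12 opens with the given password (MAC check and parse), else "no".
p12_verify() {                  # $1 = .p12, $2 = password ; prints yes|no
    if openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

main() {
    # A passphrase-protected key, as a user might have created it by hand.
    openssl genrsa -aes256 -passout pass:old-secret -out "$WORK/client.enc.key" 2048 2>/dev/null
    echo "client.enc.key protected: $(key_has_passphrase "$WORK/client.enc.key")"
    strip_passphrase "$WORK/client.enc.key" "$WORK/client.key" old-secret
    echo "client.key protected    : $(key_has_passphrase "$WORK/client.key")"
    # Throwaway self-signed certificate so the export has something to package.
    openssl req -x509 -new -sha256 -days 365 -key "$WORK/client.key" \
        -subj "/CN=storage-ctl.example.internal" -out "$WORK/client.crt" 2>/dev/null
    to_pkcs12 "$WORK/client.crt" "$WORK/client.key" "$WORK/client.p12" "$P12_PASS"
    echo "client.p12 opens        : $(p12_verify "$WORK/client.p12" "$P12_PASS")"
    echo "files in                : $WORK"
}

if command -v openssl >/dev/null 2>&1; then main; fi
```

p12_verify is worth running on the file you are about to upload: it proves the password you recorded is the one the file was exported with, and a failure here is much cheaper than a failed upload to the storage system.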

Uploading the signed server certificate of the SSL communication between the SVP and client PC

To use a certificate of your choice for SSL communication between the SVP and the client PC, upload the private key and the signed server certificate (public key) to the SVP.

The following describes how to upload the certificate using the certificate update tool. This procedure assumes that:

  • A private key (server.key file) has been created. Change the file name to server.key unless the file already uses that name.
  • A signed public key certificate (server.crt file) has been acquired. Change the file name to server.crt unless the file already has that name.
  • All users are logged out of Device Manager - Storage Navigator.

Procedure

  1. On the SVP, start a Windows command prompt as Administrator.

  2. Move the current directory to the directory where the certificate update tool (MappApacheCrtUpdate.bat) is located. Issue the following command:

    C:\MAPP\wk\Supervisor\MappIniSet\MappApacheCrtUpdate.bat r[absolute path of the certificate file] r[absolute path of the private key file]

    Note C:\MAPP indicates the installation directory of the SVP. If the SVP is installed in a directory other than C:\MAPP, replace C:\MAPP with that directory.
  3. At the message Press any key to continue the process…, press any key.

  4. Close the command prompt.

Returning the certificate of the SSL communication between the SVP and the client PC to the default

This procedure requires all users to log out of Device Manager - Storage Navigator.

Procedure

  1. On the SVP, start a Windows command prompt as an Administrator.

  2. Move the current directory to the directory where the tool (MappApacheCrtInit.bat) is located. Issue the following command:

    C:\MAPP\wk\Supervisor\MappIniSet\MappApacheCrtInit.bat

    Note C:\MAPP indicates the installation directory of the SVP. If the SVP is installed in a directory other than C:\MAPP, replace C:\MAPP with that directory.
  3. At the message Press any key to continue the process…, press any key.

  4. Close the command prompt.

Uploading the certificate to the SVP

To use a certificate of your choice for SSL communication between the SVP and the storage system, upload the signed server certificate (public key) to the SVP. The update tool used in this procedure takes only the certificate file: the matching private key is installed on the storage system from the maintenance utility, not on the SVP. The same certificate must be present on both sides for the peer check described under SSL encryption of the storage system to succeed.

This procedure assumes that:

  • The private key of the storage system and the signed server certificate (public key) have already been updated from the maintenance utility.
  • The private key (server.key file) and the signed public key certificate (server.crt file) are in the X.509 PEM or X.509 DER format.

  • All users are logged out of Device Manager - Storage Navigator.

Procedure

  1. On the SVP, start a Windows command prompt as Administrator.

  2. Move the current directory to the directory where the certificate update tool (MappL7SwitchGumSslCrtUpdate.bat) is located. Issue the following command:

    C:\MAPP\wk\Supervisor\MappIniSet\MappL7SwitchGumSslCrtUpdate.bat r[absolute path of the certificate file]

    Note C:\MAPP indicates the installation directory of the SVP. If the SVP is installed in a directory other than C:\MAPP, replace C:\MAPP with that directory.
  3. At the message Press any key to continue the process…, press any key.

  4. Close the command prompt.

Uploading the certificate to the web server

On this path, Device Manager - Storage Navigator installed on the SVP is the SSL client and the controller of the storage system is the SSL server. To use a certificate of your choice for this communication, upload the signed server certificate (public key) to the SVP with the certificate update tool, as described below. The tool takes only the certificate file; the matching private key is installed on the storage system from the maintenance utility.

This procedure assumes that:

  • The private key of the storage system and the signed server certificate (public key) for the web server have already been updated from the maintenance utility.
  • The private key (server.key file) and the signed public key certificate (server.crt file) are in X.509 PEM or X.509 DER format.

  • All users are logged out of Device Manager - Storage Navigator.

Procedure

  1. On the SVP, start a Windows command prompt as Administrator.

  2. Move the current directory to the directory where the certificate update tool (MappSn2GumSslCrtUpdate.bat) is located. Issue the following command:

    C:\MAPP\wk\Supervisor\MappIniSet\MappSn2GumSslCrtUpdate.bat r[absolute path of the certificate file]

    Note C:\MAPP indicates the installation directory of the SVP. If the SVP is installed in a directory other than C:\MAPP, replace C:\MAPP with that directory.
  3. At the message Press any key to continue the process…, press any key.

  4. Close the command prompt.

Returning the web server certificate to the default

If necessary, you can revert to the default web server certificate.

This procedure assumes that:

  • The private key (server.key file) and the signed public key certificate (server.crt file) are in X.509 PEM or X.509 DER format.

  • All users are logged out of Device Manager - Storage Navigator.

Procedure

  1. On the SVP, start a Windows command prompt as Administrator.

  2. Move the current directory to the directory where the certificate update tool (MappSn2GumSslCrtInit.bat) is located. Issue the following command:

    C:\MAPP\wk\Supervisor\MappIniSet\MappSn2GumSslCrtInit.bat

    Note C:\MAPP indicates the installation directory of the SVP. If the SVP is installed in a directory other than C:\MAPP, replace C:\MAPP with that directory.
  3. At the message Press any key to continue the process…, press any key.

  4. Close the command prompt.

Resolving security certificate messages

When starting an SSL-enabled Device Manager - Storage Navigator session, the following message appears if the security certificate was not issued by a certificate authority that the browser trusts. Clicking Continue to this website (not recommended) lets the session proceed, but it bypasses the check that protects against a man-in-the-middle attack. Do so only on a trusted internal network, and only after confirming that the certificate the browser shows is the one you uploaded to the SVP (for example, by comparing its SHA-256 fingerprint). To stop the message from appearing, import the SVP certificate (or the certificate of the CA that issued it) into the browser's trust store, or obtain a certificate from a CA that the browser already trusts.

[Figure: the browser's security certificate alert, with the option Continue to this website (not recommended)]

Blocking HTTP communications to the SVP

You can block outside access to the HTTP communication port used by the SVP. Do this once SSL communication is working, so that the Device Manager - Storage Navigator user ID and password can no longer be sent over an unencrypted HTTP connection.

  1. Request all users to log out of HDvM - SN.

  2. Using a management console PC attached to the SVP, connect to the SVP using Windows Remote Desktop Client.

  3. On the SVP, open a Windows command prompt as Administrator.

  4. Move to the directory where the MappHttpBlock.bat tool is located, and then issue the following command:

    C:\MAPP\wk\Supervisor\MappIniSet\MappHttpBlock.bat

    In this command, C:\MAPP indicates the installation directory of the storage management software and SVP software. If the installation directory is different, replace C:\MAPP with the specified installation directory.

  5. At the message Press any key to continue the process…, press any key, and then close the command prompt window.

Releasing HTTP communications to the SVP

If you blocked outside access to the HTTP communications used by the SVP, use the following procedure to release the blocked port.

  1. Request all users to log out of HDvM - SN.

  2. Using a management console PC attached to the SVP, connect to the SVP using Windows Remote Desktop Client.

  3. On the SVP, open a Windows command prompt as Administrator.

  4. Move to the directory where the MappHttpRelease.bat tool is located, and then enter the following command:

    C:\MAPP\wk\Supervisor\MappIniSet\MappHttpRelease.bat

    In this command, C:\MAPP indicates the installation directory of the storage management software and SVP software. If the installation directory is different, replace C:\MAPP with the specified installation directory.

  5. At the message Press any key to continue the process…, press any key. If the tool prompts for a port number, enter a port number that is not being used by another device or application.

  6. Close the command prompt window.