Basic Secure Sockets Layer (SSL) Guidelines

If you are working on a Lattus system that already has an SSL certificate, this section outlines what you need to do to get the public portion of that certificate onto a StorNext MDC to be used for secure HTTPS transfers.

Note: StorNext only supports certificates in PEM format.

This section provides guidelines on how to use the PEM (Privacy Enhanced Mail) file that already exists on your Lattus system. A typical PEM file will look like the server.pem illustrated in Example of a server.pem File.

  • The PEM file is a clear text file which contains both the private key and the public SSL certificate.
  • The private portion of the PEM file begins with the text “-----BEGIN RSA PRIVATE KEY-----” and ends with the text “-----END RSA PRIVATE KEY-----”. Below is an example of a PEM file containing 4 public certificates and 1 private key.

-----BEGIN CERTIFICATE-----

(Your Primary SSL certificate: your_domain_name.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Your Intermediate certificate: SomeCA.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Your Root certificate: SomeRoot.crt)

-----END CERTIFICATE-----

This is a Certificate with Private and Public keys:

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

  • The private portion of the PEM file should NEVER be transferred off the Lattus system in any format for use by a StorNext MDC, as the private portion of the PEM file is never needed by a StorNext MDC. This helps to ensure that the security on the Lattus system remains intact and is not jeopardized.

After you have identified where the PEM file is located, perform Step 1 through Step 5 below to create a public SSL certificate for use on a StorNext MDC:

  1. Assume the name of your self-signed certificate is server.pem and that it contains both a private key and public certificates. If your server.pem file contains only 1 public certificate, run the following command from a terminal to create a public.pem certificate file, and then proceed to Step 3.
    openssl x509 -in server.pem -out public.pem
  2. If your server.pem file contains multiple public certificates, perform Step 2(a) through Step 2(d):
    a. Issue the following command on the terminal to make a copy of your server.pem file (this copy will become your public certificate file):
    cp server.pem public.pem
    b. Open the public.pem file with your text editor of choice:
    vi public.pem
    c. In the above example of the .pem file, delete the lines beginning with the text “-----BEGIN RSA PRIVATE KEY-----” and ending with “-----END RSA PRIVATE KEY-----”, inclusive.

    Caution: The public.pem file should NOT contain any blank lines. If you edit the file, verify that there are no blank lines in it. Blank lines in the public.pem file are not supported by the API used to import the file.

    d. Save this public.pem file – the resulting file should look like the example in Example of a public.pem File.
  3. Transfer the public.pem file to a place where the MDC’s GUI can access it.
  4. On the Tools menu of the StorNext GUI, click Object Storage Certificates. The Tools > Object Storage Certificates page appears.
  5. On the Tools > Object Storage Certificates page, click Import.... The Import A Certificate dialog box appears.
  6. In the Import A Certificate dialog box, click Choose File to select a file to import. The Open dialog box appears. Alternatively, click Close to cancel the import.
  7. In the Open dialog box, navigate to the public.pem certificate file you want to import, and then click Open.

Note: Public Certificate files uploaded through the GUI are placed in the following directory: /usr/cvfs/config/ssl

If the import is successful, the Information notification at the top of the Tools > Object Storage Certificates page displays, “Certificate public.pem uploaded successfully.”
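
Example (added here, not part of the vendor procedure or tooling): a shell alternative to the manual edit in Step 2 that copies only the certificate blocks into public.pem and then checks the result for private key material and blank lines before the file leaves the Lattus system. The function names and the constructed demo input are assumptions made for illustration.

```shell
#!/bin/sh
# check_public_pem FILE: fail if FILE holds key material, blank lines, or no
# complete certificate block; on success print the number of certificates.
check_public_pem() {
    f=$1
    # Matches RSA, PKCS#8 and encrypted private key headers alike.
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "$f: contains private key material" >&2; return 1
    fi
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "$f: contains blank lines" >&2; return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$f: no complete certificate block" >&2; return 1
    fi
    echo "$begins"
}

# extract_public_pem SRC DST: copy only the CERTIFICATE blocks from SRC to DST,
# dropping everything else (private key, blank lines, carriage returns).
extract_public_pem() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "$src: not readable" >&2; return 1; }
    tr -d '\r' < "$src" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
        keep && NF                      { print }
        /^-----END CERTIFICATE-----$/   { keep = 0 }
    ' > "$dst" || return 1
    check_public_pem "$dst"
}

# Demo on a constructed file (placeholder bodies, not real key or certificate data).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-KEY-BODY' '-----END RSA PRIVATE KEY-----' '' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-LEAF-BODY' '-----END CERTIFICATE-----' '' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA-BODY' '' '-----END CERTIFICATE-----' \
        > "$tmp/server.pem"
    extract_public_pem "$tmp/server.pem" "$tmp/public.pem"; rc=$?
    rm -rf "$tmp"
    return $rc
}

# Script use: sh thisfile server.pem public.pem
if [ "$#" -eq 2 ]; then extract_public_pem "$1" "$2"; fi
```

Running check_public_pem on any file immediately before Step 3 gives the same checks for a public.pem that was edited by hand.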