Import a Secure Sockets Layer (SSL) Certificate
This section provides procedures to import an SSL certificate into the StorNext Unified User Interface (UUI) and, where needed, into the StorNext legacy UI.
Note: Quantum recommends that you review your SSL Certificate Authority vendor's requirements for submitting a Certificate Signing Request (CSR) when you purchase a certificate.
Important: The procedures must be executed on each node of your system where StorNext runs an Apache Tomcat server (on a multi-node system, both the primary and secondary MDC nodes).
Use the CLI commands below to manage your SSL certificates.
Prerequisites
- You must have StorNext 7.0.2 (or later) installed on your system.
- You must have the StorNext Unified User Interface (UUI) packages installed on your system.
For an initial installation, you can use /opt/quantum/uui-ssl/bin/quantum-uui-ssl-shared-cert.el7.centos.noarch.rpm, which installs a default SSL certificate and key file as /opt/quantum/uui-ssl/nginx/nginx.crt and /opt/quantum/uui-ssl/nginx/nginx.key. Because this certificate and its private key ship inside the package, they are not unique to your system and browsers will not trust them without manual intervention; use them only to bring the UI up, and replace them with your own certificate before users rely on the UI.
If you save your own SSL certificate file and key file as /opt/quantum/uui-ssl/nginx/nginx.crt and /opt/quantum/uui-ssl/nginx/nginx.key, your system uses these files and it is not necessary to run the uuissl load commands or the uuissl new command. Protect the key file as you would any private key: it should be owned by root and readable by root only.
Do the following to view the version of your UUI SSL package:
- Open an SSH connection to your system and log in.
- At the prompt, enter the following:
/opt/quantum/uui-ssl/bin/uuissl version
Example Output
quantum-uui-ssl-shared-cert-7.0.2.4-1.el7.centos.noarch
Do the following to load your own SSL certificate and key.
Note: If you have a multi-node system, then perform the following procedure on both the primary and secondary MDC nodes.
- Open an SSH connection to your system and log in.
- At the prompt, enter the following:
/opt/quantum/uui-ssl/bin/uuissl load
- At the prompt, enter the location of the certificate file. For example:
/opt/quantum/uui-ssl/nginx/mysslcertificate.crt
- At the prompt, enter the location of the key file. For example:
/opt/quantum/uui-ssl/nginx/mysslkey.key
(Optional) Enter the following command if you do not want to be prompted for the two paths:
/opt/quantum/uui-ssl/bin/uuissl load [certfile] [keyfile]
Where [certfile] and [keyfile] are the locations of the certificate file and the key file, respectively.
The command restarts the API gateway, the UI server and the UI frontend, so expect the UI to be unavailable for a minute or two while the Docker stacks are redeployed.
Example Output
Restarting Unified StorNext UI API Gateway...
Remove cron to check running version matches rpm ...
-- Logs begin at Wed 2021-10-13 08:27:28 CDT. --
Oct 13 13:50:38 my-appliance-hostname systemd[1]: Started Quantum StorNext Unified UI Container API-Gateway.
Oct 13 14:38:41 my-appliance-hostname systemd[1]: Stopping Quantum StorNext Unified UI Container API-Gateway...
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Remove cron to check running version matches rpm ...
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Stopping docker quantum-api stack
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_endpoint-database
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_gateway-admin-api
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_keycloak-database
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_keycloak-server
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_kong-database
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_kong-server
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_license-aggregator
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_license-sender
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-appliance-controller-hosts
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-atfs-controller-hosts
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-datamovers
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-filesystems
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-flexsync-hosts
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-fseries-hosts
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-hosts
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-hseries-hosts
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-metadata-controllers
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-name-servers
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-qxs-hosts
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-unified-connector-hosts
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-usbe-hosts
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-fs-create
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-registrar
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-templates
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_user-management-api
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing network quantum-api-external-net
Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing network quantum-api-net
Oct 13 14:38:56 my-appliance-hostname apigw[10750]: docker quantum-api stack stopped
Oct 13 14:38:56 my-appliance-hostname systemd[1]: Stopped Quantum StorNext Unified UI Container API-Gateway.
Docker stack quantum_api IS NOT running.
UUI autostart enabled
-- Logs begin at Wed 2021-10-13 08:27:28 CDT. --
Oct 13 14:38:56 my-appliance-hostname systemd[1]: Stopped Quantum StorNext Unified UI Container API-Gateway.
Oct 13 14:38:56 my-appliance-hostname systemd[1]: Starting Quantum StorNext Unified UI Container API-Gateway...
Oct 13 14:38:57 my-appliance-hostname apigw[12439]: quantum-hwmond not installed, skipping pause
Oct 13 14:38:57 my-appliance-hostname apigw[12439]: /opt/quantum/fscreate_templates directory exists
Oct 13 14:38:57 my-appliance-hostname apigw[12439]: /opt/quantum/api-gateway/volumes/license_report directory exists
Oct 13 14:38:57 my-appliance-hostname apigw[12439]: Deploy docker quantum-api stack
Oct 13 14:38:57 my-appliance-hostname apigw[12439]: Creating network quantum-api-net
Oct 13 14:38:57 my-appliance-hostname apigw[12439]: Creating network quantum-api-external-net
Oct 13 14:38:57 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-hseries-hosts
Oct 13 14:38:57 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-name-servers
Oct 13 14:38:58 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-fs-create
Oct 13 14:38:59 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-templates
Oct 13 14:38:59 my-appliance-hostname apigw[12439]: Creating service quantum-api_gateway-admin-api
Oct 13 14:39:00 my-appliance-hostname apigw[12439]: Creating service quantum-api_license-aggregator
Oct 13 14:39:01 my-appliance-hostname apigw[12439]: Creating service quantum-api_license-sender
.Oct 13 14:39:02 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-registrar
Oct 13 14:39:02 my-appliance-hostname apigw[12439]: Creating service quantum-api_user-management-api
Oct 13 14:39:03 my-appliance-hostname apigw[12439]: Creating service quantum-api_kong-server
Oct 13 14:39:04 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-datamovers
Oct 13 14:39:04 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-filesystems
Oct 13 14:39:05 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-metadata-controllers
Oct 13 14:39:06 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-qxs-hosts
Oct 13 14:39:06 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-unified-connector-hosts
.Oct 13 14:39:07 my-appliance-hostname apigw[12439]: Creating service quantum-api_kong-database
Oct 13 14:39:08 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-fseries-hosts
Oct 13 14:39:09 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-hosts
Oct 13 14:39:09 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-appliance-controller-hosts
Oct 13 14:39:10 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-atfs-controller-hosts
Oct 13 14:39:11 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-flexsync-hosts
Oct 13 14:39:12 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-usbe-hosts
.Oct 13 14:39:12 my-appliance-hostname apigw[12439]: Creating service quantum-api_endpoint-database
Oct 13 14:39:13 my-appliance-hostname apigw[12439]: Creating service quantum-api_keycloak-database
Oct 13 14:39:14 my-appliance-hostname apigw[12439]: Creating service quantum-api_keycloak-server
Oct 13 14:39:14 my-appliance-hostname apigw[12439]: Waiting for kong-server container startup
.....Oct 13 14:39:37 my-appliance-hostname apigw[12439]: Waiting for response from kong-server container .....................
Oct 13 14:39:37 my-appliance-hostname apigw[12439]: Waiting for response from kong-server services ping: bad address 'keycloak-server'
..Oct 13 14:39:47 my-appliance-hostname apigw[12439]: .ping: bad address 'keycloak-server'
..Oct 13 14:39:58 my-appliance-hostname apigw[12439]: .
Oct 13 14:39:58 my-appliance-hostname apigw[12439]: kong-server container ready
Oct 13 14:39:58 my-appliance-hostname apigw[12439]: Waiting for keycloak-server container startup
Oct 13 14:39:58 my-appliance-hostname apigw[12439]: Waiting for response from keycloak-server container
.Oct 13 14:40:05 my-appliance-hostname apigw[12439]: Waiting for response from keycloak-server services
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: keycloak-server container ready
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: Waiting for rest-registrar container startup
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: Waiting for response from rest-registrar container
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: Waiting for response from rest-registrar services
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: rest-registrar container ready
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: PING 10.65.162.1 (10.65.162.1) 56(84) bytes of data.
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: 64 bytes from 10.65.162.1: icmp_seq=1 ttl=64 time=0.132 ms
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: --- 10.65.162.1 ping statistics ---
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: 1 packets transmitted, 1 received, 0% packet loss, time 0ms
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: rtt min/avg/max/mdev = 0.132/0.132/0.132/0.000 ms
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: PING 10.65.162.2 (10.65.162.2) 56(84) bytes of data.
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: 64 bytes from 10.65.162.2: icmp_seq=1 ttl=64 time=0.155 ms
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: --- 10.65.162.2 ping statistics ---
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: 1 packets transmitted, 1 received, 0% packet loss, time 0ms
Oct 13 14:40:05 my-appliance-hostname apigw[12439]: rtt min/avg/max/mdev = 0.155/0.155/0.155/0.000 ms
Oct 13 14:40:06 my-appliance-hostname apigw[12439]: Try setting DNS ndots:1
Oct 13 14:40:06 my-appliance-hostname apigw[12439]: Kong reloaded
Oct 13 14:40:06 my-appliance-hostname apigw[12439]: PING keycloak-server (10.0.100.51): 56 data bytes
Oct 13 14:40:06 my-appliance-hostname apigw[12439]: 64 bytes from 10.0.100.51: seq=0 ttl=64 time=0.062 ms
Oct 13 14:40:06 my-appliance-hostname apigw[12439]: --- keycloak-server ping statistics ---
Oct 13 14:40:06 my-appliance-hostname apigw[12439]: 1 packets transmitted, 1 packets received, 0% packet loss
Oct 13 14:40:06 my-appliance-hostname apigw[12439]: round-trip min/avg/max = 0.062/0.062/0.062 ms
Oct 13 14:40:06 my-appliance-hostname apigw[12439]: Update SSL certificate if needed
.Oct 13 14:40:10 my-appliance-hostname apigw[12439]: Checking SSL certificate
Oct 13 14:40:10 my-appliance-hostname apigw[12439]: SSL certificate from /opt/quantum/uui-ssl/nginx already added
Oct 13 14:40:10 my-appliance-hostname apigw[12439]: USBE running: update public key
Oct 13 14:40:10 my-appliance-hostname apigw[12439]: Create cron to check running version matches rpm ...
Oct 13 14:40:10 my-appliance-hostname apigw[12439]: api-gateway started
Docker stack quantum-api IS running.
NAMES STATUS
quantum-api_kong-server.1.bsrj6ofc24jzcda7xv52hzkwr Up 43 seconds (healthy)
quantum-api_keycloak-server.1.r29fzo2o4w6tpgjynq1y9qwn7 Up 54 seconds (healthy)
quantum-api_keycloak-database.1.gtt9msr29rbnubj060eo4ssi2 Up 55 seconds (healthy)
quantum-api_endpoint-database.1.bizq5tmo78c1vpqoz6hi9ctrj Up 55 seconds (healthy)
quantum-api_rest-aggregator-usbe-hosts.1.nddlquran5uly3vff6mpn44y6 Up 56 seconds
quantum-api_rest-aggregator-flexsync-hosts.1.9m64laquouptiq7hlworrp6bg Up 56 seconds
quantum-api_rest-aggregator-atfs-controller-hosts.1.s8ihcqwpatma1hxyd0r34bwmh Up 57 seconds
quantum-api_rest-aggregator-appliance-controller-hosts.1.eauxd3xzmf6yz12py9t687bfn Up 58 seconds
quantum-api_rest-aggregator-hosts.1.6tuyxcbcusi9zy3ncr5ytrmr3 Up 59 seconds
quantum-api_rest-aggregator-fseries-hosts.1.o5l27c9binq711d43avpkowxn Up About a minute
quantum-api_kong-database.1.kqnu06gsd3a1jvih28scv6s4s Up About a minute (healthy)
quantum-api_rest-aggregator-unified-connector-hosts.1.4dj6ykhaavy6qxjlvflhzukev Up About a minute
quantum-api_rest-aggregator-qxs-hosts.1.4smqots3jxxn3utf8pjylywix Up About a minute
quantum-api_rest-aggregator-metadata-controllers.1.dfzmxu65us1x2quogo8yy90ui Up About a minute
quantum-api_rest-aggregator-filesystems.1.r9an5mm3r5avsr75iu1lmrzxh Up About a minute
quantum-api_rest-aggregator-datamovers.1.skn0q9umcbdx47qt2iyfzoa5r Up About a minute
quantum-api_user-management-api.1.keqxvjgi6g8xg3afe77ul00xc Up About a minute
quantum-api_license-sender.1.lj0y2fy2oauv985jsvi041a0t Up About a minute
quantum-api_rest-registrar.1.rvp4huaumeqdka6fg5yl8r55t Up About a minute
quantum-api_license-aggregator.1.mgpvghj7j2t5kf9luc2vd2fag Up About a minute
quantum-api_gateway-admin-api.1.amvbjacqi2c8gh3lwc0jv6r48 Up About a minute
quantum-api_rest-templates.1.uwhenw3wotnhc3gl9f2jl0g3b Up About a minute
quantum-api_rest-fs-create.1.cpe3z979kolb09wagpwkerbc6 Up About a minute
quantum-api_rest-aggregator-name-servers.1.qotjsek0qrkqwqlolkx3ovg87 Up About a minute
quantum-api_rest-aggregator-hseries-hosts.1.ki7yh9xi8gsndvneve1aze4rx Up About a minute
UUI autostart enabled
Create cron to check running version matches rpm ...
Restarting Unified StorNext UI Server...
Stopping quantum_usbe ...
Stopping docker quantum_usbe stack
Removing service quantum_usbe_nginx
Removing service quantum_usbe_pgsql
Removing service quantum_usbe_php
Removing network quantum_usbe_default
quantum_usbe stopped.
Starting quantum_usbe ...
Deploy docker quantum_usbe stack
Setting up /var/lib/docker/volumes/usbe_data/_data/var/log
Creating network quantum_usbe_default
Creating service quantum_usbe_pgsql
Creating service quantum_usbe_php
Creating service quantum_usbe_nginx
Fixing permissions for usbe volume directory for www-data
PING 10.65.189.1 (10.65.189.1) 56(84) bytes of data.
64 bytes from 10.65.189.1: icmp_seq=1 ttl=64 time=0.148 ms
--- 10.65.189.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.148/0.148/0.148/0.000 ms
PING 10.65.189.2 (10.65.189.2) 56(84) bytes of data.
64 bytes from 10.65.189.2: icmp_seq=1 ttl=64 time=0.132 ms
--- 10.65.189.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.132/0.132/0.132/0.000 ms
Try setting DNS ndots:1
PING pgsql (10.0.5.2): 56 data bytes
64 bytes from 10.0.5.2: seq=0 ttl=64 time=0.044 ms
--- pgsql ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.044/0.044/0.044 ms
// Clearing the cache for the prod environment with debug
// false
[OK] Cache for the "prod" environment (debug=false) was successfully cleared.
quantum_usbe started.
Restarting Unified StorNext UI Frontend...
Stopping quantum_usui ...
Stopping docker quantum_usui stack
Removing service quantum_usui_nginx
Removing network quantum_usui_default
quantum_usui stopped.
Starting quantum_usui docker stack...
Creating network quantum_usui_default
Creating service quantum_usui_nginx
quantum_usui docker stack started.
Do the following to import the UUI SSL certificate into the StorNext legacy UI, which runs on Apache Tomcat and reads its certificate from the keystore /usr/adic/gui/config/.keystore. The import stops and restarts the stornext_web service, so the legacy UI is briefly unavailable.
Note: If you have a multi-node system, then perform the following procedure on both the primary and secondary MDC nodes.
- Open an SSH connection to your system and log in.
- At the prompt, enter the following:
Example Output
Stopping StorNext Legacy UI...
Redirecting to /usr/bin/systemctl stop stornext_web
Importing StorNext Unified UI SSL Certificate to StorNext Legacy UI...
Importing keystore server.p12 to /usr/adic/gui/config/.keystore...
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/adic/gui/config/.keystore -destkeystore /usr/adic/gui/config/.keystore -deststoretype pkcs12".
Starting StorNext Legacy UI...
Redirecting to /usr/bin/systemctl start stornext_web
Do the following to generate and load a new self-signed certificate and key.
- Open an SSH connection to your system and log in.
- At the prompt, enter the following:
/opt/quantum/uui-ssl/bin/uuissl new
Example Output
Generating a 4096 bit RSA private key
........................................................................++
........................................................................++
writing new private key to 'nginx.key'
-----
Updating APIGW...
{
  "created_at": 1601317027,
  "cert": "-----BEGIN CERTIFICATE-----\bS01Lm1kaC5xdWFudHVtLmNv\n-----END CERTIFICATE-----",
  "id": "adae7bb0-bac8-4923-9f1f-db7ec3b9123c",
  "tags": null,
  "key": "-----BEGIN PRIVATE KEY-----\nMIIJQgIBADANBgkqhksdfsfs\n-----END PRIVATE KEY-----",
  "snis": [
    "localhost",
    "mySSLcert",
    "mySSLcert.mydomain.com"
  ]
}
Restarting USBE...
Stopping quantum_usbe ...
Removing service quantum_usbe_nginx
Removing service quantum_usbe_pgsql
Removing service quantum_usbe_php
Removing network quantum_usbe_default
quantum_usbe stopped.
Starting quantum_usbe ...
Setting up /var/lib/docker/volumes/usbe_data/_data/var/log
Creating network quantum_usbe_default
Creating service quantum_usbe_nginx
Creating service quantum_usbe_pgsql
Creating service quantum_usbe_php
Fixing permissions for usbe volume directory for www-data
// Clearing the cache for the prod environment with debug
// false
[OK] Cache for the "prod" environment (debug=false) was successfully cleared.
// Warming up the cache for the prod environment with debug
// false
[OK] Cache for the "prod" environment (debug=false) was successfully warmed.
quantum_usbe started.
Restarting USUI...
Stopping quantum_usui docker stack...
Removing service quantum_usui_nginx
Removing network quantum_usui_default
Starting quantum_usui docker stack...
Creating network quantum_usui_default
Creating service quantum_usui_nginx
quantum_usui docker stack started.
Note: The Updating APIGW... step echoes the API gateway's response, and that response contains the newly generated private key in the key field. Treat the terminal output as sensitive: do not paste it into tickets or chat, and protect or clear any session recording that captured it.
Do the following to view the SSL certificate that is currently loaded:
- Open an SSH connection to your system and log in.
- At the prompt, enter the following:
/opt/quantum/uui-ssl/bin/uuissl show
Example Output
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: c2:ab:82:4e:2f:7f:55:8b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=mySSLcert.mydomain.com
        Validity
            Not Before: Aug 17 16:39:53 2020 GMT
            Not After : Aug 15 16:39:53 2030 GMT
        Subject: CN=mySSLcert.mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ab:56:b3:eb:46:91:6d:cc:4e:07:94:7c:f3:7a:
                    18:ae:13:78:42:1f:59:12:74:fd:8b:12:c6:6f:2c:
                    70:9d:e4:f0:89:97:c0:0a:f7:3c:4d:c5:f3:87:a8:
                    e8:0e:5c:07:e9:7c:22:86:19:84:77:ff:b2:91:f3:
                    2f:af:1e:b3:88:4c:d3:48:39:d5:f2:11:13:21:8e:
                    a6:c5:8a:00:08:d9:58:0e:8b:5d:fd:de:e2:4b:94:
                    cb:f7:de:9f:a4:b5:3d:66:59:31:5a:c0:dc:c0:a5:
                    a6:7a:5e:07:12:d4:88:96:5e:90:f3:90:35:f5:07:
                    af:4d:06:8a:ba:48:6a:a9:1f:a0:f4:1a:f1:d2:0c:
                    2f:a3:ad:30:b9:e1:4e:e9:1e:14:63:db:33:4d:64:
                    14:54:b3:0f:59:a4:52:10:64:26:74:a5:f1:fb:4e:
                    1a:f9:16:cf:f1:da:95:65:81:b7:7f:9e:11:10:2b:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mySSLcert.mydomain.com:441, DNS:mySSLcert.mydomain.com:8443, DNS:mySSLcert.mydomain.com:8445
    Signature Algorithm: sha256WithRSAEncryption
         6d:66:ae:44:c1:19:36:e2:8e:05:f8:76:24:7f:e3:44:c9:85:
         68:f9:8a:57:eb:af:cc:ff:18:de:0b:33:c9:d0:8f:3f:67:b7:
         d6:98:28:28:2e:aa:27:3a:09:3a:be:a4:1d:5a:52:8d:a9:5c:
         1f:3e:03:bb:1e:0b:da:83:53:57:4b:97:d8:b2:e5:9f:cf:a5:
         0b:ac:40:c4:92:82:35:3f:6a:69:24:71:c9:5f:19:73:47:63:
         1e:72:4e:53:a3:ec:68:f9:c1:d0:0f:ec:59:5b:54:bf:50:e5:
         0c:88:36:6f:27:2f:cd:ea:8e:fc:58:fb:b3:62:af:b5:5a:0b:
         7f:80:6a:14:60:7b:0f:95:da:7f:9e:12:10:c2:3e:2c:28:5e:
         e1:73:17:86:c0:0b:90:ed:06:5f:e6:4a:93:82:20:e2:f6:fe:
         e0:8a:2f:5c:2f:59:c1:02:de:97:ed:f4:06:8e:31:3f:07:f6:
         1e:e0:8e:f7:8c:d3:22:2a:6d:eb:54:d8:06:46:67:f1:3e:df:
         6e:68:75:da:b0:7f:f3:50:7c:e4:6e:62:09:81:14:45:a1:d1:
-----BEGIN CERTIFICATE-----
MIIFMjCCAxqgAwIBAgIJAMGtgT4/j1R7MA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV
BAMMGHV1aS12bS01Lm1kaC5xdWFudHVtLmNvbTAeFw0yMDA4MTcxNjM5NTNaFw0z
MDA4MTUxNjM5NTNaMCMxITAfBgNVBAMMGHV1aS12bS01Lm1kaC5xdWFudHVtLmNv
bTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKtWs+tGkW3MTgeUfPN6
GK4TeEIfWRJ0/YsSxm8scJ3k8ImXwAr3PE3F84eo6A5cB+l8IoYZhHf/spHzL68e
s4hM00g51fIREyGOpsWKAAjZWA6LXf3e4kuUy/fen6S1PWZZMVrA3MClpnpeBxLU
iJZekPOQNfUHr00GirpIaqkfoPQa8dIML6OtMLnhTukeFGPbM01kFFSzD1mkUhBk
JnSl8ftOGvkWz/HalWWBt3+eERArKEHPjnLA0sq46rTKhGU3MN0E3vMh7yh7KlZK
GjQBBVMWg36Ffkr8GIwygfS5fPH4fQ5IJL+adXHEPtWMsfxW5hV74SPNCETKFw2I
35AXSM+o3RS5Ubpr/bYeUgI1T5+pskMw3/NF7fR7//J7F8+adDNULJfC17jHfVTK
-----END CERTIFICATE-----
Check the X509v3 Subject Alternative Name line in particular. A DNS entry is compared against the host name the browser connected to, never against the port, so the port-suffixed entries in this example (:441, :8443, :8445) do not match any host name. A certificate for this host should list DNS:mySSLcert.mydomain.com once, together with any other name or IP address users connect with; that single entry then serves every port the UI listens on.
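Before you hand a certificate and key to uuissl load, and again when you read the uuissl show output above, it pays to confirm that the pair belongs together, is not about to expire, is kept private on disk, and carries Subject Alternative Name entries that match the name users type into the browser. The script below is an added example and is not part of the StorNext documentation or of the uuissl tool; it needs only the openssl CLI. The file names, the 30-day expiry threshold and the demo host name uui.example.internal are assumptions, and the demo input is a throwaway self-signed pair the script generates itself in a temporary directory.

```bash
#!/bin/sh
# Added example, not part of the StorNext documentation or the uuissl tool:
# pre-flight checks for a certificate/key pair before "uuissl load".
# Needs only the openssl CLI. File names, the expiry threshold and the demo
# host name uui.example.internal are assumptions.

# 0 if the private key and the certificate carry the same public key.
cert_key_match() {     # $1 = certificate (PEM), $2 = private key (PEM)
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 if the certificate stays valid for at least $2 seconds (default: 30 days).
cert_not_expiring() {  # $1 = certificate, $2 = seconds (optional)
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Print the Subject Alternative Name entries, one per line
# (e.g. "DNS:host.example", "IP Address:10.0.0.1"); nothing if there is no SAN.
cert_sans() {          # $1 = certificate
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# 0 if no DNS entry carries a ":port" suffix: a dNSName is matched against the
# host name alone, so "DNS:host.example:8443" never matches anything.
sans_are_clean() {     # $1 = certificate
    ! cert_sans "$1" | grep -q '^DNS:[^:]*:'
}

# 0 if openssl's own host-name matching (SAN first, wildcards included) accepts $2.
cert_matches_host() {  # $1 = certificate, $2 = host name users type in the browser
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 0 if the key file is readable by its owner only (mode 0600 or stricter).
key_is_private() {     # $1 = private key file
    case "$(ls -ld "$1" 2>/dev/null)" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Run every check, print one verdict line each, return 1 if any check failed.
preflight() {          # $1 = certificate, $2 = key, $3 = host name
    rc=0
    check() { if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; rc=1; fi; }
    label="private key matches certificate";          check cert_key_match "$1" "$2"
    label="certificate valid for at least 30 days";   check cert_not_expiring "$1"
    label="SAN covers $3";                             check cert_matches_host "$1" "$3"
    label="no DNS SAN entry carries a :port suffix";   check sans_are_clean "$1"
    label="key file readable by owner only";           check key_is_private "$2"
    return $rc
}

# Constructed demo input (assumption): a throwaway self-signed pair with a SAN,
# written to $1 as nginx.crt / nginx.key, to exercise the checks offline.
make_demo_pair() {     # $1 = directory, $2 = host name
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n[dn]\nCN = %s\n[ext]\nsubjectAltName = DNS:%s\n' "$2" "$2" > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$1/req.cnf" \
        -keyout "$1/nginx.key" -out "$1/nginx.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$1/nginx.key"
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pair "$d" uui.example.internal
    preflight "$d/nginx.crt" "$d/nginx.key" uui.example.internal
    status=$?
    rm -rf "$d"
    return $status
}

command -v openssl >/dev/null 2>&1 && demo
```

Run preflight /path/to/cert.crt /path/to/key.key your.ui.hostname on the real files before loading them; each check prints one verdict line and the function returns non-zero if any check fails, so it can gate a deployment script.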
Keytool Usage:
Every keytool command below prompts for the keystore password. Tomcat reads the same password from /usr/adic/tomcat/conf/server.xml as the value of keystorePass; by default it is changeit, the well-known Java default:
grep Pass /usr/adic/tomcat/conf/server.xml
keystorePass="changeit"
If you change the keystore password (keytool -storepasswd), update keystorePass in server.xml to match, otherwise Tomcat cannot open the keystore at startup.
The keytool utility is located in the following directory:
/usr/adic/java/jre/bin
You must generate a .csr file, which is then signed either by your own CA (self-signed) or by a trusted Certificate Authority.
Execute the command below to generate the file, tomcat.csr, from the existing tomcat key pair in the keystore:
/usr/adic/java/jre/bin/keytool -certreq -keyalg RSA -keystore /usr/adic/gui/config/.keystore -alias tomcat -file tomcat.csr
Enter keystore password:
You can expect the same JKS format warning shown earlier; it does not affect the request.
Execute the following command to view the .csr file you generated above:
openssl req -in tomcat.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=California, L=San Jose, O=StorNext Software, OU=Quantum Corp., CN=node-1.node-1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
Public CAs (both paid and free ones) validate that you control the name in the .csr, typically by connecting to it over HTTP on port 80, so this route works only for a registered domain name that is reachable from the internet; it does not work for an internal host name that cannot be reached publicly on port 80. If you have a Trusted CA, sign the .csr and then proceed to Step 3: Combine the Two Certificates to Create a Chain.
When you self-sign, you create the .crt file yourself; in the procedure below the StorNext server certificate and key in /usr/cvfs/config/certs act as the issuing CA.
You must provide a tomcat.cnf file with a subjectAltName that reflects the host name and IP address users connect to the StorNext GUI with. Check the name-to-address resolution with nslookup, and spell the DNS entry exactly as the resolved name (the line below uses sps-xcellis2.sps.lab, the name nslookup returns). Without this extension file, openssl x509 -req issues a certificate with no SAN at all, and browsers such as Chrome, which has ignored the CN since version 58, will reject it for the host name even when the CN matches:
echo "subjectAltName=DNS:sps-xcellis2.sps.lab,DNS:sps.lab,IP:10.20.232.6" > /etc/pki/tls/tomcat.cnf
[root@sps-xcellis2 jon]# nslookup sps-xcellis2
Server: 10.20.232.95
Address: 10.20.232.95#53
Name: sps-xcellis2.sps.lab
Address: 10.20.232.6
Create the .CRT file:
[root@sps-xcellis2 cert]# openssl x509 -req -in tomcat.csr -out tomcat.crt -CA /usr/cvfs/config/certs/server.crt -CAkey /usr/cvfs/config/certs/server.key -sha256 -days 365 -CAcreateserial -extfile /etc/pki/tls/tomcat.cnf
Signature ok
subject=/C=US/ST=California/L=San Jose/O=StorNext Software/OU=Quantum Corp./CN=node-1.node-1
Getting CA Private Key
[root@sps-xcellis2 cert]# ls
tomcat.crt tomcat.csr
The following procedure creates the file myTomcat.crt (the signed certificate for the tomcat alias) and imports it, together with the CA certificate myCA.crt that signed it, into the Tomcat keystore.
Caution: You must import the CA certificate first. keytool verifies a certificate reply against the trusted certificates already in the keystore and refuses the reply if it cannot build the chain.
Execute the following commands:
[root@sps-xcellis2 cert]# /usr/adic/java/jre/bin/keytool -keystore /usr/adic/gui/config/.keystore -import -alias xmed -file ./myCA.crt
Enter keystore password:
Certificate reply was installed in keystore
[root@sps-xcellis2 cert]# /usr/adic/java/jre/bin/keytool -keystore /usr/adic/gui/config/.keystore -import -alias tomcat -file ./myTomcat.crt
Enter keystore password:
Certificate reply was installed in keystore
Restart the StorNext legacy UI (the stornext_web service) so that Tomcat loads the updated keystore.
Note: The procedure to add the root certificate into the browser's list of recognized Trusted Certificate Authorities is specific to the browser you are using; for additional information, refer to the browser documentation.
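The self-signing step above is easy to get subtly wrong: omitting -extfile produces a certificate that signs and imports cleanly but has no SAN, and a SAN that does not exactly match the resolved host name is just as useless. The script below is an added example, not part of the StorNext documentation; it rehearses the whole flow offline with openssl alone and then runs the checks worth doing before the keytool import. The local CA it creates stands in for the server.crt/server.key pair in /usr/cvfs/config/certs, the generated key and CSR stand in for what keytool -certreq exports from the Tomcat keystore, and the host names and IP address are the page's example values used as assumptions. The myTomcat.crt chain file it builds (leaf first, then issuer) is one common layout for a keytool certificate reply, not a layout the page itself specifies.

```bash
#!/bin/sh
# Added example, not from the StorNext documentation: the legacy-UI signing
# step rehearsed end to end with openssl alone, followed by the checks worth
# running before the keytool import. The CA created here stands in for the
# pair in /usr/cvfs/config/certs, and the key + CSR for what keytool -certreq
# exports from the Tomcat keystore; host names and the IP are assumptions
# taken from the page's example.

# Constructed stand-in CA. CA:TRUE and keyCertSign are set explicitly so that
# "openssl verify" accepts it as an issuer on every OpenSSL version.
make_ca() {            # $1 = work directory
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' 'prompt = no' \
        '[dn]' 'CN = Example StorNext local CA' \
        '[ca_ext]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$1/ca.cnf" \
        -keyout "$1/myCA.key" -out "$1/myCA.crt" >/dev/null 2>&1
}

# Constructed stand-in for the keystore's tomcat key pair and its CSR, with
# the same subject the page's decoded request shows.
make_csr() {           # $1 = work directory
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/C=US/ST=California/L=San Jose/O=StorNext Software/OU=Quantum Corp./CN=node-1.node-1' \
        -keyout "$1/tomcat.key" -out "$1/tomcat.csr" >/dev/null 2>&1
}

# tomcat.cnf in the shape the page uses: the FQDN users type, the bare
# domain, and the IP address the FQDN resolves to.
write_san_cnf() {      # $1 = output file, $2 = FQDN, $3 = domain, $4 = IP
    printf 'subjectAltName=DNS:%s,DNS:%s,IP:%s\n' "$2" "$3" "$4" > "$1"
}

# Sign the CSR exactly as the page does. $3 is the extension file; passing ""
# reproduces the mistake of forgetting -extfile, which yields a certificate
# with no SAN at all.
sign_csr() {           # $1 = work directory, $2 = output certificate, $3 = extfile or ""
    if [ -n "$3" ]; then
        openssl x509 -req -in "$1/tomcat.csr" -out "$2" -CA "$1/myCA.crt" -CAkey "$1/myCA.key" \
            -CAcreateserial -sha256 -days 365 -extfile "$3" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1/tomcat.csr" -out "$2" -CA "$1/myCA.crt" -CAkey "$1/myCA.key" \
            -CAcreateserial -sha256 -days 365 >/dev/null 2>&1
    fi
}

# Checks to run on the signed certificate before importing it.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }   # $1 = CA cert, $2 = leaf
has_san()  { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Subject Alternative Name'; }
host_ok()  { openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'; }
ip_ok()    { openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null | grep -q 'does match'; }

# Leaf first, then the issuer: the order keytool documents for a certificate
# reply given as a sequence of X.509 certificates (assumed layout, see lead-in).
# Prints the number of certificates written to the chain file.
build_chain() {        # $1 = leaf, $2 = CA certificate, $3 = output chain file
    cat "$1" "$2" > "$3" && grep -c 'BEGIN CERTIFICATE' "$3"
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" && make_csr "$d" || { rm -rf "$d"; return 1; }
    write_san_cnf "$d/tomcat.cnf" sps-xcellis2.sps.lab sps.lab 10.20.232.6
    sign_csr "$d" "$d/tomcat.crt" "$d/tomcat.cnf"   # the page's command, with -extfile
    sign_csr "$d" "$d/nosan.crt" ""                 # the same command without -extfile
    for leaf in tomcat.crt nosan.crt; do
        echo "$leaf:"
        chain_ok "$d/myCA.crt" "$d/$leaf"       && echo "  ok   chain verifies against myCA.crt"
        has_san "$d/$leaf"                      && echo "  ok   carries subjectAltName" || echo "  FAIL no subjectAltName"
        host_ok "$d/$leaf" sps-xcellis2.sps.lab && echo "  ok   matches sps-xcellis2.sps.lab" || echo "  FAIL does not match sps-xcellis2.sps.lab"
        ip_ok "$d/$leaf" 10.20.232.6            && echo "  ok   matches 10.20.232.6" || echo "  FAIL does not match 10.20.232.6"
    done
    echo "myTomcat.crt holds $(build_chain "$d/tomcat.crt" "$d/myCA.crt" "$d/myTomcat.crt") certificates"
    rm -rf "$d"
}

command -v openssl >/dev/null 2>&1 && demo
```

Both leaves verify against the CA, which is exactly why a missing SAN goes unnoticed until a browser complains; the has_san, host_ok and ip_ok checks are what catch it. On a real node, run the same three checks against the tomcat.crt you produced and the host name and IP from your nslookup output before importing anything into the keystore.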