Tools > Lattus Certificates

The Tools menu's Lattus Certificates option enables you to manage, and perform various actions to the public and private certificates that various applications requiring SSL authentication use. To access the Tools > Lattus Certificates page, on the Tools menu, click Lattus Certificates. For configuration details, see HTTPS Configuration. If you are working on a Lattus system which does not have an existing SSL certificate, see Work on a Lattus System and a StorNext Metadata Controller. The table below provides the information displayed for each certificate, on the Tools > Lattus Certificates page:

Heading Description Examples

Public Certificate File Name

The Privacy Enhanced Mail (PEM) filename and its respective filename extension (for example, .pem, or .der, of the Lattus certificate.

• There will always be a public certificate, but in some instances where you create a private certificate using this feature, the name will be both the name of the public and private certificate.

• There will always be a public file name, and a private if you use this feature to generate your certificates.

accounts.mycompany.pem

accounts.mycompany.der

Common Name

The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.

*.mycompany.com

controller.mycompany.com

Organization

The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.

Mycompany Corp

Organizational Unit

The division of your organization handling the certificate.

Information Technology

IT Department

Valid From

The date the certificate is valid from, in the form of yyyy-mm-dd hh:mm:ss time zone.

1998-08-22 11:41:51 MST

Valid To

The date the certificate is valid to, in the form of yyyy-mm-dd hh:mm:ss time zone.

1998-08-22 11:41:51 MST

Starting with StorNext 5 release 5.2, /usr/cvfs/config/ssl is no longer the default repository referenced by Storage Manager for SSL certificates when using HTTPS. The default certificate file or repository will depend on the OS vendor:

Operating System Default Repository Referenced by Storange Manager
Debian /etc/ssl/certs/ca-certificates.crt
Red Hat /etc/pki/tls/certs/ca-bundle.crt or /etc/ssl/certs/ca-bundle.crt
SUSE /etc/ssl/certs/

If you are using /usr/cvfs/config/ssl as your certificate repository, you will have a conflict with the default root certificate repository
/etc/ssl/certs. You have two options (below):

Option Number Description
1

Use /usr/cvfs/config/ssl as your default certificate repository; set the FS_OBJSTORAGE_CAPATH=/usr/cvfs/config/ssl in the /usr/adic/TSM/config/fs_sysparm_override file, then copy all the root certificates from /etc/ssl/certs to /usr/cvfs/config/ssl.

Note: Be sure to execute c_rehash on the directory that will be used as your default certificate repository afterward.
2

Do not use /usr/cvfs/config/ssl; instead use the default root certificate repository by copying your certificates from
/usr/cvfs/config/ssl to /etc/ssl/certs.

Note: Be sure to execute c_rehash on the directory that will be used as your default certificate repository afterward.

If you are using /usr/cvfs/config/ssl as your certificate repository, you will not have a conflict with the default root certificate file. You will have to set FS_OBJSTORAGE_CAPATH=/usr/cvfs/config/ssl in the /usr/adic/TSM/config/fs_sysparm_override file.

Note: The filename extension / format of the self-signed Lattus certificate must be .pem. You cannot create a self-signed Lattus certificate with a different filename extension or format, as this is the only format currently supported with the program that uses the certificate.

  1. On the Tools menu, click Lattus Certificates. The Tools > Lattus Certificates page appears.

  2. On the Tools > Lattus Certificates page, click New.... The Tools > Lattus Certificates > New page appears.

  3. In the various text boxes, input the appropriate certificate data. The table below describes the various text boxes on the Tools > Lattus Certificates > New page:

Note: Text box fields on the Tools > Lattus Certificates > New page, designated with an asterisk (*) are required.

Text Box Description Examples

File Name (.pem extension)

The Privacy Enhanced Mail (PEM) filename and its respective filename extension of the self-signed Lattus certificate.

Note: Adding a certificate with the same name generates an error, instructing you to delete the certificate with that name first.

accounts.mycompany.pem

Password

(at least 4 characters)

The Password input is an optional field. If a Password is entered, the input mimics the OpenSSL command password requirements as follows:

  • The Password input, and the Confirm Password input must match.
  • The Password input must be at least 4 characters, and can be all empty spaces or contain spaces.

mypassword1234

Confirm Password

See the requirements for the Password input.

mypassword1234

Expiration Date

The Expiration Date low value is at least 1 day in the future. You can input a numeric value, and then select the unit of measurement from the drop-down list. The available unit of measurements are Years, Months, and Days.

Note: There is no limit on the high end; however, if you input a value that is out of bounds for OpenSSL, then the OpenSSL command will generate an error.

5 Years

Common Name

The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.

*.mycompany.com

controller.mycompany.com

Organizational Unit

The division of your organization handling the certificate.

Information Technology

IT Department

Organization

The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.

Mycompany Corp

Location

The city where your organization is located.

Englewood

State

The state where your organization is located. This should not be abbreviated.

Colorado

Country

The two-letter ISO code for the country where your organization is located.

US

Subject Alternative Name

The Subject Alternative Name is an optional field. If entered, it should be in the following format (also specified under the text box):

dns=foo1.com, dns=foo2.com, ip=127.0.0.1, ip=127.0.0.2

dns=foo1.com, dns=foo2.com, ip=127.0.0.1, ip=127.0.0.2

  1. Click Apply to submit your inputs and create a new self-signed Lattus Certificate, or click Cancel to reset the form, and return to the Tools > Lattus Certificates page. If the submission is successful, your newly created self-signed Lattus Certificate appears on the Tools > Lattus Certificates page.

Click View... to display the details of a specified Lattus certificate.

  1. On the Tools menu, click Lattus Certificates. The Tools > Lattus Certificates page appears.

  2. On the Tools > Lattus Certificates page, click the option button to the left of a Lattus certificate to select it, and then click View.... The Tools > Lattus Certificates > View page appears. The table below describes the various fields on the Tools > Lattus Certificates > View page:

Name Description Examples

Public Certificate File Name

The Privacy Enhanced Mail (PEM) filename and its respective filename extension (for example, .pem, or .der), of the Lattus certificate.

/usr/cvfs/config/ssl/myCert.pem

Private Key File Name

The filename of the private key in the Lattus certificate.

Note: Note: If the certificate was not created through this feature, you will receive following text (in red/bold): Certificates that were imported do not have Private Keys associated to them.

/usr/adic/gui/.ssl/myCert.pem

Issuer

This property contains the name of the certificate authority (CA) that issued the certificate. The distinguished name for the certificate is a textual representation of the certificate subject or issuer.

CN=mycert.mycompany.com, OU=StorNext Software, O=Mycompany Corp, L=Englewood, ST=CO, C=US

Common Name

The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.

mycert.mycompany.com

Organizational Unit

The division of your organization handling the certificate.

Information Technology

IT Department

Organization

The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.

Mycompany Corp

Serial Number

The serial number of the selected certificate.

F2:D8:5A:FA:C9:E6:11:CF

Valid From

The date the certificate is valid from, in the form of yyyy-mm-dd hh:mm:ss time zone.

2013-01-31 14:33:07 MST

Valid To

The date the certificate is valid to, in the form of yyyy-mm-dd hh:mm:ss time zone.

2018-01-30 14:33:07 MST

Location

The city where your organization is located.

Englewood

State

The state where your organization is located. This should not be abbreviated.

Colorado

Country

The two-letter ISO code for the country where your organization is located.

US

Signature Algorithm

The algorithm used to create the signature of the certificate.

SHA1withRSA

Signature Algorithm OID

The object identifier (OID) identifies the type of signature algorithm used by the certificate.

1.2.840.113549.1.1.5

Version

The version number of the certificate.

V3

Subject Alternative Name

The Subject Alternative Name is the name of the user of the certificate. The alternative name for the certificate is a textual representation of the subject or issuer of the certificate.

DNS Name=foo1.com

DNS Name=foo2.com

IP Address=127.0.0.1

  1. Click Back to return to the Tools > Lattus Certificates page.

Click Import... to import a certificate.

  • Files that do not have a .pem extension will need to be converted to .pem for use in SSL communication. See Convert... to convert a file to the .pem format. You must convert a file, if you upload a file that is not already in the .pem format. Quantum only supports the .pem format.

  • You can import one file, which contains multiple public keys. Doing so will create individual rows for each key file with the filename _multiple.pem. If any of the multiple keys is deleted, since they comprise the same file, the entire certificate is deleted, and all of the public keys are no longer persisted.

  • You can view a certificate on an individual basis by selecting the certificate to view.

  • You can import any type of valid public key file, as long as the certificate is not expired. If the certificate is expired, the import will fail, and you will be notified via an Error notification. If you import a file with multiple public keys, and any of the public keys in the file are expired, then the entire file is rejected.

  • Empty files and files exceeding 10 MB are not permitted. If you want to change the 10 MB limit, you must manually edit the /usr/adic/gui/config/component.properties file, and modify the following value: objectstorage.ssl.maxCertSizeMb=10

  • You cannot upload a private certificate file; however, you can create a private certificate. If your private / public key is in a .pem file, open the file in a text editor and remove the private key.

  1. On the Tools menu, click Lattus Certificates. The Tools > Lattus Certificates page appears.

  2. On the Tools > Lattus Certificates page, click Import.... The Import A Certificate dialog box appears.

  3. In the Import A Certificate dialog box, click Choose File to select a file to import. The Open dialog box appears. Alternatively, click Close to cancel the import.

  4. In the Open dialog box, navigate to the certificate file you want to import, and then click Open.

If the import is successful, the Information notification at the top of the Tools > Lattus Certificates page displays, as an example, “Certificate certificate_name.com.pem uploaded successfully.

Click Convert... to convert a file to the .pem format. You must convert a file, if you upload a file that is not already in the .pem format. Quantum only supports the .pem format.

  • If a file with the same name exists, you cannot convert the file to the .pem format. Delete the existing file first.

  • If the file can be converted, that is, anything that is not a .pem file format, then the interface will attempt to convert it to the .pem format. The standard extension is .pem.

  • The PEM format can contain private keys (RSA or DSA), public keys (RSA or DSA) and X.509 certificates. It is the default format for OpenSSL, and stores the data in either ASN.1 or DER format, surrounded by ASCII headers. Therefore, it is suitable for sending files as text, between systems.

  • A file can contain multiple certificates.

  • Below is a complete listing of files that can be converted:

    • PKCS7: This is the Cryptographic Message Syntax Standard. A file can contain multiple certificates. Optionally they can be hashed. Optionally a certificate can be accompanied by a private key. As well as the original PKCS #7, there are three revisions: a, b, and c. The standard extensions for these four versions are .spc, .7m, .p7s, .p7a, .p7c, .p7b,and .p7z respectively.

    • DER: This format can contain private keys (RSA or DSA), public keys (RSA or DSA) and X.509 certificates. It is the default format for most browsers. A file can contain only one certificate. Optionally, the certificate can be encrypted. The standard extension is .cer, but might be .der or .crt in some installations. If any of these file formats are actually ASCII base65 PEM files, the conversion will fail.

  • Below are formats that cannot be converted to .pem:

    • PKCS12: This format can contain private keys (RSA or DSA), public keys (RSA or DSA) and X.509 certificates. It stores them in a binary format. The standard extension is .pfx or .p12.

  1. On the Tools menu, click Lattus Certificates. The Tools > Lattus Certificates page appears.

  2. On the Tools > Lattus Certificates page, click the option button to the left of a Lattus certificate to select it, and then click Convert.... The Convert Certificate dialog box appears.

  3. In the Convert Certificate dialog box, click Yes to convert the file, or No to cancel the conversion process and return to the Tools > Lattus Certificates page.

If the conversion is successful, the .pem file appears in the Lattus Certificates table.

This feature allows you to conveniently backup any certificate listed on the Tools > Lattus Certificates page.

Notes and Considerations

You can download any file listed on the Tools > Lattus Certificates page. If you download a file created using the Create a Self-signed Certificate procedure, both the public and private certificate files are downloaded as one file.
  1. On the Tools menu, click Lattus Certificates. The Tools > Lattus Certificates page appears.
  2. On the Tools > Lattus Certificates page, click the option button to the left of a Lattus certificate to select it, and then click Download. The Download Private/Public Key Pair dialog box appears.
  3. In the Download Private/Public Key Pair dialog box, click the file link to begin the download. If the download is successful, the .pem file appears in your local download directory.
  4. In the Download Private/Public Key Pair dialog box, click Done to return to the Tools > Lattus Certificates page.
Notes and Considerations

You can delete any file listed on the Tools > Lattus Certificates page.

After the file is deleted, the file is backed up to /usr/cvfs/config_history/ssl, with the same filename as the original, in addition to the standard time stamp yyyyMMddHHmmss.

  1. On the Tools menu, click Lattus Certificates. The Tools > Lattus Certificates page appears.

  2. On the Tools > Lattus Certificates page, click the option button to the left of a Lattus certificate to select it, and then click Delete. The Delete Private/Public Certificate(s) dialog box appears.

  3. In the Delete Private/Public Certificate(s) dialog box, click the button next to the appropriate file, and then click Yes to delete the file, or click No to return to the Tools > Lattus Certificates page.

If the file is deleted successfully, the Information notification at the top of the Tools > Lattus Certificates page displays, as an example, “File backed up to {/usr/cvfs/config_history/ssl/ accounts.google.der.20130213155919}.

Notes and Considerations

The Refresh feature scans the /usr/cvfs/config/ssl directory, and adds any public certificates found within the directory to the Lattus Certificates table.

The Refresh feature works independently of the user interface. If an administrator using the command line interface, manually creates, updates, or deletes any of the certificates found in /usr/cvfs/config/ssl, the certificates are automatically updated on the Lattus Certificates table.

If an invalid certificate is manually placed in the list using the command line interface, an error message is displayed until the invalid file is removed. Until you remove the invalid file by manually removing the invalid certificate, other certificates are not displayed.

  1. On the Tools menu, click Lattus Certificates. The Tools > Lattus Certificates page appears.

  2. On the Tools > Lattus Certificates page, click Refresh.

You must have the following binary files installed for proper functionality and use of this feature:

Binary File Description

objectstorage.openssl.binary

If the objectstorage.openssl.binary file is not installed, the New... button is disabled, and you will receive an error message.

objectstorage.c_rehash.binary

If the objectstorage.c_rehash.binary file is not installed, both the New... and Import... buttons are disabled, and you will receive an error message.

For the installation procedure and configuration of the binary files, see the StorNext Installation Guide.

If you are working on a Lattus system which does not have an existing SSL certificate, this section outlines what you need to do to use both the private and public portions of the SSL certificate. This section discusses how to use the PEM (Privacy Enhanced Mail) file that you create using the StorNext GUI. A typical PEM file will look like the server.pem file referenced in Basic Secure Sockets Layer (SSL) Guidelines.

See Basic Secure Sockets Layer (SSL) Guidelines, as it outlines some standard information about using private and public certificates.

  1. On the Tools menu, click Lattus Certificates. The Tools > Lattus Certificates page appears.

  2. On the Tools > Lattus Certificates page, click New.... The Tools > Lattus Certificates > New page appears.

  3. In the various text boxes, input the appropriate certificate data. The table in the Create a Self-signed Certificate section describes the various text boxes on the Tools > Lattus Certificates > New page:

Note: Text box fields on the Tools > Lattus Certificates > New page, designated with an asterisk (*) are required.

  • For the purposes of Lattus, do NOT enter a password in the Password field.
  • In the Subject Alternative Name field, input the DNS and IP entries of all the servers for the certificate to work for. For example:

    dns=ibis1-controller1, dns=ibis1-controller1.mycompany.com, ip=192.168.166.94, ip=192.168.166.97, ip=192.168.10.3, ip=192.168.20.3

  1. Click Apply to submit your inputs and create a private and public SSL certificate for use on a Lattus System and a StorNext MDC, or click Cancel to reset the form, and return to the Tools > Lattus Certificates page. If the submission is successful, your newly created private and public SSL certificate for use on a Lattus System and a StorNext MDC appears on the Tools > Lattus Certificates page.

  2. To obtain the private and public SSL certificate to be used on the Lattus system, select the server.pem file and click Download. In the Download Private/Public Key Pair dialog box, click the file for “Click the Private Self-Signed Certificate file link to begin the download" and save the file where the Lattus CMC can access it.

  3. Verify the Lattus system is working with your server.pem file.

  4. (Optional) Delete the server.pem file from the StorNext MDC, as it is no longer needed by the MDC.

    1. On the Tools > Lattus Certificates page, click the option button to the left of the server.pem certificate to select it, and then click Delete. The Delete Private/Public Certificate(s) dialog box appears.

    2. In the Delete Private/Public Certificate(s) dialog box, click “Check this to delete the Private Self-Signed Certificate file.”, and then click Yes to delete the file, or click No to return to the Tools > Lattus Certificates page.

Root Certificates may expire. When they do, you can update all your Root Certificates to the latest available from http://rpmfind.net/linux/rpm2html/search.php?query=ca-certificates. Select the one that fits your system.

  1. Determine the default configured CA Root Certificate configured for Stornext using libcurl:

# curl-config --ca

/etc/pki/tls/certs/ca-bundle.crt
  1. Download the RPM that matches your system. In this example, we downloaded ca-certificates-2014.1.98-65.1.el6.noarch.rpm.

  2. View the contents of the RPM.

# rpm -q -filesbypkg -p ca-certificates-2014.1.98-65.1.el6.noarch.rpm

ca-certificates /etc/pki/ca-trust

ca-certificates /etc/pki/ca-trust/README

.. snip ..

ca-certificates /etc/pki/tls

ca-certificates /etc/pki/tls/cert.pem

ca-certificates /etc/pki/tls/certs

ca-certificates /etc/pki/tls/certs/ca-bundle.crt

ca-certificates /etc/pki/tls/certs/ca-bundle.trust.crt

.. snip ..

ca-certificates

/usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit

ca-certificates /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
  1. Install /etc/pki/tls/certs/ca-bundle.crt.

# mv /etc/pki/tls/certs/ca-bundle.crt etc/pki/tls/certs/ca-bundle.crt.bak

# rpm2cpio ca-certificates-2014.1.98-65.1.el6.noarch.rpm | cpio -ivd

/etc/pki/tls/certs/ca-bundle.crt

  1. Install the complete latest RPM.

  2. Backup any files that you do not want replaced. This step may require you to install required dependencies.

# rpm -hiv ca-certificates-2014.1.98-65.1.el6.noarch.rpm

p11-kit >= 0.18.4-2 is needed by ca-certificates-2014.1.98-65.1.el6.noarch

p11-kit-trust >= 0.18.4-2 is needed by

ca-certificates-2014.1.98-65.1.el6.noarch

The table below provides the information displayed for each certificate, on the Tools > Lattus Certificates page:

Heading

Description

Examples

Public Certificate File Name

The Privacy Enhanced Mail (PEM) filename and its respective filename extension (for example, .pem, or .der), of the Lattus certificate.

  • There will always be a public certificate, but in some instances where you create a private certificate using this feature, the name will be both the name of the public and private certificate.
  • There will always be a public file name, and a private if you use this feature to generate your certificates.

accounts.mycompany.pem

accounts.mycompany.der

Common Name

The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.

*.mycompany.com

controller.mycompany.com

Organization

The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.

Mycompany Corp

Organizational Unit

The division of your organization handling the certificate.

Information Technology

IT Department

Valid From

The date the certificate is valid from, in the form of yyyy-mm-dd hh:mm:ss time zone.

1998-08-22 11:41:51 MST

Valid To

The date the certificate is valid to, in the form of yyyy-mm-dd hh:mm:ss time zone.

1998-08-22 11:41:51 MST