Tools > Object Storage Certificates

Starting with StorNext 5 release 5.2, /usr/cvfs/config/ssl is no longer the default repository referenced by Storage Manager for SSL certificates when using HTTPS. The default certificate file or repository will depend on the OS vendor:

Considerations for SUSE Platforms

If you are using /usr/cvfs/config/ssl as your certificate repository, you will have a conflict with the default root certificate repository
/etc/ssl/certs. You have two options (below):

Option Number	Description
1	Use /usr/cvfs/config/ssl as your default certificate repository; set the FS_OBJSTORAGE_CAPATH=/usr/cvfs/config/ssl in the /usr/adic/TSM/config/fs_sysparm_override file, then copy all the root certificates from /etc/ssl/certs to /usr/cvfs/config/ssl. Note: Be sure to execute c_rehash on the directory that will be used as your default certificate repository afterward.
2	Do not use /usr/cvfs/config/ssl; instead use the default root certificate repository by copying your certificates from /usr/cvfs/config/ssl to /etc/ssl/certs. Note: Be sure to execute c_rehash on the directory that will be used as your default certificate repository afterward.

Considerations for Red Hat Platforms

If you are using /usr/cvfs/config/ssl as your certificate repository, you will not have a conflict with the default root certificate file. You will have to set FS_OBJSTORAGE_CAPATH=/usr/cvfs/config/ssl in the /usr/adic/TSM/config/fs_sysparm_override file.

Note: The filename extension / format of the self-signed Object Storage certificate must be .pem. You cannot create a self-signed Object Storage certificate with a different filename extension or format, as this is the only format currently supported with the program that uses the certificate.

1. On the Tools menu, click Object Storage Certificates. The Tools > Object Storage Certificates page appears.

2. On the Tools > Object Storage Certificates page, click New.... The Tools > Object Storage Certificates > New page appears.

3. In the various text boxes, input the appropriate certificate data. The table below describes the various text boxes on the Tools > Object Storage Certificates > New page:

   Note: Text box fields on the Tools > Object Storage Certificates > New page, designated with an asterisk (*) are required.

   Text Box	Description	Examples
   File Name (.pem extension)	The Privacy Enhanced Mail (PEM) filename and its respective filename extension of the self-signed Object Storage certificate. Note: Adding a certificate with the same name generates an error, instructing you to delete the certificate with that name first.	accounts.mycompany.pem
   Password (at least 4 characters)	The Password input is an optional field. If a Password is entered, the input mimics the OpenSSL command password requirements as follows: The Password input, and the Confirm Password input must match. The Password input must be at least 4 characters, and can be all empty spaces or contain spaces.	mypassword1234
   Confirm Password	See the requirements for the Password input.	mypassword1234
   Expiration Date	The Expiration Date low value is at least 1 day in the future. You can input a numeric value, and then select the unit of measurement from the drop-down list. The available unit of measurements are Years, Months, and Days. Note: There is no limit on the high end; however, if you input a value that is out of bounds for OpenSSL, then the OpenSSL command will generate an error.	5 Years
   Common Name	The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.	*.mycompany.com controller.mycompany.com
   Organizational Unit	The division of your organization handling the certificate.	Information Technology IT Department
   Organization	The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.	Mycompany Corp
   Location	The city where your organization is located.	Englewood
   State	The state where your organization is located. This should not be abbreviated.	Colorado
   Country	The two-letter ISO code for the country where your organization is located.	US
   Subject Alternative Name	The Subject Alternative Name is an optional field. If entered, it should be in the following format (also specified under the text box): dns=foo1.com, dns=foo2.com, ip=127.0.0.1, ip=127.0.0.2	dns=foo1.com, dns=foo2.com, ip=127.0.0.1, ip=127.0.0.2

4. Click Apply to submit your inputs and create a new self-signed Object Storage Certificate, or click Cancel to reset the form, and return to the Tools > Object Storage Certificates page. If the submission is successful, your newly created self-signed Object Storage Certificate appears on the Tools > Object Storage Certificates page.

Click View... to display the details of a specified Object Storage certificate.

1. On the Tools menu, click Object Storage Certificates. The Tools > Object Storage Certificates page appears.

2. On the Tools > Object Storage Certificates page, click the option button to the left of a Object Storage certificate to select it, and then click View.... The Tools > Object Storage Certificates > View page appears. The table below describes the various fields on the Tools > Object Storage Certificates > View page:

   Name	Description	Examples
   Public Certificate File Name	The Privacy Enhanced Mail (PEM) filename and its respective filename extension (for example, .pem, or .der), of the Object Storage certificate.	/usr/cvfs/config/ssl/myCert.pem
   Private Key File Name	The filename of the private key in the Object Storage certificate. Note: Note: If the certificate was not created through this feature, you will receive following text (in red/bold): Certificates that were imported do not have Private Keys associated to them.	/usr/adic/gui/.ssl/myCert.pem
   Issuer	This property contains the name of the certificate authority (CA) that issued the certificate. The distinguished name for the certificate is a textual representation of the certificate subject or issuer.	CN=mycert.mycompany.com, OU=StorNext Software, O=Mycompany Corp, L=Englewood, ST=CO, C=US
   Common Name	The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.	mycert.mycompany.com
   Organizational Unit	The division of your organization handling the certificate.	Information Technology IT Department
   Organization	The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.	Mycompany Corp
   Serial Number	The serial number of the selected certificate.	F2:D8:5A:FA:C9:E6:11:CF
   Valid From	The date the certificate is valid from, in the form of yyyy-mm-dd hh:mm:ss time zone.	2013-01-31 14:33:07 MST
   Valid To	The date the certificate is valid to, in the form of yyyy-mm-dd hh:mm:ss time zone.	2018-01-30 14:33:07 MST
   Location	The city where your organization is located.	Englewood
   State	The state where your organization is located. This should not be abbreviated.	Colorado
   Country	The two-letter ISO code for the country where your organization is located.	US
   Signature Algorithm	The algorithm used to create the signature of the certificate.	SHA1withRSA
   Signature Algorithm OID	The object identifier (OID) identifies the type of signature algorithm used by the certificate.	1.2.840.113549.1.1.5
   Version	The version number of the certificate.	V3
   Subject Alternative Name	The Subject Alternative Name is the name of the user of the certificate. The alternative name for the certificate is a textual representation of the subject or issuer of the certificate.	DNS Name=foo1.com DNS Name=foo2.com IP Address=127.0.0.1

3. Click Back to return to the Tools > Object Storage Certificates page.

Click Import... to import a certificate.

Notes and Considerations

• Files that do not have a .pem extension will need to be converted to .pem for use in SSL communication. See Convert... to convert a file to the .pem format. You must convert a file, if you upload a file that is not already in the .pem format. Quantum only supports the .pem format.

• You can import one file, which contains multiple public keys. Doing so will create individual rows for each key file with the filename _multiple.pem. If any of the multiple keys is deleted, since they comprise the same file, the entire certificate is deleted, and all of the public keys are no longer persisted.

• You can view a certificate on an individual basis by selecting the certificate to view.

• You can import any type of valid public key file, as long as the certificate is not expired. If the certificate is expired, the import will fail, and you will be notified via an Error notification. If you import a file with multiple public keys, and any of the public keys in the file are expired, then the entire file is rejected.

• Empty files and files exceeding 10 MB are not permitted. If you want to change the 10 MB limit, you must manually edit the /usr/adic/gui/config/component.properties file, and modify the following value: objectstorage.ssl.maxCertSizeMb=10

• You cannot upload a private certificate file; however, you can create a private certificate. If your private / public key is in a .pem file, open the file in a text editor and remove the private key.

1. On the Tools menu, click Object Storage Certificates. The Tools > Object Storage Certificates page appears.

2. On the Tools > Object Storage Certificates page, click Import.... The Import A Certificate dialog box appears.

3. In the Import A Certificate dialog box, click Choose File to select a file to import. The Open dialog box appears. Alternatively, click Close to cancel the import.

4. In the Open dialog box, navigate to the certificate file you want to import, and then click Open.

If the import is successful, the Information notification at the top of the Tools > Object Storage Certificates page displays, as an example, “Certificate certificate_name.com.pem uploaded successfully.”

Click Convert... to convert a file to the .pem format. You must convert a file, if you upload a file that is not already in the .pem format. Quantum only supports the .pem format.

Notes and Considerations

• If a file with the same name exists, you cannot convert the file to the .pem format. Delete the existing file first.

• If the file can be converted, that is, anything that is not a .pem file format, then the interface will attempt to convert it to the .pem format. The standard extension is .pem.

• The PEM format can contain private keys (RSA or DSA), public keys (RSA or DSA) and X.509 certificates. It is the default format for OpenSSL, and stores the data in either ASN.1 or DER format, surrounded by ASCII headers. Therefore, it is suitable for sending files as text, between systems.

• A file can contain multiple certificates.

• Below is a complete listing of files that can be converted:

  • PKCS7: This is the Cryptographic Message Syntax Standard. A file can contain multiple certificates. Optionally they can be hashed. Optionally a certificate can be accompanied by a private key. As well as the original PKCS #7, there are three revisions: a, b, and c. The standard extensions for these four versions are .spc, .7m, .p7s, .p7a, .p7c, .p7b,and .p7z respectively.

  • DER: This format can contain private keys (RSA or DSA), public keys (RSA or DSA) and X.509 certificates. It is the default format for most browsers. A file can contain only one certificate. Optionally, the certificate can be encrypted. The standard extension is .cer, but might be .der or .crt in some installations. If any of these file formats are actually ASCII base65 PEM files, the conversion will fail.

• Below are formats that cannot be converted to .pem:

  • PKCS12: This format can contain private keys (RSA or DSA), public keys (RSA or DSA) and X.509 certificates. It stores them in a binary format. The standard extension is .pfx or .p12.

1. On the Tools menu, click Object Storage Certificates. The Tools > Object Storage Certificates page appears.

2. On the Tools > Object Storage Certificates page, click the option button to the left of a Object Storage certificate to select it, and then click Convert.... The Convert Certificate dialog box appears.

3. In the Convert Certificate dialog box, click Yes to convert the file, or No to cancel the conversion process and return to the Tools > Object Storage Certificates page.

If the conversion is successful, the .pem file appears in the Object Storage Certificates table.

This feature allows you to conveniently backup any certificate listed on the Tools > Object Storage Certificates page.

1. On the Tools menu, click Object Storage Certificates. The Tools > Object Storage Certificates page appears.
2. On the Tools > Object Storage Certificates page, click the option button to the left of a Object Storage certificate to select it, and then click Download. The Download Private/Public Key Pair dialog box appears.
3. In the Download Private/Public Key Pair dialog box, click the file link to begin the download. If the download is successful, the .pem file appears in your local download directory.
4. In the Download Private/Public Key Pair dialog box, click Done to return to the Tools > Object Storage Certificates page.

1. On the Tools menu, click Object Storage Certificates. The Tools > Object Storage Certificates page appears.

2. On the Tools > Object Storage Certificates page, click the option button to the left of a Object Storage certificate to select it, and then click Delete. The Delete Private/Public Certificate(s) dialog box appears.

3. In the Delete Private/Public Certificate(s) dialog box, click the button next to the appropriate file, and then click Yes to delete the file, or click No to return to the Tools > Object Storage Certificates page.

If the file is deleted successfully, the Information notification at the top of the Tools > Object Storage Certificates page displays, as an example, “File backed up to {/usr/cvfs/config_history/ssl/ accounts.google.der.20130213155919}.”

1. On the Tools menu, click Object Storage Certificates. The Tools > Object Storage Certificates page appears.

2. On the Tools > Object Storage Certificates page, click Refresh.

You must have the following binary files installed for proper functionality and use of this feature:

For the installation procedure and configuration of the binary files, see the StorNext Installation Guide.

If you are working on a Object Storage system which does not have an existing SSL certificate, this section outlines what you need to do to use both the private and public portions of the SSL certificate. This section discusses how to use the PEM (Privacy Enhanced Mail) file that you create using the StorNext GUI. A typical PEM file will look like the server.pem file referenced in Basic Secure Sockets Layer (SSL) Guidelines.

See Basic Secure Sockets Layer (SSL) Guidelines, as it outlines some standard information about using private and public certificates.

Create a Private and Public SSL Certificate for use on a Object Storage System and a StorNext MDC

1. On the Tools menu, click Object Storage Certificates. The Tools > Object Storage Certificates page appears.

2. On the Tools > Object Storage Certificates page, click New.... The Tools > Object Storage Certificates > New page appears.

3. In the various text boxes, input the appropriate certificate data. The table in the Create a Self-signed Certificate section describes the various text boxes on the Tools > Object Storage Certificates > New page:

   Note: Text box fields on the Tools > Object Storage Certificates > New page, designated with an asterisk (*) are required.

   • For the purposes of Object Storage, do NOT enter a password in the Password field.
   • In the Subject Alternative Name field, input the DNS and IP entries of all the servers for the certificate to work for. For example:
     
     dns=ibis1-controller1, dns=ibis1-controller1.mycompany.com, ip=192.168.166.94, ip=192.168.166.97, ip=192.168.10.3, ip=192.168.20.3

4. Click Apply to submit your inputs and create a private and public SSL certificate for use on a Object Storage System and a StorNext MDC, or click Cancel to reset the form, and return to the Tools > Object Storage Certificates page. If the submission is successful, your newly created private and public SSL certificate for use on a Object Storage System and a StorNext MDC appears on the Tools > Object Storage Certificates page.

5. To obtain the private and public SSL certificate to be used on the Object Storage system, select the server.pem file and click Download. In the Download Private/Public Key Pair dialog box, click the file for “Click the Private Self-Signed Certificate file link to begin the download" and save the file where the Object Storage CMC can access it.

6. Verify the Object Storage system is working with your server.pem file.

7. (Optional) Delete the server.pem file from the StorNext MDC, as it is no longer needed by the MDC.

   1. On the Tools > Object Storage Certificates page, click the option button to the left of the server.pem certificate to select it, and then click Delete. The Delete Private/Public Certificate(s) dialog box appears.

   2. In the Delete Private/Public Certificate(s) dialog box, click “Check this to delete the Private Self-Signed Certificate file.”, and then click Yes to delete the file, or click No to return to the Tools > Object Storage Certificates page.

Root Certificates may expire. When they do, you can update all your Root Certificates to the latest available from http://rpmfind.net/linux/rpm2html/search.php?query=ca-certificates. Select the one that fits your system.

1. Determine the default configured CA Root Certificate configured for StorNext using libcurl:

   # curl-config --ca

   /etc/pki/tls/certs/ca-bundle.crt

2. Download the RPM that matches your system. In this example, we downloaded ca-certificates-2014.1.98-65.1.el6.noarch.rpm.

3. View the contents of the RPM.

   # rpm -q -filesbypkg -p ca-certificates-2014.1.98-65.1.el6.noarch.rpm

   ca-certificates /etc/pki/ca-trust

   ca-certificates /etc/pki/ca-trust/README

   .. snip ..

   ca-certificates /etc/pki/tls

   ca-certificates /etc/pki/tls/cert.pem

   ca-certificates /etc/pki/tls/certs

   ca-certificates /etc/pki/tls/certs/ca-bundle.crt

   ca-certificates /etc/pki/tls/certs/ca-bundle.trust.crt

   .. snip ..

   ca-certificates

   /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit

   ca-certificates /usr/share/pki/ca-trust-source/ca-bundle.trust.crt

4. Install /etc/pki/tls/certs/ca-bundle.crt.

   # mv /etc/pki/tls/certs/ca-bundle.crt etc/pki/tls/certs/ca-bundle.crt.bak

   # rpm2cpio ca-certificates-2014.1.98-65.1.el6.noarch.rpm | cpio -ivd

   /etc/pki/tls/certs/ca-bundle.crt

5. Install the complete latest RPM.

6. Backup any files that you do not want replaced. This step may require you to install required dependencies.

   # rpm -hiv ca-certificates-2014.1.98-65.1.el6.noarch.rpm

   p11-kit >= 0.18.4-2 is needed by ca-certificates-2014.1.98-65.1.el6.noarch

   p11-kit-trust >= 0.18.4-2 is needed by

   ca-certificates-2014.1.98-65.1.el6.noarch

The table below provides the information displayed for each certificate, on the Tools > Object Storage Certificates page:

When HTTPS is configured to communicate with a server, the server sends its certificate to the client as part of the connection handshake. The client verifies the certificate to ensure that it is issued by a trusted Certificate Authority (CA), it is still valid (not expired or revoked), and the hostname matches the certificate owner.

Trusted CA certificates are located in the system's default certificate repository. See HTTPS Default CA ROOT Certificate File or Path. To reference an additional certificate repository or file, set the Storage Manager parameters FS_OBJSTORAGE_CAPATH or FS_OBJSTORAGE_CACERT.

You can configure the certificate verification level from its default value by setting the Storage Manager parameter FS_OBJSTORAGE_SSL_VERIFY_PEERHOST:

• If you set the parameter to 0, the certificate verification is skipped.
• If you set the value to 1, only the peer is verified; in other words, that it is issued by a trusted CA, and it is still valid.
• If you set the parameter to 2, in addition to peer verification, the hostname is also verified. By default, both peer and hostname are verified.

Certificates for public cloud storage, such as Amazon AWS, Microsoft Azure and Google Cloud, are issued by third-party CAs, whose certificates are already included in the default certificate repository. For on-premise object storage, if HTTPS is configured, the certificate is often self-signed. In this case, in order to pass the certificate verification, you must either install the self-signed certificate in the default system certificate repository (recommended) or specify the location of the self-signed certificate using Storage Manager system parameters.

In order to check whether the endpoint of an HTTPS server passes the certificate verification, use the openssl tool to check the verification status. For example, to check whether a public cloud storage endpoint is trusted, run:

# openssl s_client -connect s3.amazonaws.com:443

CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Baltimore CA-2 G2
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN = s3.amazonaws.com
verify return:1

...
    PSK identity hint: None
    Start Time: 1556906789
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

The output displays that the server's certificate was issued by trusted CA (DigiCert Inc), which was issued by a ROOT CA (CyberTrust), and the verification passed (ok).

For a self-signed certificate, if you do not specify the issuer's certificate, the certificate verification fails. For example:

# openssl s_client  -connect 10.65.166.129:7071

CONNECTED(00000003)
depth=0 C = US, ST = Minnesota, L = Mendota Heights, O = Quantum Corporation, OU = StorNext Engineering, CN = geoc10-1.mdh.quantum.com
verify error:num=18:self signed certificate
verify return:1
...

However, if you either put the self-signed certificate in the certificate repository, or specify it using the system parameter FS_OBJSTORAGE_CAPATH, the verification succeeds. For example:

# openssl s_client -CApath /usr/cvfs/config/ssl -connect 10.65.166.129:7071
CONNECTED(00000003)
depth=0 C = US, ST = Minnesota, L = Mendota Heights, O = Quantum Corporation, OU = StorNext Engineering, CN = geoc10-1.mdh.quantum.com
verify return:1
...
    Start Time: 1556829277
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)